Re: repost: how to create a SPDX "notice file" from a build?
Mark Hatle
On 11/23/19 6:01 AM, Richard Purdie wrote:
> On Fri, 2019-11-22 at 09:59 -0800, akuster808 wrote:
> That code hasn't been touched in a while and needs some serious
> Cheers,

I think the use-cases have changed over time, even though parts and pieces are still valid. There are really a few groups to consider.

1) (old case) Someone is building a system and wants to construct SPDX files for the things they are building. Contacting, uploading, and getting a report from fossology may still be the best way of doing this.

2) (new case) Things could be shipped with prebuilt SPDX files (based on fossology run by the system, maintainer, an addon layer, OSV, etc.). In this case we would want to simply tie a recipe to an SPDX and be able to correlate them.

3) In either case, we have a list of SPDX files, but that doesn't meet Robert's question. Something needs to process these SPDX files and generate notice files and similar. To me this is an external tool, that could optionally be invoked at image creation time (or by the user directly).

Further, a 4th case: what is the license of the components I've actually deployed? I've wanted to do this for a long time, but using the DWARF debug information you can determine what files were actually used to construct the binaries in your images. From that you can go back to the SPDX files and correlate to exactly what was deployed, including file-level copyright, notice, and license requirements (not just recipe), and produce an incredibly accurate report. Add to this that SPDX has the ability for custom fields that can be used to track other IP issues like patents, legal concerns, etc., and you could construct a report in a form for the legal organization of a company to review prior to product shipment.

Right now, we have an old way to do 1, but it doesn't solve Robert's issue -- even if it DID work. And there is no way to do the rest (that I am aware of).

--Mark