[Buildroot] [RFC 00/15] Automatically produce legal compliance info

[Buildroot] [RFC 00/15] Automatically produce legal compliance info

[Luca Ceresoli]

Hi,

during the latest Buildroot Developers Day in November 2011 and in this
mailing list there has been some discussion about introducing in Buildroot the
possibility to derive automatically legally relevant material, such as
licensing info and source tarballs for open source packages.

This is a first tentative implementation of these features.

This code is not yet fully working, but I wanted to share it with you to
receive some early comments. I also wanted to allow those who will participate
to the next Buildroot Developer Day next Friday to have an idea of this
proposal in advance, in case this were object of discussion during the
meeting.

My approach is based on the creation of a per-package _LICENSE constant in
eack .mk file, such as:
  FOOBAR_LICENSE = GPL_V3
  MYAPP_LICENSE = PROPRIETARY
This is the only effort required to the package creator. Where it is not
specified it defaults to "unknown".

My overall goal is to add a new 'make legal-info' target that:
 - produces a manifest file listing all packages, including closed-source ones
   (and, why not, prints out to stdout the same info);
 - copies source code tarballs for all non-proprietary packages (although I'm
   saving also tarballs for BSD-licensed packages for now);
 - save the complete text of all license files that must be included in the
   product documentation (typically COPYING and LICENSE files); this is to
   simplify the work of who must provide these info to documentation writers.

This patchset implements the first two points, albeit with some issues that I
discuss below.
About the third point I devised a few different possible implementations, but
each of them has relevant drawbacks, so I left this point out for the moment.

Here's what is currently implmented:

  $ make legal-info
  busybox  1.19.3       GPL_V2_ONLY
  bzip2    1.0.5        BSD
  directfb 1.4.15       LGPL_V2.1
  foobar   1.2.3.4      PROPRIETARY
  freetype 2.4.8        unknown
  iostat   2.2          GPL_V2
  ...
  $ cat output/legal-info/manifest.csv 
  package,version,license
  busybox,1.19.3,GPL_V2_ONLY
  bzip2,1.0.5,BSD
  directfb,1.4.15,LGPL_V2.1
  foobar,1.2.3.4,PROPRIETARY
  freetype,2.4.8,unknown
  iostat,2.2,GPL_V2
  ...
  $ ls output/legal-info/sources/
  autoconf-2.65.tar.bz2
  automake-1.11.1.tar.bz2
  binutils-2.21.1.tar.bz2
  busybox-1.19.3.tar.bz2
  bzip2-1.0.5.tar.gz
  DirectFB-1.4.15.tar.gz
  fakeroot_1.9.5.tar.gz
  freetype-2.4.8.tar.bz2
  ...

The implementation is somewhat similar to 'make external-deps'.
A $(PKG)-legal-info target is created for each package which echoes the
$(PKG)_LICENSE value and other info both to stdout and to the manifest file.
It also copies source tarball in $(BASE_DIR)/legal-info/sources unless
$(PKG)_LICENSE equals "PROPRIETARY".

A top-level 'legal-info' target collects all of these per-package targets.

The implementation takes only ~35 lines of code so it should be simple to
review.

Now the long list of open issues.

The semantics of the _LICENSE variable is still non well defined.
It might be a generic string (e.g. FOOBAR_LICENSE = modified 3-clause BSD),
or one from a well-defined list of known licenses.
The former interpretation is probably the more useful for producing a manifest
file. The latter might be useful to help an automated implementation of the
last goal listed above: save the complete text of all license files to a
directory.

This patchset has been tested only in a few configurations. The only one that
has been really tested with reasonable depth is presented in the last patch
of this series.
This might in turn grow this list of open issues as soon as different configs
are tested...

Some packages do not appear in the 'make legal-info' output. It looks
like they are all and only the Buildroot's internal toolchain files (gcc,
mpfr, mpc etc). I couldn't find where the cause is yet, but I'm sure a more
expert eye can enlighten me.

Copying the source tarball does not currently work for packages with
_SITE_METHOD equal to local, as there is no tarball associated to it.
Other methods, such as file and all versioning systems, are not tested, but
they should work as there's a tarball in the download dir.

Non-gentargets and non-autotargets packages are not tested. I guess they need
a $(PKG)-legal-info target to be defined manually.

It might be useful to remove the output/legal-info dir before populating it,
to be sure there are no remnants of previous runs. It would not have a big
additional cost, since the computations and copies must be done anyway.

Finally, there is no documentation yet. I will write some if the presented
approach is considered good.

The patches are logically divided in these parts:
 - patches 1 to 4 introduce the mechanism to extract all the legal info;
   this is the interesting part;
 - patches 5 to 13 define the _LICENSE constant for some packages;
 - patches 14 and 15 only add some testing stuff; they are not meant to be
   merged.

Luca

Luca Ceresoli (15):
  legal-info: new target to echo basic per-package legal info
  legal-info: produce a manifest file with licensing info
  legal-info: save source tarballs for all packages
  legal-info: do not copy sources for proprietary packages
  mpc: define license
  linux: define license
  m4: define license
  busybox: define license
  bzip2: define license
  directfb: define license
  iostat: define license
  lzop: define license
  tslib: define license
  foobar: create a fake proprietary package (testing only)
  Create a test config (testing only)

 Makefile                          |   26 ++++++++++++++++++++++----
 configs/legal_info_test_defconfig |   13 +++++++++++++
 linux/linux.mk                    |    1 +
 package/Config.in                 |    1 +
 package/Makefile.package.in       |   11 +++++++++++
 package/busybox/busybox.mk        |    1 +
 package/bzip2/bzip2.mk            |    1 +
 package/directfb/directfb.mk      |    1 +
 package/foobar/Config.in          |    5 +++++
 package/foobar/foobar.mk          |   13 +++++++++++++
 package/foobar/source/foobar.c    |    7 +++++++
 package/iostat/iostat.mk          |    1 +
 package/lzop/lzop.mk              |    1 +
 package/m4/m4.mk                  |    1 +
 package/mpc/mpc.mk                |    1 +
 package/tslib/tslib.mk            |    1 +
 16 files changed, 81 insertions(+), 4 deletions(-)
 create mode 100644 configs/legal_info_test_defconfig
 create mode 100644 package/foobar/Config.in
 create mode 100644 package/foobar/foobar.mk
 create mode 100644 package/foobar/source/foobar.c

-- 
1.7.5.4

[Buildroot] [RFC 01/15] legal-info: new target to echo basic per-package legal info

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 Makefile                    |    9 ++++++++-
 package/Makefile.package.in |    6 ++++++
 2 files changed, 14 insertions(+), 1 deletions(-)

diff --git a/Makefile b/Makefile
index 912012f..507fd78 100644
--- a/Makefile
+++ b/Makefile
@@ -354,6 +354,11 @@ HOST_DEPS = $(sort $(foreach dep,\
 		$($(dep))))
 HOST_SOURCE += $(addsuffix -source,$(sort $(TARGETS_HOST_DEPS) $(HOST_DEPS)))
 
+TARGETS_LEGAL_INFO:=$(patsubst %,%-legal-info,\
+		$(filter-out makedevs,\
+		$(patsubst host-%,%,\
+		$(TARGETS) $(BASE_TARGETS) $(TARGETS_HOST_DEPS) $(HOST_DEPS))))
+
 # all targets depend on the crosscompiler and it's prerequisites
 $(TARGETS_ALL): __real_tgt_%: $(BASE_TARGETS) %
 
@@ -387,7 +392,7 @@ $(O)/toolchainfile.cmake:
 
 .PHONY: all world dirs clean distclean source outputmakefile \
 	$(BASE_TARGETS) $(TARGETS) $(TARGETS_ALL) \
-	$(TARGETS_CLEAN) $(TARGETS_DIRCLEAN) $(TARGETS_SOURCE) \
+	$(TARGETS_CLEAN) $(TARGETS_DIRCLEAN) $(TARGETS_SOURCE) $(TARGETS_LEGAL_INFO) \
 	$(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(STAGING_DIR) $(TARGET_DIR) \
 	$(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR)
 
@@ -497,6 +502,8 @@ source: dirs $(TARGETS_SOURCE) $(HOST_SOURCE)
 external-deps:
 	@$(MAKE) -Bs DL_MODE=SHOW_EXTERNAL_DEPS $(EXTRAMAKEARGS) source | sort -u
 
+legal-info: $(TARGETS_LEGAL_INFO)
+
 show-targets:
 	@echo $(TARGETS)
 
diff --git a/package/Makefile.package.in b/package/Makefile.package.in
index e57bfed..8e73f34 100644
--- a/package/Makefile.package.in
+++ b/package/Makefile.package.in
@@ -512,6 +512,8 @@ ifndef $(2)_SOURCE
  endif
 endif
 
+$(2)_LICENSE			?= unknown
+
 ifndef $(2)_PATCH
  ifdef $(3)_PATCH
   $(2)_PATCH = $($(3)_PATCH)
@@ -651,6 +653,9 @@ $(1)-rsync:		$$($(2)_TARGET_RSYNC)
 $(1)-source:		$$($(2)_TARGET_RSYNC_SOURCE)
 endif
 
+$(1)-legal-info:	$(1)-source
+			@echo -e "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
+
 $(1)-show-depends:
 			@echo $$($(2)_DEPENDENCIES)
 
@@ -694,6 +699,7 @@ $$($(2)_TARGET_PATCH):			PKG=$(2)
 $$($(2)_TARGET_PATCH):			RAWNAME=$(patsubst host-%,%,$(1))
 $$($(2)_TARGET_EXTRACT):		PKG=$(2)
 $$($(2)_TARGET_SOURCE):			PKG=$(2)
+$$($(2)_TARGET_LEGAL_INFO):		PKG=$(2)
 $$($(2)_TARGET_UNINSTALL):		PKG=$(2)
 $$($(2)_TARGET_CLEAN):			PKG=$(2)
 $$($(2)_TARGET_DIRCLEAN):		PKG=$(2)
-- 
1.7.5.4

[Buildroot] [RFC 02/15] legal-info: produce a manifest file with licensing info

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 Makefile                    |   14 +++++++++++---
 package/Makefile.package.in |    4 +++-
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 507fd78..dcff4dd 100644
--- a/Makefile
+++ b/Makefile
@@ -278,6 +278,9 @@ TARGET_DIR:=$(BASE_DIR)/target
 TOOLCHAIN_DIR=$(BASE_DIR)/toolchain
 TARGET_SKELETON=$(TOPDIR)/fs/skeleton
 
+LEGAL_INFO_DIR=$(BASE_DIR)/legal-info
+LEGAL_MANIFEST_CSV=$(LEGAL_INFO_DIR)/manifest.csv
+
 ifeq ($(BR2_CCACHE),y)
 CCACHE:=$(HOST_DIR)/usr/bin/ccache
 CCACHE_CACHE_DIR=$(HOME)/.buildroot-ccache
@@ -363,7 +366,7 @@ TARGETS_LEGAL_INFO:=$(patsubst %,%-legal-info,\
 $(TARGETS_ALL): __real_tgt_%: $(BASE_TARGETS) %
 
 dirs: $(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(STAGING_DIR) $(TARGET_DIR) \
-	$(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR)
+	$(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR) $(LEGAL_INFO_DIR)
 
 $(BASE_TARGETS): dirs $(O)/toolchainfile.cmake
 
@@ -391,6 +394,7 @@ $(O)/toolchainfile.cmake:
 	" > $@
 
 .PHONY: all world dirs clean distclean source outputmakefile \
+	legal-info-prepare-manifest \
 	$(BASE_TARGETS) $(TARGETS) $(TARGETS_ALL) \
 	$(TARGETS_CLEAN) $(TARGETS_DIRCLEAN) $(TARGETS_SOURCE) $(TARGETS_LEGAL_INFO) \
 	$(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(STAGING_DIR) $(TARGET_DIR) \
@@ -402,7 +406,7 @@ $(O)/toolchainfile.cmake:
 # dependencies anywhere else
 #
 #############################################################
-$(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR):
+$(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR) $(LEGAL_INFO_DIR):
 	@mkdir -p $@
 
 $(STAGING_DIR):
@@ -502,7 +506,11 @@ source: dirs $(TARGETS_SOURCE) $(HOST_SOURCE)
 external-deps:
 	@$(MAKE) -Bs DL_MODE=SHOW_EXTERNAL_DEPS $(EXTRAMAKEARGS) source | sort -u
 
-legal-info: $(TARGETS_LEGAL_INFO)
+legal-info-prepare-manifest: $(LEGAL_INFO_DIR)
+	@rm -f $(LEGAL_MANIFEST_CSV)
+	@echo "package,version,license" >$(LEGAL_MANIFEST_CSV)
+
+legal-info: legal-info-prepare-manifest $(TARGETS_LEGAL_INFO)
 
 show-targets:
 	@echo $(TARGETS)
diff --git a/package/Makefile.package.in b/package/Makefile.package.in
index 8e73f34..e117223 100644
--- a/package/Makefile.package.in
+++ b/package/Makefile.package.in
@@ -653,8 +653,10 @@ $(1)-rsync:		$$($(2)_TARGET_RSYNC)
 $(1)-source:		$$($(2)_TARGET_RSYNC_SOURCE)
 endif
 
-$(1)-legal-info:	$(1)-source
+$(1)-legal-info:	$(1)-source $(LEGAL_INFO_DIR)
 			@echo -e "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
+			@echo "$(1),$$($(3)_VERSION),$$($(3)_LICENSE)" \
+				>>$(LEGAL_MANIFEST_CSV)
 
 $(1)-show-depends:
 			@echo $$($(2)_DEPENDENCIES)
-- 
1.7.5.4

[Buildroot] [RFC 03/15] legal-info: save source tarballs for all packages

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 Makefile                    |   11 +++++++----
 package/Makefile.package.in |    3 ++-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index dcff4dd..31fda9a 100644
--- a/Makefile
+++ b/Makefile
@@ -279,6 +279,7 @@ TOOLCHAIN_DIR=$(BASE_DIR)/toolchain
 TARGET_SKELETON=$(TOPDIR)/fs/skeleton
 
 LEGAL_INFO_DIR=$(BASE_DIR)/legal-info
+REDIST_SOURCES_DIR=$(LEGAL_INFO_DIR)/sources
 LEGAL_MANIFEST_CSV=$(LEGAL_INFO_DIR)/manifest.csv
 
 ifeq ($(BR2_CCACHE),y)
@@ -366,7 +367,8 @@ TARGETS_LEGAL_INFO:=$(patsubst %,%-legal-info,\
 $(TARGETS_ALL): __real_tgt_%: $(BASE_TARGETS) %
 
 dirs: $(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(STAGING_DIR) $(TARGET_DIR) \
-	$(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR) $(LEGAL_INFO_DIR)
+	$(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR) $(LEGAL_INFO_DIR) \
+	$(REDIST_SOURCES_DIR)
 
 $(BASE_TARGETS): dirs $(O)/toolchainfile.cmake
 
@@ -406,7 +408,7 @@ $(O)/toolchainfile.cmake:
 # dependencies anywhere else
 #
 #############################################################
-$(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR) $(LEGAL_INFO_DIR):
+$(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR) $(LEGAL_INFO_DIR) $(REDIST_SOURCES_DIR):
 	@mkdir -p $@
 
 $(STAGING_DIR):
@@ -510,7 +512,7 @@ legal-info-prepare-manifest: $(LEGAL_INFO_DIR)
 	@rm -f $(LEGAL_MANIFEST_CSV)
 	@echo "package,version,license" >$(LEGAL_MANIFEST_CSV)
 
-legal-info: legal-info-prepare-manifest $(TARGETS_LEGAL_INFO)
+legal-info: legal-info-prepare-manifest $(REDIST_SOURCES_DIR) $(TARGETS_LEGAL_INFO)
 
 show-targets:
 	@echo $(TARGETS)
@@ -633,7 +635,8 @@ endif
 
 clean:
 	rm -rf $(STAGING_DIR) $(TARGET_DIR) $(BINARIES_DIR) $(HOST_DIR) \
-		$(STAMP_DIR) $(BUILD_DIR) $(TOOLCHAIN_DIR) $(BASE_DIR)/staging
+		$(STAMP_DIR) $(BUILD_DIR) $(TOOLCHAIN_DIR) $(BASE_DIR)/staging \
+		$(LEGAL_INFO_DIR) $(REDIST_SOURCES_DIR)
 
 distclean: clean
 ifeq ($(DL_DIR),$(TOPDIR)/dl)
diff --git a/package/Makefile.package.in b/package/Makefile.package.in
index e117223..0d7e081 100644
--- a/package/Makefile.package.in
+++ b/package/Makefile.package.in
@@ -653,10 +653,11 @@ $(1)-rsync:		$$($(2)_TARGET_RSYNC)
 $(1)-source:		$$($(2)_TARGET_RSYNC_SOURCE)
 endif
 
-$(1)-legal-info:	$(1)-source $(LEGAL_INFO_DIR)
+$(1)-legal-info:	$(1)-source $(LEGAL_INFO_DIR) $(REDIST_SOURCES_DIR)
 			@echo -e "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
 			@echo "$(1),$$($(3)_VERSION),$$($(3)_LICENSE)" \
 				>>$(LEGAL_MANIFEST_CSV)
+			@cp $(DL_DIR)/$$($(3)_SOURCE) $(REDIST_SOURCES_DIR)
 
 $(1)-show-depends:
 			@echo $$($(2)_DEPENDENCIES)
-- 
1.7.5.4

[Buildroot] [RFC 04/15] legal-info: do not copy sources for proprietary packages

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/Makefile.package.in |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/package/Makefile.package.in b/package/Makefile.package.in
index 0d7e081..745cb26 100644
--- a/package/Makefile.package.in
+++ b/package/Makefile.package.in
@@ -657,7 +657,9 @@ $(1)-legal-info:	$(1)-source $(LEGAL_INFO_DIR) $(REDIST_SOURCES_DIR)
 			@echo -e "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
 			@echo "$(1),$$($(3)_VERSION),$$($(3)_LICENSE)" \
 				>>$(LEGAL_MANIFEST_CSV)
+ifneq ($$($(3)_LICENSE),PROPRIETARY)
 			@cp $(DL_DIR)/$$($(3)_SOURCE) $(REDIST_SOURCES_DIR)
+endif
 
 $(1)-show-depends:
 			@echo $$($(2)_DEPENDENCIES)
-- 
1.7.5.4

[Buildroot] [RFC 05/15] mpc: define license

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/mpc/mpc.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/mpc/mpc.mk b/package/mpc/mpc.mk
index e5ee489..949b111 100644
--- a/package/mpc/mpc.mk
+++ b/package/mpc/mpc.mk
@@ -6,6 +6,7 @@
 
 MPC_VERSION = 0.9
 MPC_SITE = http://www.multiprecision.org/mpc/download
+MPC_LICENSE = LGPL_V2.1
 MPC_INSTALL_STAGING = YES
 MPC_DEPENDENCIES = gmp mpfr
 MPC_AUTORECONF = YES
-- 
1.7.5.4

[Buildroot] [RFC 06/15] linux: define license

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 linux/linux.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/linux/linux.mk b/linux/linux.mk
index 5c5a1d2..cb481b1 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -4,6 +4,7 @@
 #
 ###############################################################################
 LINUX_VERSION=$(call qstrip,$(BR2_LINUX_KERNEL_VERSION))
+LINUX_LICENSE = GPL_V2_ONLY
 
 # Compute LINUX_SOURCE and LINUX_SITE from the configuration
 ifeq ($(LINUX_VERSION),custom)
-- 
1.7.5.4

[Buildroot] [RFC 07/15] m4: define license

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/m4/m4.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/m4/m4.mk b/package/m4/m4.mk
index 173bba8..480df7b 100644
--- a/package/m4/m4.mk
+++ b/package/m4/m4.mk
@@ -7,6 +7,7 @@
 M4_VERSION = 1.4.16
 M4_SOURCE = m4-$(M4_VERSION).tar.bz2
 M4_SITE = $(BR2_GNU_MIRROR)/m4
+M4_LICENSE = GPL_V3
 M4_CONF_ENV = gl_cv_func_gettimeofday_clobber=no
 
 ifneq ($(BR2_USE_WCHAR),y)
-- 
1.7.5.4

[Buildroot] [RFC 08/15] busybox: define license

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/busybox/busybox.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index d18b6d0..b3c43d3 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -12,6 +12,7 @@ BUSYBOX_VERSION = $(call qstrip,$(BR2_BUSYBOX_VERSION))
 BUSYBOX_SITE = http://www.busybox.net/downloads
 endif
 BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
+BUSYBOX_LICENSE = GPL_V2_ONLY
 BUSYBOX_BUILD_CONFIG = $(BUSYBOX_DIR)/.config
 # Allows the build system to tweak CFLAGS
 BUSYBOX_MAKE_ENV = $(TARGET_MAKE_ENV) CFLAGS="$(TARGET_CFLAGS) -I$(LINUX_HEADERS_DIR)/include"
-- 
1.7.5.4

[Buildroot] [RFC 09/15] bzip2: define license

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/bzip2/bzip2.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
index d3bb2b0..877cfdf 100644
--- a/package/bzip2/bzip2.mk
+++ b/package/bzip2/bzip2.mk
@@ -7,6 +7,7 @@ BZIP2_VERSION:=1.0.5
 BZIP2_SONAME=1.0.4
 BZIP2_SOURCE:=bzip2-$(BZIP2_VERSION).tar.gz
 BZIP2_SITE:=http://www.bzip.org/$(BZIP2_VERSION)
+BZIP2_LICENSE = BSD
 BZIP2_INSTALL_STAGING=YES
 
 define BZIP2_FIX_MAKEFILE
-- 
1.7.5.4

[Buildroot] [RFC 10/15] directfb: define license

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/directfb/directfb.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/directfb/directfb.mk b/package/directfb/directfb.mk
index 977d272..fb6450c 100644
--- a/package/directfb/directfb.mk
+++ b/package/directfb/directfb.mk
@@ -7,6 +7,7 @@ DIRECTFB_VERSION_MAJOR = 1.4
 DIRECTFB_VERSION = $(DIRECTFB_VERSION_MAJOR).15
 DIRECTFB_SITE = http://www.directfb.org/downloads/Core/DirectFB-$(DIRECTFB_VERSION_MAJOR)
 DIRECTFB_SOURCE = DirectFB-$(DIRECTFB_VERSION).tar.gz
+DIRECTFB_LICENSE = LGPL_V2.1
 DIRECTFB_AUTORECONF = YES
 DIRECTFB_INSTALL_STAGING = YES
 DIRECTFB_CONF_OPT = \
-- 
1.7.5.4

[Buildroot] [RFC 11/15] iostat: define license

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/iostat/iostat.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/iostat/iostat.mk b/package/iostat/iostat.mk
index 83eea07..52b7e08 100644
--- a/package/iostat/iostat.mk
+++ b/package/iostat/iostat.mk
@@ -6,6 +6,7 @@
 
 IOSTAT_VERSION = 2.2
 IOSTAT_SITE = http://www.linuxinsight.com/files
+IOSTAT_LICENSE = GPL_V2
 
 iostat-source: $(DL_DIR)/$(IOSTAT_SOURCE)
 
-- 
1.7.5.4

[Buildroot] [RFC 12/15] lzop: define license

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/lzop/lzop.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/lzop/lzop.mk b/package/lzop/lzop.mk
index 6d1d674..2ef329b 100644
--- a/package/lzop/lzop.mk
+++ b/package/lzop/lzop.mk
@@ -6,6 +6,7 @@
 LZOP_VERSION = 1.03
 LZOP_SOURCE = lzop-$(LZOP_VERSION).tar.gz
 LZOP_SITE = http://www.lzop.org/download/
+LZOP_LICENSE = GPL_V2
 LZOP_DEPENDENCIES = lzo
 
 $(eval $(call AUTOTARGETS))
-- 
1.7.5.4

[Buildroot] [RFC 13/15] tslib: define license

[Luca Ceresoli]

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/tslib/tslib.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/tslib/tslib.mk b/package/tslib/tslib.mk
index 885bd88..b59daaa 100644
--- a/package/tslib/tslib.mk
+++ b/package/tslib/tslib.mk
@@ -5,6 +5,7 @@
 #############################################################
 TSLIB_VERSION = 412d99d8b92c
 TSLIB_SITE = git://github.com/kergoth/tslib.git
+TSLIB_LICENSE = GPL_V2
 TSLIB_AUTORECONF = YES
 TSLIB_INSTALL_STAGING = YES
 TSLIB_INSTALL_STAGING_OPT = DESTDIR=$(STAGING_DIR) LDFLAGS=-L$(STAGING_DIR)/usr/lib install
-- 
1.7.5.4

[Buildroot] [RFC 14/15] foobar: create a fake proprietary package (testing only)

[Luca Ceresoli]

This is only for testing the proprietary package handling, not to be
committed in any serious repository.

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 package/Config.in              |    1 +
 package/foobar/Config.in       |    5 +++++
 package/foobar/foobar.mk       |   13 +++++++++++++
 package/foobar/source/foobar.c |    7 +++++++
 4 files changed, 26 insertions(+), 0 deletions(-)
 create mode 100644 package/foobar/Config.in
 create mode 100644 package/foobar/foobar.mk
 create mode 100644 package/foobar/source/foobar.c

diff --git a/package/Config.in b/package/Config.in
index 65c2a98..d310f9d 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -409,6 +409,7 @@ endmenu
 
 menu "Miscellaneous"
 source "package/shared-mime-info/Config.in"
+source "package/foobar/Config.in"
 endmenu
 
 menu "Networking applications"
diff --git a/package/foobar/Config.in b/package/foobar/Config.in
new file mode 100644
index 0000000..c88da26
--- /dev/null
+++ b/package/foobar/Config.in
@@ -0,0 +1,5 @@
+config BR2_PACKAGE_FOOBAR
+	bool "foobar"
+	default y
+	help
+	  Fake propritary package
diff --git a/package/foobar/foobar.mk b/package/foobar/foobar.mk
new file mode 100644
index 0000000..e2394f8
--- /dev/null
+++ b/package/foobar/foobar.mk
@@ -0,0 +1,13 @@
+#############################################################
+#
+# foobar - just a dummy, fake proprietary package
+#
+#############################################################
+
+FOOBAR_VERSION = 1.2.3.4
+FOOBAR_SOURCE = foobar-$(FOOBAR_VERSION).tar.bz2
+FOOBAR_SITE = package/foobar/source
+FOOBAR_SITE_METHOD = local
+FOOBAR_LICENSE = PROPRIETARY
+
+$(eval $(call GENTARGETS))
diff --git a/package/foobar/source/foobar.c b/package/foobar/source/foobar.c
new file mode 100644
index 0000000..2c375ef
--- /dev/null
+++ b/package/foobar/source/foobar.c
@@ -0,0 +1,7 @@
+#include <stdlib.h>
+
+int main(void)
+{
+  printf("Hello, World!\n");
+  return 0;
+}
-- 
1.7.5.4

[Buildroot] [RFC 15/15] Create a test config (testing only)

[Luca Ceresoli]

This is for testing only, not to be committed in any serious repository

Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
---
 configs/legal_info_test_defconfig |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)
 create mode 100644 configs/legal_info_test_defconfig

diff --git a/configs/legal_info_test_defconfig b/configs/legal_info_test_defconfig
new file mode 100644
index 0000000..ccb2df8
--- /dev/null
+++ b/configs/legal_info_test_defconfig
@@ -0,0 +1,13 @@
+BR2_x86_pentiumpro=y
+BR2_TARGET_GENERIC_GETTY_PORT="tty1"
+BR2_PACKAGE_BZIP2=y
+BR2_PACKAGE_LZOP=y
+BR2_PACKAGE_DIRECTFB=y
+BR2_PACKAGE_IOSTAT=y
+BR2_PACKAGE_KBD=y
+BR2_TARGET_ROOTFS_EXT2=y
+# BR2_TARGET_ROOTFS_TAR is not set
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86/linux-3.2.config"
-- 
1.7.5.4

[Buildroot] [RFC 14/15] foobar: create a fake proprietary package (testing only)

[Diego Iastrubni]

On Sun, Jan 29, 2012 at 5:11 PM, Luca Ceresoli <luca@lucaceresoli.net> wrote:
>
> This is only for testing the proprietary package handling, not to be
> committed in any serious repository.
>
> +FOOBAR_LICENSE = PROPRIETARY
>
> +++ b/package/foobar/source/foobar.c
> @@ -0,0 +1,7 @@
> +#include <stdlib.h>
> +
> +int main(void)
> +{
> + ?printf("Hello, World!\n");
> + ?return 0;
> +}


<sarcasm>
OMG OMG... buildroot is forking into a?proprietary?applications DB...
where is ./ where we need them?
</sarcasm>

/me takes a cup of water and relaxes... ;-)

[Buildroot] [RFC 14/15] foobar: create a fake proprietary package (testing only)

[Michael S. Zick]

On Sun January 29 2012, Diego Iastrubni wrote:
> On Sun, Jan 29, 2012 at 5:11 PM, Luca Ceresoli <luca@lucaceresoli.net> wrote:
> >
> > This is only for testing the proprietary package handling, not to be
> > committed in any serious repository.
> >
> > +FOOBAR_LICENSE = PROPRIETARY
> >
> > +++ b/package/foobar/source/foobar.c
> > @@ -0,0 +1,7 @@
> > +#include <stdlib.h>
> > +
> > +int main(void)
> > +{
> > + ?printf("Hello, World!\n");
> > + ?return 0;
> > +}
> 
> 
> <sarcasm>
> OMG OMG... buildroot is forking into a?proprietary?applications DB...
> where is ./ where we need them?
> </sarcasm>
> 

Perhaps you missed the recently added support for closed source
binary firmware blobs?

<sarcasm>
Your panic threshold setting may have to be tweaked up a bit.
</sarcasm>

If this proposal or something like it is included in the build
system, then those firmware blob licenses could also be handled
with the new bit of infrastructure.

Mike
> /me takes a cup of water and relaxes... ;-)
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
> 
> 

[Buildroot] [RFC 14/15] foobar: create a fake proprietary package (testing only)

[Diego Iastrubni]

Michael,

I think both of us forgot to take the funny pill today.

I always get confused, is it the blue pill.. or red pill...? :)

On Sun, Jan 29, 2012 at 5:50 PM, Michael S. Zick <minimod@morethan.org> wrote:
> On Sun January 29 2012, Diego Iastrubni wrote:
>> On Sun, Jan 29, 2012 at 5:11 PM, Luca Ceresoli <luca@lucaceresoli.net> wrote:
>> >
>> > This is only for testing the proprietary package handling, not to be
>> > committed in any serious repository.
>> >
>> > +FOOBAR_LICENSE = PROPRIETARY
>> >
>> > +++ b/package/foobar/source/foobar.c
>> > @@ -0,0 +1,7 @@
>> > +#include <stdlib.h>
>> > +
>> > +int main(void)
>> > +{
>> > + ?printf("Hello, World!\n");
>> > + ?return 0;
>> > +}
>>
>>
>> <sarcasm>
>> OMG OMG... buildroot is forking into a?proprietary?applications DB...
>> where is ./ where we need them?
>> </sarcasm>
>>
>
> Perhaps you missed the recently added support for closed source
> binary firmware blobs?
>
> <sarcasm>
> Your panic threshold setting may have to be tweaked up a bit.
> </sarcasm>
>
> If this proposal or something like it is included in the build
> system, then those firmware blob licenses could also be handled
> with the new bit of infrastructure.
>
> Mike
>> /me takes a cup of water and relaxes... ;-)
>> _______________________________________________
>> buildroot mailing list
>> buildroot at busybox.net
>> http://lists.busybox.net/mailman/listinfo/buildroot
>>
>>
>
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

[Buildroot] [RFC 14/15] foobar: create a fake proprietary package (testing only)

[Luca Ceresoli]

Hi Michael,

Michael S. Zick wrote:
> On Sun January 29 2012, Diego Iastrubni wrote:
>> On Sun, Jan 29, 2012 at 5:11 PM, Luca Ceresoli<luca@lucaceresoli.net>  wrote:
>>>
> If this proposal or something like it is included in the build
> system, then those firmware blob licenses could also be handled
> with the new bit of infrastructure.


Thanks for pointing out.
I had a look at the linux-firmware module, and it raises some
interesting points for discussion of the compliance stuff in general,
as well as the implementation.

Firstly, linux-firmware is a package composed of different parts with
different licenses.
This makes it hard for BR to handle the legal stuff for this package,
as it should show a different set of licenses depending on which parts
are actually used.
This is not unique of linux-firmware though. binutils has as many as
9 license files in its sources.

Second, I read a few random license files in linux-firmware and most of
them are similar to BSD licenses, in that they require the license text
to be included in the product documentation.
This is why I did not implement the third goal of my RFC, "save the
complete text of all license files that must be included in the product
documentation". It would be far from trivial.
In fact, in a case such as linux-firmare, it would be relatively easy to
copy all the (many) license files, but it would be of limited
usefulness.
The best thing to do would be to copy only the license files for those
parts of the package that are actually used in the product. I think
there's no way to obtain such a feature without a manual work of the
package's .mk creator. This work could probably be limited to packages
with a non-obvious licensing scheme, though.

Luca

[Buildroot] [RFC 00/15] Automatically produce legal compliance info

[Arnout Vandecappelle]

On Sunday 29 January 2012 16:11:33 Luca Ceresoli wrote:
[snip]
>   $ make legal-info
>   busybox  1.19.3       GPL_V2_ONLY
>   bzip2    1.0.5        BSD
>   directfb 1.4.15       LGPL_V2.1
>   foobar   1.2.3.4      PROPRIETARY
>   freetype 2.4.8        unknown
>   iostat   2.2          GPL_V2

 Cool!

>   ...
>   $ cat output/legal-info/manifest.csv 
>   package,version,license
>   busybox,1.19.3,GPL_V2_ONLY
>   bzip2,1.0.5,BSD
>   directfb,1.4.15,LGPL_V2.1
>   foobar,1.2.3.4,PROPRIETARY
>   freetype,2.4.8,unknown
>   iostat,2.2,GPL_V2
>   ...

 Personally I'd have used tabs instead of commas, so it is still
human-readable.  Not sure how non-libreoffice spreadsheets deal with
that, though.

>   $ ls output/legal-info/sources/
>   autoconf-2.65.tar.bz2
>   automake-1.11.1.tar.bz2
>   binutils-2.21.1.tar.bz2
>   busybox-1.19.3.tar.bz2
>   bzip2-1.0.5.tar.gz
>   DirectFB-1.4.15.tar.gz
>   fakeroot_1.9.5.tar.gz
>   freetype-2.4.8.tar.bz2
>   ...

 I think these should be hardlinks instead of copies of the dl 
directory.  You can use 'cp -l', which I believe falls back to
actual copying if the target filesystem doesn't support hardlinks
(although I can't think of a filesystem that supports symlinks but
not hardlinks).

[snip]
> The implementation takes only ~35 lines of code so it should be simple to
> review.

 I'll try to do that the coming days.  Without Reviewed-by tag, since this 
is still RFC.

> 
> Now the long list of open issues.
> 
> The semantics of the _LICENSE variable is still non well defined.
> It might be a generic string (e.g. FOOBAR_LICENSE = modified 3-clause BSD),
> or one from a well-defined list of known licenses.
> The former interpretation is probably the more useful for producing a manifest
> file. The latter might be useful to help an automated implementation of the
> last goal listed above: save the complete text of all license files to a
> directory.

 I would pre-define a number of strings, for which a predefined license
text exists.  The packager should check if the license text is identical,
and attach 'dirty' or something to the name if not.


[snip]
> Copying the source tarball does not currently work for packages with
> _SITE_METHOD equal to local, as there is no tarball associated to it.
 That should be fixed for the final version.

> Other methods, such as file and all versioning systems, are not tested, but
> they should work as there's a tarball in the download dir.
> 
> Non-gentargets and non-autotargets packages are not tested. I guess they need
> a $(PKG)-legal-info target to be defined manually.
 Those packages should be converted anyway.


> It might be useful to remove the output/legal-info dir before populating it,
> to be sure there are no remnants of previous runs. It would not have a big
> additional cost, since the computations and copies must be done anyway.
 I agree.

[snip]

 Regards,
 Arnout

-- 
Arnout Vandecappelle                               arnout at mind be
Senior Embedded Software Architect                 +32-16-286540
Essensium/Mind                                     http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium                BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F

[Buildroot] [RFC 01/15] legal-info: new target to echo basic per-package legal info

[Arnout Vandecappelle]

On Sunday 29 January 2012 16:11:34 Luca Ceresoli wrote:
> Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

> ---
>  Makefile                    |    9 ++++++++-
>  package/Makefile.package.in |    6 ++++++
>  2 files changed, 14 insertions(+), 1 deletions(-)
> 
> diff --git a/Makefile b/Makefile
> index 912012f..507fd78 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -354,6 +354,11 @@ HOST_DEPS = $(sort $(foreach dep,\
>  		$($(dep))))
>  HOST_SOURCE += $(addsuffix -source,$(sort $(TARGETS_HOST_DEPS) $(HOST_DEPS)))
>  
> +TARGETS_LEGAL_INFO:=$(patsubst %,%-legal-info,\
> +		$(filter-out makedevs,\
> +		$(patsubst host-%,%,\
> +		$(TARGETS) $(BASE_TARGETS) $(TARGETS_HOST_DEPS) $(HOST_DEPS))))
> +
 Are we creating the legal info of the target or the SDK here?  If it is
for the target, the host-% are not needed since they are not distributed.
I think there should be a separate command for the SDK's legal info.

[snip]
> +$(1)-legal-info:	$(1)-source
> +			@echo -e "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
> +
 Minor detail: if this patch is separate from the one that saves the source
tarball, the dependency on $(1)-source is unnecessary.

[snip]

 Regards,
 Arnout

-- 
Arnout Vandecappelle                               arnout at mind be
Senior Embedded Software Architect                 +32-16-286540
Essensium/Mind                                     http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium                BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F

[Buildroot] [RFC 02/15] legal-info: produce a manifest file with licensing info

[Arnout Vandecappelle]

On Sunday 29 January 2012 16:11:35 Luca Ceresoli wrote:
> Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

[snip]
>  dirs: $(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(STAGING_DIR) $(TARGET_DIR) \
> -	$(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR)
> +	$(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR) $(LEGAL_INFO_DIR)
 Since legal-info-prepare-manifest already depends on LEGAL_INFO_DIR, this
 is redundant.

[snip]
> +legal-info-prepare-manifest: $(LEGAL_INFO_DIR)
> +	@rm -f $(LEGAL_MANIFEST_CSV)
> +	@echo "package,version,license" >$(LEGAL_MANIFEST_CSV)
> +
 I might be wrong, but I think this won't rebuild the manifest if the
directory already exists.  You'd need a dependency on FORCE (and add the
phony FORCE target).

 Again a minor comment: the clean target is missing here (but it's added
in the next patch).  But for me, the first three patches can be rolled
into one.

> +legal-info: legal-info-prepare-manifest $(TARGETS_LEGAL_INFO)
>  
>  show-targets:
>  	@echo $(TARGETS)
> diff --git a/package/Makefile.package.in b/package/Makefile.package.in
> index 8e73f34..e117223 100644
> --- a/package/Makefile.package.in
> +++ b/package/Makefile.package.in
> @@ -653,8 +653,10 @@ $(1)-rsync:		$$($(2)_TARGET_RSYNC)
>  $(1)-source:		$$($(2)_TARGET_RSYNC_SOURCE)
>  endif
>  
> -$(1)-legal-info:	$(1)-source
> +$(1)-legal-info:	$(1)-source $(LEGAL_INFO_DIR)
>  			@echo -e "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
> +			@echo "$(1),$$($(3)_VERSION),$$($(3)_LICENSE)" \
> +				>>$(LEGAL_MANIFEST_CSV)
 Same here: will the manifest be rebuilt if the directory already exists?

 Regards,
 Arnout

>  
>  $(1)-show-depends:
>  			@echo $$($(2)_DEPENDENCIES)
> 

-- 
Arnout Vandecappelle                               arnout at mind be
Senior Embedded Software Architect                 +32-16-286540
Essensium/Mind                                     http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium                BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F

[Buildroot] [RFC 03/15] legal-info: save source tarballs for all packages

[Arnout Vandecappelle]

On Sunday 29 January 2012 16:11:36 Luca Ceresoli wrote:
> Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
 Darn, I've been adding Reviewed-by tags even though I said I wouldn't :-)

[snip]
> @@ -633,7 +635,8 @@ endif
>  
>  clean:
>  	rm -rf $(STAGING_DIR) $(TARGET_DIR) $(BINARIES_DIR) $(HOST_DIR) \
> -		$(STAMP_DIR) $(BUILD_DIR) $(TOOLCHAIN_DIR) $(BASE_DIR)/staging
> +		$(STAMP_DIR) $(BUILD_DIR) $(TOOLCHAIN_DIR) $(BASE_DIR)/staging \
> +		$(LEGAL_INFO_DIR) $(REDIST_SOURCES_DIR)
 $(REDIST_SOURCES_DIR) is a subdir of $(LEGAL_INFO_DIR), so doesn't need
to be cleaned twice.

>  
>  distclean: clean
>  ifeq ($(DL_DIR),$(TOPDIR)/dl)
> diff --git a/package/Makefile.package.in b/package/Makefile.package.in
> index e117223..0d7e081 100644
> --- a/package/Makefile.package.in
> +++ b/package/Makefile.package.in
> @@ -653,10 +653,11 @@ $(1)-rsync:		$$($(2)_TARGET_RSYNC)
>  $(1)-source:		$$($(2)_TARGET_RSYNC_SOURCE)
>  endif
>  
> -$(1)-legal-info:	$(1)-source $(LEGAL_INFO_DIR)
> +$(1)-legal-info:	$(1)-source $(LEGAL_INFO_DIR) $(REDIST_SOURCES_DIR)
>  			@echo -e "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
>  			@echo "$(1),$$($(3)_VERSION),$$($(3)_LICENSE)" \
>  				>>$(LEGAL_MANIFEST_CSV)
> +			@cp $(DL_DIR)/$$($(3)_SOURCE) $(REDIST_SOURCES_DIR)

 Actually, for local and override packages (of which you said they are not
supported at the moment), $(1)-source should create a tar file.

 Regards,
 Arnout

>  
>  $(1)-show-depends:
>  			@echo $$($(2)_DEPENDENCIES)
> 

-- 
Arnout Vandecappelle                               arnout at mind be
Senior Embedded Software Architect                 +32-16-286540
Essensium/Mind                                     http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium                BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F

[Buildroot] [RFC 00/15] Automatically produce legal compliance info

[Yann E. MORIN]

Luca, All,

On Sunday 29 January 2012 16:11:33 Luca Ceresoli wrote:
> during the latest Buildroot Developers Day in November 2011 and in this
> mailing list there has been some discussion about introducing in Buildroot the
> possibility to derive automatically legally relevant material, such as
> licensing info and source tarballs for open source packages.
> 
> This is a first tentative implementation of these features.
> 
> This code is not yet fully working, but I wanted to share it with you to
> receive some early comments. I also wanted to allow those who will participate
> to the next Buildroot Developer Day next Friday to have an idea of this
> proposal in advance, in case this were object of discussion during the
> meeting.
> 
> My approach is based on the creation of a per-package _LICENSE constant in
> eack .mk file, such as:
>   FOOBAR_LICENSE = GPL_V3
>   MYAPP_LICENSE = PROPRIETARY
> This is the only effort required to the package creator. Where it is not
> specified it defaults to "unknown".
> 
> My overall goal is to add a new 'make legal-info' target that:
>  - produces a manifest file listing all packages, including closed-source ones
>    (and, why not, prints out to stdout the same info);
>  - copies source code tarballs for all non-proprietary packages (although I'm
>    saving also tarballs for BSD-licensed packages for now);
>  - save the complete text of all license files that must be included in the
>    product documentation (typically COPYING and LICENSE files); this is to
>    simplify the work of who must provide these info to documentation writers.
> 
> This patchset implements the first two points, albeit with some issues that I
> discuss below.
> About the third point I devised a few different possible implementations, but
> each of them has relevant drawbacks, so I left this point out for the moment.
> 
> Here's what is currently implmented:
> 
>   $ make legal-info
>   busybox  1.19.3       GPL_V2_ONLY
>   bzip2    1.0.5        BSD
>   directfb 1.4.15       LGPL_V2.1
>   foobar   1.2.3.4      PROPRIETARY
>   freetype 2.4.8        unknown
>   iostat   2.2          GPL_V2
>   ...
>   $ cat output/legal-info/manifest.csv 
>   package,version,license
>   busybox,1.19.3,GPL_V2_ONLY
>   bzip2,1.0.5,BSD
>   directfb,1.4.15,LGPL_V2.1
>   foobar,1.2.3.4,PROPRIETARY
>   freetype,2.4.8,unknown
>   iostat,2.2,GPL_V2
>   ...
>   $ ls output/legal-info/sources/
>   autoconf-2.65.tar.bz2
>   automake-1.11.1.tar.bz2
>   binutils-2.21.1.tar.bz2
>   busybox-1.19.3.tar.bz2
>   bzip2-1.0.5.tar.gz
>   DirectFB-1.4.15.tar.gz
>   fakeroot_1.9.5.tar.gz
>   freetype-2.4.8.tar.bz2
>   ...

That's a pretty nice feature! Great!

However, I can see something missing for GPL/LGPL packages. GPL/LGPL states
that you must also provide "the scripts used to control compilation and
installation of the executable."

Which means that, for packages such as Linux, busybox and uClibc (maybe
others as well), the associated .config file should be bundled as well.

Also, the config/build/install instructions for each GPL/LGPL package
must be provided. This could probably be done by bundling the buildroot
sources too in output/legal-info/sources/, or by leveraging the package
infrastructure to output the executed commands for every packages.

Also, for packages that get patches applied by buildroot, you must make
sure that the tarballs for those packages do contain the pathced code,
or that the patches are bundled as well. From what I see, you currently
only copy the downladed tarballs. Of course, if buildroot is also copied
to the output/legal-info/sources/ the patches will be there.

My 2 cents...

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [RFC 00/15] Automatically produce legal compliance info

[Thomas De Schampheleire]

Hi Luca,

On Tue, Jan 31, 2012 at 11:27 PM, Yann E. MORIN <yann.morin.1998@free.fr> wrote:
> Luca, All,
>
> On Sunday 29 January 2012 16:11:33 Luca Ceresoli wrote:
>> during the latest Buildroot Developers Day in November 2011 and in this
>> mailing list there has been some discussion about introducing in Buildroot the
>> possibility to derive automatically legally relevant material, such as
>> licensing info and source tarballs for open source packages.
>>
>> This is a first tentative implementation of these features.
>>
>> This code is not yet fully working, but I wanted to share it with you to
>> receive some early comments. I also wanted to allow those who will participate
>> to the next Buildroot Developer Day next Friday to have an idea of this
>> proposal in advance, in case this were object of discussion during the
>> meeting.
>>
>> My approach is based on the creation of a per-package _LICENSE constant in
>> eack .mk file, such as:
>> ? FOOBAR_LICENSE = GPL_V3
>> ? MYAPP_LICENSE = PROPRIETARY
>> This is the only effort required to the package creator. Where it is not
>> specified it defaults to "unknown".
>>
>> My overall goal is to add a new 'make legal-info' target that:
>> ?- produces a manifest file listing all packages, including closed-source ones
>> ? ?(and, why not, prints out to stdout the same info);
>> ?- copies source code tarballs for all non-proprietary packages (although I'm
>> ? ?saving also tarballs for BSD-licensed packages for now);
>> ?- save the complete text of all license files that must be included in the
>> ? ?product documentation (typically COPYING and LICENSE files); this is to
>> ? ?simplify the work of who must provide these info to documentation writers.
>>
>> This patchset implements the first two points, albeit with some issues that I
>> discuss below.
>> About the third point I devised a few different possible implementations, but
>> each of them has relevant drawbacks, so I left this point out for the moment.
>>
>> Here's what is currently implmented:
>>
>> ? $ make legal-info
>> ? busybox ?1.19.3 ? ? ? GPL_V2_ONLY
>> ? bzip2 ? ?1.0.5 ? ? ? ?BSD
>> ? directfb 1.4.15 ? ? ? LGPL_V2.1
>> ? foobar ? 1.2.3.4 ? ? ?PROPRIETARY
>> ? freetype 2.4.8 ? ? ? ?unknown
>> ? iostat ? 2.2 ? ? ? ? ?GPL_V2
>> ? ...
>> ? $ cat output/legal-info/manifest.csv
>> ? package,version,license
>> ? busybox,1.19.3,GPL_V2_ONLY
>> ? bzip2,1.0.5,BSD
>> ? directfb,1.4.15,LGPL_V2.1
>> ? foobar,1.2.3.4,PROPRIETARY
>> ? freetype,2.4.8,unknown
>> ? iostat,2.2,GPL_V2
>> ? ...
>> ? $ ls output/legal-info/sources/
>> ? autoconf-2.65.tar.bz2
>> ? automake-1.11.1.tar.bz2
>> ? binutils-2.21.1.tar.bz2
>> ? busybox-1.19.3.tar.bz2
>> ? bzip2-1.0.5.tar.gz
>> ? DirectFB-1.4.15.tar.gz
>> ? fakeroot_1.9.5.tar.gz
>> ? freetype-2.4.8.tar.bz2
>> ? ...
>
> That's a pretty nice feature! Great!
>
> However, I can see something missing for GPL/LGPL packages. GPL/LGPL states
> that you must also provide "the scripts used to control compilation and
> installation of the executable."
>
> Which means that, for packages such as Linux, busybox and uClibc (maybe
> others as well), the associated .config file should be bundled as well.
>
> Also, the config/build/install instructions for each GPL/LGPL package
> must be provided. This could probably be done by bundling the buildroot
> sources too in output/legal-info/sources/, or by leveraging the package
> infrastructure to output the executed commands for every packages.
>
> Also, for packages that get patches applied by buildroot, you must make
> sure that the tarballs for those packages do contain the pathced code,
> or that the patches are bundled as well. From what I see, you currently
> only copy the downladed tarballs. Of course, if buildroot is also copied
> to the output/legal-info/sources/ the patches will be there.

I agree with Yann: I think we should package buildroot itself as well.

In fact, I think we should:
- make distclean
- create the manifest
- download all needed sources
- run a pre-legal-package script for customization
- create a .tar file with the whole

The pre-legal-package script (whatever the name) is similar to the
post-build script, and allows projects to modify certain things. For
example, modify the defconfig to disable some proprietary things that
are not useful or usable by the customer.

Also, I think the DL_DIR setting should be modified so that it points
to the location where the source tarballs are downloaded. This way,
the customer can directly use these sources from that location when
re-building buildroot.

I haven't done a technical review of your patches, but I went through
them and agree with the principle. Thanks for posting them before the
developer day, it will certainly help the discussion!

Best regards,
Thomas

[Buildroot] [RFC 01/15] legal-info: new target to echo basic per-package legal info

[Luca Ceresoli]

Hi Arnout,
thanks for the review.

Arnout Vandecappelle wrote:
> On Sunday 29 January 2012 16:11:34 Luca Ceresoli wrote:
>> Signed-off-by: Luca Ceresoli<luca@lucaceresoli.net>
> Reviewed-by: Arnout Vandecappelle (Essensium/Mind)<arnout@mind.be>
>
>> ---
>>   Makefile                    |    9 ++++++++-
>>   package/Makefile.package.in |    6 ++++++
>>   2 files changed, 14 insertions(+), 1 deletions(-)
>>
>> diff --git a/Makefile b/Makefile
>> index 912012f..507fd78 100644
>> --- a/Makefile
>> +++ b/Makefile
>> @@ -354,6 +354,11 @@ HOST_DEPS = $(sort $(foreach dep,\
>>   		$($(dep))))
>>   HOST_SOURCE += $(addsuffix -source,$(sort $(TARGETS_HOST_DEPS) $(HOST_DEPS)))
>>
>> +TARGETS_LEGAL_INFO:=$(patsubst %,%-legal-info,\
>> +		$(filter-out makedevs,\
>> +		$(patsubst host-%,%,\
>> +		$(TARGETS) $(BASE_TARGETS) $(TARGETS_HOST_DEPS) $(HOST_DEPS))))
>> +
>   Are we creating the legal info of the target or the SDK here?  If it is
> for the target, the host-% are not needed since they are not distributed.
> I think there should be a separate command for the SDK's legal info.

The intent was to save also the SDK (toolchain), except it does not
currently work.
But this raises a more high-level question about what we want to save
here: target packages, host packages (toolchain and others), BR sources,
BR .config? I think the right answer is "all of them", but I've put it
on my list of issues to be discussed in the BDD.

>
> [snip]
>> +$(1)-legal-info:	$(1)-source
>> +			@echo -e "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
>> +
>   Minor detail: if this patch is separate from the one that saves the source
> tarball, the dependency on $(1)-source is unnecessary.

Ops, this is the result of the massive rebases I did before posting.
Moved to the right patch, thanks.

Luca

[Buildroot] [RFC 02/15] legal-info: produce a manifest file with licensing info

[Luca Ceresoli]

Arnout Vandecappelle wrote:
> On Sunday 29 January 2012 16:11:35 Luca Ceresoli wrote:
>> Signed-off-by: Luca Ceresoli<luca@lucaceresoli.net>
> Reviewed-by: Arnout Vandecappelle (Essensium/Mind)<arnout@mind.be>
>
> [snip]
>>   dirs: $(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(STAGING_DIR) $(TARGET_DIR) \
>> -	$(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR)
>> +	$(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR) $(LEGAL_INFO_DIR)
>   Since legal-info-prepare-manifest already depends on LEGAL_INFO_DIR, this
>   is redundant.

I used to think some Buildroot user might want to 'make dirs'. I
understand this is pretty useless, so I'll remove it.

>
> [snip]
>> +legal-info-prepare-manifest: $(LEGAL_INFO_DIR)
>> +	@rm -f $(LEGAL_MANIFEST_CSV)
>> +	@echo "package,version,license">$(LEGAL_MANIFEST_CSV)
>> +
>   I might be wrong, but I think this won't rebuild the manifest if the
> directory already exists.  You'd need a dependency on FORCE (and add the
> phony FORCE target).

It is rebuilt because legal-info-prepare-manifest is PHONY.

>
>   Again a minor comment: the clean target is missing here (but it's added
> in the next patch).  But for me, the first three patches can be rolled
> into one.

I could move the clean target to the 2nd patch, but actually this
maintenance burden is quite annoying, and is going to be even more since
this patchset will definitely have further changes.

Anybody has something against squashing the first 3 or 4 patches as
Arnout suggests?

>
>> +legal-info: legal-info-prepare-manifest $(TARGETS_LEGAL_INFO)
>>
>>   show-targets:
>>   	@echo $(TARGETS)
>> diff --git a/package/Makefile.package.in b/package/Makefile.package.in
>> index 8e73f34..e117223 100644
>> --- a/package/Makefile.package.in
>> +++ b/package/Makefile.package.in
>> @@ -653,8 +653,10 @@ $(1)-rsync:		$$($(2)_TARGET_RSYNC)
>>   $(1)-source:		$$($(2)_TARGET_RSYNC_SOURCE)
>>   endif
>>
>> -$(1)-legal-info:	$(1)-source
>> +$(1)-legal-info:	$(1)-source $(LEGAL_INFO_DIR)
>>   			@echo -e "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
>> +			@echo "$(1),$$($(3)_VERSION),$$($(3)_LICENSE)" \
>> +				>>$(LEGAL_MANIFEST_CSV)
>   Same here: will the manifest be rebuilt if the directory already exists?

It is rebuilt as well because $(1)-info-prepare-manifest is PHONY.

Luca

[Buildroot] [RFC 03/15] legal-info: save source tarballs for all packages

[Luca Ceresoli]

Arnout Vandecappelle wrote:
> On Sunday 29 January 2012 16:11:36 Luca Ceresoli wrote:
>> Signed-off-by: Luca Ceresoli<luca@lucaceresoli.net>
>   Darn, I've been adding Reviewed-by tags even though I said I wouldn't :-)
>
> [snip]
>> @@ -633,7 +635,8 @@ endif
>>
>>   clean:
>>   	rm -rf $(STAGING_DIR) $(TARGET_DIR) $(BINARIES_DIR) $(HOST_DIR) \
>> -		$(STAMP_DIR) $(BUILD_DIR) $(TOOLCHAIN_DIR) $(BASE_DIR)/staging
>> +		$(STAMP_DIR) $(BUILD_DIR) $(TOOLCHAIN_DIR) $(BASE_DIR)/staging \
>> +		$(LEGAL_INFO_DIR) $(REDIST_SOURCES_DIR)
>   $(REDIST_SOURCES_DIR) is a subdir of $(LEGAL_INFO_DIR), so doesn't need
> to be cleaned twice.

You're right.
Again a remnant of my initial drafts, when the two subdirs ere not one
inside the other...

>
>>
>>   distclean: clean
>>   ifeq ($(DL_DIR),$(TOPDIR)/dl)
>> diff --git a/package/Makefile.package.in b/package/Makefile.package.in
>> index e117223..0d7e081 100644
>> --- a/package/Makefile.package.in
>> +++ b/package/Makefile.package.in
>> @@ -653,10 +653,11 @@ $(1)-rsync:		$$($(2)_TARGET_RSYNC)
>>   $(1)-source:		$$($(2)_TARGET_RSYNC_SOURCE)
>>   endif
>>
>> -$(1)-legal-info:	$(1)-source $(LEGAL_INFO_DIR)
>> +$(1)-legal-info:	$(1)-source $(LEGAL_INFO_DIR) $(REDIST_SOURCES_DIR)
>>   			@echo -e "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
>>   			@echo "$(1),$$($(3)_VERSION),$$($(3)_LICENSE)" \
>>   				>>$(LEGAL_MANIFEST_CSV)
>> +			@cp $(DL_DIR)/$$($(3)_SOURCE) $(REDIST_SOURCES_DIR)
>
>   Actually, for local and override packages (of which you said they are not
> supported at the moment), $(1)-source should create a tar file.

Yes, this is another point in my TODO list. I have a few implementation
options to choose from.

Luca

[Buildroot] [RFC 00/15] Automatically produce legal compliance info

[Luca Ceresoli]

Yann, Thomas,
thanks for your follow-ups.

Thomas De Schampheleire wrote:
>>
>> However, I can see something missing for GPL/LGPL packages. GPL/LGPL states
>> that you must also provide "the scripts used to control compilation and
>> installation of the executable."
>>
>> Which means that, for packages such as Linux, busybox and uClibc (maybe
>> others as well), the associated .config file should be bundled as well.
>>
>> Also, the config/build/install instructions for each GPL/LGPL package
>> must be provided. This could probably be done by bundling the buildroot
>> sources too in output/legal-info/sources/, or by leveraging the package
>> infrastructure to output the executed commands for every packages.
>>
>> Also, for packages that get patches applied by buildroot, you must make
>> sure that the tarballs for those packages do contain the pathced code,
>> or that the patches are bundled as well. From what I see, you currently
>> only copy the downladed tarballs. Of course, if buildroot is also copied
>> to the output/legal-info/sources/ the patches will be there.
>
> I agree with Yann: I think we should package buildroot itself as well.
>
> In fact, I think we should:
> - make distclean
> - create the manifest
> - download all needed sources
> - run a pre-legal-package script for customization
> - create a .tar file with the whole
>
> The pre-legal-package script (whatever the name) is similar to the
> post-build script, and allows projects to modify certain things. For
> example, modify the defconfig to disable some proprietary things that
> are not useful or usable by the customer.
>
> Also, I think the DL_DIR setting should be modified so that it points
> to the location where the source tarballs are downloaded. This way,
> the customer can directly use these sources from that location when
> re-building buildroot.
>
> I haven't done a technical review of your patches, but I went through
> them and agree with the principle. Thanks for posting them before the
> developer day, it will certainly help the discussion!

I think the best way is to just package BR itself in the legal-info
subdir. I'll have to check if/how it is feasible.
I'd also copy the current .config, which IMHO is part of the "scripts
used to control compilation".

OTOH I don't think a pre-legal-package script would be a good idea, as
it would easily allow to trick and create a fake GPL-compliant release.
In other words, what I use for building must go directly in the stuff
to be released.

Luca

[Buildroot] [RFC 02/15] legal-info: produce a manifest file with licensing info

[Thomas Petazzoni]

Le Wed, 01 Feb 2012 22:29:55 +0100,
Luca Ceresoli <luca@lucaceresoli.net> a ?crit :

> Anybody has something against squashing the first 3 or 4 patches as
> Arnout suggests?

No, I think it's ok to have them squashed together, as long as the
commit log in sufficiently long to explain how the implementation works.

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com

[Buildroot] [RFC 02/15] legal-info: produce a manifest file with licensing info

[Thomas De Schampheleire]

On Wed, Feb 1, 2012 at 10:29 PM, Luca Ceresoli <luca@lucaceresoli.net> wrote:
> Arnout Vandecappelle wrote:
>>
>> On Sunday 29 January 2012 16:11:35 Luca Ceresoli wrote:
>>>
>>> Signed-off-by: Luca Ceresoli<luca@lucaceresoli.net>
>>
>> Reviewed-by: Arnout Vandecappelle (Essensium/Mind)<arnout@mind.be>
>>
>> [snip]
>>>
>>> ?dirs: $(DL_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR) $(STAGING_DIR)
>>> $(TARGET_DIR) \
>>> - ? ? ? $(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR)
>>> + ? ? ? $(HOST_DIR) $(BINARIES_DIR) $(STAMP_DIR) $(LEGAL_INFO_DIR)
>>
>> ?Since legal-info-prepare-manifest already depends on LEGAL_INFO_DIR, this
>> ?is redundant.
>
>
> I used to think some Buildroot user might want to 'make dirs'. I
> understand this is pretty useless, so I'll remove it.

For $(LEGAL_INFO_DIR), there isn't a real problem since you indeed put
it as a dependency elsewhere, which means that the directory will be
created anyway.
In other cases, like downloading packages, there is no such explicit
dependency on $(DL_DIR), and there may be certain scenarios that you
need to do 'make dirs' explicitly. One such scenario is when the first
downloaded package is not handled by wget (which creates the DL_DIR
automatically) but with e.g. git download.

>
>
>>
>> [snip]
>>>
>>> +legal-info-prepare-manifest: $(LEGAL_INFO_DIR)
>>> + ? ? ? @rm -f $(LEGAL_MANIFEST_CSV)
>>> + ? ? ? @echo "package,version,license">$(LEGAL_MANIFEST_CSV)
>>> +
>>
>> ?I might be wrong, but I think this won't rebuild the manifest if the
>> directory already exists. ?You'd need a dependency on FORCE (and add the
>> phony FORCE target).
>
>
> It is rebuilt because legal-info-prepare-manifest is PHONY.
>
>
>>
>> ?Again a minor comment: the clean target is missing here (but it's added
>> in the next patch). ?But for me, the first three patches can be rolled
>> into one.
>
>
> I could move the clean target to the 2nd patch, but actually this
> maintenance burden is quite annoying, and is going to be even more since
> this patchset will definitely have further changes.
>
> Anybody has something against squashing the first 3 or 4 patches as
> Arnout suggests?
>

No problem for me.

>
>>
>>> +legal-info: legal-info-prepare-manifest $(TARGETS_LEGAL_INFO)
>>>
>>> ?show-targets:
>>> ? ? ? ?@echo $(TARGETS)
>>> diff --git a/package/Makefile.package.in b/package/Makefile.package.in
>>> index 8e73f34..e117223 100644
>>> --- a/package/Makefile.package.in
>>> +++ b/package/Makefile.package.in
>>> @@ -653,8 +653,10 @@ $(1)-rsync: ? ? ? ? ? ? ? ?$$($(2)_TARGET_RSYNC)
>>> ?$(1)-source: ? ? ? ? ?$$($(2)_TARGET_RSYNC_SOURCE)
>>> ?endif
>>>
>>> -$(1)-legal-info: ? ? ? $(1)-source
>>> +$(1)-legal-info: ? ? ? $(1)-source $(LEGAL_INFO_DIR)
>>> ? ? ? ? ? ? ? ? ? ? ? ?@echo -e
>>> "$(1)\t$$($(3)_VERSION)\t$$($(3)_LICENSE)"
>>> + ? ? ? ? ? ? ? ? ? ? ? @echo "$(1),$$($(3)_VERSION),$$($(3)_LICENSE)" \
>>> + ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? >>$(LEGAL_MANIFEST_CSV)
>>
>> ?Same here: will the manifest be rebuilt if the directory already exists?
>
>
> It is rebuilt as well because $(1)-info-prepare-manifest is PHONY.
>
> Luca
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

[Buildroot] [RFC 00/15] Automatically produce legal compliance info

[Thomas De Schampheleire]

On Wed, Feb 1, 2012 at 10:47 PM, Luca Ceresoli <luca@lucaceresoli.net> wrote:
> Yann, Thomas,
> thanks for your follow-ups.
>
>
> Thomas De Schampheleire wrote:
>>>
>>>
>>> However, I can see something missing for GPL/LGPL packages. GPL/LGPL
>>> states
>>> that you must also provide "the scripts used to control compilation and
>>> installation of the executable."
>>>
>>> Which means that, for packages such as Linux, busybox and uClibc (maybe
>>> others as well), the associated .config file should be bundled as well.
>>>
>>> Also, the config/build/install instructions for each GPL/LGPL package
>>> must be provided. This could probably be done by bundling the buildroot
>>> sources too in output/legal-info/sources/, or by leveraging the package
>>> infrastructure to output the executed commands for every packages.
>>>
>>> Also, for packages that get patches applied by buildroot, you must make
>>> sure that the tarballs for those packages do contain the pathced code,
>>> or that the patches are bundled as well. From what I see, you currently
>>> only copy the downladed tarballs. Of course, if buildroot is also copied
>>> to the output/legal-info/sources/ the patches will be there.
>>
>>
>> I agree with Yann: I think we should package buildroot itself as well.
>>
>> In fact, I think we should:
>> - make distclean
>> - create the manifest
>> - download all needed sources
>> - run a pre-legal-package script for customization
>> - create a .tar file with the whole
>>
>> The pre-legal-package script (whatever the name) is similar to the
>> post-build script, and allows projects to modify certain things. For
>> example, modify the defconfig to disable some proprietary things that
>> are not useful or usable by the customer.
>>
>> Also, I think the DL_DIR setting should be modified so that it points
>> to the location where the source tarballs are downloaded. This way,
>> the customer can directly use these sources from that location when
>> re-building buildroot.
>>
>> I haven't done a technical review of your patches, but I went through
>> them and agree with the principle. Thanks for posting them before the
>> developer day, it will certainly help the discussion!
>
>
> I think the best way is to just package BR itself in the legal-info
> subdir. I'll have to check if/how it is feasible.
> I'd also copy the current .config, which IMHO is part of the "scripts
> used to control compilation".
>
> OTOH I don't think a pre-legal-package script would be a good idea, as
> it would easily allow to trick and create a fake GPL-compliant release.
> In other words, what I use for building must go directly in the stuff
> to be released.

I don't think we should attempt a guaranteed GPL-compliant release. We
have no control over what someone did with its buildroot repository,
whether or not they modified the LICENSE variables etc. A malicious
company will be able to create a non-compliant tarball in many ways.
By modifying buildroot itself, by using a pre-legal-package script,
but also by post-processing the tarball. It's not something we should
try to guard against IMO.

Moreover, I think there are valid use cases. For example, in our case,
we build a proprietary package from within buildroot. This means we
need the sources available. A customer shouldn't get these sources.
But our .config or defconfig does enable the package. As a result, if
the customer does 'make', there will be an attempt to find the
proprietary sources, and the build will fail.
A pre-legal-package script could make such modifications to the
defconfig file: disable the proprietary packages.
Another use cas is where the pre-legal-package script could copy in
binary proprietary applications from elsewhere.
Or add a README file specific for the project.
Or maybe modify the login banner to indicate in the target image that
this is no official release, but one built by the customer.
Or ...

None of these are attempts to trick the customer or to be deviant from
GPL or other license obligations.

Best regards,
Thomas

[Buildroot] [RFC 00/15] Automatically produce legal compliance info

[Luca Ceresoli]

Thomas De Schampheleire wrote:
>> I think the best way is to just package BR itself in the legal-info
>> subdir. I'll have to check if/how it is feasible.
>> I'd also copy the current .config, which IMHO is part of the "scripts
>> used to control compilation".
>>
>> OTOH I don't think a pre-legal-package script would be a good idea, as
>> it would easily allow to trick and create a fake GPL-compliant release.
>> In other words, what I use for building must go directly in the stuff
>> to be released.
>
> I don't think we should attempt a guaranteed GPL-compliant release. We
> have no control over what someone did with its buildroot repository,
> whether or not they modified the LICENSE variables etc. A malicious
> company will be able to create a non-compliant tarball in many ways.
> By modifying buildroot itself, by using a pre-legal-package script,
> but also by post-processing the tarball. It's not something we should
> try to guard against IMO.
>
> Moreover, I think there are valid use cases. For example, in our case,
> we build a proprietary package from within buildroot. This means we
> need the sources available. A customer shouldn't get these sources.
> But our .config or defconfig does enable the package. As a result, if
> the customer does 'make', there will be an attempt to find the
> proprietary sources, and the build will fail.
> A pre-legal-package script could make such modifications to the
> defconfig file: disable the proprietary packages.
> Another use cas is where the pre-legal-package script could copy in
> binary proprietary applications from elsewhere.
> Or add a README file specific for the project.
> Or maybe modify the login banner to indicate in the target image that
> this is no official release, but one built by the customer.
> Or ...
>
> None of these are attempts to trick the customer or to be deviant from
> GPL or other license obligations.

After having slept on it, and after your clarifications, I think you're
probably right.

On one hand, it's not feasible to have Buildroot enforce a compliant
release, and I would not take the risk of saying it does even if it did.

On the other hand, there are ways a pre-legal-package script may be
useful, as your examples demonstrate.

By the law you must release the sources, but not necessarily make them
straightforward to use. So to fulfill legal obligations you probably
don't need such a script (provided that BR can package all the code that
must be released).

But there are also FOSS-friendly device vendors that might want to sell
a product with some proprietary software on them, while releasing the
open-source part in a way that is fully usable except for the absence
of the proprietary parts.

Bottom line: I think the script you suggest would be useful, but non
strictly necessary. So I consider it something that might be added
later, unless it's a simple addition to the current patchset.
I'd prefer to keep the first patchset thin, for better review/discussion
and to ease Peter's integration work.

Luca

[Buildroot] [RFC 00/15] Automatically produce legal compliance info

[Thomas De Schampheleire]

Hi Luca,

On Thu, Feb 2, 2012 at 10:27 AM, Luca Ceresoli <luca@lucaceresoli.net> wrote:
> Thomas De Schampheleire wrote:
>>>
>>> I think the best way is to just package BR itself in the legal-info
>>> subdir. I'll have to check if/how it is feasible.
>>> I'd also copy the current .config, which IMHO is part of the "scripts
>>> used to control compilation".
>>>
>>> OTOH I don't think a pre-legal-package script would be a good idea, as
>>> it would easily allow to trick and create a fake GPL-compliant release.
>>> In other words, what I use for building must go directly in the stuff
>>> to be released.
>>
>>
>> I don't think we should attempt a guaranteed GPL-compliant release. We
>> have no control over what someone did with its buildroot repository,
>> whether or not they modified the LICENSE variables etc. A malicious
>> company will be able to create a non-compliant tarball in many ways.
>> By modifying buildroot itself, by using a pre-legal-package script,
>> but also by post-processing the tarball. It's not something we should
>> try to guard against IMO.
>>
>> Moreover, I think there are valid use cases. For example, in our case,
>> we build a proprietary package from within buildroot. This means we
>> need the sources available. A customer shouldn't get these sources.
>> But our .config or defconfig does enable the package. As a result, if
>> the customer does 'make', there will be an attempt to find the
>> proprietary sources, and the build will fail.
>> A pre-legal-package script could make such modifications to the
>> defconfig file: disable the proprietary packages.
>> Another use cas is where the pre-legal-package script could copy in
>> binary proprietary applications from elsewhere.
>> Or add a README file specific for the project.
>> Or maybe modify the login banner to indicate in the target image that
>> this is no official release, but one built by the customer.
>> Or ...
>>
>> None of these are attempts to trick the customer or to be deviant from
>> GPL or other license obligations.
>
>
> After having slept on it, and after your clarifications, I think you're
> probably right.
>
> On one hand, it's not feasible to have Buildroot enforce a compliant
> release, and I would not take the risk of saying it does even if it did.
>
> On the other hand, there are ways a pre-legal-package script may be
> useful, as your examples demonstrate.
>
> By the law you must release the sources, but not necessarily make them
> straightforward to use. So to fulfill legal obligations you probably
> don't need such a script (provided that BR can package all the code that
> must be released).
>
> But there are also FOSS-friendly device vendors that might want to sell
> a product with some proprietary software on them, while releasing the
> open-source part in a way that is fully usable except for the absence
> of the proprietary parts.
>
> Bottom line: I think the script you suggest would be useful, but non
> strictly necessary. So I consider it something that might be added
> later, unless it's a simple addition to the current patchset.
> I'd prefer to keep the first patchset thin, for better review/discussion
> and to ease Peter's integration work.

Ok, I understand.
Let's keep the script out of the patchset for now. We can add it later.

Best regards,
Thomas