Inquiry Regarding License Compatibility in OpenEmbedded Meta-Security Layer #selinux #yocto #qt5 #kernel #hardknott #bitbake #dunfell #gplv3 #imx8 #linux

Inquiry Regarding License Compatibility in OpenEmbedded Meta-Security Layer #selinux #yocto #qt5 #kernel #hardknott #bitbake #dunfell #gplv3 #imx8 #linux

[cheerala.rohith]

[-- Attachment #1: Type: text/plain, Size: 1108 bytes --]

I am reaching out to seek clarification regarding the license compatibility within theOpenEmbedded *Meta-Security layer* , particularly in relation to the presence of *LGPL, GPL 2.0 and GPL 3.0* licenses and the ambiguity in the license information of the ClamAV tool and other Security tools in meta-security layer.

We have noticed that the meta-security layer within the OpenEmbedded project contains several components with LGPL, GPL 2.0 and GPL 3.0 licenses. Additionally, there is ambiguity regarding the license information for the *ClamAV* tool, as the OpenEmbedded recipe documentation indicates it is LGPL ( https://layers.openembedded.org/layerindex/recipe/32867/ ), while the ClamAV documentation specifies GPL 2.0 ( https://github.com/Cisco-Talos/clamav ).

1. Please clarify on the ambiguity of license information for recipes and whether these recipes can be integrated into commercial products that necessitates strict adherence to licensing requirements.
2. Which license will apply to the Image that is bitbaked with openembedded recipes? will the license be *MIT as Yocto project.*

[-- Attachment #2: Type: text/html, Size: 1255 bytes --]

Re: [yocto] Inquiry Regarding License Compatibility in OpenEmbedded Meta-Security Layer #selinux #yocto #qt5 #kernel #hardknott #bitbake #dunfell #gplv3 #imx8 #linux

[Alexander Kanavin]

On Tue, 23 May 2023 at 13:30, <cheerala.rohith@spacelabs.com> wrote:
>
> I am reaching out to seek clarification regarding the license compatibility within theOpenEmbedded Meta-Security layer, particularly in relation to the presence of LGPL, GPL 2.0 and GPL 3.0 licenses and the ambiguity in the license information of the ClamAV tool and other Security tools in meta-security layer.
>
> We have noticed that the meta-security layer within the OpenEmbedded project contains several components with LGPL, GPL 2.0 and GPL 3.0 licenses. Additionally, there is ambiguity regarding the license information for the ClamAV tool, as the OpenEmbedded recipe documentation indicates it is LGPL ( https://layers.openembedded.org/layerindex/recipe/32867/ ), while the ClamAV documentation specifies GPL 2.0 ( https://github.com/Cisco-Talos/clamav ).

I believe this is incorrectly written in the openembedded recipe and
the component is indeed GPL 2.0. CC Armin.

> 1. Please clarify on the ambiguity of license information for recipes and whether these recipes can be integrated into commercial products that necessitates strict adherence to licensing requirements.
> 2. Which license will apply to the Image that is bitbaked with openembedded recipes? will the license be MIT as Yocto project.

We do need to fix the clamav recipe to provide correct metadata (it
seems like a simple mistake in an isolated recipe), but otherwise
these are the questions for your company's legal department, not the
open source community. The community does not offer legal advice, but
we do know that a lot of successful products are shipped that are
built using Yocto project, and presumbly companies are able to handle
legal risks and requirements.

The image will contain code under many different licenses coming from
components such as clamav, and if you ship it in a product, you must
fulfil the requirements of all those licenses.

Alex

Re: [yocto] Inquiry Regarding License Compatibility in OpenEmbedded Meta-Security Layer #selinux #yocto #qt5 #kernel #hardknott #bitbake #dunfell #gplv3 #imx8 #linux

[Ross Burton]

Alex replied to most of the points already but I want to make this very clear.

On 23 May 2023, at 12:30, cheerala.rohith via lists.yoctoproject.org <cheerala.rohith=spacelabs.com@lists.yoctoproject.org> wrote:
> 2. Which license will apply to the Image that is bitbaked with openembedded recipes? will the license be MIT as Yocto project.

Yocto/OpenEmbedded’s base license of MIT refers to *the license of the recipes themselves*. It has no impact on the built images, that is entirely down to the licenses of the components.

Ross

Re: [yocto] Inquiry Regarding License Compatibility in OpenEmbedded Meta-Security Layer #selinux #yocto #qt5 #kernel #hardknott #bitbake #dunfell #gplv3 #imx8 #linux

[akuster808]

On 5/23/23 7:53 AM, Alexander Kanavin wrote:
> On Tue, 23 May 2023 at 13:30, <cheerala.rohith@spacelabs.com> wrote:
>> I am reaching out to seek clarification regarding the license compatibility within theOpenEmbedded Meta-Security layer, particularly in relation to the presence of LGPL, GPL 2.0 and GPL 3.0 licenses and the ambiguity in the license information of the ClamAV tool and other Security tools in meta-security layer.
>>
>> We have noticed that the meta-security layer within the OpenEmbedded project contains several components with LGPL, GPL 2.0 and GPL 3.0 licenses. Additionally, there is ambiguity regarding the license information for the ClamAV tool, as the OpenEmbedded recipe documentation indicates it is LGPL ( https://layers.openembedded.org/layerindex/recipe/32867/ ), while the ClamAV documentation specifies GPL 2.0 ( https://github.com/Cisco-Talos/clamav ).
> I believe this is incorrectly written in the openembedded recipe and
> the component is indeed GPL 2.0. CC Armin.

Yes indeed its incorrect. Patches welcome.

-armin
>> 1. Please clarify on the ambiguity of license information for recipes and whether these recipes can be integrated into commercial products that necessitates strict adherence to licensing requirements.
>> 2. Which license will apply to the Image that is bitbaked with openembedded recipes? will the license be MIT as Yocto project.
> We do need to fix the clamav recipe to provide correct metadata (it
> seems like a simple mistake in an isolated recipe), but otherwise
> these are the questions for your company's legal department, not the
> open source community. The community does not offer legal advice, but
> we do know that a lot of successful products are shipped that are
> built using Yocto project, and presumbly companies are able to handle
> legal risks and requirements.
>
> The image will contain code under many different licenses coming from
> components such as clamav, and if you ship it in a product, you must
> fulfil the requirements of all those licenses.
>
> Alex