
Licences and Security in a Yocto Build (Part 1 - Licences)

Understanding licence manifests in a Yocto build and extracting package licence information

When building a system that makes use of Open Source Software, it is vital to know what your licence obligations are. Beyond the common decency of respecting the wishes of the author of that software, it is also a legal requirement: the licence is the set of terms and conditions by which you are agreeing to be bound when you distribute the software.

If you are using the Yocto Project as your build system, then you will probably know that every recipe declares a LICENSE variable. Whenever you build an image, bitbake populates build/tmp/deploy/licenses/ with one directory per recipe that has been built, containing copies of the licence texts the recipe points at (the files listed in LIC_FILES_CHKSUM, plus the generic text for each named licence) and a small recipeinfo file recording the LICENSE, PV and PR values.

What it will also do is create a licence manifest for the entire system in:

build/tmp/deploy/licenses/<IMAGE_NAME>-<MACHINE_NAME>/license.manifest

The <IMAGE_NAME>-<MACHINE_NAME> directory is a symbolic link to the latest build; each build also gets its own timestamped directory of the form <IMAGE_NAME>-<MACHINE_NAME>-YYYYMMDDHHMMSS, which is useful if you want to keep historical records of what shipped in each image.

The Manifest Format

The license.manifest file contains a stanza for each package installed in the image root filesystem (build-time-only tools and packages that were built but not installed do not appear), with the following fields:

PACKAGE NAME:
PACKAGE VERSION:
RECIPE NAME:
LICENSE:

Here is an example with a couple of real entries:

PACKAGE NAME: binutils
PACKAGE VERSION: 2.35.1
RECIPE NAME: binutils
LICENSE: GPLv3

PACKAGE NAME: bluez5
PACKAGE VERSION: 5.55
RECIPE NAME: bluez5
LICENSE: GPLv2+ & LGPLv2.1+

Some of the key things to note are:

  • Each stanza is separated by a blank line.
  • A particular package and package version may have more than one licence. In the LICENSE field, & means that all of the listed licences apply, while | means the licensee may choose one of the alternatives, and parentheses group the expression.
  • The names are whatever the recipe author wrote in LICENSE; bitbake only cross-checks them against the licence text in the source via LIC_FILES_CHKSUM, so a typo or an unusual spelling in a recipe will appear verbatim here. Newer Yocto releases (4.0 "kirkstone" onwards) use SPDX identifiers such as GPL-3.0-only and GPL-2.0-or-later instead of the GPLv3 and GPLv2+ style shown above, so a parser should not hard-code one spelling.

Making the Data Useful

While this is a useful data set, what most of my customers actually want is a spreadsheet or table of packages and licences that they can include in their documentation.

To help with that, I wrote a small Python script that parses the manifest file and outputs either:

  • A list of packages and their licences
  • A list of licences and which packages use them

The source for this can be found in the Yocto Licence Parser repository on GitHub:

https://github.com/ming4real/yocto-licence-parser
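As an added example of both the manifest format described above and the two views the script produces (packages with their licences, and licences with the packages that use them), here is a small stand-alone parser. It is written for this article and is not the code from the repository linked above. The SAMPLE_MANIFEST text is constructed for the example: the binutils and bluez5 stanzas mirror the ones shown earlier, and the two "libexample" stanzas are invented to exercise the | choice operator and parenthesised grouping. The script also accepts a real license.manifest path on the command line.

```python
"""Parse a Yocto license.manifest into package->licence and licence->package views."""
import csv
import io
import re
import sys
from collections import defaultdict

# Constructed sample in the license.manifest layout (not output of a real build).
# binutils and bluez5 mirror the article; the libexample stanzas are made up to
# exercise the '|' (choice) operator and parenthesised LICENSE expressions.
SAMPLE_MANIFEST = """\
PACKAGE NAME: binutils
PACKAGE VERSION: 2.35.1
RECIPE NAME: binutils
LICENSE: GPLv3

PACKAGE NAME: bluez5
PACKAGE VERSION: 5.55
RECIPE NAME: bluez5
LICENSE: GPLv2+ & LGPLv2.1+

PACKAGE NAME: libexample
PACKAGE VERSION: 1.2.3
RECIPE NAME: example
LICENSE: MIT | BSD-3-Clause

PACKAGE NAME: libexample-tools
PACKAGE VERSION: 1.2.3
RECIPE NAME: example
LICENSE: (MIT | BSD-3-Clause) & Zlib
"""

# Manifest field labels mapped to the dict keys used below.
FIELDS = {
    "PACKAGE NAME": "name",
    "PACKAGE VERSION": "version",
    "RECIPE NAME": "recipe",
    "LICENSE": "license",
}

# A LICENSE value is an expression: identifiers joined by '&' (all apply) or
# '|' (licensee chooses one), optionally grouped with parentheses.
_TOKEN = re.compile(r"[()&|]|[^\s()&|]+")


def licence_identifiers(expr):
    """Return the distinct licence identifiers in a LICENSE expression, in order."""
    seen = []
    for tok in _TOKEN.findall(expr):
        if tok in "()&|":          # operator or grouping, not a licence name
            continue
        if tok not in seen:
            seen.append(tok)
    return seen


def parse_manifest(text):
    """Parse license.manifest text into a list of dicts, one per package stanza.

    Stanzas are separated by blank lines; each must carry all four fields.
    Unknown lines or incomplete stanzas raise ValueError rather than being
    silently dropped, so a damaged manifest cannot yield a too-short report.
    """
    entries = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if not sep or key.strip() not in FIELDS:
                raise ValueError(f"unexpected manifest line: {line!r}")
            entry[FIELDS[key.strip()]] = value.strip()
        missing = set(FIELDS.values()) - entry.keys()
        if missing:
            raise ValueError(f"stanza for {entry.get('name', '?')} lacks {sorted(missing)}")
        entry["identifiers"] = licence_identifiers(entry["license"])
        entry["choice"] = "|" in entry["license"]   # flag for manual review
        entries.append(entry)
    return entries


def packages_by_licence(entries):
    """Invert the manifest: licence identifier -> sorted package names using it."""
    index = defaultdict(set)
    for e in entries:
        for ident in e["identifiers"]:
            index[ident].add(e["name"])
    return {ident: sorted(pkgs) for ident, pkgs in sorted(index.items())}


def packages_csv(entries):
    """Render the package -> licence view as CSV text for a documentation table."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["package", "version", "recipe", "licence", "choice"])
    for e in entries:
        writer.writerow([e["name"], e["version"], e["recipe"], e["license"],
                         "yes" if e["choice"] else "no"])
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a path such as build/tmp/deploy/licenses/<image>-<machine>/license.manifest
    # to parse a real manifest; with no argument the constructed sample is used.
    manifest = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    parsed = parse_manifest(manifest)
    print(packages_csv(parsed))
    for licence, packages in packages_by_licence(parsed).items():
        print(f"{licence}: {', '.join(packages)}")
```

The licence-to-package view lists every identifier that appears in an expression, including each alternative of a | choice, so a package offered under MIT | BSD-3-Clause shows up under both; the choice column in the CSV marks those rows so someone can record which option was actually taken. Because the identifiers are taken verbatim from the manifest, a GPLv3 and a GPL-3.0-only entry would be counted as two different licences, which is exactly the kind of inconsistency you want to surface rather than hide.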