Open Source license compliance
Nearly all software is controlled by a license, even Open Source software. The RidgeRun SDK makes it easier to comply with Open Source license requirements by:
- Providing an easy-to-find license file for each Open Source package included with the SDK
- Easily generating a source file tarball for all the Open Source packages that are enabled when you build your product's firmware image.
Two of the new features added to RidgeRun's SDK are Open Source package license support and Open Source source code tarball generation. The first consists of an additional XML file in each downloaded Open Source package, plus a tool that parses all these files and generates an HTML license file. The second creates a tarball with the source code of all the enabled Open Source packages.
Package License support
Package license support creates html files based on the information from the copyrights.xml file associated with each enabled Open Source package. The license files are created manually by RidgeRun for each package. The license file includes the following information, with some of the information being optional:
- Package name.
- Release date: this is the date on which the package version was published. (Optional)
- Manufacturer: This is the company that develops it. In the case that you don't know the manufacturer, you can write the official web page link of the package.
- Summary: Brief description of the package.
- Link: Official web page of the package or manufacturer.
- Download Link: the link where the package can be downloaded. It is used only for packages that need special treatment. (Optional)
- Issues: here you can write the link for the bug reports. (Optional)
- License type: this is the type of the package license, for example: MIT license, BSD license, LGPL license.
- License link: web page link for the license.
- License text: here you have to copy the license for this package.
An example of this license file can be seen below:
<?xml version="1.0" encoding="UTF-8"?>
<component>
  <name>Boost C++ Libraries</name>
  <version>1.52.0</version>
  <releaseDate>11.05.12</releaseDate>
  <manufacturer>Boost.org</manufacturer>
  <summary>The Boost C++ Libraries are a collection of free libraries that extend the functionality of C++.</summary>
  <link>official web page/</link>
  <issues>
    <link><![CDATA[bug reports link]]></link>
  </issues>
  <license type="BSL-1.0">
    <link>License Link</link>
    <text>
<![CDATA[Boost Software License - Version 1.0 - August 17th, 2003

Permission is hereby granted, free of charge, to any person or organization
obtaining a copy of the software and accompanying documentation covered by
this license (the "Software") to use, reproduce, display, distribute,
execute, and transmit the Software, and to prepare derivative works of the
Software, and to permit third-parties to whom the Software is furnished to
do so, all subject to the following:

The copyright notices in the Software and this entire statement, including
the above license grant, this restriction and the following disclaimer,
must be included in all copies of the Software, in whole or in part, and
all derivative works of the Software, unless such copies or derivative
works are solely in the form of machine-executable object code generated by
a source language processor.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
]]>
    </text>
  </license>
</component>
RidgeRun created the copyrights.xml file by reading the LICENSE and README files in the src directory of each package. When the Open Source package didn't contain all the needed information, RidgeRun used on-line resources to make the license file as accurate as possible.
- Proprietary: non-standard license which requires a notice in the software description.
- Private: non-standard license which must not be published.
- RidgeRun: these are added to RidgeRun packages.
When the SDK is built, the build process creates the html license files based on the copyrights.xml files. The xml parser tool takes all the license files, reads the information, and creates the following files:
- copyrights.html: shows the complete information of every package.
- copyrigths-pico.html: shows the package name, version and the official web page link.
- copyrights-short.xml: shows the package name, version, summary, official web page link and the license type.
- soup.html: shows a chart with basic software documentation.
- summary.html: shows the package name, version, web page link, license type and the summary.
- table.html: displays a table with the following information: component, version, license type, URL of the package, and the issues link.
These html files are created in the following folder:
If you want to create the html files without building the entire SDK, run the following commands:
cd $DEVDIR
make copyrights
Open source tarball generation
This feature creates a tarball with all the package source code that needs to be made available to persons who receive a binary version of the built code. The tarball contains all the packages that have an open source license. For every package, the tarball will include:
- Source code after the patches have been applied
- Patch series file
The tarball contains the following packages:
- All the applications that have an open source license
- The glibc package of the toolchain
To figure out which packages need to be included, the RidgeRun SDK parses all the copyrights.xml files and reads the license type. If the license is proprietary or private, the package is excluded from the tarball, otherwise it is included.
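The inclusion rule above, sketched in Python as an added example; this is not RidgeRun's parser tool. It assumes the excluded license types appear in the `type` attribute as "Proprietary" and "Private" (matched case-insensitively), and it adds a hypothetical "review" bucket for files with missing fields so that an incomplete copyrights.xml is not silently included.

```python
import xml.etree.ElementTree as ET

# Assumption: literal type strings for the two excluded license classes.
EXCLUDED_TYPES = {"proprietary", "private"}
# Fields the page lists without marking them optional.
REQUIRED = ("name", "manufacturer", "summary", "link")

def read_component(xml_text):
    """Return (info, problems) for one copyrights.xml document."""
    root = ET.fromstring(xml_text)
    info = {tag: (root.findtext(tag) or "").strip() for tag in REQUIRED + ("version",)}
    lic = root.find("license")
    info["license_type"] = (lic.get("type") or "").strip() if lic is not None else ""
    problems = [f"missing <{t}>" for t in REQUIRED if not info[t]]
    if not info["license_type"]:
        problems.append("missing license type")
    elif not (lic.findtext("text") or "").strip():
        problems.append("missing license text")
    return info, problems

def classify(xml_docs):
    """Split packages into tarball members, excluded packages and ones needing review."""
    include, exclude, review = [], [], []
    for xml_text in xml_docs:
        info, problems = read_component(xml_text)
        if problems:
            review.append((info["name"], problems))   # do not guess on incomplete data
        elif info["license_type"].lower() in EXCLUDED_TYPES:
            exclude.append(info["name"])              # proprietary/private: keep out
        else:
            include.append(info["name"])              # everything else ships source
    return include, exclude, review

def _doc(name, lic_type):
    """Build a constructed sample copyrights.xml (not real package data)."""
    lic = (f'<license type="{lic_type}"><link>License Link</link>'
           f"<text><![CDATA[License text here]]></text></license>") if lic_type else ""
    return (f"<component><name>{name}</name><version>1.0</version>"
            f"<manufacturer>Example</manufacturer><summary>Constructed sample</summary>"
            f"<link>official web page</link>{lic}</component>")

SAMPLES = [_doc("boost", "BSL-1.0"), _doc("vendor-codec", "Proprietary"),
           _doc("internal-tool", "Private"), _doc("mystery-lib", None)]

if __name__ == "__main__":
    for label, bucket in zip(("include", "exclude", "review"), classify(SAMPLES)):
        print(label, bucket)
```
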
To create the Open Source source code tarball, run the following command:
cd $DEVDIR
make sourcedistro
Run this target before the SDK has been built, so that the tarball includes only the necessary information and not the files generated when the packages are built.
The tarball will be saved in the file: