
A complete compliance toolchain for Yocto projects

Formal Metadata

Title
A complete compliance toolchain for Yocto projects
Subtitle
(even very large ones, yes)
Series title
Number of parts
542
Author
License
CC Attribution 2.0 Belgium:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unaltered or altered form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Publication year
Language

Content Metadata

Subject area
Genre
Abstract
We present the toolchain that we have created for Eclipse Oniro, which we believe is, by many metrics, the single largest compliance effort ever attempted for a Yocto project. Besides the usual suspects (Fossology, Scancode, SPDX, BANG, GitLab CI), it features some specifically developed tools, including a dashboard, aliens4friends, a graph database to map dependencies and license incompatibilities, a license resolver, and much more. Yocto has (as a recent addition) its own facilities to create an SBOM; we worked on the complements needed to consume it with all the bells and whistles of a fully OpenChain-conformant software composition analysis. We have created a way to preserve this information throughout the entire build process and can demonstrate how it is possible to uniquely identify each and every file that goes into the final image, resolve the license of each binary file from a large mix of diversely licensed source files, find the dependencies, find potential incompatibilities, and reuse this information by sharing it publicly. This is for a project whose base of data and number of vetted licenses, files and packages is very large (one would say "huge"). Therefore, what we regard as an unprecedented amount of automation had to be put to work.