| Message ID | 1536186133-9933-3-git-send-email-angelo.compagnucci@gmail.com |
|---|---|
| State | Rejected |
| Headers | show |
| Series | Add tainting support to buildroot | expand |
Angelo, All, On 2018-09-06 00:22 +0200, Angelo Compagnucci spake thusly: > From: Angelo Compagnucci <angelo@amarulasolutions.com> > > Adding documentation about the usage of LIBFOO_TAINTS and > "make check-tainted". > > Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com> > Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com> > --- > docs/manual/adding-packages-generic.txt | 6 ++++++ > docs/manual/legal-notice.txt | 12 ++++++++++++ > 2 files changed, 18 insertions(+) > > diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt > index 7be1754..6495157 100644 > --- a/docs/manual/adding-packages-generic.txt > +++ b/docs/manual/adding-packages-generic.txt > @@ -445,6 +445,12 @@ not and can not work as people would expect it should: > to let you know, and +not saved+ will appear in the +license files+ field > of the manifest file for this package. > > +* +LIBFOO_TAINTS+ shoud be set to YES if a package taints a Buildroot > + configuration. A Buildroot configuration is tainted when a packages uses > + external dependencies for which Buildroot cannot clearly recover licensing > + informations. If a configuration is tainted, it means that the licensing > + information produced by +make legal-info+ could not be accurate. In your cover-letter, you said: FOO_TAINTS [...] can be used to signal that a package harms the reproducibility or licensing under certain conditions. But here, you only consider the licensing problem. As I already explained in my reply to the cover letter, I believe the licensing problem is already covered by the existing licensing infrastructure: FOO_LICENSE := $(FOO_LICENSE), Unknown (unreproducible external data) (which is a bit different but better than what I suggested in the cover letter.) Regards, Yann E. MORIN. > * +LIBFOO_ACTUAL_SOURCE_TARBALL+ only applies to packages whose > +LIBFOO_SITE+ / +LIBTOO_SOURCE+ pair points to an archive that does > not actually contain source code, but binary code. This a very > diff --git a/docs/manual/legal-notice.txt b/docs/manual/legal-notice.txt > index 6975328..7fde09a 100644 > --- a/docs/manual/legal-notice.txt > +++ b/docs/manual/legal-notice.txt > @@ -73,6 +73,18 @@ distribution is required). > When you run +make legal-info+, Buildroot produces warnings in the +README+ > file to inform you of relevant material that could not be saved. > > +Furthermore, a Buildroot configuration could be tainted from a package that uses > +some custom external dependencies from the Buildroot tree. An example could be > +a package manager for a software stack that downloads the required dependencies > +during the building of a package. In such cases, Buildroot cannot check the > +licensing of the downloaded software and thus giving accurate licensing > +informations. > +To check if your configuration is tainted, run: > + > +-------------------- > +make check-tainted > +-------------------- > + > Finally, keep in mind that the output of +make legal-info+ is based on > declarative statements in each of the packages recipes. The Buildroot > developers try to do their best to keep those declarative statements as > -- > 2.7.4 > > _______________________________________________ > buildroot mailing list > buildroot@busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot
diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt index 7be1754..6495157 100644 --- a/docs/manual/adding-packages-generic.txt +++ b/docs/manual/adding-packages-generic.txt @@ -445,6 +445,12 @@ not and can not work as people would expect it should: to let you know, and +not saved+ will appear in the +license files+ field of the manifest file for this package. +* +LIBFOO_TAINTS+ shoud be set to YES if a package taints a Buildroot + configuration. A Buildroot configuration is tainted when a packages uses + external dependencies for which Buildroot cannot clearly recover licensing + informations. If a configuration is tainted, it means that the licensing + information produced by +make legal-info+ could not be accurate. + * +LIBFOO_ACTUAL_SOURCE_TARBALL+ only applies to packages whose +LIBFOO_SITE+ / +LIBTOO_SOURCE+ pair points to an archive that does not actually contain source code, but binary code. This a very diff --git a/docs/manual/legal-notice.txt b/docs/manual/legal-notice.txt index 6975328..7fde09a 100644 --- a/docs/manual/legal-notice.txt +++ b/docs/manual/legal-notice.txt @@ -73,6 +73,18 @@ distribution is required). When you run +make legal-info+, Buildroot produces warnings in the +README+ file to inform you of relevant material that could not be saved. +Furthermore, a Buildroot configuration could be tainted from a package that uses +some custom external dependencies from the Buildroot tree. An example could be +a package manager for a software stack that downloads the required dependencies +during the building of a package. In such cases, Buildroot cannot check the +licensing of the downloaded software and thus giving accurate licensing +informations. +To check if your configuration is tainted, run: + +-------------------- +make check-tainted +-------------------- + Finally, keep in mind that the output of +make legal-info+ is based on declarative statements in each of the packages recipes. The Buildroot developers try to do their best to keep those declarative statements as