Also this year a speech of ours has been accepted at Fosdem 2023. This time around we have applied to the Software Bill of Material Devroom with a title “A complete compliance toolchain for Yocto projects (even very large ones, yes)“.
The event is going to be a live one. We look forward to meet you therefore at ULB in Brussels on February 5th.
Presenting the toolchain that we have created for Eclipse Oniro, we believe the single largest compliance effort by many metrics ever attempted for Yocto projects, featuring besides than the usual suspects (Fossology, Scancode, SPDX, BANG, Gitlab CI) some specifically developed tools, including a dashboard, aliens4friends, a graph database to map dependencies and license incompatibilities, a license resolver and way more.
Yocto has (as a recent addition) its own facilities to create a SBOM. We worked on some complements that need to be added to consume it for all bells and whistles of a full OpenChain conformant software composition analysis. We have created a way to preserve this information throughout the entire process of creating a build and can demonstrate how it is possible to uniquely identify each and every file that goes into the final image, resolve each binary file license from a large mix of diversely licensed source files, find the dependencies, find potential incompatibilities and reuse this information by sharing it publicly. This for a project whose base of data and number of vetted licenses,files and packages is very large (one would say “huge”). Therefore, what we regard as an unprecedented amount of automation had to be put to work.
The link at the event is available at