OSPO-ready Yocto Projects: the data you didn't know to have
12-01, 13:15–13:45 (UTC), Langdale

Your company's OSPO would really enjoy to have many datapoints ready for consumption, for detecting inbound and outbound license incompatibilities at file level, generating detailed SBOM for firmware images with file-level license metadata, automatically identify offending binary files in IP compliance litigation cases and so on.

A PoC showcasing these features has been created via a dynamic representation of a Yocto project SBOM in a graph database, starting from upstream sources, down to workdir sources, debug sources, and finally to binary files and libraries, with very simple graph queries.

By collecting single file checksums at some stages of the build process (do_fetch, do_unpack, do_patch, do_package) it is possible to build a graph database with a set of relationships ("generated_from", "patch_applied_to", includes", "copy_of", "runtime_dependency_of", etc.). Combined with file-level license data available for upstream sources (coming from your project's audit team working on Fossology, or from other trusted online sources like ClearlyDefined) this graph database allows to perform many automated compliance checks that otherwise, at least in a Yocto environment, could be performed only manually (non-scalable, error-prone, etc.). The generation and the consumption of the graph database happens outside Yocto (current R&D implementation uses ArangoDB) while file checksum calculation might happen inside Yocto at build time. Oniro Compliance R&D Team developed a POC of the graph database (including a dynamic and browseable graphic representation) that will be showcased and proposed as a viable direction to make Yocto OSPO-ready. Also, some ways to implement it in Yocto will be presented.

See also: Ospo-Ready Yocto Projects - slides (5.1 MB)

Project Lead of the Eclipse Oniro Compliance Toolchain project.

Experienced IT Lawyer, skilled in Data Privacy, Privacy Law, Intellectual Property, Cyberlaw, and Copyright Law.
Member of the Legal Network of the FSFE. More than 10 years of experience in open source licensing and compliance, especially in the embedded/IoT field. Intermediate programming skills (python, php, java, C/C++); 5 years of experience in designing and developing compliance automation software tools for embedded projects, integrated in CI/CD pipelines.

Martin Rabanser is a business and technology consultant. In his 20+ years experience he has been a trainer for research groups for the CERN middleware gLite, has co-created the exponential growth in a tourism focused tech startup and led the technological directions as CTO in different companies and joint ventures.
Now he is coaching and supporting companies, startups and institutions to get their technological projects done and successful.