License compliance for embedded Linux devices with Buildroot (Luca Ceresoli) [FOSDEM 2020]


Buildroot has some tools that help with license compliance.

Buildroot is an embedded Linux build system. It collects the sources of the packages you need and generates images (kernel, rootfs, etc.) that can be put on a target device. It also builds the host tools that are used to create the images.

Since you pull in open source packages, you need to comply with their licenses. Some packages are permissively licensed. Although you don’t have to worry about redistributing their source code, you (almost always) still have to credit the authors and provide the license text. Copyleft packages have the additional requirement to redistribute the source.

To make things worse, some licenses are incompatible with each other, which basically means it becomes impossible to distribute a program that combines code under those licenses.

So, what do you need to do for compliance? At the very least, you need to include the license text of all packages. In addition, for copyleft packages, you need to provide the source code. And for GPL, the source code includes the scripts used in building, so the build system itself.

Buildroot provides a command that helps with this: make legal-info. It collects all the license files and source tarballs, including patches, of all the packages. A manifest file specifies for each package what licenses it has (in short form) and the names of the tarball, patches and license files. A similar file exists for host tools.

For proprietary software, it is possible to set PACKAGE_REDISTRIBUTE = NO (with PACKAGE replaced by the package’s name) to make sure the source is not copied into the output when running make legal-info.

This tool doesn’t block you from using a package with an undesired license. It also doesn’t block you or warn you if you combine incompatible licenses. However, it does give you all the material you need to start on license compliance.
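
Because make legal-info does not enforce any policy itself, a check over its manifest can be run after the build. The script below is an added example, not part of the talk or of Buildroot: it flags packages whose license is not on an allow-list. The column names, the sample rows, the package names libfoo, libbar and vendor-blob, and the allow-list are all assumptions constructed for illustration; compare them with the manifest your own build generates. It does not analyse license compatibility.

```python
import csv
import io
import re

# Constructed sample; the column names are an assumption, check your own manifest.
SAMPLE_MANIFEST = '''"PACKAGE","VERSION","LICENSE","LICENSE FILES","SOURCE ARCHIVE"
"busybox","1.31.1","GPL-2.0","LICENSE","busybox-1.31.1.tar.bz2"
"zlib","1.2.11","Zlib","README","zlib-1.2.11.tar.xz"
"libfoo","1.0","LGPL-2.1+ (library), GPL-3.0+ (programs)","COPYING","libfoo-1.0.tar.gz"
"libbar","2.3","MIT or GPL-3.0+","LICENSE","libbar-2.3.tar.gz"
"vendor-blob","0.9","unknown","not saved","vendor-blob-0.9.tar.gz"
'''

# Hypothetical company policy: licenses that may ship on the device.
ALLOWED = {"GPL-2.0", "GPL-2.0+", "LGPL-2.1+", "MIT", "Zlib", "BSD-3-Clause"}


def license_terms(field):
    """Split a LICENSE cell into terms; each term is a list of 'or' alternatives."""
    field = re.sub(r"\([^)]*\)", "", field)  # drop notes such as "(library)"
    terms = []
    for part in field.split(","):  # comma: every listed license applies
        alts = [a.strip() for a in re.split(r"\s+or\s+", part.strip()) if a.strip()]
        if alts:
            terms.append(alts)
    return terms


def audit_manifest(csv_text, allowed):
    """Return (package, term) pairs where no alternative of the term is allowed."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        terms = license_terms(row["LICENSE"])
        if not terms:  # an empty cell is treated as a finding, not as a pass
            findings.append((row["PACKAGE"], "<empty>"))
        for alts in terms:
            # A dual-licensed ("or") term passes if any one alternative is allowed.
            if not any(a in allowed for a in alts):
                findings.append((row["PACKAGE"], " or ".join(alts)))
    return findings


if __name__ == "__main__":
    for package, term in audit_manifest(SAMPLE_MANIFEST, ALLOWED):
        print(f"{package}: license not on allow-list: {term}")
```

Run against a real manifest by reading the file into a string and passing it to audit_manifest; a non-empty result can fail the CI job.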