Brussels / 4 & 5 February 2023


A complete compliance toolchain for Yocto projects

(even very large ones, yes)

Presenting the toolchain that we have created for Eclipse Oniro, we believe the single largest compliance effort by many metrics ever attempted for Yocto projects, featuring besides than the usual suspects (Fossology, Scancode, SPDX, BANG, Gitlab CI) some specifically developed tools, including a dashboard, aliens4friends, a graph database to map dependencies and license incompatibilities, a license resolver and way more.

Yocto has (as a recent addition) its own facilities to create a SBOM. We worked on some complements that need to be added to consume it for all bells and whistles of a full OpenChain conformant software composition analysis. We have created a way to preserve this information throughout the entire process of creating a build and can demonstrate how it is possible to uniquely identify each and every file that goes into the final image, resolve each binary file license from a large mix of diversely licensed source files, find the dependencies, find potential incompatibilities and reuse this information by sharing it publicly. This for a project whose base of data and number of vetted licenses,files and packages is very large (one would say "huge"). Therefore, what we regard as an unprecedented amount of automation had to be put to work.


Photo of Carlo Piana Carlo Piana
Photo of Alberto Pianon Alberto Pianon