This article is the Day 19 entry of the OpenChain Advent Calendar.
Using SW360 and SPDX Lite, which are under ongoing discussion in the Automotive OSS community at OpenChain, I will introduce a method that lets anyone easily check the software used by AGL (Automotive Grade Linux). The contents of this article will also be presented at the OpenChain booth in the AGL demo booth at CES 2020. OpenChain and AGL Collaborate to Facilitate Open Source Compliance in Automotive Production
AGL releases software twice a year, and the latest software, Icefish RC3 (v8.99.3), is being prepared for the official release at the beginning of the year. See this page for the AGL release notes. The pre-built software is also publicly available, and from the license.manifest that is output when Yocto is built (-demo-platform-crosssdk-qemuarm64-20191206223152 / license.manifest), you can check what kind of software is used in AGL, as follows.
PACKAGE VERSION: master+gitAUTOINC+82a9d79621
RECIPE NAME: af-binder
LICENSE: Apache-2.0
In this way you can check the following for each package:
· package name
· version
· license
However, AGL uses about 1,500 to 1,600 pieces of software, and checking license.manifest by hand is difficult, so I would like to make it possible for anyone to easily check the AGL release software using SW360 / SPDX Lite.
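To make the manifest check concrete, here is an added example (not code from the original article, AGL or Yocto) that parses license.manifest stanzas, exports them as CSV and counts packages per license. The `PACKAGE NAME` field and the blank-line stanza separation are assumptions based on the usual Yocto manifest layout, and every sample entry except af-binder is constructed.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample; only the af-binder values come from the article. The layout
# (blank-line-separated stanzas, PACKAGE NAME field) is assumed from Yocto's format.
SAMPLE_MANIFEST = """\
PACKAGE NAME: af-binder
PACKAGE VERSION: master+gitAUTOINC+82a9d79621
RECIPE NAME: af-binder
LICENSE: Apache-2.0

PACKAGE NAME: example-lib
PACKAGE VERSION: 1.0
RECIPE NAME: example-lib
LICENSE: GPLv2 & LGPLv2.1

PACKAGE NAME: example-tool
PACKAGE VERSION: 2.3
"""

FIELDS = ("PACKAGE NAME", "PACKAGE VERSION", "RECIPE NAME", "LICENSE")

def parse_manifest(text):
    """Return one dict per stanza; fields absent from a stanza become ''."""
    entries = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        entry = dict.fromkeys(FIELDS, "")
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() in FIELDS:
                entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def license_counts(entries):
    """Count packages per license name, splitting '&' and '|' expressions."""
    counts = Counter()
    for e in entries:
        counts.update(re.findall(r"[^&|()\s]+", e["LICENSE"]) or ["(missing)"])
    return counts

def to_csv(entries):
    """Render the entries as CSV text for review in a spreadsheet."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(entries)
    return out.getvalue()
```

Packages counted under `(missing)` are the ones to review first, since a stanza without a LICENSE line cannot be checked from the manifest alone.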
Since the SPDX files are meant to be imported into SW360 and used there, use meta-spdxscanner to create SPDX files from the AGL release software. With SW360, SPDX Lite can be output using SW360tools, so anyone can easily check the AGL software using Excel.
AGL already supports meta-spdxscanner, as the following manifest entry shows:
<project name="dl9pf/meta-spdxscanner" path="external/meta-spdxscanner" remote="github" revision="483f79e66eb76b0f1bebe1e3a0a0327b0ba59f16" upstream="thud"/>
Set up the fossdriver used by meta-spdxscanner. Please refer to the Day 10 article for the setup method. After the setup is completed, edit local.conf by referring to https://github.com/dl9pf/meta-spdxscanner, run bitbake, and output the SPDX file.
$ bitbake package_name -c spdx # will generate spdx of a specified package
After setting up the environment, import the generated SPDX file into SW360.
When the import is completed, the software imported to SW360 will be displayed.
By using SW360tools, you can select which SPDX items to output, and you can output them in CSV format, narrowed down to only the necessary information, as in SPDX Lite.
Even in an environment where SW360 cannot be used, the output file can easily be viewed in Excel at any time.
Although this was a hurried introduction, the following is what I felt to be a problem when using it at an actual development site.
- The time to output SPDX using meta-spdxscanner is longer than the build time of bitbake, and there is a problem in incorporating it into CI.
- When importing SPDX files to SW360, if the number of files exceeds 100, a freeze may occur during reading.
- Maintenance of the Dockerfile is delayed, and it costs money to build the environment.
I think there are other operational issues, but I would like to accumulate achievements while gradually giving feedback in open places such as AGL.
Tomorrow's article will be about "Points to keep in mind when building an OSS compliance system". Mr. Nonaka, a partner attorney at DLA Piper who also participates in the Promotion SWG, will be in charge.