Gentoo Archives: gentoo-embedded

From: Peter Stuge <peter@×××××.se>
To: gentoo-embedded@l.g.o
Subject: Re: [gentoo-embedded] Licence compliance - capturing all source files used to make a build?
Date: Thu, 01 Mar 2012 21:08:53
In Reply to: Re: [gentoo-embedded] Licence compliance - capturing all source files used to make a build? by Ed W
Ed W wrote:
>>> Whilst I guess it should be possible to tear apart catalyst and find out
>>> how they do it, does anyone happen to know or have a heads up on the code
>>> for catalyst?
>>
>> The catalyst code has no part in this, but it takes a portage snapshot
>> as one of its inputs, and if you maintain a custom snapshot (with
>> only packages you need) then you know what gets used.
>
> But not all the patches are in the portage tree? Trivial example might
> be the kernel where the ebuild is tiny and references an http location
> for the patches?

Then you would change the kernel ebuild in your snapshot, so that it becomes self-contained. For the specific example of the kernel you could of course just pick vanilla-sources, but the issue is real.

> My understanding is that for a GPL licence one should provide a
> copy of these patches in the "code dump", not just an http link?
> Is that your understanding?

I think your understanding is incomplete, and I recommend that you read through the license again. There isn't just a single way to provide the source, but yes, if you have downloaded and included a patch in your binary, then you have to provide that patch yourself, because if you refer to someone else and they stop providing the patch you would no longer be in compliance.

> So by implication it's not clear that catalyst does satisfy your GPL
> requirements for distribution?

I never said it did. I said that it helps with some things.

> I suspect something more is probably happening, eg some of the linked
> patches probably get included into the source download location and
> probably you can pick them up there - however, there are now a LOT of
> ways to fetching source and patches and it would be hard to be sure
> of 100% coverage?

Fourth time: Add bookkeeping into the epatch function. Downloading is irrelevant, especially since sometimes many more patches are downloaded than are actually applied.

> Has someone done some actual probing on this? Peter what does catalyst
> provide for say gcc/kernel sources in its source output? All the patches?

It's the other way around: You provide a snapshot to catalyst, and catalyst builds kernel from that. You say what you want catalyst to build, and you create the package. You may end up doing more ebuild maintenance, but you likely want to do just that anyway, in order to keep track of what actually goes into your system.

//Peter
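
Added example, not part of the message above and not Portage or eutils code: bookkeeping done at the moment a patch is applied, so the ledger holds exactly the patches that went into the build and not everything that was downloaded. The names `tracked_apply`, `LEDGER_DIR`, `APPLY_CMD` and the manifest layout are assumptions made for this illustration.

```shell
#!/bin/sh
# Illustration only; every name here is hypothetical, none is a Portage API.
# LEDGER_DIR: where applied patches and the manifest are collected.
# APPLY_CMD:  command that applies one patch file (assumed: patch -p1 -i).
LEDGER_DIR="${LEDGER_DIR:-./applied-patches}"
APPLY_CMD="${APPLY_CMD:-patch -p1 -i}"

# Print the SHA-256 of a file, using whichever common tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# tracked_apply PKG PATCHFILE
# Applies the patch and, only if that succeeds, copies it into the ledger
# and appends a manifest line. Patches that fail or are never applied
# leave no trace, which is the point of recording at apply time.
tracked_apply() {
    pkg="$1"; patchfile="$2"
    [ -f "$patchfile" ] || { echo "missing patch: $patchfile" >&2; return 2; }
    # Word splitting of APPLY_CMD is intentional (command plus its options).
    $APPLY_CMD "$patchfile" || { echo "apply failed: $patchfile" >&2; return 1; }
    sum=$(sha256_of "$patchfile") || return 1
    dest="$LEDGER_DIR/$pkg"
    mkdir -p "$dest" || return 1
    # Prefix with the hash so same-named patches from different sources
    # cannot overwrite each other.
    cp "$patchfile" "$dest/$sum-$(basename "$patchfile")" || return 1
    printf '%s\t%s\t%s\n' "$pkg" "$sum" "$(basename "$patchfile")" \
        >> "$LEDGER_DIR/MANIFEST"
}
```

The contents of `LEDGER_DIR` can then be shipped alongside the upstream tarballs as the patch part of the source release.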