Commit 796e1667 authored by Alberto Pianon
Update releases/2.0/2.0.0/ip_compliance_note.rst

parent d529382b
.. SPDX-FileCopyrightText: Alberto Pianon <pianon@array.eu> and Carlo Piana <piana@array.eu>
..
.. SPDX-License-Identifier: CC-BY-4.0

IP Compliance Note
==================

Since the very beginning, a Continuous Compliance `toolchain`_ and `process`_
have been developed and integrated into the Oniro project development, so that
the source components used to generate Oniro binary images are continuously
scanned by open source tools like `Fossology`_ and `Scancode`_, and reviewed by
Software Audit Experts and IP Lawyers. [1]_

For detailed information about the why and the how of this process, please refer
to the Oniro Compliance Toolchain’s `official documentation`_. Sources and
documentation for the custom components of the toolchain (`tinfoilhat`_,
`aliens4friends`_, `dashboard`_, `pipelines`_) can be found in their respective
repositories.

*TL;DR*: we put ourselves in your shoes (a device maker willing to use Oniro to
develop its products) and simulated the IP compliance work that you would have
to do on the third party components fetched by Yocto recipes to build your
firmware image(s), in order to spot possible legal risks and issues. In the true
open source spirit, every time we found an issue with a particular upstream
component, we raised that issue upstream, and most of the time upstream
developers solved it for you.

As of Oniro’s Goofy GA Release, there are just a few issues left that cannot be
addressed by us (involving proprietary firmware/drivers for hardware support and
some patent-covered technologies) and which require your attention (and possibly
an action on your side, e.g. getting a patent license). We briefly explain these
here.

The overall status of audit activities can be monitored through a
`dedicated dashboard`_, which gets updated after every commit to Oniro's main
repository. The dashboard also shows CVE information (collected at the time of
the commit), which can be filtered by target machine, image and single
component.

*Disclaimer#1*: This is not legal advice. This note is provided just as a
convenience for you, to suggest some critical areas in which you should seek
legal advice if you want to develop real-world products based on Oniro. It is
not meant to be complete nor to substitute the internal due-diligence activities
you need to perform before marketing your products.

*Disclaimer#2*: This note covers only the source components used to generate
the supported Oniro images (oniro-image-base and zephyr-philosophers) for the
supported target machines (qemux86-64, qemux86, qemuarm-efi, qemuarm64-efi,
raspberrypi4-64, seco-intel-b68, seco-px30-d23, seco-imx8mm-c61-2gb,
seco-imx8mm-c61-4gb, qemu-cortex-m3, 96b-avenger96, nrf52840dk-nrf52840,
arduino-nano-33-ble).

*Disclaimer#3*: “supported”, when *referred to a board*, means that the board is
officially targeted as a potential platform on which an Oniro image can be
installed for any purpose; when *referred to an image*, it means that the image
targeting a supported board receives thorough testing and specific attention
during development. It does NOT mean that either will receive support services,
nor that any member of the Oniro Working Group or of the Eclipse Foundation will
provide any warranty whatsoever.

Solved Issues
-------------

- There was a proprietary software font accidentally included in
  zephyr-philosophers; we opened the issue upstream
  (https://github.com/zephyrproject-rtos/zephyr/issues/48111), which was solved
  (https://github.com/zephyrproject-rtos/zephyr/pull/49103), and the fix was
  backported to Oniro
  (https://gitlab.eclipse.org/eclipse/oniro-core/meta-zephyr/-/commit/0f36ae849d59da08e445af83f711a1c0108dd3bf).
- A similar issue was also found in the Harfbuzz component; it was raised
  upstream (https://github.com/harfbuzz/harfbuzz/issues/3845), fixed
  (https://github.com/harfbuzz/harfbuzz/pull/3846), and the fix was backported
  to Oniro
  (https://gitlab.eclipse.org/eclipse/oniro-core/oniro/-/commit/fbb4bc229b287fa293439ee0adbb0d830764b2d8).
- There were a lot of binary files in zephyr-philosophers without corresponding
  sources and without clear license information; we opened the issue upstream
  (https://gitlab.eclipse.org/eclipse/oniro-core/meta-zephyr/-/commit/0f36ae849d59da08e445af83f711a1c0108dd3bf),
  which was then fixed
  (https://github.com/zephyrproject-rtos/zephyr/pull/47181), and the fix was
  backported to Oniro
  (https://gitlab.eclipse.org/eclipse/oniro-core/meta-zephyr/-/commit/a00d1c4f1aad8b0ea5b9f904966c0bd8a48d8d80).
- Some proprietary license headers, granting neither redistribution nor any
  other rights without written permission by Intel, were found in some source
  files of the Intel-Media-SDK component; we opened the issue upstream
  (https://github.com/Intel-Media-SDK/MediaSDK/issues/2937) and it turned out
  to be an oversight that occurred when open sourcing the component; it was then
  fixed (https://github.com/Intel-Media-SDK/MediaSDK/pull/2939) and the fix was
  backported to Oniro
  (https://gitlab.eclipse.org/eclipse/oniro-core/oniro/-/commit/d5ee837d90903d91a1ff358ebfe985d28925484e).
- A similar issue was also found in the Intel-Media-Driver component; it was
  raised upstream (https://github.com/intel/media-driver/issues/1460), fixed
  (https://github.com/intel/media-driver/pull/1465), and the fix was backported
  to Oniro
  (https://gitlab.eclipse.org/eclipse/oniro-core/oniro/-/commit/b56de944568c8e348cb8265c59d7cfd52a0831b9).

Warnings for Downstream Users: Hardware Support
-----------------------------------------------

Linux
~~~~~

IMX Firmware
^^^^^^^^^^^^

A couple of supported target boards (seco-imx8mm-c61-2gb and
seco-imx8mm-c61-4gb) require a Freescale proprietary VPU library to work, which
in turn requires the acceptance of an `EULA`_ by the user (you). Such acceptance
may be given by setting a specific variable (``ACCEPT_FSL_EULA = "1"``) in your
configuration file (please refer to Oniro’s technical documentation). You should
carefully read that `EULA`_ to check whether you are actually in a position to
accept it and whether you can fulfill all of its conditions. If needed, seek
legal advice for that.

Linux-firmware
^^^^^^^^^^^^^^

The third party components ``linux-firmware`` and ``linux-firmware-rpidistro``
contain many sub-components (mainly firmware BLOBs) for specific hardware
support, coming from different hardware vendors.

Almost all firmware vendor licenses restrict firmware usage to the vendor's own
specific device(s).

Some of them (apparently) contain further restrictions, stating that the binary
file is licensed *“for use with [vendor] devices, but not as a part of the Linux
kernel or in any other form which would require these files themselves to be
covered by the terms of the GNU General Public License”*. Our understanding is
that such a restriction is redundant, since apparently there is no way in which
a firmware blob may become *part* of the Linux kernel and therefore be covered
by the GNU General Public License. But you should seek legal advice on that if
you need to use the affected firmware files:


================================= ================================================== ======================== ============================
Source                            Device/driver                                      File(s)                  License found in
================================= ================================================== ======================== ============================
`linux-firmware-20220913.tar.xz`_ Conexant Cx23100/101/102 USB broadcast A/V decoder v4l-cx231xx-avcore-01.fw WHENCE
`linux-firmware-20220913.tar.xz`_ meson-vdec - Amlogic video decoder                 meson/vdec/\*            LICENSE.amlogic_vdec, WHENCE
`linux-firmware-20220913.tar.xz`_ lt9611uxc - Lontium DSI to HDMI bridge             lt9611uxc_fw.bin         LICENSE.Lontium, WHENCE
================================= ================================================== ======================== ============================

Some other firmware files are covered by proprietary licenses that contain
termination clauses providing that either party may terminate the license at any
time without cause, which may work as killswitches (i.e. the vendor may
terminate your license at any time without any reason, so your devices,
including already distributed ones, may lose, say, Bluetooth or Wi-Fi support).
You should seek legal advice (and possibly negotiate a different license with
the vendor) if you need to use the affected firmware files:


========================================================== ====================== ======== ================
Source                                                     Device/driver          File(s)  License found in
========================================================== ====================== ======== ================
[git://github.com/murata-wireless/cyw-fmac-fw@ba140e42]    Murata Wi-Fi/Bluetooth cyfmac\* LICENCE, README
[git://github.com/murata-wireless/cyw-fmac-nvram@8710e74e] Murata Wi-Fi/Bluetooth cyfmac\* LICENCE.cypress
========================================================== ====================== ======== ================

Some other firmware files (for NVIDIA hardware, which is not included in any of
Oniro’s supported boards) have been expressly excluded from installation,
because they come with a proprietary license with an unclear “open source
exception”. See `issue #834`_ in the Oniro main repo for further details.

Some other firmware files are covered by a limited patent license. If you need
to use them, you should check whether you fulfill the conditions of such
license.


================================= ========================= ============================= ======================
Source                            Device/driver             File(s)                       License found in
================================= ========================= ============================= ======================
`linux-firmware-20220913.tar.xz`_ WiLink4 chips WLAN driver ti-connectivity/wl1251-fw.bin LICENCE.wl1251, WHENCE
================================= ========================= ============================= ======================

Finally, some license files have unclear wording about use and redistribution.
If you need to use firmware covered by such files, you should check and possibly
seek legal advice.


================================= ===================================================== ================================== =======================
Source                            Device/driver                                         File(s)                            License found in
================================= ===================================================== ================================== =======================
`linux-firmware-20220913.tar.xz`_ WiLink4 chips WLAN driver                             ti-connectivity/wl1251-fw.bin      LICENCE.wl1251, WHENCE
`linux-firmware-20220913.tar.xz`_ Marvell Libertas 802.11b/g cards                      libertas/\*.bin, mrvk/\*.bin       LICENCE.Marvell, WHENCE
`linux-firmware-20220913.tar.xz`_ Marvell mac80211 driver for 80211ac cards             mwlwifi/\*.bin                     LICENCE.Marvell, WHENCE
`linux-firmware-20220913.tar.xz`_ Marvell CPT driver                                    mrvl/cpt01/\*                      LICENCE.Marvell, WHENCE
`linux-firmware-20220913.tar.xz`_ Marvell driver for Prestera family ASIC devices       mrvl/prestera/\*.img               LICENCE.Marvell, WHENCE
`linux-firmware-20220913.tar.xz`_ wave5 - Chips&Media, Inc. video codec driver          cnm/wave521c_j721s2_codec_fw.bin   LICENCE.cnm, WHENCE
`linux-firmware-20220913.tar.xz`_ Broadcom 802.11n fullmac wireless LAN driver          brcm/brcmfmac/\*, cypress/cyfmac\* LICENCE.cypress, WHENCE
`linux-firmware-20220913.tar.xz`_ BCM-0bb4-0306 Cypress Bluetooth firmware for HTC Vive brcm/BCM-0bb4-0306.hcd             LICENCE.cypress, WHENCE
================================= ===================================================== ================================== =======================

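
As an added example (not part of this note or of the Oniro compliance toolchain),
the following script walks the firmware tree of a built image and reports which
files match the patterns listed in the tables above, grouped by the concern each
table raises. The file patterns are copied from the tables; the concern labels,
the helper names and the sample tree are constructed here for illustration. The
scanner matches by file name only, so for a flagged file you still have to check
which source (linux-firmware tarball or vendor repository) it actually came from.

```python
"""Flag firmware blobs from the tables above inside a built image tree."""
import fnmatch
import os
import tempfile

# File patterns copied from the four tables above, keyed by the concern raised.
# 'mrvk/*.bin' is kept exactly as the table lists it.
FIRMWARE_CONCERNS = {
    "not-part-of-kernel restriction": [
        "v4l-cx231xx-avcore-01.fw", "meson/vdec/*", "lt9611uxc_fw.bin"],
    "termination clause (killswitch)": ["cyfmac*"],
    "limited patent license": ["ti-connectivity/wl1251-fw.bin"],
    "unclear use/redistribution wording": [
        "ti-connectivity/wl1251-fw.bin", "libertas/*.bin", "mrvk/*.bin",
        "mwlwifi/*.bin", "mrvl/cpt01/*", "mrvl/prestera/*.img",
        "cnm/wave521c_j721s2_codec_fw.bin", "brcm/brcmfmac/*",
        "cypress/cyfmac*", "brcm/BCM-0bb4-0306.hcd"],
}

def matches(relpath, pattern):
    """Match the path relative to the firmware root or just its basename;
    fnmatch's '*' also crosses '/', so 'meson/vdec/*' covers subdirectories."""
    return (fnmatch.fnmatchcase(relpath, pattern)
            or fnmatch.fnmatchcase(os.path.basename(relpath), pattern))

def scan_firmware_tree(root):
    """Return {relative path: sorted concern labels} for every flagged file."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            hits = sorted(label for label, pats in FIRMWARE_CONCERNS.items()
                          if any(matches(rel, p) for p in pats))
            if hits:
                flagged[rel] = hits
    return flagged

def demo():
    """Constructed sample /lib/firmware layout (not a real image) used to
    exercise the scanner; the last file is a control that must not be flagged."""
    sample = ["meson/vdec/gxl_h264.bin", "cypress/cyfmac43455-sdio.bin",
              "ti-connectivity/wl1251-fw.bin", "other/unrelated-control.bin"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        return scan_firmware_tree(root)
```

Run ``scan_firmware_tree("/path/to/rootfs/lib/firmware")`` against an unpacked
image to get the list of files that deserve a license review before shipping.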
Zephyr
~~~~~~

The third party repository ‘`zephyr-philosophers`_’ fetched by the
zephyr-philosophers recipe contains many sub-components for specific hardware
support, coming from different hardware vendors. Some of them have specific
proprietary license conditions (e.g. software components to support Atmel SAM
L21, Altera Nios II, Cypress/Infineon PSoC6) but are not used to generate Oniro
images, so they are not covered here. Should you need to add support for such
hardware boards, not officially supported by Oniro, you should carefully check
the hardware vendor license conditions.

Warnings for Downstream Users: Patents
--------------------------------------

The “Dropbear” component documentation contains a patent and trademark notice:

    The author (Tom St Denis) is not a patent lawyer so this section is not to be
    treated as legal advice. To the best of the author’s knowledge the only
    patent related issues within the library are the RC5 and RC6 symmetric block
    ciphers. They can be removed from a build by simply commenting out the two
    appropriate lines in *tomcrypt_custom.h*. The rest of the ciphers and hashes
    are patent free or under patents that have since expired.

    The RC2 and RC4 symmetric ciphers are not under patents but are under
    trademark regulations. This means you can use the ciphers, you just can’t
    advertise that you are doing so.

To the best of our knowledge, the patents on the RC5 and RC6 symmetric block
ciphers have also expired, but you should seek legal advice to check whether
there still are active patents covering such technologies.

.. [1]
   Carlo Piana and Alberto Pianon from Array (Legal); Rahul Mohan G. and
   Vaishali Avhad from NOI Techpark (Audit)

.. _toolchain: https://projects.eclipse.org/projects/oniro.oniro-compliancetoolchain
.. _process: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/docs/-/tree/main/audit_workflow
.. _Fossology: https://www.fossology.org
.. _Scancode: https://nexb.com/scancode
.. _official documentation: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/docs
.. _tinfoilhat: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/tinfoilhat
.. _aliens4friends: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/aliens4friends
.. _dashboard: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/dashboard
.. _pipelines: https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/pipelines
.. _EULA: https://git.yoctoproject.org/meta-freescale/tree/EULA
.. _linux-firmware-20220913.tar.xz: https://cdn.kernel.org/pub/linux/kernel/firmware/linux-firmware-20220913.tar.xz
.. _issue #834: https://gitlab.eclipse.org/eclipse/oniro-core/oniro/-/issues/834
.. _zephyr-philosophers: https://github.com/zephyrproject-rtos/zephyr
.. _dedicated dashboard: https://sca.software.bz.it/?json=https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/mirrors/oniro-goofy/-/jobs/artifacts/kirkstone/raw/report.harvest.json?job=harvest