GPL compliance

Using reproducible build information to help GPL compliance

  • spectrum of violations in the wild:
    • didn't include license or source at all - beyond help
    • middle ground: partial source: missing patches, missing dependencies, or missing build information
  • distributors know they need to comply and want to, but the source they ship isn't complete

  • compliance with GPL

  • GPL defines what's necessary for compliance: the "scripts used to control compilation and installation" (Makefiles and other scripts for running the build tools), not only the program's own source files

  • violators who aren’t totally clueless, but don’t really care either:

    • incomplete source code: a tarball downloaded from upstream, without the patches that were actually applied, or with an incomplete set of patches

    • failure to document the full build environment (e.g. the build only works from a specific home directory, as a specific user)

    • shipping full toolchain as a tarball

  • using buildinfo files

    • useful documentation for compliance issues: a .buildinfo records exactly the facts a violator tends to leave out

    • distro used to build (Build-Origin)
    • versions of the toolchain (Installed-Build-Depends)
    • locale and other environment settings (Environment), plus the directory the build ran in (Build-Path)
  • gaps

    • distribution level reproducibility has been the focus

    • many violations are on systems that don’t even run a traditional distro, just a thin layer of binaries

    • move tooling from the distributions into the lower levels

      • gcc to generate a buildinfo file
  • we’re really not talking about distros necessarily
  • provide an SDK
    • include a common toolchain for embedded development that emits proper reproducibility information (.buildinfo or equivalent) with everything needed to rebuild
    • talk to Linaro to ensure that their toolchains emit reproducibility information
  • GCC
    • generate buildinfo files
    • embedding hashes of includes and other build source in binaries
  • contacting embedded distros
    • get openembedded, angstrom, etc. using reproducibility toolchains
  • source code tarball tool
    • a tool that takes a source release and its .buildinfo and identifies which pieces are missing from the source release
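An added example, not code from the reproducible-builds project and not on the original page, that combines the two ideas above: reading the fields a .buildinfo records (Build-Origin, Installed-Build-Depends, Build-Path, Environment) and using them to list what a shipped "corresponding source" drop is missing. The .buildinfo text, the file bytes and the package versions are constructed for the example; the field names and the deb822 layout are the real ones.

```python
"""Added example (not the project's own code): check a source drop against a
Debian-style .buildinfo. All inputs below are constructed for illustration."""
import hashlib
import re

# Constructed stand-ins for the three files of a Debian source package.
RELEASE_FILES = {
    "hello_2.10-2.dsc": b"Format: 3.0 (quilt)\nSource: hello\nVersion: 2.10-2\n",
    "hello_2.10.orig.tar.gz": b"<pretend upstream tarball>",
    "hello_2.10-2.debian.tar.xz": b"<pretend debian/ dir with patches>",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _checksum_lines(files: dict) -> str:
    # Checksums-Sha256 continuation lines look like " <sha256> <size> <filename>"
    return "\n".join(f" {sha256(d)} {len(d)} {n}" for n, d in files.items())

# Constructed .buildinfo (real field names, illustrative versions).
SAMPLE_BUILDINFO = (
    "Format: 1.0\n"
    "Source: hello\n"
    "Version: 2.10-2\n"
    "Checksums-Sha256:\n" + _checksum_lines(RELEASE_FILES) + "\n"
    "Build-Origin: Debian\n"
    "Build-Path: /build/hello-AbC123\n"
    "Installed-Build-Depends:\n"
    " base-files (= 11),\n"
    " gcc (= 4:10.2.1-1),\n"
    " gcc-10 (= 10.2.1-6),\n"
    " libc6-dev (= 2.31-13)\n"
    "Environment:\n"
    ' LANG="C.UTF-8"\n'
    ' SOURCE_DATE_EPOCH="1600000000"\n'
)

DEP_RE = re.compile(r"^(\S+) \(= (\S+)\),?$")

def parse_buildinfo(text: str) -> dict:
    """deb822 parser: 'Field: value' starts a field, indented lines continue it."""
    fields, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            fields[current].append(raw.strip())
        else:
            name, _, value = raw.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields

def installed_build_depends(info: dict) -> dict:
    """{package: exact version} from Installed-Build-Depends (the toolchain record)."""
    deps = {}
    for line in info.get("Installed-Build-Depends", []):
        m = DEP_RE.match(line)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps

def environment(info: dict) -> dict:
    """{VAR: value} from the Environment field (locale, SOURCE_DATE_EPOCH, ...)."""
    env = {}
    for line in info.get("Environment", []):
        key, _, value = line.partition("=")
        env[key] = value.strip('"')
    return env

def audit_release(info: dict, shipped_files: dict, available_sources: dict) -> dict:
    """shipped_files: {filename: bytes} in the source drop.
    available_sources: {package: set(versions)} whose source is also provided.
    Every non-empty list in the report is a gap the distributor must close."""
    report = {"missing_files": [], "checksum_mismatch": [],
              "missing_build_deps": [], "rebuild_notes": []}
    for line in info.get("Checksums-Sha256", []):
        digest, size, name = line.split()
        data = shipped_files.get(name)
        if data is None:
            report["missing_files"].append(name)
        elif sha256(data) != digest or len(data) != int(size):
            report["checksum_mismatch"].append(name)
    for pkg, ver in installed_build_depends(info).items():
        if ver not in available_sources.get(pkg, set()):
            report["missing_build_deps"].append(f"{pkg} {ver}")
    build_path = info.get("Build-Path", [""])
    if build_path and build_path[0]:
        report["rebuild_notes"].append(f"build from Build-Path {build_path[0]}")
    for var, val in environment(info).items():
        report["rebuild_notes"].append(f"set {var}={val}")
    return report

def demo() -> dict:
    """A typical 'partial source' drop: patches tarball omitted, a different
    upstream tarball than the one built, and the pinned gcc-10 source absent."""
    shipped = {
        "hello_2.10-2.dsc": RELEASE_FILES["hello_2.10-2.dsc"],
        "hello_2.10.orig.tar.gz": b"<a different upstream tarball>",
    }
    available = {
        "base-files": {"11"},
        "gcc": {"4:10.2.1-1"},
        "gcc-10": {"10.2.0-1"},  # wrong version: not what the build used
        "libc6-dev": {"2.31-13"},
    }
    return audit_release(parse_buildinfo(SAMPLE_BUILDINFO), shipped, available)
```

On a real drop you would feed `audit_release` the file list from the shipped tarball and the package/version list from the shipped dependency sources; the rebuild notes are the environment facts (Build-Path, LANG, SOURCE_DATE_EPOCH) that a recipient needs to reproduce the binary and that a "documentation of the build environment" violation leaves out.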
