The Compact OSADL Online Lecture (COOL) September edition is presenting a tool to integrate OSSelot curation data into OpenEmbedded and Yocto build systems. The OSSelot curation database has been topic of several COOL editions in the past where the general concept of the project and the different ways of using the provided compliance data as well as the curation and contribution process have been demonstrated. Since the conception of the project, not only the amount of data has increased but also the availability of tools to work with this data and integrate it into other projects. This is an important step towards automating FOSS compliance tasks and as such a key aspect for the data’s practical application. One of these projects is the meta-osselot layer for integrating OSSelot curation data into OpenEmbedded and Yocto build systems.
In this COOL edition, Jasper Orschulko, the project’s creator and maintainer, will present the genesis of meta-osselot as well as its current status and plans for the future. First in theory and in the second part in practice, he will explain and demonstrate the functionality of the tool and show how it can be used in a development project to create an SBOM, obtain available compliance data from the OSSelot database and list those components for which curated data are not yet available. Anyone who builds software for embedded systems with OpenEmbedded or Yocto can learn how to simplify and accelerate FOSS compliance tasks by automating them as far as possible without compromising their quality.
The COOL edition takes place on September 25, 2024 from 2pm to 4pm CEST. Participation in COOL is free of charge. More details as well as the registration form can be found on the COOL event page.
More tools have been added to the Tools section to access the OSSelot curation data interactively from a website and via a newly provided REST interface. Details on how to use these new access modes and background information on the various interfaces can be found on the project’s Wiki pages, which were also recently launched. And by the way: The progress chart showing the time course of the number of curated software packages and evaluated files became confusing over time; therefore, additional charts are now available, each showing only one calendar year per chart.
Now that about 150 packages containing about 400,000 files had been inspected and curated, it was time to bring the OSSelot project to a wider audience. The embedded world exhibition and conference in Nuremberg, Germany with its "Official Daily" newspaper were a welcome opportunity for this: On day 1 of the exhibition, a related article appeared in German and on day 2 in English. Shortly thereafter, the German magazine "Elektronikpraxis" followed with a three-page article on OSSelot.
When people who copy and distribute Open Source software for whatever purpose are asked what they think most hinders and limits the use of such software, they regularly answer, “Clearing a software component for distribution and correctly fulfilling the various license obligations is so much painful work.” And they usually add: “It’s especially painful because you know that most of the work has been done a thousand times before by others, but you can’t get to the results.” It seems therefore obvious to share these efforts just as the development of the software itself is shared. To do so, three prerequisites must be fulfilled:
A minimal set of clearing information must be defined, and a database must be provided to store curated data.
A platform must be established where a community can grow that creates, shares, and makes such curation data generally available.
To create trust in the reliability of the provided material, its quality must be undeniably high, requiring experienced and responsible contributors and continuous, rigorous and thorough review.
To make this happen, the OSSelot project was established.
Content
The project data are provided in a publicly accessible repository for selected versions of software packages such as Coreboot, the Linux kernel or the OpenSSL library. Typically, three artifacts are included per package – a README file with general information, an SPDX tag:value file with curated data for every single source code file and a ready-to-use OSS disclosure file. The tag:value files can be integrated into the build process, so only the licenses of those files that are actually compiled into the build artifact and distributed need to be considered. See Presentations for use cases and examples on how to use the provided data. In addition, the tag:value files contain annotations to the license conclusions to elucidate decisions that are not obvious. The OSS disclosure files contain all applicable licenses and all copyright notices for the entire package. In addition, the OSS disclosure files contain “acknowledgment text” when such acknowledgment is required by the license.
Following the principle of Open Source software development, contributions, review of existing data and bug reports are encouraged. Feedback can be given via git issues in the repository or in direct contact to infoªosselot.org. In return, any inconsistencies or problems that are found while curating data are communicated to the respective projects in the hope that future versions are improved for everyone.
License
OSSelot is not only on Open Source software, but also is Open Source itself and licensed under CC0 1.0 Universal (SPDX-License-Identifier: CC0-1.0).