Versions Compared

Old Version 10

changes.mady.by.user Naoto YAMAGUCHI

Saved on

compared with

New Version Current

changes.mady.by.user Naoto YAMAGUCHI

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • The OSS must be released under a license included in the allow list in Table 1-1.  
  • When the OSS license is not included in the allowed list, it must be confirmed that it is not included in the deny list in Table 1-2.
  • When the OSS license is not listed on both lists, this license must be judged by AGL Instrument Expert Geoup Group and accepted by SAT.


Table 1-1. Allow licence listlicense list

No.License nameLicense URL
1GNU General Public License, version 2https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
2GNU Lesser General Public License, version 2.1https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html
3Apache License 2.0https://www.apache.org/licenses/LICENSE-2.0
43-clause BSD licensehttps://opensource.org/licenses/BSD-3-Clause
52-clause BSD licensehttps://opensource.org/licenses/BSD-2-Clause
6MIT Licensehttps://opensource.org/licenses/mit-license.php
7Mozilla Public License 2.0https://www.mozilla.org/en-US/MPL/2.0/
8zlib/libpng Licensehttps://opensource.org/licenses/Zlib
9Boost Software License 1.0https://opensource.org/licenses/BSL-1.0
10 GCC Runtime Library Exceptionhttps://www.gnu.org/licenses/gcc-exception-3.1.en.html



...

No.License nameLicense URL
1GNU General Public License, version 3https://www.gnu.org/licenses/gpl-3.0.en.html
2GNU Lesser General Public License, version 3https://www.gnu.org/licenses/lgpl-3.0.en.html
3GNU Affero General Public License version 3https://opensource.org/licenses/AGPL-3.0

*The GPLv3 and GPLv3 like license does not allow tivoization.  This is incompatible with embedded use cases.

1.2.

...

 Special case

Licensing restrictions should be relaxed for some use cases such as debugger, host tools and analysis tools.  In this document, these use cases are calling the exception use cases.
The OSS used in the exception use case, that must block automatically to installing on the final target image using integration system.
Table 1-3 and Table 1-4 shows exception for Table 1-1 and Table 1-2.   In excepted use-case can use licence license both Table 1-1 and Table 1-3.  When the same license appears in more than one table, Table 1-3 is preferred over Table 1-2, Table 1-4 is preferred over Table 1-1.


Table 1-3.  Exception Special allow licence listlicense list

No.License nameLicense URL
1GNU General Public License, version 3https://www.gnu.org/licenses/gpl-3.0.en.html
2GNU Lesser General Public License, version 3https://www.gnu.org/licenses/lgpl-3.0.en.html



*The GPLv3 and GPLv3 like license does not allow tivoization.   When these software only to use debugging (not installing in final product), it's no problem.


Table 1-2. Exception Special deny license list

No.License nameLicense URL









...

No.RequirementExampleReq. Level
1Defining the coding rule or guideline

https://www.kernel.org/doc/html/latest/process/coding-style.html

https://www.gnu.org/prep/standards/standards.html

https://systemd.io/CODING_STYLE/

Must
2Defining the contribution rule

https://www.kernel.org/doc/html/latest/process/code-of-conduct-interpretation.html

https://gcc.gnu.org/contribute.html

https://systemd.io/CONTRIBUTING/

Must

3

Have a versioning and stable releaseDefining the release rule.

https://www.gnu.org/software/libc/

https://github.com/openssl/openssl/releases

https://github.com/wayland-project/weston/releases

Must
4Providing a change logs.

https://sourceware.org/legacy-ml/libc-announce/2020/msg00001.html

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.54

Must
5Have a bug tracking system or other bug report and fix solution such as active mailing list, github issue, etc..

https://lkml.org/

https://github.com/systemd/systemd/issues

https://bugzilla.redhat.com/

ShallShould
6Have and maintain a test suite.

https://github.com/linux-test-project/ltp

https://github.com/systemd/systemd/tree/master/test

https://wiki.musl-libc.org/libc-test.html

ShallShould
7Used in popular distributions such as RHEL, SUSE, Ubuntu, Debian.
ShallShould

8

More than 2 or more active contributors.https://www.openhub.net/explore/projectsShallShould

9

Including OIN(Open Invention Network) packages listhttps://www.openinventionnetwork.com/joining-oin/linux-system/linux-system-table/?cat_id=15&type=tableRecommend




...

1st step is analyzing for history of code quality using static analysis tool.  Has a serious bug been fixed with the minor version up?  When major version up is made, how many new serious bugs increase this OSS?
This analysis cannot be based on the number of bug fix.  It need to use a static analysis tool to analyze the unfixed bugs.

These OSS must pass on these check items. Qualification point: TBD.

  • Outstanding defect per component.
  • Outstanding vs fixed defect over period time.
  • High and medium impact outstanding defect per category.

Ref.  https://scan.coverity.com/projects/gnu-c-library-glibcmust not include "must fix" error from static analysis tool.

Note. The validity of the version used by that OSS, including CVE checks, will be checked in the next phase. 

TO J.S.
Could you make a comparison both coverity and the OSS tool (clang) in this criteria.

Coverity vs OSS tool (clang) in architecture phase criteria

5. Requirement matching

All requirements assigned to the OSS must be met.

...