diff mbox series

[2/3] docs/manual: add information about tainting

Message ID 20231103182745.903344-3-adam.duskett@amarulasolutions.com
State Rejected, archived
Series Add tainting support

Commit Message

Adam Duskett Nov. 3, 2023, 6:27 p.m. UTC
Add documentation about the usage of LIBFOO_TAINTS and what the make target
"check-tainted" does. Also, add documentation about turning off taint
checking and a few scenarios of why a user would want to do so.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 docs/manual/adding-packages-generic.adoc |  9 +++++++++
 docs/manual/legal-notice.adoc            | 24 ++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

Patch

diff --git a/docs/manual/adding-packages-generic.adoc b/docs/manual/adding-packages-generic.adoc
index 76b037f436..12083b07d5 100644
--- a/docs/manual/adding-packages-generic.adoc
+++ b/docs/manual/adding-packages-generic.adoc
@@ -460,6 +460,15 @@  not and can not work as people would expect it should:
   to let you know, and +not saved+ will appear in the +license files+ field
   of the manifest file for this package.
 
+* +LIBFOO_TAINTS+ should be set to YES if a package taints a Buildroot
+  configuration. A Buildroot configuration is tainted when a package uses
+  external dependencies for which Buildroot cannot recover licensing
+  information, such as using a package manager (e.g., NPM) during the build.
+  If a configuration is tainted, the licensing information produced by
+  +make legal-info+ may not be accurate. If you wish to turn off taint
+  checking, it is possible to do so by enabling the BR2_DISABLE_TAINT_CHECKING
+  option.
+
 * +LIBFOO_ACTUAL_SOURCE_TARBALL+ only applies to packages whose
   +LIBFOO_SITE+ / +LIBFOO_SOURCE+ pair points to an archive that does
   not actually contain source code, but binary code. This a very
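Review bot: the new +LIBFOO_TAINTS+ bullet leaves YES and BR2_DISABLE_TAINT_CHECKING as bare text while the rest of the list marks identifiers up with +...+ (the same bullet already writes +make legal-info+, and the next entry writes +LIBFOO_ACTUAL_SOURCE_TARBALL+); suggest `+YES+` and `+BR2_DISABLE_TAINT_CHECKING+` for consistency. It would also help to mention here that +make check-tainted+ reports which packages set this variable, since this patch otherwise introduces that target only in the legal-notice hunk, away from the place a package author reads about the variable.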
diff --git a/docs/manual/legal-notice.adoc b/docs/manual/legal-notice.adoc
index 179aa6b179..55a2120f8e 100644
--- a/docs/manual/legal-notice.adoc
+++ b/docs/manual/legal-notice.adoc
@@ -72,6 +72,30 @@  some of the external toolchains and the Buildroot source code itself.
 When you run +make legal-info+, Buildroot produces warnings in the +README+
 file to inform you of relevant material that could not be saved.
 
+Furthermore, if a package uses custom external dependencies from the Buildroot
+tree, the configuration may be tainted. An example could be a package manager
+for a software stack that downloads the required dependencies while building a
+package, such as NPM. In such cases, Buildroot cannot check the licensing of
+the downloaded software and, thus, give accurate licensing information.
+However, it is possible to turn off taint checking by enabling the
+BR2_DISABLE_TAINT_CHECKING option. This option is helpful in cases where you
+can guarantee the reproducibility of the build. Here are three examples:
+
+BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL="http://myserver/node-mods/VERSION/foo"
+  - The user manages the repository and guarantees that it is reproducible.
+
+BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL="$(BR2_EXTERANL_MY_TREE_PATH)/mods/foo"
+  - Reproducible by way of being in a git-versioned br2-external tree.
+
+BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL="foo@1.2.3"
+  - Reproducible because the version is specified.
+
+To check if your configuration is tainted, run:
+
+--------------------
+make check-tainted
+--------------------
+
 Finally, keep in mind that the output of +make legal-info+ is based on
 declarative statements in each of the packages recipes. The Buildroot
 developers try to do their best to keep those declarative statements as
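Review bot: `$(BR2_EXTERANL_MY_TREE_PATH)` in the second example is misspelled and should read `$(BR2_EXTERNAL_MY_TREE_PATH)`. Beyond the typo, the rationale for disabling the check does not match the problem the paragraph describes: the preceding sentences say the issue is that Buildroot "cannot check the licensing of the downloaded software", yet the justification for enabling BR2_DISABLE_TAINT_CHECKING is that "you can guarantee the reproducibility of the build", and all three examples argue reproducibility (a managed server, a git-versioned tree, a pinned version). A repeatable download does not make the +make legal-info+ output any more complete, so the text should say plainly that the option only suppresses the taint result and that the user stays responsible for the licensing of dependencies fetched during the build. Wording: "cannot check the licensing ... and, thus, give accurate licensing information" reads as if Buildroot can give it; suggest "and therefore cannot give accurate licensing information". Finally, the bare `make check-tainted` listing should be followed by a sentence on what the target prints, and whether it fails, when the configuration is tainted.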