@@ -460,6 +460,15 @@ not and can not work as people would expect it should:
to let you know, and +not saved+ will appear in the +license files+ field
of the manifest file for this package.
+* +LIBFOO_TAINTS+ should be set to YES if a package taints a Buildroot
+ configuration. A Buildroot configuration is tainted when a package uses
+ external dependencies for which Buildroot cannot recover licensing
+ information, such as using a package manager (e.g., NPM) during the build.
+ If a configuration is tainted, the licensing information produced by
+ +make legal-info+ may not be accurate. If you wish to turn off taint
+ checking, it is possible to do so by enabling the BR2_DISABLE_TAINT_CHECKING
+ option.
+
* +LIBFOO_ACTUAL_SOURCE_TARBALL+ only applies to packages whose
+LIBFOO_SITE+ / +LIBFOO_SOURCE+ pair points to an archive that does
not actually contain source code, but binary code. This a very
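Review bot: the new bullet leaves +BR2_DISABLE_TAINT_CHECKING+ unmarked while the surrounding text wraps every option and target name in plus signs (+make legal-info+, +not saved+, +license files+); for consistency the last sentence should read "it is possible to do so by enabling the +BR2_DISABLE_TAINT_CHECKING+ option". The sentence "If you wish to turn off taint checking, it is possible to do so by ..." is also wordier than the rest of the list and could be "Taint checking can be disabled with the +BR2_DISABLE_TAINT_CHECKING+ option." Since this bullet is where package authors first meet the taint concept, it would help to point them at the +make check-tainted+ target that the second file of this patch documents, so they can verify the effect of setting +LIBFOO_TAINTS+ on their own configuration.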
@@ -72,6 +72,30 @@ some of the external toolchains and the Buildroot source code itself.
When you run +make legal-info+, Buildroot produces warnings in the +README+
file to inform you of relevant material that could not be saved.
+Furthermore, if a package uses custom external dependencies from the Buildroot
+tree, the configuration may be tainted. An example could be a package manager
+for a software stack that downloads the required dependencies while building a
+package, such as NPM. In such cases, Buildroot cannot check the licensing of
+the downloaded software and, thus, give accurate licensing information.
+However, it is possible to turn off taint checking by enabling the
+BR2_DISABLE_TAINT_CHECKING option. This option is helpful in cases where you
+can guarantee the reproducibility of the build. Here are three examples:
+
+BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL="http://myserver/node-mods/VERSION/foo"
+ - The user manages the repository and guarantees that it is reproducible.
+
+BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL="$(BR2_EXTERANL_MY_TREE_PATH)/mods/foo"
+ - Reproducible by way of being in a git-versioned br2-external tree.
+
+BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL="foo@1.2.3"
+ - Reproducible because the version is specified.
+
+To check if your configuration is tainted, run:
+
+--------------------
+make check-tainted
+--------------------
+
Finally, keep in mind that the output of +make legal-info+ is based on
declarative statements in each of the packages recipes. The Buildroot
developers try to do their best to keep those declarative statements as
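Review bot: the second example contains a typo in the variable name, "BR2_EXTERANL_MY_TREE_PATH" should be "BR2_EXTERNAL_MY_TREE_PATH", and a reader copying it will get an empty expansion. Beyond that, the paragraph's logic needs one more sentence: it correctly states that Buildroot "cannot check the licensing of the downloaded software", but then presents +BR2_DISABLE_TAINT_CHECKING+ as something to enable when the build is reproducible, without saying that disabling the check only silences the taint warning and does not make the +make legal-info+ output any more complete for the downloaded modules; the user still has to obtain and review the licenses of those dependencies by other means. Please add that caveat next to "This option is helpful in cases where you can guarantee the reproducibility of the build." so reproducibility is not read as licence compliance. Two smaller points: "Buildroot cannot check the licensing of the downloaded software and, thus, give accurate licensing information" reads better as "and thus cannot give accurate licensing information", and the option name should be wrapped as +BR2_DISABLE_TAINT_CHECKING+ like the other option and target names in this file. Finally, the three example assignments are plain text lines while the +make check-tainted+ command below uses a `--------------------` listing block; putting the examples in the same listing style would keep them from being reflowed as prose.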
Add documentation about the usage of LIBFOO_TAINTS and what the make target "check-tainted" does. Also, add documentation about turning off taint checking and a few scenarios of why a user would want to do so.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 docs/manual/adding-packages-generic.adoc | 9 +++++++++
 docs/manual/legal-notice.adoc | 24 ++++++++++++++++++++++++
 2 files changed, 33 insertions(+)