[tools] wf-sbom and semi-automated license compliance

[asiekierka]

In a large software project, including homebrew projects, it is currently difficult to make a list of all licenses which a given program ought to comply with. This is less of a problem for dynamic linking, as the user often provides these libraries himself - however, as homebrew is statically linked, the requirement comes up for every library used in a project.

However, as the Wonderful toolchain is a controlled ecosystem, we can consider and support this scenario.

There's some things to consider:

• some licenses (CC0, zlib) do not put any requirements on a binary distributor; others (MIT, MPLv2) put requirements limited to the code being distributed; others (GPL) may have a viral effect on the entire binary.
• some libraries are header-only, but nonetheless meet the minimum criteria for copyrightability.
• some libraries (crt0, libgcc, libc, libstdc++) are default and thus not explicitly requested.
• some libraries have one global header (libtonc), others may have a few dozen headers depending on which files are linked in (newlib).

There's many sources of information which could be used here:

• ELF/map files - actually linked objects, functions and data,
• GNU make dependency files - headers pulled in by object files,
• Makefile - list of requested libraries.

Feedback wanted!

[AntonioND]

How detailed do you want the result to be? Because if you want a granularity of "file", the elf/map file is probably enough to determine which files are used, even for header-only libraries (probably? what about constexpr-only libs?). If you want a granularity of functions, it becomes way too complicated to do, and you'd need to check the git history (if it is even present!).

Once that is solved, SPDX comes into play (this is why I like it). It is trivial to determine the license of a file if you tag all your files with the right SPDX comment.

[asiekierka]

The granularity is somewhere between "library" and "file". Certainly not "function".

For constexpr-only libs, my plan was to parse through GNU make dependency files.

I don't plan on parsing SPDX from the source files themselves, as (a) third-party libraries' codebases (for a large example, newlib/picolibc) won't conform to it, (b) the SPDX identifier is not always sufficient to satisfy license compliance. What I plan on doing is defining a .wflicense file that's attached to a library (for example, lib/libtonc.a gets a lib/libtonc.a.wflicense) which provides (a) the SPDX identifier of a given license, (b) the text of the specific file's license, (c) rules for which files may be covered by distinct headers.

[AntonioND]

third-party libraries' codebases (for a large example, newlib/picolibc) won't conform to it

Yes, this is certainly a problem. I like the idea of the custom .wflicense file to work around that problem.