Yocto, with great power comes legal headache

How complex legal compliance can be in a Yocto building environment

Yocto is the go-to FOSS build environment for IoT and embedded device firmware: agile, flexible, powerful. Few realize that this great power can create a lot of headache on the legal side. Some of the reasons:

– keeping control of which source components are actually used is difficult
– the licensing information is by no means authoritative or final
– the potential for mishaps is great
– to do Software Composition Analysis you need to build a firmware image first; this means, for example, that an error in the firmware image size setting may block IP compliance checks. By design.

These are just a few elements. We believe there is still little understanding of what is required to tick all the boxes in a minimal compliance workflow. We have hands-on experience tackling what this means in a very complex project like Eclipse Oniro, a multi-kernel, multi-platform operating system for low-spec interconnected devices, and will give a heads-up on where to look first.