docs/03-license-analysis/license-compliance.md

# License Compliance Documentation

**Document ID:** LIC-COMP-001  
**Date:** 2026-03-01  
**Scope:** Complete license analysis for TQMa6UL Yocto Scarthgap BSP

---

## Overview

This document provides templates and procedures for generating the license compliance table required for software approval.

## License Categories

### Approved for Military Use (Generally)

| License | SPDX ID | Military Use | Notes |
|---------|---------|--------------|-------|
| MIT | MIT | ✅ Yes | Permissive, no restrictions |
| BSD-2-Clause | BSD-2-Clause | ✅ Yes | Permissive |
| BSD-3-Clause | BSD-3-Clause | ✅ Yes | Permissive |
| Apache-2.0 | Apache-2.0 | ✅ Yes | Patent grant included |
| ISC | ISC | ✅ Yes | Permissive |

### Copyleft (Requires Source Distribution)

| License | SPDX ID | Military Use | Notes |
|---------|---------|--------------|-------|
| GPL-2.0-only | GPL-2.0-only | ✅ Yes* | *Must provide source code |
| GPL-2.0-or-later | GPL-2.0-or-later | ✅ Yes* | *Must provide source code |
| GPL-3.0-only | GPL-3.0-only | ⚠️ Review | Check anti-tivoization clause |
| GPL-3.0-or-later | GPL-3.0-or-later | ⚠️ Review | Check anti-tivoization clause |
| LGPL-2.1-only | LGPL-2.1-only | ✅ Yes* | *Must provide library source |
| LGPL-2.1-or-later | LGPL-2.1-or-later | ✅ Yes* | *Must provide library source |

### Special Cases

| License | Military Use | Reason |
|---------|--------------|--------|
| Proprietary | ❌ No | Closed source, not auditable |
| CC-BY-SA | ✅ Yes | Documentation license |
| OpenSSL | ✅ Yes | Special license, acceptable |

## License Table Template

Download as CSV: [license-table-template.csv](license-table-template.csv)

| Package Name | Version | License (SPDX) | License File | Source Location | Military Use | Notes |
|--------------|---------|----------------|--------------|-----------------|--------------|-------|
| linux-yocto | 6.6.y | GPL-2.0-only | COPYING | sources/poky-scarthgap/meta/recipes-kernel/linux/ | ✅ Yes | Kernel with 2038 support |
| glibc | 2.39 | LGPL-2.1-or-later | LICENSES | sources/poky-scarthgap/meta/recipes-core/glibc/ | ✅ Yes | 64-bit time_t |
| busybox | 1.36.x | GPL-2.0-only | LICENSE | sources/poky-scarthgap/meta/recipes-core/busybox/ | ✅ Yes | Core utilities |
| u-boot-tq | 2023.10 | GPL-2.0-or-later | Licenses/ | sources/meta-tq/recipes-bsp/u-boot/ | ✅ Yes | Bootloader |
| [Additional packages] | | | | | | |

## Generating the Complete Table

### Method 1: Yocto Built-in

```bash
# After successful build
cd ${MIRROR_BASE}/build

# Generate license manifest
bitbake core-image-minimal -c do_populate_lic

# Find license files
find tmp/deploy/licenses -name "license.manifest" -o -name "image_license.manifest"

# Copy for analysis
cp -r tmp/deploy/licenses ${MIRROR_BASE}/licenses/
```

### Method 2: Script-Based Extraction

```bash
#!/bin/bash
# generate-license-table.sh

OUTPUT="license-table.csv"
echo "Package,Version,License,Source,MilitaryUse" > $OUTPUT

cd ${MIRROR_BASE}/build/tmp/deploy/licenses
grep -r "LICENSE:" . | while read line; do
    pkg=$(echo $line | cut -d: -f2)
    lic=$(echo $line | cut -d: -f3)
    # Add logic to determine military use
    echo "$pkg,,$lic,,TBD" >> $OUTPUT
done
```

## Manual Review Required

### Packages to Flag for Review

1. **Firmware blobs** (WiFi, GPU, VPU)
   - Location: `linux-firmware`, `firmware-imx`
   - Often proprietary licenses
   - May require separate approval

2. **Cryptographic software**
   - OpenSSL, gnutls
   - Check export control classifications

3. **Graphics drivers**
   - Vivante GPU drivers (imx-gpu-viv)
   - Proprietary binary blobs

4. **Documentation**
   - CC-BY-SA licensed manuals
   - Generally acceptable

## Military Use Approval Criteria

### Automatic Approval
- MIT, BSD, Apache-2.0: ✅ No restrictions
- GPL/LGPL: ✅ With source code provision

### Requires Legal Review
- GPL-3.0 with anti-tivoization
- Any proprietary license
- Custom/TQ-specific licenses

### Automatic Rejection
- No license information
- Proprietary binary-only
- Export-controlled encryption (without clearance)

## Example Package Analysis

### Linux Kernel (linux-yocto)
- **License:** GPL-2.0-only
- **Military Use:** ✅ Yes
- **Requirement:** Must provide complete kernel source
- **Status:** Source included in mirror

### glibc
- **License:** LGPL-2.1-or-later
- **Military Use:** ✅ Yes  
- **Requirement:** Must provide library source
- **Status:** Source included in mirror

### imx-gpu-viv (Graphics Driver)
- **License:** Proprietary (NXP SLA)
- **Military Use:** ⚠️ Review Required
- **Action:** Check NXP license terms for military use
- **Alternative:** Use open-source etnaviv driver (if available)

## Deliverables for Approval

1. **Complete License Table** (CSV format)
2. **Source Code Archive** (full mirror)
3. **License Texts** (all unique licenses)
4. **Compliance Statement** (document)

---

**Author:** Siggi ⚙️  
**Date:** 2026-03-01  
**Classification:** Internal Use
Initial documentation for TQMa6UL Yocto mirror project Add comprehensive documentation for 2038-compliant BSP migration: - README.md: Project overview, 2038 compliance verification - 2038-problem-analysis.md: Detailed technical analysis confirming Scarthgap (5.0) provides 64-bit time_t on 32-bit ARM - step-by-step-mirror-creation.md: Complete procedure for creating offline mirror on Ubuntu 22.04 outside corporate network - license-compliance.md: License categories, approval criteria, and table templates for military use approval - corporate-network-deployment.md: Installation and build setup for air-gapped corporate environment Target: TQMa6UL-AB (i.MX6 UltraLite) on MBa6x BSP: TQ scarthgap.TQ.ARM.BSP.0006 2038 Status: Verified compliant (kernel 6.6 + glibc 2.38+) Repo: https://code.gegen.autos/openclaw/tqma6-yocto-mirror 2026-03-01 18:39:21 +00:00			`# License Compliance Documentation`

			`Document ID: LIC-COMP-001`
			`Date: 2026-03-01`
			`Scope: Complete license analysis for TQMa6UL Yocto Scarthgap BSP`

			`---`

			`## Overview`

			`This document provides templates and procedures for generating the license compliance table required for software approval.`

			`## License Categories`

			`### Approved for Military Use (Generally)`

			`\| License \| SPDX ID \| Military Use \| Notes \|`
			`\|---------\|---------\|--------------\|-------\|`
			`\| MIT \| MIT \| ✅ Yes \| Permissive, no restrictions \|`
			`\| BSD-2-Clause \| BSD-2-Clause \| ✅ Yes \| Permissive \|`
			`\| BSD-3-Clause \| BSD-3-Clause \| ✅ Yes \| Permissive \|`
			`\| Apache-2.0 \| Apache-2.0 \| ✅ Yes \| Patent grant included \|`
			`\| ISC \| ISC \| ✅ Yes \| Permissive \|`

			`### Copyleft (Requires Source Distribution)`

			`\| License \| SPDX ID \| Military Use \| Notes \|`
			`\|---------\|---------\|--------------\|-------\|`
			`\| GPL-2.0-only \| GPL-2.0-only \| ✅ Yes* \| *Must provide source code \|`
			`\| GPL-2.0-or-later \| GPL-2.0-or-later \| ✅ Yes* \| *Must provide source code \|`
			`\| GPL-3.0-only \| GPL-3.0-only \| ⚠️ Review \| Check anti-tivoization clause \|`
			`\| GPL-3.0-or-later \| GPL-3.0-or-later \| ⚠️ Review \| Check anti-tivoization clause \|`
			`\| LGPL-2.1-only \| LGPL-2.1-only \| ✅ Yes* \| *Must provide library source \|`
			`\| LGPL-2.1-or-later \| LGPL-2.1-or-later \| ✅ Yes* \| *Must provide library source \|`

			`### Special Cases`

			`\| License \| Military Use \| Reason \|`
			`\|---------\|--------------\|--------\|`
			`\| Proprietary \| ❌ No \| Closed source, not auditable \|`
			`\| CC-BY-SA \| ✅ Yes \| Documentation license \|`
			`\| OpenSSL \| ✅ Yes \| Special license, acceptable \|`

			`## License Table Template`

			`Download as CSV: [license-table-template.csv](license-table-template.csv)`

			`\| Package Name \| Version \| License (SPDX) \| License File \| Source Location \| Military Use \| Notes \|`
			`\|--------------\|---------\|----------------\|--------------\|-----------------\|--------------\|-------\|`
			`\| linux-yocto \| 6.6.y \| GPL-2.0-only \| COPYING \| sources/poky-scarthgap/meta/recipes-kernel/linux/ \| ✅ Yes \| Kernel with 2038 support \|`
docs: add distro comparison, recommend dumpling-wayland for Qt/glibc Key updates: - README: comprehensive distro comparison table (spaetzle vs dumpling-wayland) - Recommend dumpling-wayland (glibc) for Qt/GUI applications - spaetzle (musl) explicitly blocks Qt: SKIP_RECIPE[tq-image-qt6] - Both distros are 2038-safe (glibc 2.39 and musl 1.2+ both use 64-bit time_t) - Updated 2038 analysis to cover both C library options - Updated license tables with both glibc and musl entries - Fixed remaining config references (imx → mainline) - Added image availability matrix per distro - Corrected package versions to match Scarthgap 5.0.11 2026-03-01 19:55:10 +00:00			`\| glibc \| 2.39 \| LGPL-2.1-or-later \| LICENSES \| sources/poky-scarthgap/meta/recipes-core/glibc/ \| ✅ Yes \| 64-bit time_t \|`
Initial documentation for TQMa6UL Yocto mirror project Add comprehensive documentation for 2038-compliant BSP migration: - README.md: Project overview, 2038 compliance verification - 2038-problem-analysis.md: Detailed technical analysis confirming Scarthgap (5.0) provides 64-bit time_t on 32-bit ARM - step-by-step-mirror-creation.md: Complete procedure for creating offline mirror on Ubuntu 22.04 outside corporate network - license-compliance.md: License categories, approval criteria, and table templates for military use approval - corporate-network-deployment.md: Installation and build setup for air-gapped corporate environment Target: TQMa6UL-AB (i.MX6 UltraLite) on MBa6x BSP: TQ scarthgap.TQ.ARM.BSP.0006 2038 Status: Verified compliant (kernel 6.6 + glibc 2.38+) Repo: https://code.gegen.autos/openclaw/tqma6-yocto-mirror 2026-03-01 18:39:21 +00:00			`\| busybox \| 1.36.x \| GPL-2.0-only \| LICENSE \| sources/poky-scarthgap/meta/recipes-core/busybox/ \| ✅ Yes \| Core utilities \|`
			`\| u-boot-tq \| 2023.10 \| GPL-2.0-or-later \| Licenses/ \| sources/meta-tq/recipes-bsp/u-boot/ \| ✅ Yes \| Bootloader \|`
			`\| [Additional packages] \| \| \| \| \| \| \|`

			`## Generating the Complete Table`

			`### Method 1: Yocto Built-in`

			```bash
			`# After successful build`
			`cd ${MIRROR_BASE}/build`

			`# Generate license manifest`
			`bitbake core-image-minimal -c do_populate_lic`

			`# Find license files`
			`find tmp/deploy/licenses -name "license.manifest" -o -name "image_license.manifest"`

			`# Copy for analysis`
			`cp -r tmp/deploy/licenses ${MIRROR_BASE}/licenses/`
			```

			`### Method 2: Script-Based Extraction`

			```bash
			`#!/bin/bash`
			`# generate-license-table.sh`

			`OUTPUT="license-table.csv"`
			`echo "Package,Version,License,Source,MilitaryUse" > $OUTPUT`

			`cd ${MIRROR_BASE}/build/tmp/deploy/licenses`
			`grep -r "LICENSE:" . \| while read line; do`
			`pkg=$(echo $line \| cut -d: -f2)`
			`lic=$(echo $line \| cut -d: -f3)`
			`# Add logic to determine military use`
			`echo "$pkg,,$lic,,TBD" >> $OUTPUT`
			`done`
			```

			`## Manual Review Required`

			`### Packages to Flag for Review`

			`1. Firmware blobs (WiFi, GPU, VPU)`
			- Location: `linux-firmware`, `firmware-imx`
			`- Often proprietary licenses`
			`- May require separate approval`

			`2. Cryptographic software`
			`- OpenSSL, gnutls`
			`- Check export control classifications`

			`3. Graphics drivers`
			`- Vivante GPU drivers (imx-gpu-viv)`
			`- Proprietary binary blobs`

			`4. Documentation`
			`- CC-BY-SA licensed manuals`
			`- Generally acceptable`

			`## Military Use Approval Criteria`

			`### Automatic Approval`
			`- MIT, BSD, Apache-2.0: ✅ No restrictions`
			`- GPL/LGPL: ✅ With source code provision`

			`### Requires Legal Review`
			`- GPL-3.0 with anti-tivoization`
			`- Any proprietary license`
			`- Custom/TQ-specific licenses`

			`### Automatic Rejection`
			`- No license information`
			`- Proprietary binary-only`
			`- Export-controlled encryption (without clearance)`

			`## Example Package Analysis`

			`### Linux Kernel (linux-yocto)`
			`- License: GPL-2.0-only`
			`- Military Use: ✅ Yes`
			`- Requirement: Must provide complete kernel source`
			`- Status: Source included in mirror`

			`### glibc`
			`- License: LGPL-2.1-or-later`
			`- Military Use: ✅ Yes`
			`- Requirement: Must provide library source`
			`- Status: Source included in mirror`

			`### imx-gpu-viv (Graphics Driver)`
			`- License: Proprietary (NXP SLA)`
			`- Military Use: ⚠️ Review Required`
			`- Action: Check NXP license terms for military use`
			`- Alternative: Use open-source etnaviv driver (if available)`

			`## Deliverables for Approval`

			`1. Complete License Table (CSV format)`
			`2. Source Code Archive (full mirror)`
			`3. License Texts (all unique licenses)`
			`4. Compliance Statement (document)`

			`---`

			`Author: Siggi ⚙️`
			`Date: 2026-03-01`
			`Classification: Internal Use`