On Thursday, March 19, 2026 at 1:00 PM, Marta Rybczynska wrote: > On Thu, Mar 19, 2026 at 10:48 AM Benjamin Robin <[email protected]> > wrote: > > > Hello Marta, > > > > On Thursday, March 19, 2026 at 9:58 AM, Marta Rybczynska wrote: > > > On Thu, Mar 19, 2026 at 9:45 AM Benjamin Robin via > > lists.openembedded.org > > > <[email protected]> wrote: > > > > > > I have just a slight implementation "detail" if we are using BitBake > > > > fetcher. What is the license that we should use for the sources? > > > > How to declare that in the recipes? > > > > > > > > Because the license of the repositories: > > > > - https://github.com/CVEProject/cvelistV5 : Their is none > > > > - https://github.com/fkie-cad/nvd-json-data-feeds/tree/main/LICENSES > > > > It looks like custom license. > > > > > The CVE project repo does not have a licence included, but it is covered > > by > > > https://www.cve.org/legal/termsofuse (the usage part). It is basically > > MIT. > > > > > > NVD has the specific, licence, the one that is in the repo. A warning on > > > the > > > needed disclosure sentence in all documentation. > > > > So for you, it is fine to declare that the CVE databases are MIT? > > > > CVE database is MIT > NVD (so also FKIE) is custom
NVD license is apparently "cve-tou" which is available in Yocto. > > > > > AUTOREV isn't great here because it will re-fetch for each build. So if > > > you're > > > building multiple images or platforms (in CI or so), you will get > > > potentially different > > > results. cve-check has a set of variable to handle such use cases. You > > pin > > > to one specific release and do the whole checking with one single common > > > version. > > > > Yes, that is why I initially pushed to use my custom fetcher that is > > doing a git pull / shallow clone. With this fetcher I have a full control > > on the update period. > > > > But if we want to use BitBake fetcher, an user could pin to a specific > > version instead of using AUTOREV. But the user needs to to that manually. > > > > > I agree with Richard that using a git fetcher (or other existing fetcher) > is a better > idea than developing a custom fetcher. I am preparing a v5 of the patch series based on this RFC series, which is going to use the BitBake fetcher. -- Benjamin Robin, Bootlin Embedded Linux and Kernel engineering https://bootlin.com
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#233525): https://lists.openembedded.org/g/openembedded-core/message/233525 Mute This Topic: https://lists.openembedded.org/mt/118219723/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
