BalenaOS: Bills of Materials(BOMs) for licenses and copyright

Product support balenaOS
1

Hi,

First of all thank you very much for Balena. This is really awesome! I was impressed by how easy it is to get started, and how you managed to abstract complexities of using single board computers. The entire experience flows very well. Thank you!

I am evaluating different solutions, and one important aspect for us is the bills of materials for licenses and copyright. We can manage that for our own applications, but we would like to have it for the BalenaOS as well.

Do you have the BOMs for the BalenaOS?

Thanks a lot again!

3

Hi, BalenaOS is using Yocto Project, and a manifest file with a list of packages and versions is available on compilation. We also publish those manifest files but we don’t have a UI to access them.

For example, to obtain the manifest for the production build of v2.80.5+rev1 for the raspberrypi4-64 you would do:

device_type=raspberrypi4-64
os_version=2.80.5%2Brev1.prod
image_name=balena-image

curl https://files.balena-cloud.com/images/${device_type}/${os_version}/${image_name}-${device_type}.manifest > /tmp/${image_name}-${device_type}.manifest

If your device type uses flasher images you would use balena-image-flasher as image_name, and if you want a development image you would substitute the prod suffix in the os_version with dev. You can get a list of device types and versions using balena CLI:

balena devices supported
balena os versions ${device_type}

License information is also available from the Yocto build, however we do not currently publish it. You will need to manually build the device type repository at the specific version tag you need with the following extra configuration in your conf/local.conf file:

INHERIT += "archiver"
ARCHIVER_MODE[src] = "original"
ARCHIVER_MODE[diff] = "1"
ARCHIVER_MODE[recipe] = "1"
COPY_LIC_MANIFEST = "1"
COPY_LIC_DIRS = "1"

We have an open request to provide this information with the builds, but unfortunately we don’t have an ETA for this yet (Output image license information for BalenaOS release · Issue #1955 · balena-os/meta-balena · GitHub). I have linked that issue in this ticket so we will update you here once progress is made.

5

@alexgg thank you very much for your help, your instructions provide us what we are looking for. Thank you!

6

Good to know Peter. Just a caveat I forgot to mention is that for flasher images the manifest file belongs to the image used to flash and not to the image actually being installed (the balena-image), and only the flasher image artifact is deployed. In this case a manual build will also provide you with the balena-image manifest.