automated-license-compliance: Update with changes for Rust packages

In particular, dh_dwarf2sources was renamed to dh_setup_copyright and
now performs additional tasks.

https://phabricator.apertis.org/T8554



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

content/concepts/automated-license-compliance.md

@@ -94,7 +94,7 @@ This utility has access to the source licensing report as it is contained in the
 As well as the source licensing, the Debian metadata archive contains configuration to help `dpkg-buildpackage` determine how to build the source.
 This is typically done with the help of [`debhelper`](https://manpages.debian.org/jessie/debhelper/debhelper.7.en.html), which provides helpers that simplify this process.
 
-Apertis extended `debhelper` by including a new command `dh_dwarf2sources` to perform the source file name extraction using `dwarf2sources` as described above. Typically the binaries are striped (using a debhelper command called `dh_strip`) prior to packaging, removing the debug symbols from the binary and reducing its size. For this reason `dh_dwarf2sources` is placed before this step in the `dh` sequence. Whilst the debug symbols are kept, packaged separately in the `dbgsym` package, it's easier to perform the mapping before this is done. The result is stored in the binary package under `/usr/share/doc/<package>/`.
+Apertis extended `debhelper` by including a new command `dh_setup_copyright` to perform the source file name extraction using `dwarf2sources` as described above, as well as copy in any copyright reports coming from source files that are part of external packages. Typically the binaries are stripped (using a debhelper command called `dh_strip`) prior to packaging, removing the debug symbols from the binary and reducing its size. For this reason `dh_setup_copyright` is placed before this step in the `dh` sequence. Whilst the debug symbols are kept, packaged separately in the `dbgsym` package, it's easier to perform the mapping before this is done. All the results from this command are stored in the binary package under `/usr/share/doc/<package>/`.
 
 Following this same idea, Apertis also extends `debhelper` the command `dh_installdocs` to install the license report generated by FOSSolgy in the binary under `/usr/share/doc/<package>/copyright_report`.
 
@@ -115,7 +115,7 @@ Not all possible combinations of licenses work out this way and thus why it is i
 
 The approach each project using Apertis takes with regards to the reporting of licensing information should be driven by how this information is to be utilized, i.e. some projects may wish to parse the license information and present it in a single BOM file in HTML, XML or human readable text.
 
-For the images provided by the Apertis project, the script `generate_bom.py` combines the reports saved in `/usr/share/doc/<package>/`, which consists in a `json` per package and a `DEP5` file per source package into a single `json` file which is provided with the image. This file can be generated with different levels of verbosity allowing to list licenses per image, package, binary or source file.
+For the images provided by the Apertis project, the script `generate_bom.py` combines the reports saved in `/usr/share/doc/<package>/`, using the binary-to-sources JSON mappings and the external package copyright information, into a single `json` file which is provided with the image. This file can be generated with different levels of verbosity allowing to list licenses per image, package, binary or source file.
 
 This same scripts also issues a warning in case a problematic license is found.
 
@@ -152,26 +152,39 @@ Other packages only provide copyright information which currently is not include
    pipeline will fail if problematic licenses are detected and the affected
    files are not whitelisted
 1. when the sources are submitted to OBS, during the build the
-   [`dh_dwarf2sources` subcommand for Debhelper](https://gitlab.apertis.org/pkg/debhelper/-/blob/apertis/v2023dev2/dh_dwarf2sources)
+   [`dh_setup_copyright` subcommand for Debhelper](https://gitlab.apertis.org/pkg/debhelper/-/blob/apertis/v2023dev2/dh_setup_copyright)
    calls the
    [`dwarf2sources` tool](https://gitlab.apertis.org/pkg/dwarf2sources/)
-   to generate a mapping from binaries to the source files used to build them
+   to generate a mapping from binaries to the source files used to build them and
+   determine if any of those source files came from external packages
 1. the output is included in the same `.deb` file as the processed
-   library/executable, as `/usr/share/doc/$packagename/$packagename_bin2sources_$packagearch.json`
+   library/executable:
+   - `/usr/share/doc/$packagename/$packagename_bin2sources_$packagearch.json`,
+     containing the mapping from binaries to source files
+   - `/usr/share/doc/$packagename/external_copyrights/`, a directory containing
+     all the copyrights of packages whose source files were directly embedded
+     into this package's binaries
+   - `/usr/share/doc/$packagename/$packagename_metadata_$packagearch.json`,
+     containing any other metadata related to copyrights (at the moment, this
+     maps source files from external packages to the package names that provided
+     them)
 1. during the same build on OBS, a custom hook in the `dh_installdocs` step
    stores the `debian/apertis/copyright` sourcefile-to-licenses mapping as
    `/usr/share/doc/$packagename/copyright_report.gz` in the binary `.deb`
    packages, to make it available when the packages get installed
-1. for each installed `.deb` package both the
-   `/usr/share/doc/$packagename/$packagename_bin2sources_$packagearch.json` and
-   `/usr/share/doc/$packagename/copyright_report.gz` files get unpacked during
-   image generation
+1. for each installed `.deb` package,
+   `/usr/share/doc/$packagename/$packagename_bin2sources_$packagearch.json`,
+   `/usr/share/doc/$packagename/$packagename_metadata_$packagearch.json`,
+   `/usr/share/doc/$packagename/external_coprights/`, and
+   `/usr/share/doc/$packagename/copyright_report.gz` get unpacked during image
+   generation
 1. the [`generate_bom.py` script](https://gitlab.apertis.org/infrastructure/apertis-image-recipes/-/blob/apertis/v2023dev2/scripts/generate_bom.py)
-   is [invoked at the end of each image recipe](https://gitlab.apertis.org/infrastructure/apertis-image-recipes/-/blob/apertis/v2023dev2/image-uboot.yaml),
+   is [invoked at the end of each image recipe](https://gitlab.apertis.org/infrastructure/apertis-image-recipes/-/apertis/v2023dev2/image-uboot.yaml),
    loading all the
    `/usr/share/doc/$packagename/$packagename_bin2sources_$packagearch.json`
-   binary-to-sourcefiles mappings and
-   `/usr/share/doc/$packagename/copyright_report.gz` sourcefile-to-licenses mappings
+   binary-to-sourcefiles mappings,
+   `/usr/share/doc/$packagename/copyright_report.gz` sourcefile-to-licenses mappings,
+   and `/usr/share/doc/$packagename/external_copyrights` external package copyrights
    to combine them and produce
    [a JSON `.licenses` report](https://images.apertis.org/release/v2022dev2/v2022dev2.0/arm64/minimal/apertis_v2022dev2-minimal-arm64-rpi64_v2022dev2.0.img.licenses.gz)
    with the binary-to-licenses mapping to match each library and executable