The license JSON file only included the package names but not
any other metadata. Also, since the file was not on the image itself,
it had to be downloaded.
Add more metadata to the license JSON and store it on the image.
portage-stable was updated to be in sync with upstream, so that the new
GLSA 201810-10, where systemd v238 got rejected due to security issues.
However, coreos-overlay still uses systemd v238. So we should also
follow the upstream strategy of whitelisting GLSA 201810-10, to build
Flatcar based on the current coreos-overlay.
So simply merge upstream/master into flatcar-master.
This changes the format from:
    sys-apps/systemd-212-r8::coreos GPL-2 LGPL-2.1 MIT public-domain
to a JSON structure:
    [
      {
        "project": "sys-apps/systemd-212-r8::coreos",
        "license": ["GPL-2", "LGPL-2.1", "MIT", "public-domain"]
      }
    ]
We don't have to worry about the changing format because the previous
format was never published. This is designed to match the
bill-of-materials [1] format so that it can be consumed by the site.
[1]: https://github.com/coreos/license-bill-of-materials
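
The format change described above, as an added example that is not code from the commit or the project: a converter from the old one-line-per-package listing to the JSON structure. The function names, the second sample line and the empty-license check are assumptions made for illustration.

```python
import json


def parse_license_line(line):
    """Turn one 'package license [license ...]' line into a JSON-ready entry."""
    fields = line.split()
    if not fields:
        return None  # blank line, nothing to record
    project, licenses = fields[0], fields[1:]
    # Assumption: every package is written as category/name, as in the sample.
    if "/" not in project:
        raise ValueError(f"not a package name: {project!r}")
    return {"project": project, "license": licenses}


def convert(text):
    """Convert the whole old-format listing into a list of entries."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_license_line(line)
        except ValueError as exc:
            # Report where the listing is malformed instead of guessing.
            raise ValueError(f"line {lineno}: {exc}") from None
        if entry is not None:
            entries.append(entry)
    return entries


def missing_license(entries):
    """Packages with no license recorded; worth reviewing before shipping."""
    return [e["project"] for e in entries if not e["license"]]


# Constructed sample: the first line is the one quoted in the commit message,
# the second is a made-up package with no license field.
SAMPLE = """\
sys-apps/systemd-212-r8::coreos GPL-2 LGPL-2.1 MIT public-domain

app-misc/example-1.0::coreos
"""

if __name__ == "__main__":
    result = convert(SAMPLE)
    print(json.dumps(result, indent=2))
    print("no license recorded:", missing_license(result))
```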