Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apko for openSUSE:Factory checked in at 2026-02-19 14:23:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apko (Old) and /work/SRC/openSUSE:Factory/.apko.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apko" Thu Feb 19 14:23:41 2026 rev:96 rq:1333883 version:1.1.9 Changes: -------- --- /work/SRC/openSUSE:Factory/apko/apko.changes 2026-02-18 17:07:01.513707872 +0100 +++ /work/SRC/openSUSE:Factory/.apko.new.1977/apko.changes 2026-02-19 14:23:49.103814325 +0100 @@ -1,0 +2,12 @@ +Thu Feb 19 07:35:23 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 1.1.9: + * sbom: Include predicate type as the output SBOM. (#2005) + * build(deps): bump google.golang.org/api from 0.266.0 to 0.267.0 + (#2078) + * build(deps): bump chainguard-dev/actions from 1.6.1 to 1.6.2 + (#2077) + * docs: update GoVersion to go1.25. (#2075) + * spdx: set purpose on OCI layers (#2046) + +------------------------------------------------------------------- Old: ---- apko-1.1.8.obscpio New: ---- apko-1.1.9.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apko.spec ++++++ --- /var/tmp/diff_new_pack.PlgjWp/_old 2026-02-19 14:23:50.179858969 +0100 +++ /var/tmp/diff_new_pack.PlgjWp/_new 2026-02-19 14:23:50.183859135 +0100 @@ -17,7 +17,7 @@ Name: apko -Version: 1.1.8 +Version: 1.1.9 Release: 0 Summary: Build OCI images from APK packages directly without Dockerfile License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.PlgjWp/_old 2026-02-19 14:23:50.219860628 +0100 +++ /var/tmp/diff_new_pack.PlgjWp/_new 2026-02-19 14:23:50.223860794 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/chainguard-dev/apko</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.1.8</param> + <param name="revision">v1.1.9</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.PlgjWp/_old 2026-02-19 14:23:50.239861458 +0100 +++ /var/tmp/diff_new_pack.PlgjWp/_new 2026-02-19 14:23:50.247861790 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/apko</param> - <param name="changesrevision">5b0e4ae614eed88cc9d7fea6bcb1db9c41afb5b9</param></service></servicedata> + <param name="changesrevision">1a683b227173c90d68cba68c21b662e1f94276b0</param></service></servicedata> (No newline at EOF) ++++++ apko-1.1.8.obscpio -> apko-1.1.9.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/CONTRIBUTING.md new/apko-1.1.9/CONTRIBUTING.md --- old/apko-1.1.8/CONTRIBUTING.md 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/CONTRIBUTING.md 2026-02-19 07:52:51.000000000 +0100 @@ -46,7 +46,7 @@ GitCommit: unknown GitTreeState: unknown BuildDate: unknown -GoVersion: go1.18 +GoVersion: go1.25 Compiler: gc Platform: linux/amd64 @@ -59,7 +59,7 @@ ## Linting and Tests Before submitting a pull request, make sure tests and lints do not complain. -Make sure you have go 1.18 and +Make sure you have go 1.25 or later and [golangci-lint](https://golangci-lint.run/welcome/install/) installed and try running the linter and tests: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/go.mod new/apko-1.1.9/go.mod --- old/apko-1.1.8/go.mod 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/go.mod 2026-02-19 07:52:51.000000000 +0100 @@ -30,7 +30,7 @@ golang.org/x/sync v0.19.0 golang.org/x/sys v0.41.0 golang.org/x/time v0.14.0 - google.golang.org/api v0.266.0 + google.golang.org/api v0.267.0 gopkg.in/ini.v1 v1.67.1 gopkg.in/yaml.v3 v3.0.1 k8s.io/apimachinery v0.35.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/go.sum new/apko-1.1.9/go.sum --- old/apko-1.1.8/go.sum 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/go.sum 2026-02-19 07:52:51.000000000 +0100 @@ -373,8 +373,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/api v0.266.0 h1:hco+oNCf9y7DmLeAtHJi/uBAY7n/7XC9mZPxu1ROiyk= -google.golang.org/api v0.266.0/go.mod h1:Jzc0+ZfLnyvXma3UtaTl023TdhZu6OMBP9tJ+0EmFD0= +google.golang.org/api v0.267.0 h1:w+vfWPMPYeRs8qH1aYYsFX68jMls5acWl/jocfLomwE= +google.golang.org/api v0.267.0/go.mod h1:Jzc0+ZfLnyvXma3UtaTl023TdhZu6OMBP9tJ+0EmFD0= google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M= google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I= google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 h1:Jr5R2J6F6qWyzINc+4AM8t5pfUz6beZpHp678GNrMbE= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/internal/cli/testdata/base_image/sboms/sbom-aarch64.spdx.json new/apko-1.1.9/internal/cli/testdata/base_image/sboms/sbom-aarch64.spdx.json --- old/apko-1.1.8/internal/cli/testdata/base_image/sboms/sbom-aarch64.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/internal/cli/testdata/base_image/sboms/sbom-aarch64.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,7 +8,7 @@ "Tool: apko (0.13.2)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/internal/cli/testdata/base_image/sboms/sbom-index.spdx.json new/apko-1.1.9/internal/cli/testdata/base_image/sboms/sbom-index.spdx.json --- old/apko-1.1.8/internal/cli/testdata/base_image/sboms/sbom-index.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/internal/cli/testdata/base_image/sboms/sbom-index.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,7 +8,7 @@ "Tool: apko (0.13.2)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/internal/cli/testdata/base_image/sboms/sbom-x86_64.spdx.json new/apko-1.1.9/internal/cli/testdata/base_image/sboms/sbom-x86_64.spdx.json --- old/apko-1.1.8/internal/cli/testdata/base_image/sboms/sbom-x86_64.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/internal/cli/testdata/base_image/sboms/sbom-x86_64.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,7 +8,7 @@ "Tool: apko (0.13.2)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json new/apko-1.1.9/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json --- old/apko-1.1.8/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,16 +8,16 @@ "Tool: apko (devel)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, "documentDescribes": [ - "SPDXRef-Package-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a" + "SPDXRef-Package-Image-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a" ], "packages": [ { - "SPDXID": "SPDXRef-Package-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", + "SPDXID": "SPDXRef-Package-Image-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", "name": "sha256:462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", "versionInfo": "sha256:462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", "filesAnalyzed": false, @@ -40,13 +40,14 @@ ] }, { - "SPDXID": "SPDXRef-Package-sha256-b075b4a14ed0c1e236bac3448fa494c77772feb140cfad4033450e45010da27f", + "SPDXID": "SPDXRef-Package-ImageLayer-sha256-b075b4a14ed0c1e236bac3448fa494c77772feb140cfad4033450e45010da27f", "name": "sha256:b075b4a14ed0c1e236bac3448fa494c77772feb140cfad4033450e45010da27f", "versionInfo": "1.0.0", "filesAnalyzed": false, "description": "apko operating system layer", "downloadLocation": "NOASSERTION", "supplier": "Organization: Replaces", + "primaryPackagePurpose": "CONTAINER", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -142,9 +143,9 @@ ], "relationships": [ { - "spdxElementId": "SPDXRef-Package-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", + "spdxElementId": "SPDXRef-Package-Image-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", "relationshipType": "CONTAINS", - "relatedSpdxElement": "SPDXRef-Package-sha256-b075b4a14ed0c1e236bac3448fa494c77772feb140cfad4033450e45010da27f" + "relatedSpdxElement": "SPDXRef-Package-ImageLayer-sha256-b075b4a14ed0c1e236bac3448fa494c77772feb140cfad4033450e45010da27f" }, { "spdxElementId": "SPDXRef-Package-pretend-baselayout-1.0.0-r0", @@ -152,7 +153,7 @@ "relatedSpdxElement": "SPDXRef-Package-pretend-baselayout.melange.yaml-8e7230fc2d8afd47a5341ca0ba9b63f93bda5491" }, { - "spdxElementId": "SPDXRef-Package-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", + "spdxElementId": "SPDXRef-Package-Image-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-pretend-baselayout-1.0.0-r0" }, @@ -162,7 +163,7 @@ "relatedSpdxElement": "SPDXRef-Package-replayout.melange.yaml-8e7230fc2d8afd47a5341ca0ba9b63f93bda5491" }, { - "spdxElementId": "SPDXRef-Package-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", + "spdxElementId": "SPDXRef-Package-Image-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-replayout-1.0.0-r0" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/internal/cli/testdata/golden/sboms/sbom-index.spdx.json new/apko-1.1.9/internal/cli/testdata/golden/sboms/sbom-index.spdx.json --- old/apko-1.1.8/internal/cli/testdata/golden/sboms/sbom-index.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/internal/cli/testdata/golden/sboms/sbom-index.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,7 +8,7 @@ "Tool: apko (devel)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json new/apko-1.1.9/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json --- old/apko-1.1.8/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,16 +8,16 @@ "Tool: apko (devel)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, "documentDescribes": [ - "SPDXRef-Package-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a" + "SPDXRef-Package-Image-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a" ], "packages": [ { - "SPDXID": "SPDXRef-Package-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", + "SPDXID": "SPDXRef-Package-Image-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", "name": "sha256:3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", "versionInfo": "sha256:3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", "filesAnalyzed": false, @@ -40,13 +40,14 @@ ] }, { - "SPDXID": "SPDXRef-Package-sha256-622ca92e75385bab9884a8c8c65c3f4a4c3dd0eafbd2a57f2762bafcb393a456", + "SPDXID": "SPDXRef-Package-ImageLayer-sha256-622ca92e75385bab9884a8c8c65c3f4a4c3dd0eafbd2a57f2762bafcb393a456", "name": "sha256:622ca92e75385bab9884a8c8c65c3f4a4c3dd0eafbd2a57f2762bafcb393a456", "versionInfo": "1.0.0", "filesAnalyzed": false, "description": "apko operating system layer", "downloadLocation": "NOASSERTION", "supplier": "Organization: Replaces", + "primaryPackagePurpose": "CONTAINER", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -142,9 +143,9 @@ ], "relationships": [ { - "spdxElementId": "SPDXRef-Package-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", + "spdxElementId": "SPDXRef-Package-Image-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", "relationshipType": "CONTAINS", - "relatedSpdxElement": "SPDXRef-Package-sha256-622ca92e75385bab9884a8c8c65c3f4a4c3dd0eafbd2a57f2762bafcb393a456" + "relatedSpdxElement": "SPDXRef-Package-ImageLayer-sha256-622ca92e75385bab9884a8c8c65c3f4a4c3dd0eafbd2a57f2762bafcb393a456" }, { "spdxElementId": "SPDXRef-Package-pretend-baselayout-1.0.0-r0", @@ -152,7 +153,7 @@ "relatedSpdxElement": "SPDXRef-Package-pretend-baselayout.melange.yaml-8e7230fc2d8afd47a5341ca0ba9b63f93bda5491" }, { - "spdxElementId": "SPDXRef-Package-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", + "spdxElementId": "SPDXRef-Package-Image-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-pretend-baselayout-1.0.0-r0" }, @@ -162,7 +163,7 @@ "relatedSpdxElement": "SPDXRef-Package-replayout.melange.yaml-8e7230fc2d8afd47a5341ca0ba9b63f93bda5491" }, { - "spdxElementId": "SPDXRef-Package-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", + "spdxElementId": "SPDXRef-Package-Image-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-replayout-1.0.0-r0" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/pkg/build/sbom.go new/apko-1.1.9/pkg/build/sbom.go --- old/apko-1.1.8/pkg/build/sbom.go 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/pkg/build/sbom.go 2026-02-19 07:52:51.000000000 +0100 @@ -129,10 +129,11 @@ return nil, fmt.Errorf("generating %s sbom: %w", gen.Key(), err) } sboms = append(sboms, types.SBOM{ - Path: filename, - Format: gen.Key(), - Arch: arch.String(), - Digest: h, + Path: filename, + Format: gen.Key(), + PredicateType: gen.PredicateType(), + Arch: arch.String(), + Digest: h, }) } return sboms, nil @@ -259,9 +260,10 @@ return nil, fmt.Errorf("generating %s sbom: %w", gen.Key(), err) } sboms = append(sboms, types.SBOM{ - Path: filename, - Format: gen.Key(), - Digest: h, + Path: filename, + Format: gen.Key(), + PredicateType: gen.PredicateType(), + Digest: h, }) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/pkg/build/types/types.go new/apko-1.1.9/pkg/build/types/types.go --- old/apko-1.1.8/pkg/build/types/types.go 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/pkg/build/types/types.go 2026-02-19 07:52:51.000000000 +0100 @@ -429,10 +429,11 @@ } type SBOM struct { - Arch string - Path string - Format string - Digest v1.Hash + Arch string + Path string + Format string + PredicateType string + Digest v1.Hash } type Layering struct { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/pkg/sbom/generator/generator.go new/apko-1.1.9/pkg/sbom/generator/generator.go --- old/apko-1.1.8/pkg/sbom/generator/generator.go 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/pkg/sbom/generator/generator.go 2026-02-19 07:52:51.000000000 +0100 @@ -25,6 +25,7 @@ type Generator interface { Key() string Ext() string + PredicateType() string Generate(context.Context, *options.Options, string) error GenerateIndex(*options.Options, string) error } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/pkg/sbom/generator/spdx/spdx.go new/apko-1.1.9/pkg/sbom/generator/spdx/spdx.go --- old/apko-1.1.8/pkg/sbom/generator/spdx/spdx.go 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/pkg/sbom/generator/spdx/spdx.go 2026-02-19 07:52:51.000000000 +0100 @@ -66,6 +66,10 @@ return "spdx.json" } +func (sx *SPDX) PredicateType() string { + return "https://spdx.dev/Document"; +} + func stringToIdentifier(in string) (out string) { in = strings.ReplaceAll(in, ":", "-") return validIDCharsRe.ReplaceAllStringFunc(in, func(s string) string { @@ -104,7 +108,7 @@ fmt.Sprintf("Tool: apko (%s)", version.GetVersionInfo().GitVersion), "Organization: Chainguard, Inc", }, - LicenseListVersion: "3.16", + LicenseListVersion: "3.27", }, DataLicense: "CC0-1.0", Namespace: "https://spdx.org/spdxdocs/apko/";, @@ -407,7 +411,7 @@ func (sx *SPDX) imagePackage(opts *options.Options) (p *Package) { return &Package{ ID: stringToIdentifier(fmt.Sprintf( - "SPDXRef-Package-%s", opts.ImageInfo.ImageDigest, + "SPDXRef-Package-Image-%s", opts.ImageInfo.ImageDigest, )), Name: opts.ImageInfo.ImageDigest, Version: opts.ImageInfo.ImageDigest, @@ -441,12 +445,13 @@ mainPkgID := stringToIdentifier(layerPackageName) return &Package{ - ID: fmt.Sprintf("SPDXRef-Package-%s", mainPkgID), + ID: fmt.Sprintf("SPDXRef-Package-ImageLayer-%s", mainPkgID), Name: layerPackageName, Version: opts.OS.Version, FilesAnalyzed: false, Description: "apko operating system layer", DownloadLocation: NOASSERTION, + PrimaryPurpose: "CONTAINER", Originator: "", Supplier: supplier(opts), Checksums: []Checksum{}, @@ -566,7 +571,7 @@ fmt.Sprintf("Tool: apko (%s)", version.GetVersionInfo().GitVersion), "Organization: Chainguard, Inc", }, - LicenseListVersion: "3.16", + LicenseListVersion: "3.27", }, DataLicense: "CC0-1.0", Namespace: "https://spdx.org/spdxdocs/apko/";, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json --- old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,22 +8,23 @@ "Tool: apko (devel)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, "documentDescribes": [ - "SPDXRef-Package-" + "SPDXRef-Package-ImageLayer-" ], "packages": [ { - "SPDXID": "SPDXRef-Package-", + "SPDXID": "SPDXRef-Package-ImageLayer-", "name": "", "versionInfo": "3.0", "filesAnalyzed": false, "description": "apko operating system layer", "downloadLocation": "NOASSERTION", "supplier": "Organization: unknown", + "primaryPackagePurpose": "CONTAINER", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -103,7 +104,7 @@ "relatedSpdxElement": "SPDXRef-Package-dep-from-relationship-2.0.0" }, { - "spdxElementId": "SPDXRef-Package-", + "spdxElementId": "SPDXRef-Package-ImageLayer-", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-test-pkg-both-1.0.0-r0" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json --- old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,22 +8,23 @@ "Tool: apko (devel)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, "documentDescribes": [ - "SPDXRef-Package-" + "SPDXRef-Package-ImageLayer-" ], "packages": [ { - "SPDXID": "SPDXRef-Package-", + "SPDXID": "SPDXRef-Package-ImageLayer-", "name": "", "versionInfo": "3.0", "filesAnalyzed": false, "description": "apko operating system layer", "downloadLocation": "NOASSERTION", "supplier": "Organization: unknown", + "primaryPackagePurpose": "CONTAINER", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -64,7 +65,7 @@ ], "relationships": [ { - "spdxElementId": "SPDXRef-Package-", + "spdxElementId": "SPDXRef-Package-ImageLayer-", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-font-ubuntu-0.869-r1" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json --- old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,22 +8,23 @@ "Tool: apko (devel)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, "documentDescribes": [ - "SPDXRef-Package-" + "SPDXRef-Package-ImageLayer-" ], "packages": [ { - "SPDXID": "SPDXRef-Package-", + "SPDXID": "SPDXRef-Package-ImageLayer-", "name": "", "versionInfo": "3.0", "filesAnalyzed": false, "description": "apko operating system layer", "downloadLocation": "NOASSERTION", "supplier": "Organization: unknown", + "primaryPackagePurpose": "CONTAINER", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -126,7 +127,7 @@ "relatedSpdxElement": "SPDXRef-Package-npm-lodash" }, { - "spdxElementId": "SPDXRef-Package-", + "spdxElementId": "SPDXRef-Package-ImageLayer-", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-test-pkg-describes-1.0.0-r0" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json --- old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,22 +8,23 @@ "Tool: apko (devel)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, "documentDescribes": [ - "SPDXRef-Package-" + "SPDXRef-Package-ImageLayer-" ], "packages": [ { - "SPDXID": "SPDXRef-Package-", + "SPDXID": "SPDXRef-Package-ImageLayer-", "name": "", "versionInfo": "3.0", "filesAnalyzed": false, "description": "apko operating system layer", "downloadLocation": "NOASSERTION", "supplier": "Organization: Apko Images, Plc", + "primaryPackagePurpose": "CONTAINER", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -64,7 +65,7 @@ ], "relationships": [ { - "spdxElementId": "SPDXRef-Package-", + "spdxElementId": "SPDXRef-Package-ImageLayer-", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-libattr1-2.5.1-r2" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json --- old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,22 +8,23 @@ "Tool: apko (devel)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, "documentDescribes": [ - "SPDXRef-Package-" + "SPDXRef-Package-ImageLayer-" ], "packages": [ { - "SPDXID": "SPDXRef-Package-", + "SPDXID": "SPDXRef-Package-ImageLayer-", "name": "", "versionInfo": "3.0", "filesAnalyzed": false, "description": "apko operating system layer", "downloadLocation": "NOASSERTION", "supplier": "Organization: unknown", + "primaryPackagePurpose": "CONTAINER", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -129,7 +130,7 @@ "relatedSpdxElement": "SPDXRef-Package-github.com-elastic-logstash-v8.15.3-8364c8e89cfb113e38ec3f966df7eb1e9abe9d33-0" }, { - "spdxElementId": "SPDXRef-Package-", + "spdxElementId": "SPDXRef-Package-ImageLayer-", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-logstash-8-8.15.3-r4" }, @@ -144,7 +145,7 @@ "relatedSpdxElement": "SPDXRef-Package-github.com-elastic-logstash-v8.15.3-8364c8e89cfb113e38ec3f966df7eb1e9abe9d33-0" }, { - "spdxElementId": "SPDXRef-Package-", + "spdxElementId": "SPDXRef-Package-ImageLayer-", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-logstash-8-compat-8.15.3-r4" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json --- old/apko-1.1.8/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json 2026-02-16 16:12:52.000000000 +0100 +++ new/apko-1.1.9/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json 2026-02-19 07:52:51.000000000 +0100 @@ -8,22 +8,23 @@ "Tool: apko (devel)", "Organization: Chainguard, Inc" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.27" }, "dataLicense": "CC0-1.0", "documentNamespace": "https://spdx.org/spdxdocs/apko/";, "documentDescribes": [ - "SPDXRef-Package-" + "SPDXRef-Package-ImageLayer-" ], "packages": [ { - "SPDXID": "SPDXRef-Package-", + "SPDXID": "SPDXRef-Package-ImageLayer-", "name": "", "versionInfo": "3.0", "filesAnalyzed": false, "description": "apko operating system layer", "downloadLocation": "NOASSERTION", "supplier": "Organization: unknown", + "primaryPackagePurpose": "CONTAINER", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -148,7 +149,7 @@ "relatedSpdxElement": "SPDXRef-Package-github.com-NLnetLabs-unbound-release-1.23.0-30c13d0351abd2edc3d6dc76365f576c87b9736e-0" }, { - "spdxElementId": "SPDXRef-Package-", + "spdxElementId": "SPDXRef-Package-ImageLayer-", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-unbound-libs-1.23.0-r0" }, @@ -163,7 +164,7 @@ "relatedSpdxElement": "SPDXRef-Package-github.com-NLnetLabs-unbound-release-1.23.0-30c13d0351abd2edc3d6dc76365f576c87b9736e-0" }, { - "spdxElementId": "SPDXRef-Package-", + "spdxElementId": "SPDXRef-Package-ImageLayer-", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-unbound-1.23.0-r0" }, @@ -178,7 +179,7 @@ "relatedSpdxElement": "SPDXRef-Package-github.com-NLnetLabs-unbound-release-1.23.0-30c13d0351abd2edc3d6dc76365f576c87b9736e-0" }, { - "spdxElementId": "SPDXRef-Package-", + "spdxElementId": "SPDXRef-Package-ImageLayer-", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-unbound-config-1.23.0-r0" } ++++++ apko.obsinfo ++++++ --- /var/tmp/diff_new_pack.PlgjWp/_old 2026-02-19 14:23:50.963891497 +0100 +++ /var/tmp/diff_new_pack.PlgjWp/_new 2026-02-19 14:23:50.967891663 +0100 @@ -1,5 +1,5 @@ name: apko -version: 1.1.8 -mtime: 1771254772 -commit: 5b0e4ae614eed88cc9d7fea6bcb1db9c41afb5b9 +version: 1.1.9 +mtime: 1771483971 +commit: 1a683b227173c90d68cba68c21b662e1f94276b0 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/apko/vendor.tar.gz /work/SRC/openSUSE:Factory/.apko.new.1977/vendor.tar.gz differ: char 15, line 1
