doraskayo commented on code in PR #2095:
URL: https://github.com/apache/buildstream/pull/2095#discussion_r2665987016


##########
src/buildstream/source.py:
##########
@@ -572,14 +580,54 @@ def __init__(
         The url of the source input
         """
 
+        self.concluded_license: Optional[str] = concluded_license
+        """
+        The license of the source project as declared by the authors
+        """
+
+        self.copyright_text: Optional[str] = copyright_text
+        """
+        Copyright notice of the source
+        """
+
+        self.declared_license: Optional[str] = declared_license
+        """
+        Licences that have been officially declared for the source
+        """
+
+        self.description: Optional[str] = description
+        """
+        Description of the source
+        """
+
+        self.external_reference: Optional[str] = external_reference
+        """
+        Reference to an external source of information or assets relevant to 
the source
+        """
+
         self.homepage: Optional[str] = homepage
         """
-        The project homepage URL
+        The source's homepage URL
         """
 
         self.issue_tracker: Optional[str] = issue_tracker
         """
-        The project issue tracking URL
+        The source's issue tracking URL
+        """
+
+        self.name: Optional[str] = name
+        """
+        Name of the source
+        """
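Review bot: the docstrings for `concluded_license` and `declared_license` describe the same thing and lose the SPDX distinction: `concluded_license` is documented as "The license of the source project as declared by the authors", which is exactly what `declared_license` ("Licences that have been officially declared for the source") already covers. In SPDX the concluded license is the license the SBOM producer determines after examining the source, which may differ from what the authors declared; suggest rewording the `concluded_license` docstring to say so, and while there, use one spelling ("license" vs. "Licences") across the new fields.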

Review Comment:
   This might be a more general comment, but the `name` field appears to be one of the only mandatory package fields [in SPDX 2.3](https://spdx.github.io/spdx-spec/v2.3/package-information/#71-package-name-field) and is quite important to make an SBoM useful. As such, at the very least, I would expect it to be:
   
   1. Provided by all core source plugins that can reproduce it reliably (maybe `cargo` and `pip`?), instead of letting consumers guess it based on the `url` field.
   2. Made optionally user-configurable in all core plugins that cannot reliably reproduce it on their own every time, such as `tar` and other plugins that inherit from `DownloadableFileSource`. This would be similar to the `version` and `version-guess-pattern` configurations.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
