nuttxpr commented on PR #15018: URL: https://github.com/apache/nuttx/pull/15018#issuecomment-2511398040
[**\[Experimental Bot, please feedback here\]**](https://github.com/search?q=repo%3Aapache%2Fnuttx+13552&type=issues) No, this PR description does not fully meet the NuttX requirements. While it touches on some points, it lacks crucial details. Here's a breakdown: **Missing/Insufficient Information:** * **Summary:** * While the "why" is stated, it's too general. What *specific* problem does the lack of SPDX identifiers cause? Be explicit. * The "what" and "how" are missing entirely. *Which* files are changed? *How* are SPDX identifiers being added (e.g., new config option, direct modification of source files, new build system logic)? * Issue references are missing. * **Impact:** "SBOM" is not sufficient. You must answer all the yes/no questions explicitly. For example: * *Is new feature added?* Likely YES (SBOM generation capability, even if indirect) * *Is existing feature changed?* Possibly YES, depending on implementation. * *Impact on user?* Potentially YES if any build options or configuration changes are required. * *Impact on build?* Likely YES if the build system needs changes to handle SPDX information. * *Impact on hardware?* Likely NO. * *Impact on documentation?* Likely YES, if any user-facing changes occur. * *Impact on security?* Potentially YES or NO. Justify your answer. Adding SPDX identifiers themselves might not directly change security, but the *process* of generating SBOMs might expose vulnerabilities if not done carefully. * *Impact on compatibility?* Likely NO, but specify. * **Testing:** "CI" is insufficient. List the *specific* build hosts and targets tested *locally*. Don't just rely on CI. Provide actual log snippets showcasing the difference in behavior before and after the change. What did you *observe* that confirms the SPDX identifiers are being correctly handled? For example, did you generate an SBOM and verify its contents? **Example of how to improve the summary:** "Many compliance and SBOM generation tools require SPDX identifiers. Currently, NuttX lacks these identifiers, making automated SBOM generation difficult. This change adds SPDX license identifiers to all applicable source files within the `drivers/sensors` directory by modifying the file headers. This lays the groundwork for future automated SBOM generation and improves compliance efforts. Relates to NuttX Issue #1234." (Replace #1234 with the actual issue number). **Example of how to improve the testing section:** * Build Host(s): Linux (Ubuntu 22.04), x86_64, GCC 11.2 * Target(s): sim:nsh Testing logs before change (output of `sbom-tool`): ``` No SPDX identifiers found. ``` Testing logs after change (output of `sbom-tool`): ``` Component: drivers/sensors/xyz_sensor.c License: Apache-2.0 ... other components ... ``` (Replace `sbom-tool` with the actual tool used and provide realistic log snippets) By providing this level of detail, reviewers can quickly understand the change, its impact, and its verification, leading to faster and more effective code reviews. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
