On Sat, Mar 30, 2024 at 06:29:48PM +0100, Daniel Stenberg via curl-library 
wrote:
> Any proposals for how to document the exact set of tools+versions I use for
> each release in case someone in the future wants to reproduce an ancient
> release tarball?

SPDX seems to be the standard SBOM format for this that tools are starting to
expect.  The format is able to handle complex situations, but given the very
limited scope needed in curl and for source releases only, once you get a
template file set up the first time filling in the details for every release
should be simple.

The spec is at https://spdx.dev/use/specifications/ but it's probably easier to
look at some simple examples to get a feel for it. Even running "reuse spdx" in
the curl tree (the same tool that's keeping curl in REUSE compliance in that CI
build) will output an SPDX file for curl. That one doesn't include the source
build dependencies that you're interested in (because that's not what that
particular tool does) but could be a start of something. The curl SBOM could
also include Debian package names+versions as dependencies.

Dan
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
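A concrete shape for the kind of template Dan describes, as an added example (not code from the curl project or from anyone in this thread): a small Python script that writes an SPDX 2.3 tag-value SBOM for a source release, recording the tarball's SHA-256 and the Debian package versions of the build tools as purl references tied to the release with BUILD_TOOL_OF relationships, plus a sanity check that every relationship points at a declared SPDXID. All version strings, the tarball bytes and the namespace URL are constructed placeholders.

```python
import hashlib
import re

# Constructed sample input: a stand-in for the release tarball and the Debian
# package versions of the tools used to build it (all placeholder values).
SAMPLE_TARBALL = b"constructed stand-in for the curl-X.Y.Z.tar.gz bytes"
SAMPLE_TOOLS = {"autoconf": "2.71-3", "automake": "1.16.5-1.3", "libtool": "2.4.7-5"}

def spdx_id(name: str) -> str:
    # SPDX identifiers may only contain letters, digits, '.' and '-'.
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)

def package(name: str, sid: str, version: str, extra: list) -> list:
    # One tag-value package section. NOASSERTION keeps the template honest
    # about fields this SBOM does not try to answer (license, origin).
    return ["", f"PackageName: {name}", f"SPDXID: {sid}", f"PackageVersion: {version}",
            "PackageDownloadLocation: NOASSERTION", "FilesAnalyzed: false"] + extra + [
            "PackageLicenseConcluded: NOASSERTION", "PackageLicenseDeclared: NOASSERTION",
            "PackageCopyrightText: NOASSERTION"]

def build_sbom(version: str, tarball: bytes, tools: dict, created: str) -> str:
    release = spdx_id(f"curl-{version}")
    doc = ["SPDXVersion: SPDX-2.3", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           f"DocumentName: curl-{version}-source",
           f"DocumentNamespace: https://example.invalid/spdx/curl-{version}",  # placeholder
           "Creator: Tool: sbom-example", f"Created: {created}"]
    # The artifact being described: the release tarball, pinned by its SHA-256.
    doc += package("curl", release, version,
                   [f"PackageChecksum: SHA256: {hashlib.sha256(tarball).hexdigest()}"])
    rels = [f"Relationship: SPDXRef-DOCUMENT DESCRIBES {release}"]
    for name, ver in sorted(tools.items()):
        sid = spdx_id(f"tool-{name}")
        # A purl pins the exact distro package so a later rebuild can fetch the same one.
        purl = f"ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/{name}@{ver}"
        doc += package(name, sid, ver, [purl])
        rels.append(f"Relationship: {sid} BUILD_TOOL_OF {release}")
    return "\n".join(doc + [""] + rels) + "\n"

def check_sbom(text: str) -> list:
    # Sanity check before publishing: every relationship must reference an
    # SPDXID declared in the document, or consumers will reject the file.
    ids = set(re.findall(r"^SPDXID: (\S+)$", text, re.M))
    errors = []
    for a, rel, b in re.findall(r"^Relationship: (\S+) (\S+) (\S+)$", text, re.M):
        for ref in (a, b):
            if ref not in ids:
                errors.append(f"{rel} references undeclared {ref}")
    return errors
```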