Hi!

I don't have any opinion about the FF exception for this, but as for 
https://codereview.qt-project.org/c/qt/qt5/+/561694 I think we can wait for 
branching & integrate this in 'dev' after it. In the big picture it is more 
important to keep CI & provisioning as stable as possible this close to feature 
freeze, to make sure we can keep the FF schedule (and so the Qt 6.8.0 final schedule 
as well) and get Beta1 out before summer vacations start... And if the FF 
exception is granted you can pick the provisioning change into '6.8' after beta1.

br,
Jani

> -----Original Message-----
> From: Development <development-boun...@qt-project.org> On Behalf Of
> Alexandru Croitor via Development
> Sent: Tuesday 21 May 2024 12:28
> To: Qt development mailing list <development@qt-project.org>
> Subject: [Development] Feature and provisioning freeze exception for SBOM
> (Software Bill of Materials) generation
>
> Hi,
>
> I would like to request a feature freeze and provisioning freeze exception for
> SBOM (Software Bill of Materials) generation.
>
> https://codereview.qt-project.org/c/qt/qtbase/+/546923
> https://codereview.qt-project.org/c/qt/qt5/+/561694
>
> SBOM generation is about shipping some text files alongside the built Qt
> libraries, that describe things like 3rd party dependencies used, checksums of
> built files, copyright info, license info, etc.
> Some details at https://www.ntia.gov/page/software-bill-materials
>
> SBOM generation for Qt was planned for 6.8, but it likely won't be finished
> in time for FF.
>
> The generation itself only requires build system changes, no C++ API changes
> required.
>
> The only user-facing changes would be a new opt-in configure flag (e.g. -sbom)
> and additional files being installed as part of Qt (one spdx.json file for
> each repository built).
>
> Verification and auditing of the generated files need some additional python
> packages to be available during the CI build, hence the request for a
> provisioning exception.
>
> The impact for those who don't opt-in should be zero, and for the CI,
> installing some additional python packages is nothing new, and hopefully
> shouldn't cause any breakage.
>
> We'd like to have this in for 6.8 because it's an LTS release, and because of
> the new EU CRA law (Cyber Resilience Act) pending.
>
> It would also be good to receive feedback during 6.8 release whether we lack
> any info in the generated SBOM, so we can fix it for the LTS.
>
> Regards,
> Alexandru.
> --
> Development mailing list
> Development@qt-project.org
> https://lists.qt-project.org/listinfo/development
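The checksum part of the SBOM described in the request, as an added example that is not part of this thread and not Qt's own SBOM tooling: a small Python verifier that checks the per-file checksums recorded in an SPDX 2.3 spdx.json against the files on disk, the kind of audit the request says the CI would run. The document, the file name and the file contents below are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def _digest(path: Path, algorithm: str) -> str:
    # SPDX spells algorithms "SHA256"; hashlib wants "sha256".
    h = hashlib.new(algorithm.lower())
    h.update(path.read_bytes())
    return h.hexdigest()


def verify_spdx_checksums(doc: dict, root: Path) -> list[str]:
    """Return one message per SBOM file entry that is missing on disk or whose
    recorded checksum differs; an empty list means the tree matches the SBOM."""
    problems = []
    for entry in doc.get("files", []):
        # SPDX fileName values are relative paths written as "./a/b".
        path = root / entry["fileName"].removeprefix("./")
        if not path.is_file():
            problems.append(f"{entry['fileName']}: missing on disk")
            continue
        for chk in entry.get("checksums", []):
            if _digest(path, chk["algorithm"]) != chk["checksumValue"].lower():
                problems.append(f"{entry['fileName']}: {chk['algorithm']} mismatch")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed one-file install tree and its spdx.json, verify it,
    then modify the file and verify again. Returns (clean, tampered) results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lib = root / "lib" / "libQt6Core.so"  # placeholder name, not a real build
        lib.parent.mkdir()
        lib.write_bytes(b"\x7fELF constructed contents")
        doc = {"spdxVersion": "SPDX-2.3", "name": "qtbase-example",
               "files": [{"fileName": "./lib/libQt6Core.so",
                          "checksums": [{"algorithm": "SHA256",
                                         "checksumValue": _digest(lib, "SHA256")}]}]}
        doc = json.loads(json.dumps(doc))  # round-trip as a real spdx.json would be read
        clean = verify_spdx_checksums(doc, root)
        lib.write_bytes(b"\x7fELF modified contents")  # simulate a post-build change
        tampered = verify_spdx_checksums(doc, root)
    return clean, tampered
```

Running `demo()` yields an empty list for the untouched tree and a single SHA256 mismatch for the modified file.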