Hey kbuild and spdx people,

I recently tried out the SPDX SBOM generation tool posted by Luis Augenstein
a few weeks ago. I was able to successfully produce some sbom output from
a defconfig x86 kernel build. I then made a list of the files included in such
a build that are missing SPDX-License-Identifier lines. It's not as many as
you might think. Out of 6968 source files used for the build (as reported in
the source sbom file), only 566 were missing SPDX id lines.

This is a tractable number of files to fix, and will be the focus of my SPDX
work in the next few weeks.

Here is a breakdown of the top-level directories in a kernel source tree under
which these files (missing SPDX id lines) are found:
51 arch
4 crypto
185 drivers
18 fs
222 include
9 io_uring
1 ipc
2 kernel
42 lib
6 mm
24 net
2 sound

There are sboms, raw data files, and some tools at the following wiki page, if
people are interested in this work.
https://birdcloud.org/bc/Linux_Kernel_Missing_SPDX_ID_lines_from_build_SBOMs

I plan to update that page with sboms from an ARM64 build in the near future.

In any event, I post this merely as a data point for SPDX work. I've already
done some work on the io_uring, ipc, kernel and mm directories, with patches
making their way upstream. Next, I plan to focus on the sound, security, net
and lib directories. I'm just letting you know what I'm up to.

If anyone wants to help out by working on adding missing
SPDX-License-Identifier lines to kernel source files, please let me know.
I've got some online resources that should be helpful for this work.
See https://birdcloud.org/bc/Guidelines_for_fixing_Missing_SPDX_lines

Regards,
-- Tim
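
Added example (not part of the original message, and not the tooling from the wiki page): a minimal sketch of the check described above, which takes a list of source paths such as one extracted from a build SBOM, flags files with no SPDX-License-Identifier tag near the top, and tallies them by top-level directory. The five-line window, the function names and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# The tag can sit inside any comment style (//, /* */, #), so match the tag text only.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*\S+")
HEAD_LINES = 5  # assumption: a tag is expected within the first few lines of a file


def has_spdx_id(path, head_lines=HEAD_LINES):
    """True if an SPDX-License-Identifier tag appears in the file's first lines."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for _, line in zip(range(head_lines), fh):
            if SPDX_RE.search(line):
                return True
    return False


def missing_by_top_dir(tree_root, rel_paths):
    """Return (sorted paths lacking the tag, Counter keyed by top-level directory)."""
    root = Path(tree_root)
    missing = sorted(p for p in rel_paths if not has_spdx_id(root / p))
    counts = Counter(Path(p).parts[0] for p in missing)
    return missing, counts


def demo():
    """Run the check over a small constructed tree (not real kernel files)."""
    files = {
        "kernel/a.c": "// SPDX-License-Identifier: GPL-2.0\nint a;\n",
        "kernel/b.c": "/*\n * Licensed under the GPL, version 2.\n */\nint b;\n",
        "include/linux/c.h": "/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */\n",
        "include/linux/d.h": "#ifndef D_H\n#define D_H\n#endif\n",
        "lib/e.c": "/* SDPX-License-Identifier: GPL-2.0 */\n",  # misspelled tag does not count
        "lib/f.S": "\n" * 6 + "/* SPDX-License-Identifier: GPL-2.0 */\n",  # tag too far down
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            dest = Path(tmp) / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(text)
        return missing_by_top_dir(tmp, files)


if __name__ == "__main__":
    missing, counts = demo()
    for top, n in sorted(counts.items()):
        print(f"{n:4d} {top}")
```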