Hi Joshua

On 24.11.23 at 16:44, Joshua Watt wrote:
> While we have the information about each recipe and package that is built in the SPDX document, the process of creating the document has to happen after do_package so that we know what files are actually in each package. As such, it's not currently possible to make a SPDX "package" for each package (because do_package is over). We would also have to figure out if the SPDX packages would depend on each other to provide missing IDs (which is quite tricky) or if each package is the complete SBoM for what it is describing (which results in larger packages and many SPDX packages having the same duplicate IDs). As with many things SPDX, version 3 will probably make this a little simpler.
Thank you for these implementation details. Hey, that's not trivial indeed :-) Well, I'll just keep this as an unsolved issue for the moment. But that would be great if we eventually came up with a way to generate SPDX from currently installed packages, and not only at image creation time. For sure, we can see what's possible when version 3 is available.
Cheers
Michael.

--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
