On Fri, Nov 24, 2023, 11:36 AM Michael Opdenacker <[email protected]> wrote:

> Hi Joshua
>
> On 24.11.23 at 16:44, Joshua Watt wrote:
> > While we have the information about each recipe and package that is
> > built in the SPDX document, the process of creating the document has
> > to happen after do_package so that we know what files are actually in
> > each package. As such, it's not currently possible to make a SPDX
> > "package" for each package (because do_package is over). We would also
> > have to figure out if the SPDX packages would depend on each other to
> > provide missing IDs (which is quite tricky) or if each package is the
> > complete SBoM for what it is describing (which results in larger
> > packages and many SPDX packages having the same duplicate IDs). As
> > with many things SPDX, version 3 will probably make this a little
> > simpler.
>
> Thank you for these implementation details. Hey, that's not trivial
> indeed :-)
> Well, I'll just keep this as an unsolved issue for the moment. But that
> would be great if we eventually came up with a way to generate SPDX from
> currently installed packages, and not only at image creation time. For
> sure, we can see what's possible when version 3 is available.
>

Yep. It's on the radar to be done, as we know it's something users would
like once we are doing package feeds.

I'm also curious to look and see what other distros end up doing for this;
we are pretty cutting edge right now on a lot of this, so it's hard to
guess what the right course of action is :)



> Cheers
> Michael.
>
> --
> Michael Opdenacker, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
>
>
View/Reply Online (#1872): 
https://lists.openembedded.org/g/openembedded-architecture/message/1872