Hello all,

As this discussion might be interesting to multiple people, I am posting it to the YP list and the OE architecture list.

In the VEX work (the status will go out in a moment in a separate message), we're collecting SPDX and CVE files for builds to re-run the CVE checks later (potentially months later). The CVE check file is generated for both the image and the build as it is (including the SDK). On the other hand, the SPDX archive is generated for the image only, and contains only packages from the system image itself, omitting the build system.

It is possible for us to get all the partial SPDX files from the build dir, but we do not expect the complete build dir to be kept for months.

So, the question is: what do people plan to archive from the build? Do we need to archive the whole SPDX output too? This is an interesting question, for example, in the case of "world" builds.

Kind regards,
Marta