[Dropping HTML formatting so it is possible to respond properly.]

> -----Original Message-----
> From: [email protected] 
> <[email protected]> On Behalf Of Marta 
> Rybczynska via lists.openembedded.org
> Sent: den 4 juni 2026 14:31
> To: Paul Barker <[email protected]>
> Cc: openembedded-architecture 
> <[email protected]>; Joshua Watt 
> <[email protected]>
> Subject: Re: [Openembedded-architecture] SBOM information on used layers and 
> their versions
> 
> On Thu, Jun 4, 2026 at 2:27 PM Paul Barker <[email protected]> wrote:
> > On Thu, 2026-06-04 at 13:12 +0200, Marta Rybczynska via
> > lists.openembedded.org wrote:

[cut]

> > > - all patches applied during the build from recipes
> 
> > All patch files are similarly listed as source files. E.g. for acl we
> > have four sources listed in the hasInput relationship, corresponding to
> > the source tarball and three patch files, all of which have hashes.
> 
> And what is their provenance then? They have no download link, I guess.
> I think it is a problem. Isn't it?

Why? We publish SBOMs for our products, but we obviously do not publish 
our private layers. So including a link that you cannot access would be 
meaningless. If the component is covered by a copyleft license and you 
own the product you can of course ask for our modifications and we will 
send them to you, but expecting them to be publicly published is beyond 
what's required (AFAIK).
 
[cut]

> Kind regards,
> Marta

//Peter
