On 4/15/21 1:31 PM, Paul Eggleton wrote:
Hi folks
On Friday, 9 April 2021 06:03:36 NZST Anders Wallin wrote:
image-manifest: script to generate product/image specific BOM
The image-manifest script generates image specific reports based on
an image manifest file. Currently there is data generated by buildhistory,
pkgdata, and license manifest but this data is poorly formated and spread
across multiple text files. This script can generate a single JSON output
file that is machine readable by other tools.
The manifest-info collects package information and stores the information
in a tarball. manifest-info can be configured using a json configuration
file. The default configuration including all possible options can be
dumped using the dump-config subcommand.
image-manifest takes an image manifest file as input to get the runtime
dependencies. As an option image-manifest can also use the build dependency
file, pn-buildlist, to get the build dependencies excluding native
packages.
This script extends the oe-image-manifest script [0] done by Paul Eggleton
[0]
https://github.com/intel/clear-linux-dissector-web/blob/master/layerindex/st
atic/files/oe-image-manifest
So I've thought some more about this. At minimum I think this script should be
under contrib/, and looking at the command line options it seems like there's
been a bit of scope creep such that it overlaps with other tools that we have.
Yes, as mentioned in the above commit message there are other tools, but
the problem is none of the other tools actually provide the required
reporting / compliance information in a reasonable parsable format.
As a matter of best practice, for reporting / compliance usage I think getting
this information should be something that is integrated into the build process
(a la buildhistory) rather than something that you run afterwards - that way
there is less chance that the information doesn't match up with the images
produced. I wrote the original script so that it would work with older
releases where the logic wouldn't have been able to be practically added that
way without otherwise needing to patch the code, so it kind of made sense to
have it as a separate script that you could run.
Paul and I had an IRC chat and I will try to summarize here.
So a possible future direction that generates this information would be
to create a bbclass that can work in parallel with the actual image
creation or image manifest creation depending on what hooks are
available to insert and gather the information needed.
All that is not to say this script *shouldn't* be used, I just think that it
shouldn't be something we have front-and-centre.
Thanks for your input and support.
Sau!
Cheers,
Paul
--
Sau!
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#150586):
https://lists.openembedded.org/g/openembedded-core/message/150586
Mute This Topic: https://lists.openembedded.org/mt/81949320/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
