Hi,

On Thu, Oct 19, 2023 at 12:54:44PM +0100, Jose Quaresma wrote:
> Hi
>
> This change will need some adaptations in the create-spdx.bbclass to handle
> this new variable with _PN

Good point. How does SPDX tooling handle embedded SW components in recipe sources? I presume it does not because recipe and license don't handle it either.

Should there be a more generic PN_subpn, PV_subpn, LICENSE_subpn and matching CVE_PRODUCT and CVE_VERSION?

I don't have use cases for these currently. I would like to fix the CVE reporting issues with embedded SW components though. mbedtls being one good example. Or would it be better to convert mbedtls users to use the meta-oe side recipe for it?

Additionally, I don't currently read the SPDX output. I don't have use cases for it. I do check recipes and their metadata like LICENSE though. Feels like the SPDX data is used as reporting/export data format which is fed to some other tools which are not open source. Can of worms...

Cheers,

-Mikko
