On Mon, 15 Jan 2024 at 01:54, Jasper Orschulko via lists.openembedded.org <[email protected]> wrote:

> If no one objects, I would like to put into motion that we gradually
> move all oe-core recipes SRC_URIs from Github releases to git source
> code (archives) for better source code traceability.
>
>
> Reasoning follows:
>
> ---
>
> Currently, there are (at least¹) 35 recipes in poky that use Github
> release packages, rather than using the unmodified git source code
> (archives).
>
> In my humble opinion, this is not a good idea, as the GitHub releases
> do not necessarily align with the content of the accompanying git
> repository, obscuring the actual source code that goes into a yocto
> package.
I don't understand this argument. It's an either-or situation: either the recipe takes the source code from release tarballs and never touches the git repository, or vice versa. The two are never mixed. So if you need to trace the source code from the tarball, you trace it back to what is in the tarball, and stop there. That this source code also happens to be developed in git somewhere isn't relevant.

> I believe that with the amount of work oe has already put into
> reproducible builds from scratch, it would be a shame if we wouldn't
> expand this effort to make (at least) oe-core recipes build reproducible
> from git source.
>
> What are your thoughts on this?

Firmly negative, I'm afraid. Release tarballs are not a github invention; for example, pretty much all of GNU and GNOME software is released that way, it's just that those projects obscure their respective git repositories better (on savannah and gitlab respectively). As 'old school' as they are, release tarballs are still an entirely valid way to consume source code from upstream, and in some cases upstreams prefer their users doing it that way. You need to fix the osselot tool to respect and support that.

I'm also curious about what osselot outputs that can't be done with an oe-core class directly? Is something missing in the existing create-spdx classes? Here's for example what osselot provides for busybox, but I can't really make sense of it: https://github.com/Open-Source-Compliance/package-analysis/tree/main/analysed-packages/busybox/version-1.36.1

Alex
View/Reply Online (#193631): https://lists.openembedded.org/g/openembedded-core/message/193631
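The concern raised in the quoted proposal, that a release tarball need not match the git tree it is nominally built from, can be checked mechanically rather than argued about. The following is an added example for this thread and is not code from oe-core, bitbake or osselot: it hashes every regular file in two tarballs, the upstream release tarball and a `git archive` of the corresponding tag, strips the differing top-level directory from each (release tarballs use NAME-VERSION/, GitHub auto-archives use REPO-TAG/), and reports paths that exist only on one side or whose content differs. The project `foo`, the two tarballs and their contents are constructed inside `demo()` so the script runs offline; the function names `tree_digest`, `compare_trees` and `make_tarball` are this example's own.

```python
"""Compare a release tarball against a git archive of the same tag.

Added example for this thread; not code from oe-core, bitbake or osselot.
Both inputs are ordinary tarballs: the project's release tarball and the
output of `git archive --format=tar.gz --prefix=foo-1.0/ v1.0` (or the
archive GitHub generates for a tag).  The top-level directory differs
between the two, so it is stripped before paths are compared.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def tree_digest(tar_path):
    """Return {relative_path: sha256_hex} for every regular file in the tarball.

    The first path component (the top-level directory) is dropped so that
    foo-1.0/src/main.c and foo-v1.0/src/main.c compare as the same file.
    Directories, symlinks and special entries are skipped: the question
    here is whether the content that gets compiled is the same.
    """
    digests = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            with tf.extractfile(member) as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(release, git):
    """Classify paths as shipped only in the release, only in git, or changed."""
    only_release = sorted(set(release) - set(git))
    only_git = sorted(set(git) - set(release))
    changed = sorted(p for p in release.keys() & git.keys() if release[p] != git[p])
    return {"only_in_release": only_release, "only_in_git": only_git, "changed": changed}


def make_tarball(path, top, files):
    """Write a gzip tarball containing {name: bytes} under directory `top`.

    Only used to construct the demo inputs below; real inputs come from the
    upstream download (DL_DIR) and from `git archive` of the tag.
    """
    with tarfile.open(path, "w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))


def demo():
    """Constructed inputs for a hypothetical project 'foo' at version 1.0."""
    main_c = b"int main(void) { return 0; }\n"
    with tempfile.TemporaryDirectory() as tmp:
        release = os.path.join(tmp, "foo-1.0.tar.gz")
        git_archive = os.path.join(tmp, "foo-v1.0.tar.gz")
        # What a maintainer uploaded: autoconf output included, no .gitignore,
        # and util.c carrying a fix that never landed on the v1.0 tag.
        make_tarball(release, "foo-1.0", {
            "README": b"foo 1.0\n",
            "configure": b"#!/bin/sh\n# generated by autoconf\n",
            "src/main.c": main_c,
            "src/util.c": b"int util(void) { return 2; }  /* hotfix */\n",
        })
        # What `git archive v1.0` produces, with a GitHub-style prefix.
        make_tarball(git_archive, "foo-v1.0", {
            "README": b"foo 1.0\n",
            ".gitignore": b"configure\n",
            "configure.ac": b"AC_INIT([foo], [1.0])\n",
            "src/main.c": main_c,
            "src/util.c": b"int util(void) { return 1; }\n",
        })
        return compare_trees(tree_digest(release), tree_digest(git_archive))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real recipe, point `tree_digest` at the tarball the SRC_URI fetched and at a `git archive` of the tag the release claims to correspond to. Entries only in the release that are build-system output (configure, Makefile.in, generated gettext files) are expected for autotools projects and say nothing about provenance; an entry in `changed` that is hand-written source, like src/util.c in the constructed demo, is exactly the case where the tarball and the repository tell different stories and the SRC_URI choice matters for traceability.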
