Hello Fabio, thanks for your comments and patch!

On Mon, 2025-11-10 at 17:13 +0000, Fabio Berton wrote:
> Our first idea was to use 'downloadLocation', but what I understand is
> that this is a package property, and files fetched from the layer are
> 'software_File' type. Looking at the SPDX spec, it appears we could use
> the 'ExternalRef' for this purpose.

I'm not too familiar with the SPDX spec yet, but adding individual file entries as `ExternalRef` instead of `downloadLocation` to a recipe's spdx sounds reasonable.

I think in the long term adding a `SPDXRef-Layer-xyz` entry per layer with a `downloadLocation` pointing to the subpath of the layer inside a git repo. I'm not quite sure if it would be possible to formulate a dependency on a file contained within a different SPDXRef, e.g.

```
SPDXRef-Layer-xyz:recipes-core/base-files/base-files/fstab
```

or if we'd have to create a SPDXRef Item for each file within a layer in order to reference it properly. That would make it even more verbose.

The approach of having a layer as an independent SPDXRef would mean getting the git revision etc. for that layer would run only once per build and not per `file://` entry in SRC_URI.

>
> The idea is to have two options to add this information: one to add the
> full path of a file, and another to add the git information

IMO the full path to the file is unneeded information; if the file is solely available locally a `NOASSERTION` would be appropriate.

>
> Should I add a variable like 'SPDX_FILE_LOCATION_GIT_REMOTE_<layername>
> = "remote_name"' to set a specific remote for each layer? Would setting
> the git remote be sufficient to cover most cases?

In my experimentation I removed the per-layer setting again because tracking the `vardeps` for the `do_create_spdx` gets more complicated with per-layer variables.

Sincerely
Daniel Wagenknecht

View/Reply Online (#226211): https://lists.openembedded.org/g/openembedded-core/message/226211
