On Tue, 2026-03-10 at 12:38 -0600, Joshua Watt via lists.openembedded.org wrote:
> Adds a new package to the SPDX output that represents the recipe data
> for a given recipe. Importantly, this data contains only things that can
> be determined statically from only the recipe, so it doesn't require
> fetching or building anything. This means that build time dependencies
> and CVE information for recipes can be analyzed without needing to
> actually do any builds.
>
> Sadly, license data cannot be included because NO_GENERIC_LICENSE means
> that actual license text might only be available after do_fetch

We talked about these patches on the review call. I'm a bit worried about the direction we're going from a few angles. The general theme is the complexity and increasingly seemingly tangled web we seem to be weaving and whether we're going to end up in a good place.

Taking NO_GENERIC_LICENSE specifically, it may be we should mandate that such licenses are copied into the metadata, then we solve the license data problem that way? That would simplify some of the problems we're facing and reduce some set of the corner cases.

This patch adds a new task into the task graph and I'm getting a bit worried about the number of them the SPDX class is adding. I appreciate there is a later patch removing one, which is nice though :)

So, for this patch, could we just drop NO_GENERIC_LICENSE and how much code complexity improvement does that buy us?

Cheers,

Richard
