> -----Alkuperäinen viesti----- > Lähettäjä: Richard Purdie <[email protected]> > Lähetetty: tiistai 18. toukokuuta 2021 12.19 > There is no direct dependency from do_image_complete on the do_create_spdx > tasks. > > You can add: > > do_rootfs[recrdeptask] += "do_create_spdx" > > but this will have the side effect that the build will never use sstate and > always > rebuild since that task isn't an sstate task.
Thanks, I'll give that a go! > I did have a quick look and you're going further than I'd been thinking of, > at least > initially. > > What I'm thinking of in core YP initially is to have do_packagedata generate > SPDX data for the output packaged files in do_package/do_packagedata. I > noticed you go further and process all the input sources and I'm not sure > we're > ready to do that yet. > > Doing it at do_package/do_packagedata time would still access any of the > sources included from a debug perspective, hence it should correctly find the > shipped manifest/license info without the complexity of having to scan all the > sources > > For your level of source scanning, I'd look at the existing do_populate_lic > task > which is sstate and generates license info. I think I'd be in favour of > totally > replacing that with something generating spdx output... I'll give do_populate_lic task a look. > I'm actually hoping we could simply what we're doing today however the more I > look at all the information you can put into SPDX, the more I worry that > whilst > we can generate tons of data and huge SPDX files, I'm not sure they're > actually > useful to anyone to actually use :/. We're working on this as a part of a workflow that utilizes the SPDX files. Our tool uploads the source code archived by the layer to a Fossology instance, after which it queries Fossology's API for the file level license and copyright data. We then utilize OSS Review Toolkit by converting the SPDX file to ORT's data format and use ORT's Evaluator and Reporter to evaluate license compliance and create notice files and other reports. This is done to evaluate the image not based on the declared licenses of packages, which may omit some licenses of individual files, but those individual files. > For the SBOM information, we do need to somehow make something as useful > as our normal manifest to people for this to be useful and adopted, at least > from > my perspective. The huge SPDX files created might indeed not be super useful for all use cases. Long term, some kind of configurability regarding e.g. the level of granularity (packages vs. files) could enable the layer to be used for more use cases than the one we're currently working on. Mikko
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#53568): https://lists.yoctoproject.org/g/yocto/message/53568 Mute This Topic: https://lists.yoctoproject.org/mt/82910309/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
