Yocto 2.6, spdxscanner.. OE built-in capabilities..
Distribution comprised from more than 200 packages is built hence
we speak about potentially very wide range of open source licensing types
for packages used in distribution.
1. Is meta-spdxscanner the only solution provided by Yocto
to generate SBOM? I am aware of OE built-in capabilities YP Ref. Manual ch. 4.6 and
YP Dev. Manual ch. 5.20.
2. Is it good idea to rely merely on capabilities described in YP Ref. Manual ch. 4.6 and
YP Dev. Manual ch. 5.20 to achieve compliance with oss used?
3. What level of maturity do artifacts generated by meta-spdxscanner
version used in YP 2.6 show? Any kind of artifacts needed for to OSS compliance
requirements still not collected by spdxscanner in mentioned YP version?
To put in other words: How safe is it to rely merely on mentioned compound
to be at the end of day compliant with OSS obligations?
4. How might feasibility of backporting spdxscanner versions to Yocto 2.6 look like?