What you are looking at is the feeds area, where the format will vary
depending upon which online package management system is in use. So you will
have to make that differentiation. The Packages file is used when opkg is
used, and not by rpm/dnf.
For SCA perhaps you want to look at the content of the packages, or maybe
use the manifests that Yocto generates, e.g. the license manifest in images
has info on all packages that go into that image. It may not be
formatted as per your expectation,
but it is somewhere to start.

Thanks for the helpful input. This matches my own observation.
The tool-chain used in the project additionally requires a license.manifest file on its input.
For some reason it also takes a look into files named Packages.
Actually, it can be clear why it does this: the Packages file specifies, among others, each package's source code address/path.

Despite the question of files named Packages being generated for .ipk (YES) and for .rpm (NO),
is it legitimate to use these files in an external tool-chain for software composition analysis?
I mean these files might be a Yocto-internal interface not intended for the purpose pointed out here. May this be true?

