Lähettäjä: Richard Purdie <richard.purdie@...>
Lähetetty: tiistai 18. toukokuuta 2021 12.19
There is no direct dependency from do_image_complete on the do_create_spdx
You can add:
do_rootfs[recrdeptask] += "do_create_spdx"
but this will have the side effect that the build will never use sstate and always
rebuild since that task isn't an sstate task.
Thanks, I'll give that a go!
I did have a quick look and you're going further than I'd been thinking of, at least
What I'm thinking of in core YP initially is to have do_packagedata generate
SPDX data for the output packaged files in do_package/do_packagedata. I
noticed you go further and process all the input sources and I'm not sure we're
ready to do that yet.
Doing it at do_package/do_packagedata time would still access any of the
sources included from a debug perspective, hence it should correctly find the
shipped manifest/license info without the complexity of having to scan all the
For your level of source scanning, I'd look at the existing do_populate_lic task
which is sstate and generates license info. I think I'd be in favour of totally
replacing that with something generating spdx output...
I'll give do_populate_lic task a look.
I'm actually hoping we could simply what we're doing today however the more I
look at all the information you can put into SPDX, the more I worry that whilst
we can generate tons of data and huge SPDX files, I'm not sure they're actually
useful to anyone to actually use :/.
We're working on this as a part of a workflow that utilizes the SPDX files. Our tool uploads the source code archived by the layer to a Fossology instance, after which it queries Fossology's API for the file level license and copyright data. We then utilize OSS Review Toolkit by converting the SPDX file to ORT's data format and use ORT's Evaluator and Reporter to evaluate license compliance and create notice files and other reports.
This is done to evaluate the image not based on the declared licenses of packages, which may omit some licenses of individual files, but those individual files.
For the SBOM information, we do need to somehow make something as useful
as our normal manifest to people for this to be useful and adopted, at least from
The huge SPDX files created might indeed not be super useful for all use cases. Long term, some kind of configurability regarding e.g. the level of granularity (packages vs. files) could enable the layer to be used for more use cases than the one we're currently working on.