nuttxpr commented on PR #15251:
URL: https://github.com/apache/nuttx/pull/15251#issuecomment-2550321966

   [**\[Experimental Bot, please feedback 
here\]**](https://github.com/search?q=repo%3Aapache%2Fnuttx+13552&type=issues)
   
   
   
   No, this PR description does not adequately meet the NuttX requirements.  
While it touches on some points, it lacks crucial details. Here's a breakdown 
of what's missing:
   
   **Summary:**
   
   * **Insufficient Detail:**  "Most tools use SPDX identifiers" is too vague. 
*Which* tools? Why is this change *necessary*?  What *specific* functional part 
of the code is changed (e.g., Kconfig, specific drivers, build system)? *How* 
does the change work (e.g., adding SPDX tags to source files, creating an SPDX 
document)?
   
   **Impact:**
   
   * **Far too brief:** Just saying "SBOM" isn't helpful.  Address *all* the 
listed impact points specifically with "YES" or "NO" and provide details where 
applicable.  Does this change affect the user experience? Build process? Any 
hardware? Does it require documentation updates?  Are there security or 
compatibility implications?
   
   **Testing:**
   
   * **Unacceptable:** Simply stating "CI" is not sufficient.  List the 
*specific* build hosts and targets where you tested this change.  Provide 
*actual* testing logs (or snippets of relevant logs) demonstrating the behavior 
before and after the change.  Saying the change works "as intended" is 
meaningless without evidence.
   
   
   **Example of a better summary (assuming the change adds SPDX tags to source 
files):**
   
   This change adds SPDX license identifiers to source files throughout the 
NuttX kernel and core libraries. This is necessary to facilitate automated 
generation of Software Bill of Materials (SBOMs), which are increasingly 
required for compliance and security analysis. Tools like Fossology and SPDX 
tools rely on these identifiers.  The change modifies source files directly, 
adding SPDX-License-Identifier tags in comments.
   
   
   **Example of a better impact section (hypothetical):**
   
   * Is new feature added? YES (SBOM generation support)
   * Is existing feature changed? NO
   * Impact on user (will user need to adapt to change)? NO
   * Impact on build (will build process change)? NO
   * Impact on hardware (will arch(s) / board(s) / driver(s) change)? NO
   * Impact on documentation (is update required / provided)? YES 
(Documentation will be updated to explain how to generate an SBOM from NuttX.)
   * Impact on security (any sort of implications)? NO
   * Impact on compatibility (backward/forward/interoperability)? NO
   * Anything else to consider?  This change prepares NuttX for future 
compliance requirements related to SBOMs.
   
   
   **Example of a better testing section (hypothetical):**
   
   I confirm that changes are verified on a local setup and work as intended:
   * Build Host(s): Linux (Ubuntu 20.04), x86_64, GCC 9.4.0
   * Target(s): sim:qemu-x86_64
   
   
   Testing logs before change: (Showing no SPDX information available)
   ```
   $ some-sbom-tool nuttx
   No SPDX license information found.
   ```
   
   Testing logs after change: (Showing SPDX information extracted)
   ```
   $ some-sbom-tool nuttx
   Found SPDX license identifiers:
   - Apache-2.0
   - BSD-3-Clause
   - ...
   ```
   
   In short, the provided PR description needs significant expansion and detail 
to meet the NuttX requirements.  Provide specific information for each section, 
demonstrating that the change has been thoroughly considered and tested.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
