On Tue, 2026-02-17 at 09:02 +0100, Marc Leeman wrote:
> Sorry for starting a second packaging effort; I missed the ITP in
> the almost 8000 wnpp reports and did a short search on the web
> interface that did not turn up anything.
>
> Jumping in
>
> marc@jenek:~/Development/salsa/debsbom$ debsbom generate
> ERROR:debsbom.cli:Cannot generate any SBOM because no SBOM format
> dependencies are available. Install them by enabling the dependency
> extras `cdx` and/or `spdx`: `pip install debsbom[spdx]`, `pip install
> debsbom[cdx]`.
> debsbom: error: Cannot generate any SBOM because no SBOM format
> dependencies are available. Install them by enabling the dependency
> extras `cdx` and/or `spdx`: `pip install debsbom[spdx]`, `pip install
> debsbom[cdx]`.
You can also install them from Debian, but I agree that this does not give
the best user experience. However, the Recommends are usually installed, and
we have commands like download which do not strictly require any of the
CDX / SPDX libraries. Maybe we can just change the help message in a patch
to state "apt-get install <lib>".

> The package declares 2 Recommends for the formats
> (python3-cyclonedx-lib, python3-spdx-tools); shouldn't these be added
> as a dependency? It seems off to need pip to install packaged
> software to get this to work.
>
> fwiw, I've used dpkg-licenses [1]; I don't know if it is in any way
> useful in this context.
>
> [1] https://github.com/daald/dpkg-licenses

Feel free to propose using that in the upstream project. But it probably
does not provide much value over what we already have, as in the end all
tools just parse the copyright data of the packages. The tricky part is the
conversion into SPDX expressions, which is already implemented in debsbom.

Cheers!
Felix

-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany
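To illustrate the step Felix calls the tricky part, here is an added example (not code from debsbom or dpkg-licenses) that parses a machine-readable DEP-5 debian/copyright file, takes the short license name from each Files paragraph and rewrites it as an SPDX license expression. The DEP5_TO_SPDX table is an assumed, deliberately small subset of the real mapping, and the sample copyright text is constructed; DEP-5 "with ... exception" clauses and unparenthesised mixes of and/or are refused rather than guessed, since a wrong SPDX expression in an SBOM is worse than a gap.

```python
"""Map DEP-5 (debian/copyright) license short names to SPDX expressions.

Added illustration, not debsbom's implementation.  The mapping table is an
assumed, incomplete subset of the real Debian-to-SPDX correspondence.
"""

# Assumption: illustrative subset only.  A real tool carries the full table
# and the SPDX exception list; anything outside the table is reported.
DEP5_TO_SPDX = {
    "Expat": "MIT",
    "GPL-2": "GPL-2.0-only",
    "GPL-2+": "GPL-2.0-or-later",
    "GPL-3": "GPL-3.0-only",
    "GPL-3+": "GPL-3.0-or-later",
    "LGPL-2.1": "LGPL-2.1-only",
    "LGPL-2.1+": "LGPL-2.1-or-later",
    "BSD-3-clause": "BSD-3-Clause",
    "Apache-2.0": "Apache-2.0",
    "MPL-2.0": "MPL-2.0",
}


class UnknownLicense(ValueError):
    """Raised when a DEP-5 expression cannot be converted safely."""


def parse_dep5(text):
    """Split a DEP-5 file into paragraphs (dicts of field -> value).

    Paragraphs are separated by blank lines; a line starting with whitespace
    continues the previous field (DEP-5 uses this for full license texts).
    """
    paragraphs, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                paragraphs.append(current)
            current, last = {}, None
            continue
        if line[0] in " \t":          # continuation of the previous field
            if last is not None:
                current[last] += "\n" + line[1:]
            continue
        field, _, value = line.partition(":")
        last = field.strip()
        current[last] = value.strip()
    if current:
        paragraphs.append(current)
    return paragraphs


def dep5_to_spdx(expr):
    """Convert a DEP-5 short-name expression such as 'Expat or GPL-2+'.

    'and'/'or' become SPDX AND/OR.  Exception clauses ('with ... exception')
    and ambiguous and/or mixes are refused so they get manual review.
    """
    out, ops = [], set()
    for tok in expr.split():
        low = tok.lower()
        if low in ("and", "or"):
            ops.add(low.upper())
            out.append(low.upper())
        elif low == "with":
            raise UnknownLicense(f"exception clause needs manual review: {expr!r}")
        elif tok in DEP5_TO_SPDX:
            out.append(DEP5_TO_SPDX[tok])
        else:
            raise UnknownLicense(f"no SPDX id for DEP-5 short name {tok!r}")
    if ops == {"AND", "OR"}:
        raise UnknownLicense(f"mixed and/or without parentheses: {expr!r}")
    return " ".join(out)


def license_map(copyright_text):
    """Return {Files pattern: SPDX expression} for every Files paragraph.

    Only the first line of the License field is the short name; the rest,
    if present, is the verbatim license text and is ignored here.
    """
    result = {}
    for para in parse_dep5(copyright_text):
        if "Files" in para and "License" in para:
            short = para["License"].splitlines()[0].strip()
            result[para["Files"]] = dep5_to_spdx(short)
    return result


# Constructed sample input (not taken from any real package).
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example
Source: https://example.org/example

Files: *
Copyright: 2020-2024 Example Authors
License: GPL-2+

Files: contrib/*
Copyright: 2019 Someone Else
License: Expat or Apache-2.0

Files: debian/*
Copyright: 2024 Maintainer <m@example.org>
License: GPL-3+

License: GPL-2+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 .
 On Debian systems, the complete text of the GNU General Public
 License version 2 can be found in "/usr/share/common-licenses/GPL-2".
"""

if __name__ == "__main__":
    for files, spdx in license_map(SAMPLE_COPYRIGHT).items():
        print(f"{files:12s} {spdx}")
```

Run against a real file with `license_map(open("/usr/share/doc/<pkg>/copyright").read())`; the UnknownLicense cases are exactly the ones that need a human (or a much larger table) before the result is trusted in an SBOM.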

