Hi,
Starting with Qt 6.8, the build system will generate a Software Bill of Materials (SBOM) file for each built repo in the CI. These will be installed in $qt_prefix/sbom/${repo_name}.spdx.

This is only enabled by default in the CI, and not for your local builds. These files will be included in the binary packages that The Qt Company provides.

The change that will activate the generation of the SBOM is at https://codereview.qt-project.org/c/qt/qt5/+/562482

The implementation is at: https://codereview.qt-project.org/c/qt/qtbase/+/546923
If you are a Qt maintainer, there are some things you should be aware of:

- if you are bundling new 3rd party sources into Qt sources, make sure to create a qt_attribution.json file and tell the build system about it
- when adding new Qt modules, plugins, tools, apps, make sure to tell the build system what license expression the code is licensed under

How to do that is described at https://wiki.qt.io/SBOM#For_Maintainers

Here you can find a list of Gerrit changes where I've done it for existing repositories. You can use them as inspiration for the future.
https://codereview.qt-project.org/q/topic:%22sbom%22+message:Annotate+branch:dev
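Once the generated ${repo_name}.spdx files ship in the binary packages, the consumer-side check a security engineer will want is whether every package in the SBOM actually carries a license expression, since a missing qt_attribution.json entry or module license shows up there as NOASSERTION. The script below is an added example and not Qt's tooling or anything from this thread; it assumes the standard SPDX 2.x tag-value syntax (one `Tag: Value` per line, multi-line values wrapped in `<text>...</text>`) and runs over a constructed sample document rather than a real Qt-generated file.

```python
"""Added example: sanity-check an SPDX 2.x tag-value SBOM such as the
$qt_prefix/sbom/<repo>.spdx files described in the announcement.
Not Qt code; assumes standard SPDX tag-value syntax."""
import re

# Constructed sample in SPDX tag-value form, not a real Qt-generated SBOM.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-repo
DocumentNamespace: https://example.invalid/spdxdocs/example-repo

PackageName: ExampleModule
SPDXID: SPDXRef-ExampleModule
PackageVersion: 6.8.0
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
PackageLicenseDeclared: LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
PackageCopyrightText: <text>Copyright (C) Example Authors</text>

PackageName: bundled-thirdparty-lib
SPDXID: SPDXRef-bundled-thirdparty-lib
PackageVersion: 1.2.3
PackageDownloadLocation: https://example.invalid/lib.tar.gz
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_packages(text):
    """Return one dict per PackageName block, keyed by SPDX tag.
    Lines before the first PackageName (document header) are ignored;
    <text>...</text> values spanning several lines are joined back together."""
    packages = []
    current = None
    lines = iter(text.splitlines())
    for line in lines:
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2)
        # Multi-line free-text value: consume until the closing </text>.
        if value.startswith("<text>") and not value.rstrip().endswith("</text>"):
            parts = [value]
            for more in lines:
                parts.append(more)
                if more.rstrip().endswith("</text>"):
                    break
            value = "\n".join(parts)
        if value.startswith("<text>"):
            value = value[len("<text>"):].rsplit("</text>", 1)[0]
        if tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif current is not None:
            current[tag] = value
    return packages


def find_license_gaps(packages):
    """List (package, tag) pairs whose declared or concluded license is
    absent or NOASSERTION: the entries a maintainer still has to annotate
    (license expression for a module, qt_attribution.json for bundled code)."""
    gaps = []
    for pkg in packages:
        for tag in ("PackageLicenseDeclared", "PackageLicenseConcluded"):
            if pkg.get(tag, "").strip() in ("", "NOASSERTION"):
                gaps.append((pkg["PackageName"], tag))
    return gaps


if __name__ == "__main__":
    for name, tag in find_license_gaps(parse_packages(SAMPLE_SBOM)):
        print(f"{name}: {tag} is missing or NOASSERTION")
```

Pointing `parse_packages` at the contents of a real .spdx file instead of SAMPLE_SBOM gives the same report; a non-empty result is the signal that an attribution or license annotation is still missing in that repository.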
The docs might turn into a QUIP sometime in the future.
Please reach out to me if you have any questions.
Thanks.
--
Development mailing list
[email protected]
https://lists.qt-project.org/listinfo/development