On Tue, May 28, 2024 at 8:59 AM Marta Rybczynska <[email protected]> wrote:
>
> On Tue, May 28, 2024 at 1:01 AM Joshua Watt <[email protected]> wrote:
>>
>> On Mon, May 27, 2024, 11:47 AM Marta Rybczynska <[email protected]> wrote:
>>>
>>> On Wed, May 15, 2024 at 8:09 PM Joshua Watt <[email protected]> wrote:
>>>>
>>>> On Wed, May 15, 2024 at 11:11 AM Marta Rybczynska <[email protected]>
>>>> wrote:
>>>> >
>>>> > Hello all,
>>>> > As this discussion might be interesting to multiple people, I post it to
>>>> > YP list and the OE architecture list.
>>>> >
>>>> > In the VEX work (the status will go out in a moment in a separate
>>>> > message), we're collecting SPDX and CVE files for builds to re-run the
>>>> > CVE checks later (potentially months later). The CVE check file is
>>>> > generated for both the image and the build as it is (including the SDK).
>>>> >
>>>> > On the other hand, the SPDX archive is generated for the image only, and
>>>> > contains only packages from the system image itself, omitting the build
>>>> > system. This is possible for us to get all the partial SPDX files from
>>>> > the build dir, but we do not expect the complete build dir to be kept
>>>> > for months.
>>>>
>>>> Can you clarify what you mean by "build" here? We do generate SPDX for
>>>> the "native" recipes used during the build, and they are in the final
>>>> SPDX generated for an image, so we do have some idea of the "build"
>>>> tools used to generate an image.
>>>
>>> Hello Joshua,
>>> This is still unclear to me. When I build an image, e.g. bitbake
>>> core-image-minimal, I get the spdx archive as expected:
>>>
>>> ./tmp-glibc/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.spdx.tar.zst
>>> ./tmp-glibc/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs-20240522164207.spdx.tar.zst
>>> ./tmp-glibc/work/qemux86_64-oe-linux/core-image-minimal/1.0/deploy-core-image-minimal-image-complete/core-image-minimal-qemux86-64.rootfs.spdx.tar.zst
>>> ./tmp-glibc/work/qemux86_64-oe-linux/core-image-minimal/1.0/deploy-core-image-minimal-image-complete/core-image-minimal-qemux86-64.rootfs-20240522164207.spdx.tar.zst
>>>
>>> However, there's no archive for the world build (not going to mention how
>>> long it lasted). Is it on purpose?
>>
>> Ya sorry. I wasn't trying to imply that we currently generate a SPDX
>> archive for world builds, just that we should be able to do so without too
>> much trouble
>
> Thanks for clarification. I was confused and couldn't find the code... To
> clarify, what we have today is generation of the archive for rootfs images
> and in case of sdk build with populate_sdk. Is it correct?

Correct; those are the two things we can generate a final archive for.
The final archive is a collection of intermediate files, and we always
generate the intermediate files anytime we build a recipe, so making
archives for other targets is mostly a matter of determining which
intermediate files need to be included in the (new) final archive, and
passing them to the code that creates the archive.

>
> Kind regards,
> Marta
