Mikko Rapeli <mikko.rap...@linaro.org> wrote on Thursday, 19/10/2023 at 13:21:

> Hi,
>
> On Thu, Oct 19, 2023 at 12:54:44PM +0100, Jose Quaresma wrote:
> > Hi
> >
> > This change will need some adaptations in the create-spdx.bbclass to handle
> > this new variable with _PN
>
> Good point. How does SPDX tooling handle embedded SW components in recipe
> sources?
>

As far as I know SPDX doesn't support this at all because the class has a way of knowing that these components exist.

>
> I presume it does not because recipe and license don't handle it either. Should
> there be a more generic PN_subpn, PV_subpn, LICENSE_subpn and matching CVE_PRODUCT
> and CVE_VERSION? I don't have use cases for these currently. I would like to fix
> the CVE reporting issues with embedded SW components though. mbedtls being one good
> example.
>
> Or would it be better to convert mbedtls users to use the meta-oe side
> recipe for it?
>

In a perfect world this would be the way but as we know the world is far from perfect :)

>
> Additionally I don't currently read the SPDX output. I don't have use cases for it.
> I do check recipes and their metadata like LICENSE though. Feels like the SPDX data
> is used as reporting/export data format which is fed to some other tools which are
> not open source.
> Can of worms...
>

Given that one of the main characteristics of the SPDX metadata is that they enable and have a complete description of the software used, this can and will be used by other tools to do all types of analysis.
AI models will love eating this...

>
> Cheers,
>
> -Mikko
>

--
Best regards,

José Quaresma