On 11/10/25 20:21, Joshua Watt wrote:
> On Mon, Nov 10, 2025 at 10:18 AM Fabio Berton via
> lists.openembedded.org <[email protected]> wrote:
>>
>> Hi Daniel,
>>
>> I'm working on something similar and have shared what I have so far,
>> https://lists.openembedded.org/g/openembedded-core/topic/rfc_patch_0_1_spdx_add/116223136.
>>
>> Could you please take a look?
>
> You are correct in the observation that Files don't have a download
> location, so externalRef would be the correct thing to use instead.
> Otherwise, I think you're trying to do something pretty similar to
> Daniel. I'll leave some comments in your patch.

Hi Joshua,

Did you have a chance to look at my patch?

>> Best regards,
>> Fabio
>>
>> On 11/5/25 14:54, Daniel Wagenknecht via lists.openembedded.org wrote:
>>> Hello,
>>>
>>> I've looked through the generated SPDX files for a project recently.
>>> I'm specifically interested in the downloadLocation property that is
>>> set for entries in SRC_URI in recipe-scope SPDX files, as our list of
>>> upstream sources we need to monitor for security information is based
>>> off those values.
>>>
>>> We'd like to extend the generated SPDX to also cover files from meta-
>>> layers that are provided via file:// entries in SRC_URI. The files
>>> provided via this mechanism are mostly configuration files, systemd
>>> services, initscripts and the like, so one could argue that they
>>> are not relevant dependencies and thus do not need to be traced in
>>> SPDX, but we'd prefer to properly trace them in the SPDX documents.
>>>
>>> Are there any thoughts on this, prior discussion that I've not found in
>>> the mailing list archive, or external resources on how such files should
>>> be treated in SPDX in general?
>>>
>>> I'm considering implementing this as outlined:
>>> - for file:// entries in SRC_URI, determine which layer provides the
>>>   file (via bb.fetch2.local.localpath())
>>> - check if the layer is modified via oe.buildcfg.is_layer_modified()
>>>   -> modified -> abort
>>> - retrieve the layer's URL. This is more involved, since what
>>>   oe.buildcfg.get_metadata_git_remotes() returns might not be the URL
>>>   that should be specified in the downloadLocation.
>>>   My approach would be to introduce a per-layer variable that specifies
>>>   its public URL.
>>>   -> no public URL for the layer found -> abort
>>> - create a SPDXRef-Download-recipename-X entry for the file with the
>>>   downloadLocation set to the layer's URL, with the commit and subpath of
>>>   the file in the repository specified
>>>
>>> If the layer is modified or a public URL for that layer is not
>>> specified, the downloadLocation would yield a NOASSERTION value.
>>>
>>> I'd be glad to get some feedback on those ideas!
>>>
>>> Sincerely
>>> Daniel Wagenknecht
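The procedure Daniel outlines, modelled as an added Python example (not code from the thread or from oe-core): a caller-supplied `localpath` stand-in replaces bb.fetch2.local.localpath(), the layer's modified state, HEAD commit and public URL are constructed data (the per-layer URL variable is hypothetical, as in the proposal), and the downloadLocation uses the SPDX VCS form git+URL@commit#subpath, which the thread does not pin down.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Callable, Optional

NOASSERTION = "NOASSERTION"  # SPDX value when the location cannot be asserted

@dataclass(frozen=True)
class LayerInfo:
    path: str                  # absolute path of the layer checkout
    commit: str                # HEAD commit of that checkout
    modified: bool             # what oe.buildcfg.is_layer_modified() would report
    public_url: Optional[str]  # hypothetical per-layer variable; None when unset

def find_layer(local_path: str, layers: list[LayerInfo]) -> Optional[LayerInfo]:
    """Pick the layer whose checkout contains local_path (longest match wins)."""
    p = PurePosixPath(local_path)
    inside = [l for l in layers if p.is_relative_to(l.path)]
    return max(inside, key=lambda l: len(l.path), default=None)

def download_location(entry: str, localpath: Callable[[str], str],
                      layers: list[LayerInfo]) -> str:
    """downloadLocation for one file:// SRC_URI entry; each step the thread marks
    "abort" (unknown layer, modified layer, no public URL) yields NOASSERTION."""
    if not entry.startswith("file://"):
        raise ValueError(f"not a file:// entry: {entry}")
    local_path = localpath(entry)  # stands in for bb.fetch2.local.localpath()
    layer = find_layer(local_path, layers)
    if layer is None or layer.modified or not layer.public_url:
        return NOASSERTION
    subpath = PurePosixPath(local_path).relative_to(layer.path).as_posix()
    # SPDX VCS location form: git+<url>@<commit>#<path inside the repository>
    return f"git+{layer.public_url}@{layer.commit}#{subpath}"

def download_element(recipe: str, index: int, entry: str,
                     localpath: Callable[[str], str], layers: list[LayerInfo]) -> dict:
    """The SPDXRef-Download-<recipe>-<n> entry proposed in the thread."""
    return {"SPDXID": f"SPDXRef-Download-{recipe}-{index}",
            "downloadLocation": download_location(entry, localpath, layers)}

# Constructed sample data: three layers and what localpath() would resolve to.
LAYERS = [
    LayerInfo("/layers/meta-example", "0123abcd", False, "https://example.com/meta-example"),
    LayerInfo("/layers/meta-dirty", "89abcdef", True, "https://example.com/meta-dirty"),
    LayerInfo("/layers/meta-local", "deadbeef", False, None),
]
RESOLVED = {
    "file://example.service": "/layers/meta-example/files/example.service",
    "file://dirty.sh": "/layers/meta-dirty/files/dirty.sh",
    "file://local.conf": "/layers/meta-local/files/local.conf",
}
```

Only the file from the clean layer with a public URL gets a concrete location; the modified layer and the layer without a public URL both fall back to NOASSERTION rather than a guessed URL.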
View/Reply Online (#226492): https://lists.openembedded.org/g/openembedded-core/message/226492
