[PATCH] spdx30: default SPDX_PACKAGE_SUPPLIER to OpenEmbedded

[PATCH] spdx30: default SPDX_PACKAGE_SUPPLIER to OpenEmbedded

[Javier Tia]

spdx_package.suppliedBy is only set when SPDX_PACKAGE_SUPPLIER is
explicitly configured. Default builds leave the property empty on every
software_Package Element, so SBOM consumers that require it (BSI
TR-03183-2 v2.1.0 validators among them, surfaced by shipcheck at
https://github.com/jetm/shipcheck/issues/3) treat the SBOM as missing a
normative field.

Default SPDX_PACKAGE_SUPPLIER_ref to the SPDX_AUTHORS_openembedded
agent already defined in this file. new_agent() resolves the _ref
redirect (meta/lib/oe/sbom30.py), so the existing OpenEmbedded
Organization Element gets attached as suppliedBy on every Package
without creating a duplicate Agent. Builds that already configure
SPDX_PACKAGE_SUPPLIER via _name/_type/_import/_ref keep their
behavior; the ??= only kicks in when nothing is set. The default
resolves to a fixed in-tree string, so SPDX output stays reproducible.

This follows the additive pattern used by commit c8e6953a0b
("spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM"): give
the field a sensible default value, leave overrides untouched.

Signed-off-by: Javier Tia <floss@jetm.me>
---
COVER-LETTER-BODY-FOLLOWS
shipcheck v0.0.6 (https://github.com/jetm/shipcheck) added an SPDX 3.0
validator that scores SBOMs against the BSI TR-03183-2 v2.1.0 minimum
content set. A stock poky core-image-minimal with
INHERIT += "create-spdx-3.0" scores 0/30 on the per-package field
check because suppliedBy is empty by default. Patch context and a
public issue are at https://github.com/jetm/shipcheck/issues/3.

This series gives SPDX_PACKAGE_SUPPLIER a sensible default by
reusing the SPDX_AUTHORS_openembedded agent already defined in
create-spdx-3.0.bbclass. new_agent() (meta/lib/oe/sbom30.py) already
supports _ref redirection, so the change is one line and no Python
is touched. Builds that already configure SPDX_PACKAGE_SUPPLIER via
_name/_type/_import/_ref keep their behavior.

Two adjacent BSI gaps were considered for this series and intentionally
left out:

- software_declaredLicense as a field on software_Package. The
  SPDX 3.0.1 spec
  (https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/Package/)
  does not define such a property; license is modeled exclusively via
  Relationship Elements. The hasDeclaredLicense Relationship is
  already emitted per package in meta/lib/oe/spdx30_tasks.py
  (61ba0ef140 switched it from hasConcludedLicense). The shipcheck
  validator needs the relationship-traversal path, not a new field.

- Per-package verifiedUsing aggregated from contained software_File
  Hash Elements. This is a real spec property (cardinality 0..*) but
  the multi-hop aggregation is invasive enough to warrant a separate
  discussion. Tracked on the shipcheck issue above.

Cc: Olivier Benjamin <olivier.benjamin@bootlin.com>
---
 meta/classes/create-spdx-3.0.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 56fd01fd53..1fc15ecc7d 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -123,6 +123,7 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's
 
 SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
     is supplying artifacts produced by the build"
+SPDX_PACKAGE_SUPPLIER_ref ??= "SPDX_AUTHORS_openembedded"
 
 SPDX_IMAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
     is supplying the image SBOM. The supplier will be set on all root elements \

---
base-commit: 3724b93538d3acbec9f48d4c524b51d166071708
change-id: 20260511-spdx30-package-supplier-default-17c1bdc10a21

Best regards,
--  
Javier Tia <floss@jetm.me>

Re: [PATCH] spdx30: default SPDX_PACKAGE_SUPPLIER to OpenEmbedded

[Paul Barker]

[-- Attachment #1: Type: text/plain, Size: 4059 bytes --]

On Mon, 2026-05-11 at 17:55 -0600, Javier Tia wrote:
> spdx_package.suppliedBy is only set when SPDX_PACKAGE_SUPPLIER is
> explicitly configured. Default builds leave the property empty on every
> software_Package Element, so SBOM consumers that require it (BSI
> TR-03183-2 v2.1.0 validators among them, surfaced by shipcheck at
> https://github.com/jetm/shipcheck/issues/3) treat the SBOM as missing a
> normative field.
> 
> Default SPDX_PACKAGE_SUPPLIER_ref to the SPDX_AUTHORS_openembedded
> agent already defined in this file. new_agent() resolves the _ref
> redirect (meta/lib/oe/sbom30.py), so the existing OpenEmbedded
> Organization Element gets attached as suppliedBy on every Package
> without creating a duplicate Agent. Builds that already configure
> SPDX_PACKAGE_SUPPLIER via _name/_type/_import/_ref keep their
> behavior; the ??= only kicks in when nothing is set. The default
> resolves to a fixed in-tree string, so SPDX output stays reproducible.
> 
> This follows the additive pattern used by commit c8e6953a0b
> ("spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM"): give
> the field a sensible default value, leave overrides untouched.
> 
> Signed-off-by: Javier Tia <floss@jetm.me>
> ---
> COVER-LETTER-BODY-FOLLOWS
> shipcheck v0.0.6 (https://github.com/jetm/shipcheck) added an SPDX 3.0
> validator that scores SBOMs against the BSI TR-03183-2 v2.1.0 minimum
> content set. A stock poky core-image-minimal with
> INHERIT += "create-spdx-3.0" scores 0/30 on the per-package field
> check because suppliedBy is empty by default. Patch context and a
> public issue are at https://github.com/jetm/shipcheck/issues/3.
> 
> This series gives SPDX_PACKAGE_SUPPLIER a sensible default by
> reusing the SPDX_AUTHORS_openembedded agent already defined in
> create-spdx-3.0.bbclass. new_agent() (meta/lib/oe/sbom30.py) already
> supports _ref redirection, so the change is one line and no Python
> is touched. Builds that already configure SPDX_PACKAGE_SUPPLIER via
> _name/_type/_import/_ref keep their behavior.
> 
> Two adjacent BSI gaps were considered for this series and intentionally
> left out:
> 
> - software_declaredLicense as a field on software_Package. The
>   SPDX 3.0.1 spec
>   (https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/Package/)
>   does not define such a property; license is modeled exclusively via
>   Relationship Elements. The hasDeclaredLicense Relationship is
>   already emitted per package in meta/lib/oe/spdx30_tasks.py
>   (61ba0ef140 switched it from hasConcludedLicense). The shipcheck
>   validator needs the relationship-traversal path, not a new field.
> 
> - Per-package verifiedUsing aggregated from contained software_File
>   Hash Elements. This is a real spec property (cardinality 0..*) but
>   the multi-hop aggregation is invasive enough to warrant a separate
>   discussion. Tracked on the shipcheck issue above.
> 
> Cc: Olivier Benjamin <olivier.benjamin@bootlin.com>
> ---
>  meta/classes/create-spdx-3.0.bbclass | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
> index 56fd01fd53..1fc15ecc7d 100644
> --- a/meta/classes/create-spdx-3.0.bbclass
> +++ b/meta/classes/create-spdx-3.0.bbclass
> @@ -123,6 +123,7 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's
>  
>  SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
>      is supplying artifacts produced by the build"
> +SPDX_PACKAGE_SUPPLIER_ref ??= "SPDX_AUTHORS_openembedded"

This variable sets the suppliedBy property, which according to the SPDX
3.0.1 spec [1] identifies "the actual distribution source for the
artifact". This should be the person/organisation building and
distributing the packages, not the author of the recipes. So this is not
correct as a default.

[1]: https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Properties/suppliedBy/

Thanks,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: [OE-core] [PATCH] spdx30: default SPDX_PACKAGE_SUPPLIER to OpenEmbedded

[Mark Hatle]

On 5/14/26 6:43 AM, Paul Barker wrote:
> On Mon, 2026-05-11 at 17:55 -0600, Javier Tia wrote:
>> spdx_package.suppliedBy is only set when SPDX_PACKAGE_SUPPLIER is
>> explicitly configured. Default builds leave the property empty on every
>> software_Package Element, so SBOM consumers that require it (BSI
>> TR-03183-2 v2.1.0 validators among them, surfaced by shipcheck at
>> https://github.com/jetm/shipcheck/issues/3) treat the SBOM as missing a
>> normative field.
>>
>> Default SPDX_PACKAGE_SUPPLIER_ref to the SPDX_AUTHORS_openembedded
>> agent already defined in this file. new_agent() resolves the _ref
>> redirect (meta/lib/oe/sbom30.py), so the existing OpenEmbedded
>> Organization Element gets attached as suppliedBy on every Package
>> without creating a duplicate Agent. Builds that already configure
>> SPDX_PACKAGE_SUPPLIER via _name/_type/_import/_ref keep their
>> behavior; the ??= only kicks in when nothing is set. The default
>> resolves to a fixed in-tree string, so SPDX output stays reproducible.
>>
>> This follows the additive pattern used by commit c8e6953a0b
>> ("spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM"): give
>> the field a sensible default value, leave overrides untouched.
>>
>> Signed-off-by: Javier Tia <floss@jetm.me>
>> ---
>> COVER-LETTER-BODY-FOLLOWS
>> shipcheck v0.0.6 (https://github.com/jetm/shipcheck) added an SPDX 3.0
>> validator that scores SBOMs against the BSI TR-03183-2 v2.1.0 minimum
>> content set. A stock poky core-image-minimal with
>> INHERIT += "create-spdx-3.0" scores 0/30 on the per-package field
>> check because suppliedBy is empty by default. Patch context and a
>> public issue are at https://github.com/jetm/shipcheck/issues/3.
>>
>> This series gives SPDX_PACKAGE_SUPPLIER a sensible default by
>> reusing the SPDX_AUTHORS_openembedded agent already defined in
>> create-spdx-3.0.bbclass. new_agent() (meta/lib/oe/sbom30.py) already
>> supports _ref redirection, so the change is one line and no Python
>> is touched. Builds that already configure SPDX_PACKAGE_SUPPLIER via
>> _name/_type/_import/_ref keep their behavior.
>>
>> Two adjacent BSI gaps were considered for this series and intentionally
>> left out:
>>
>> - software_declaredLicense as a field on software_Package. The
>>    SPDX 3.0.1 spec
>>    (https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/Package/)
>>    does not define such a property; license is modeled exclusively via
>>    Relationship Elements. The hasDeclaredLicense Relationship is
>>    already emitted per package in meta/lib/oe/spdx30_tasks.py
>>    (61ba0ef140 switched it from hasConcludedLicense). The shipcheck
>>    validator needs the relationship-traversal path, not a new field.
>>
>> - Per-package verifiedUsing aggregated from contained software_File
>>    Hash Elements. This is a real spec property (cardinality 0..*) but
>>    the multi-hop aggregation is invasive enough to warrant a separate
>>    discussion. Tracked on the shipcheck issue above.
>>
>> Cc: Olivier Benjamin <olivier.benjamin@bootlin.com>
>> ---
>>   meta/classes/create-spdx-3.0.bbclass | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
>> index 56fd01fd53..1fc15ecc7d 100644
>> --- a/meta/classes/create-spdx-3.0.bbclass
>> +++ b/meta/classes/create-spdx-3.0.bbclass
>> @@ -123,6 +123,7 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's
>>   
>>   SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
>>       is supplying artifacts produced by the build"
>> +SPDX_PACKAGE_SUPPLIER_ref ??= "SPDX_AUTHORS_openembedded"
> 
> This variable sets the suppliedBy property, which according to the SPDX
> 3.0.1 spec [1] identifies "the actual distribution source for the
> artifact". This should be the person/organisation building and
> distributing the packages, not the author of the recipes. So this is not
> correct as a default.
> 
> [1]: https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Properties/suppliedBy/

I don't often chime in with an 'I agree', but in this case I think it's 
important that the actually supplier is the one whose name shows up here.  This 
can have ramifications for CRA or other legal liability.  So defaulting to the 
author of the recipe is incorrect.  It is not the authors, OpenEmbedded or Yocto 
Project's responsibility to 'supply' and 'support' these packages, it's the 
people who are building a product.

I would fix this by introducing a warning that this value is not defined, and 
then make sure the documentation has clear instructions (with references back to 
the SPDX specs) on what this is for and what should be set there.

--Mark

> Thanks,
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#237027): https://lists.openembedded.org/g/openembedded-core/message/237027
> Mute This Topic: https://lists.openembedded.org/mt/119266994/3616948
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [mark.hatle@kernel.crashing.org]
> -=-=-=-=-=-=-=-=-=-=-=-
>