From: "Esben Haabendal" <esben@geanix.com>
To: "Marta Rybczynska" <rybczynska@gmail.com>
Cc: Joshua Watt <jpewhacker@gmail.com>,
yocto@lists.yoctoproject.org,
openembedded-architecture
<openembedded-architecture@lists.openembedded.org>
Subject: Re: [Openembedded-architecture] SPDX delivery
Date: Thu, 16 May 2024 10:32:01 +0200 [thread overview]
Message-ID: <87eda2qhry.fsf@geanix.com> (raw)
In-Reply-To: <CAApg2=TJAxkN995fApsU15T1sywt6uM_6v-wjyJhYH_fRPx5dA@mail.gmail.com> (Marta Rybczynska's message of "Thu, 16 May 2024 09:26:46 +0200")
"Marta Rybczynska" <rybczynska@gmail.com> writes:
> On Wed, May 15, 2024 at 8:09 PM Joshua Watt <jpewhacker@gmail.com> wrote:
>
> On Wed, May 15, 2024 at 11:11 AM Marta Rybczynska <rybczynska@gmail.com> wrote:
> > So, the question is, what people plan to archive from the build? Do
> > we need to archive the whole SPDX output too? This is an
> > interesting question for example in case of "world" builds..
>
> The algorithm for creating the final SBoM for SPDX is actually pretty
> generic: Given a single starting document that has some references to
> external SPDX objects, it finds the documents that provide those
> objects and adds those documents to the final SBoM. It then
> re-calculates all of the (missing) external SPDX objects from the new
> SBoM and repeats the process of adding documents to the SBoM until
> either all references are satisfied, or the references are known to
> not exist in the current build (which generates a warning, since it's
> not really expected).
>
> The nice thing about this algorithm is that we can really generate a
> SBoM for anything as long as you have the document (e.g. initial
> objects) you want to start from. As such, we should be able to
> generate SBoMs for world builds, individual packages, or just about
> whatever we want.
>
> I'm wondering what makes sense to store: on one side, image is
> something that people flash on the device, so we definitely want to
> keep it. If there is a vulnerability in the compiler used to build, it
> does not necessarily affect the image (and you do not need to update
> it); except the case it affects the generated code. It makes then
> sense to store SDK and image status separately.
>
> I'd like to head opinions from people who use the SPDX generation, if
> there is a preference.
As SDK is something that is potentially delivered to customers, having
SBoM for it definitely makes sense, and I believe any output of security
scanning/analysis would also make sense.
As for the native recipes, I don't think I will ever want to see that in
any of this.
/Esben
next prev parent reply other threads:[~2024-05-16 8:47 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-15 17:11 SPDX delivery Marta Rybczynska
2024-05-15 18:08 ` Joshua Watt
2024-05-16 7:26 ` Marta Rybczynska
2024-05-16 8:32 ` Esben Haabendal [this message]
2024-05-27 17:47 ` Marta Rybczynska
2024-05-27 23:01 ` Joshua Watt
2024-05-28 14:59 ` Marta Rybczynska
2024-05-28 15:13 ` Joshua Watt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87eda2qhry.fsf@geanix.com \
--to=esben@geanix.com \
--cc=jpewhacker@gmail.com \
--cc=openembedded-architecture@lists.openembedded.org \
--cc=rybczynska@gmail.com \
--cc=yocto@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.