Openembedded Core Discussions
From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: Jose Quaresma <quaresma.jose@gmail.com>
Cc: Marta Rybczynska <rybczynska@gmail.com>,
	openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] cve-check.bbclass: support embedded SW components with different version number
Date: Thu, 19 Oct 2023 15:21:33 +0300
Message-ID: <ZTEfTcgNMkUrITEG@nuoska>
In-Reply-To: <CANPvuRn1q0a63ZWyYer8LP0htmo7cBwyX6LTv_=ipZFcJq3j9Q@mail.gmail.com>

Hi,

On Thu, Oct 19, 2023 at 12:54:44PM +0100, Jose Quaresma wrote:
> Hi
> 
> This change will need some adaptations in the create-spdx.bbclass to handle
> this new variable with _PN

Good point. How does SPDX tooling handle embedded SW components in recipe sources?

I presume it does not because recipe and license don't handle it either. Should
there be a more generic PN_subpn, PV_subpn, LICENSE_subpn and matching CVE_PRODUCT
and CVE_VERSION? I don't have use cases for these currently. I would like to fix
the CVE reporting issues with embedded SW components though. mbedtls being one good
example.

Or would it be better to convert mbedtls users to use the meta-oe side recipe for it?

Additionally I don't currently read the SPDX output. I don't have use cases for it.
I do check recipes and their metadata like LICENSE though. Feels like the SPDX data
is used as reporting/export data format which is fed to some other tools which are
not open source.

Can of worms...

Cheers,

-Mikko

