From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Marta Rybczynska <rybczynska@gmail.com>,
OE-core <openembedded-core@lists.openembedded.org>,
openembedded-architecture@lists.openembedded.org,
Joshua Watt <JPEWhacker@gmail.com>
Subject: Re: [Openembedded-architecture] Adding more information to the SBOM
Date: Thu, 15 Sep 2022 13:16:39 +0100 [thread overview]
Message-ID: <e0ece56dc5b05480313c5eee78a3d31081478687.camel@linuxfoundation.org> (raw)
In-Reply-To: <CAApg2=Q0+GqNVfyhnnadaEhXUB67_vbf5=ukKHdD8xRHqSOptg@mail.gmail.com>
On Wed, 2022-09-14 at 16:16 +0200, Marta Rybczynska wrote:
> The sources with a long README are available at
> https://gitlab.eclipse.org/eclipse/oniro-compliancetoolchain/toolchain/tinfoilhat/-/tree/srctracker/srctracker
>
> What do you think of this work? Would it be of interest to integrate
> into YP at some point? Shall we discuss this?
I had a look at this and was a bit puzzled by some of it.
I can see the issues you'd have if you want to separate the unpatched
source from the patches and know which files had patches applied as
that is hard to track. There would be significiant overhead in trying
to process and store that information in the unpack/patch steps and the
archiver class does some of that already. It is messy, hard and doens't
perform well. I'm reluctant to force everyone to do it as a result but
that can also result in multiple code paths and when you have that, the
result is that one breaks :(.
I also can see the issue with multiple sources in SRC_URI, although you
should be able to map those back if you assume subtrees are "owned" by
given SRC_URI entries. I suspect there may be a SPDX format limit in
documenting that piece?
Where I became puzzled is where you say "Information about debug
sources for each actual binary file is then taken from
tmp/pkgdata/<machine>/extended/*.json.zstd". This is the data we added
and use for the spdx class so you shouldn't need to reinvent that
piece. It should be the exact same data the spdx class uses.
I was also puzzled about the difference between rpm and the other
package backends. The exact same files are packaged by all the package
backends so the checksums from do_package should be fine.
For the source issues above it basically it comes down to how much
"pain" we want to push onto all users for the sake of adding in this
data. Unfortunately it is data which many won't need or use and
different legal departments do have different requirements. Experience
with archiver.bbclass shows that multiple codepaths doing these things
is a nightmare to keep working, particularly for corner cases which do
interesting things with the code (externalsrc, gcc shared workdir, the
kernel and more).
Cheers,
Richard
next prev parent reply other threads:[~2022-09-15 12:16 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-14 14:16 Adding more information to the SBOM Marta Rybczynska
2022-09-14 14:56 ` Joshua Watt
2022-09-14 17:10 ` [OE-core] " Alberto Pianon
2022-09-14 20:52 ` Joshua Watt
2022-09-15 1:16 ` [Openembedded-architecture] " Mark Hatle
2022-09-15 12:16 ` Richard Purdie [this message]
2022-09-16 15:18 ` Alberto Pianon
2022-09-16 15:49 ` Mark Hatle
2022-09-20 12:25 ` Alberto Pianon
2022-09-16 16:08 ` Richard Purdie
[not found] ` <1061592967.5114533.1663597215958.JavaMail.zimbra@piana.eu>
2022-09-20 13:15 ` Richard Purdie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e0ece56dc5b05480313c5eee78a3d31081478687.camel@linuxfoundation.org \
--to=richard.purdie@linuxfoundation.org \
--cc=JPEWhacker@gmail.com \
--cc=openembedded-architecture@lists.openembedded.org \
--cc=openembedded-core@lists.openembedded.org \
--cc=rybczynska@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox