MIRRORS/poky
1
0
Fork 0
mirror of git://git.yoctoproject.org/poky.git synced 2025-07-19 21:09:03 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

dev-manual: Rephrase spdx creation

Browse Source 
Make the options more clear by providing them in a list instead of plain prosa.
Also add a ref for a presentation wrt spdx 3.0 in the Yocto project.

Fixes [YOCTO 7476]

(From yocto-docs rev: a15e354f98607592a67d2df91dfa2bf0707d8f38)

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Simone Weiß 2024-02-05 16:13:09 +00:00 committed by Richard Purdie
parent 296fdb6643
commit 1f247f5451
1 changed files with 24 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
documentation/dev-manual/sbom.rst
View File

@ -30,22 +30,29 @@ To make this happen, you must inherit the
INHERIT += "create-spdx"
You then get :term:`SPDX` output in JSON format as an
``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the
:term:`Build Directory`.
Upon building an image, you will then get:
This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json``
containing an index of JSON :term:`SPDX` files for individual recipes, together
with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such
files.
- :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`.
- This toplevel file is accompanied by an ``IMAGE-MACHINE.spdx.index.json``
containing an index of JSON :term:`SPDX` files for individual recipes.
- The compressed archive ``IMAGE-MACHINE.spdx.tar.zst`` contains the index
and the files for the single recipes.
The :ref:`ref-classes-create-spdx` class offers options to include
more information in the output :term:`SPDX` data, such as making the generated
files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of
the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`),
adding a description of the source files used to generate host tools and target
packages (:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source
files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
more information in the output :term:`SPDX` data:
- Make the json files more human readable by setting (:term:`SPDX_PRETTY`).
- Add compressed archives of the files in the generated target packages by
setting (:term:`SPDX_ARCHIVE_PACKAGED`).
- Add a description of the source files used to generate host tools and target
packages (:term:`SPDX_INCLUDE_SOURCES`)
- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
Though the toplevel :term:`SPDX` output is available in
``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary
@ -65,11 +72,12 @@ generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as:
See also the :term:`SPDX_CUSTOM_ANNOTATION_VARS` variable which allows
to associate custom notes to a recipe.
See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX`
project website for a list of tools to consume and transform the :term:`SPDX`
data generated by the OpenEmbedded build system.
See also Joshua Watt's
See also Joshua Watt's presentations
`Automated SBoM generation with OpenEmbedded and the Yocto Project <https://youtu.be/Q5UQUM6zxVU>`__
presentation at FOSDEM 2023.
at FOSDEM 2023 and
`SPDX in the Yocto Project <https://fosdem.org/2024/schedule/event/fosdem-2024-3318-spdx-in-the-yocto-project/>`__
at FOSDEM 2024.