| Message ID | 20240205161309.2958827-1-simone.p.weiss@posteo.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | dev-manual: Rephrase spdx creation | expand |
On 05.02.24 17:13, Simone Weiß via lists.yoctoproject.org wrote: > From: Simone Weiß <simone.p.weiss@posteo.com> > > Make the options more clewar by providing them in a list instead of plain prosa. There's a W too much in clear. Kind regards Jörg Sommer
Simone, Jörg, Thanks for the patch and review! On 2/5/24 at 17:13, Simone Weiß wrote: > From: Simone Weiß <simone.p.weiss@posteo.com> > > Make the options more clewar by providing them in a list instead of plain prosa. > Also add a ref for a presentation wrt spdx 3.0 in the Yocto project. > > Fixes [YOCTO 7476] > > Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> > --- > documentation/dev-manual/sbom.rst | 40 ++++++++++++++++++------------- > 1 file changed, 24 insertions(+), 16 deletions(-) > > diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst > index f51d08f84..b72bad155 100644 > --- a/documentation/dev-manual/sbom.rst > +++ b/documentation/dev-manual/sbom.rst > @@ -30,22 +30,29 @@ To make this happen, you must inherit the > > INHERIT += "create-spdx" > > -You then get :term:`SPDX` output in JSON format as an > -``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the > -:term:`Build Directory`. > +Upon building an image, you will then get: > > -This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json`` > -containing an index of JSON :term:`SPDX` files for individual recipes, together > -with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such > -files. > +- :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in > + ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`. > + > +- This toplevel file is accompanied by an ``IMAGE-MACHINE.spdx.index.json`` > + containing an index of JSON :term:`SPDX` files for individual recipes. > + > +- The compressed archive ``IMAGE-MACHINE.spdx.tar.zst`` contains the index > + and the files for the single recipes. > > The :ref:`ref-classes-create-spdx` class offers options to include > -more information in the output :term:`SPDX` data, such as making the generated > -files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of > -the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`), > -adding a description of the source files used to generate host tools and target > -packages (:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source > -files themselves (:term:`SPDX_ARCHIVE_SOURCES`). > +more information in the output :term:`SPDX` data: > + > +- Make the json files more human readable by setting (:term:`SPDX_PRETTY`). > + > +- Add compressed archives of the files in the generated target packages by > + setting (:term:`SPDX_ARCHIVE_PACKAGED`). > + > +- Add a description of the source files used to generate host tools and target > + packages (:term:`SPDX_INCLUDE_SOURCES`) > + > +- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`). I agree that your changes make the text easier to read. > > Though the toplevel :term:`SPDX` output is available in > ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary > @@ -65,11 +72,12 @@ generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as: > > See also the :term:`SPDX_CUSTOM_ANNOTATION_VARS` variable which allows > to associate custom notes to a recipe. > - > See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX` > project website for a list of tools to consume and transform the :term:`SPDX` > data generated by the OpenEmbedded build system. > > -See also Joshua Watt's > +See also Joshua Watt's presentations > `Automated SBoM generation with OpenEmbedded and the Yocto Project <https://youtu.be/Q5UQUM6zxVU>`__ > -presentation at FOSDEM 2023. > +at FOSDEM 2023 and > +`SPDX in the Yocto Project <https://fosdem.org/2024/schedule/event/fosdem-2024-3318-spdx-in-the-yocto-project/>`__ Wow, that's fresh stuff. I also watched this new one live. It's good to keep the first one as it shared more details if I recall correctly. Merged into master-next. I fixed the typo reported by Jörg in the commit message. Cheers Michael
diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst index f51d08f84..b72bad155 100644 --- a/documentation/dev-manual/sbom.rst +++ b/documentation/dev-manual/sbom.rst @@ -30,22 +30,29 @@ To make this happen, you must inherit the INHERIT += "create-spdx" -You then get :term:`SPDX` output in JSON format as an -``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the -:term:`Build Directory`. +Upon building an image, you will then get: -This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json`` -containing an index of JSON :term:`SPDX` files for individual recipes, together -with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such -files. +- :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in + ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`. + +- This toplevel file is accompanied by an ``IMAGE-MACHINE.spdx.index.json`` + containing an index of JSON :term:`SPDX` files for individual recipes. + +- The compressed archive ``IMAGE-MACHINE.spdx.tar.zst`` contains the index + and the files for the single recipes. The :ref:`ref-classes-create-spdx` class offers options to include -more information in the output :term:`SPDX` data, such as making the generated -files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of -the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`), -adding a description of the source files used to generate host tools and target -packages (:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source -files themselves (:term:`SPDX_ARCHIVE_SOURCES`). +more information in the output :term:`SPDX` data: + +- Make the json files more human readable by setting (:term:`SPDX_PRETTY`). + +- Add compressed archives of the files in the generated target packages by + setting (:term:`SPDX_ARCHIVE_PACKAGED`). + +- Add a description of the source files used to generate host tools and target + packages (:term:`SPDX_INCLUDE_SOURCES`) + +- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`). Though the toplevel :term:`SPDX` output is available in ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary @@ -65,11 +72,12 @@ generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as: See also the :term:`SPDX_CUSTOM_ANNOTATION_VARS` variable which allows to associate custom notes to a recipe. - See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX` project website for a list of tools to consume and transform the :term:`SPDX` data generated by the OpenEmbedded build system. -See also Joshua Watt's +See also Joshua Watt's presentations `Automated SBoM generation with OpenEmbedded and the Yocto Project <https://youtu.be/Q5UQUM6zxVU>`__ -presentation at FOSDEM 2023. +at FOSDEM 2023 and +`SPDX in the Yocto Project <https://fosdem.org/2024/schedule/event/fosdem-2024-3318-spdx-in-the-yocto-project/>`__ +at FOSDEM 2024.