Message ID | 20250310153108.40579-1-mikko.rapeli@linaro.org |
---|---|
State | Under Review |
Series | sbom.rst: how to disable SPDX generation |
Hi Mikko, On Mon Mar 10, 2025 at 4:31 PM CET, Mikko Rapeli via lists.yoctoproject.org wrote: > Generating SPDX is enabled by default in poky but > it can take a lot of build time resources so document > how to disable it. > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > --- > documentation/dev-manual/sbom.rst | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst > index b72bad1554..f5a706bc14 100644 > --- a/documentation/dev-manual/sbom.rst > +++ b/documentation/dev-manual/sbom.rst > @@ -24,12 +24,18 @@ users can read in standardized format. > :term:`SBOM` information is also critical to performing vulnerability exposure > assessments, as all the components used in the Software Supply Chain are listed. > > -The OpenEmbedded build system doesn't generate such information by default. > -To make this happen, you must inherit the > -:ref:`ref-classes-create-spdx` class from a configuration file:: > +The OpenEmbedded build system doesn't generate such information by default, > +though ``poky`` reference distribution has it enabled out of the box. s/though ``poky`` reference/though the :term:`Poky` reference distribution/ > + > +To enable it, inherit the :ref:`ref-classes-create-spdx` class from a configuration file:: > > INHERIT += "create-spdx" > > +In ``poky`` reference distribution, :term:`SPDX` generation does consume some build time Same comment as above > +resources and thus if needed it can be disabled with: "...it can be disabled from a :term:`configuration file` with:" > + > + INHERIT:remove = "create-spdx" > + > Upon building an image, you will then get: > > - :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in Otherwise looks good to me, thanks! Antonin
diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst index b72bad1554..f5a706bc14 100644 --- a/documentation/dev-manual/sbom.rst +++ b/documentation/dev-manual/sbom.rst @@ -24,12 +24,18 @@ users can read in standardized format. :term:`SBOM` information is also critical to performing vulnerability exposure assessments, as all the components used in the Software Supply Chain are listed. -The OpenEmbedded build system doesn't generate such information by default. -To make this happen, you must inherit the -:ref:`ref-classes-create-spdx` class from a configuration file:: +The OpenEmbedded build system doesn't generate such information by default, +though ``poky`` reference distribution has it enabled out of the box. + +To enable it, inherit the :ref:`ref-classes-create-spdx` class from a configuration file:: INHERIT += "create-spdx" +In ``poky`` reference distribution, :term:`SPDX` generation does consume some build time +resources and thus if needed it can be disabled with: + + INHERIT:remove = "create-spdx" + Upon building an image, you will then get: - :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
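Review bot: The added sentence ending "it can be disabled with:" uses a single colon before the indented ``INHERIT:remove = "create-spdx"`` line, so reStructuredText will render that line as a block quote rather than a literal block; end the sentence with ``::`` as the existing ``INHERIT += "create-spdx"`` example does. The unchanged context line "Upon building an image, you will then get:" now directly follows the disable instruction, so it reads as if the SPDX output is what you get after removing the class; consider moving the disable paragraph below the output list or rewording that lead-in. Since the preceding context calls SBOM information critical to vulnerability exposure assessments, the new paragraph could also say that removing the class means no SPDX output is produced for the image, so readers see the trade-off next to the build-time saving.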
Generating SPDX is enabled by default in poky but it can take a lot of build time resources so document how to disable it.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 documentation/dev-manual/sbom.rst | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)