diff mbox series

sbom.rst: how to disable SPDX generation

Message ID 20250310153108.40579-1-mikko.rapeli@linaro.org
State Under Review
Headers show
Series sbom.rst: how to disable SPDX generation | expand

Commit Message

Mikko Rapeli March 10, 2025, 3:31 p.m. UTC
Generating SPDX is enabled by default in poky but
it can take a lot of build time resources so document
how to disable it.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 documentation/dev-manual/sbom.rst | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

Comments

Antonin Godard March 11, 2025, 9:43 a.m. UTC | #1
Hi Mikko,

On Mon Mar 10, 2025 at 4:31 PM CET, Mikko Rapeli via lists.yoctoproject.org wrote:
> Generating SPDX is enabled by default in poky but
> it can take a lot of build time resources so document
> how to disable it.
>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
>  documentation/dev-manual/sbom.rst | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst
> index b72bad1554..f5a706bc14 100644
> --- a/documentation/dev-manual/sbom.rst
> +++ b/documentation/dev-manual/sbom.rst
> @@ -24,12 +24,18 @@ users can read in standardized format.
>  :term:`SBOM` information is also critical to performing vulnerability exposure
>  assessments, as all the components used in the Software Supply Chain are listed.
>  
> -The OpenEmbedded build system doesn't generate such information by default.
> -To make this happen, you must inherit the
> -:ref:`ref-classes-create-spdx` class from a configuration file::
> +The OpenEmbedded build system doesn't generate such information by default,
> +though ``poky`` reference distribution has it enabled out of the box.

s/though ``poky`` reference/though the :term:`Poky` reference distribution/

> +
> +To enable it, inherit the :ref:`ref-classes-create-spdx` class from a configuration file::
>  
>     INHERIT += "create-spdx"
>  
> +In ``poky`` reference distribution, :term:`SPDX` generation does consume some build time

Same comment as above

> +resources and thus if needed it can be disabled with:

"...it can be disabled from a :term:`configuration file` with:"

> +
> +   INHERIT:remove = "create-spdx"
> +
>  Upon building an image, you will then get:
>  
>  -  :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in

Otherwise looks good to me, thanks!
Antonin
diff mbox series

Patch

diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst
index b72bad1554..f5a706bc14 100644
--- a/documentation/dev-manual/sbom.rst
+++ b/documentation/dev-manual/sbom.rst
@@ -24,12 +24,18 @@  users can read in standardized format.
 :term:`SBOM` information is also critical to performing vulnerability exposure
 assessments, as all the components used in the Software Supply Chain are listed.
 
-The OpenEmbedded build system doesn't generate such information by default.
-To make this happen, you must inherit the
-:ref:`ref-classes-create-spdx` class from a configuration file::
+The OpenEmbedded build system doesn't generate such information by default,
+though ``poky`` reference distribution has it enabled out of the box.
+
+To enable it, inherit the :ref:`ref-classes-create-spdx` class from a configuration file::
 
    INHERIT += "create-spdx"
 
+In ``poky`` reference distribution, :term:`SPDX` generation does consume some build time
+resources and thus if needed it can be disabled with:
+
+   INHERIT:remove = "create-spdx"
+
 Upon building an image, you will then get:
 
 -  :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in