| Message ID | 20251028081249.1378992-1-ejo@pengutronix.de |
|---|---|
| State | Under Review |
| Headers | show |
| Series | dev-manual/sbom.rst: reflect that create-spdx is enabled by default | expand |
Hi Enrico, On 10/28/25 9:12 AM, Enrico Jörns via lists.yoctoproject.org wrote: > Since nanbield (b34032ec "defaultsetup: Inherit create-spdx by > default"), the create-spdx class is pulled in by default, not only by > poky. > Indeed! > Adapt the text to reflect this and also change INHERIT to INHERIT_DISTRO > since this is the more concrete variable to modify for disabling > create-spdx. > > Signed-off-by: Enrico Jörns <ejo@pengutronix.de> > --- > documentation/dev-manual/sbom.rst | 15 ++++----------- > 1 file changed, 4 insertions(+), 11 deletions(-) > > diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst > index ca0fc8b9d..d54a33a47 100644 > --- a/documentation/dev-manual/sbom.rst > +++ b/documentation/dev-manual/sbom.rst > @@ -24,19 +24,12 @@ users can read in standardized format. > :term:`SBOM` information is also critical to performing vulnerability exposure > assessments, as all the components used in the Software Supply Chain are listed. > > -The OpenEmbedded build system doesn't generate such information by default, > -though the :term:`Poky` reference distribution has it enabled out of the box. > +The OpenEmbedded build system generates such information by default (by > +inheriting the :ref:`ref-classes-create-spdx` class in :term:`INHERIT_DISTRO`). > s/in/via/ ? > -To enable it, inherit the :ref:`ref-classes-create-spdx` class from a > -configuration file:: > +If needed, it can be disabled from a :term:`configuration file`:: > > - INHERIT += "create-spdx" > - > -In the :term:`Poky` reference distribution, :term:`SPDX` generation does > -consume some build time resources and thus if needed it can be disabled from a > -:term:`configuration file`:: > - > - INHERIT:remove = "create-spdx" > + INHERIT_DISTRO:remove = "create-spdx" > INHERIT_DISTRO is set with a weak operator (?=) so one can simply set it from any location with INHERIT_DISTRO = (or if parsed before defaultsetup.conf, with INHERIT_DISTRO ?=). There's no need to go the overkill way of using :remove here. In any case, Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> Thanks! Quentin
Am Dienstag, dem 28.10.2025 um 11:04 +0100 schrieb Quentin Schulz: > Hi Enrico, > > On 10/28/25 9:12 AM, Enrico Jörns via lists.yoctoproject.org wrote: > > Since nanbield (b34032ec "defaultsetup: Inherit create-spdx by > > default"), the create-spdx class is pulled in by default, not only by > > poky. > > > > Indeed! > > > Adapt the text to reflect this and also change INHERIT to INHERIT_DISTRO > > since this is the more concrete variable to modify for disabling > > create-spdx. > > > > Signed-off-by: Enrico Jörns <ejo@pengutronix.de> > > --- > > documentation/dev-manual/sbom.rst | 15 ++++----------- > > 1 file changed, 4 insertions(+), 11 deletions(-) > > > > diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst > > index ca0fc8b9d..d54a33a47 100644 > > --- a/documentation/dev-manual/sbom.rst > > +++ b/documentation/dev-manual/sbom.rst > > @@ -24,19 +24,12 @@ users can read in standardized format. > > :term:`SBOM` information is also critical to performing vulnerability exposure > > assessments, as all the components used in the Software Supply Chain are listed. > > > > -The OpenEmbedded build system doesn't generate such information by default, > > -though the :term:`Poky` reference distribution has it enabled out of the box. > > +The OpenEmbedded build system generates such information by default (by > > +inheriting the :ref:`ref-classes-create-spdx` class in :term:`INHERIT_DISTRO`). > > > > s/in/via/ ? I guess both should work, but yours might be slightly better, indeed. > > -To enable it, inherit the :ref:`ref-classes-create-spdx` class from a > > -configuration file:: > > +If needed, it can be disabled from a :term:`configuration file`:: > > > > - INHERIT += "create-spdx" > > - > > -In the :term:`Poky` reference distribution, :term:`SPDX` generation does > > -consume some build time resources and thus if needed it can be disabled from a > > -:term:`configuration file`:: > > - > > - INHERIT:remove = "create-spdx" > > + INHERIT_DISTRO:remove = "create-spdx" > > > > INHERIT_DISTRO is set with a weak operator (?=) so one can simply set it > from any location with INHERIT_DISTRO = (or if parsed before > defaultsetup.conf, with INHERIT_DISTRO ?=). There's no need to go the > overkill way of using :remove here. But that would override the other settings, too. I guess it depends on what the actual goal is. But admittedly, I was unsure if and how to change the suggestion here, too (also since this is nothing really create-spdx-specific). Let me know in case I should make a v2 for any of these changes
diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst index ca0fc8b9d..d54a33a47 100644 --- a/documentation/dev-manual/sbom.rst +++ b/documentation/dev-manual/sbom.rst @@ -24,19 +24,12 @@ users can read in standardized format. :term:`SBOM` information is also critical to performing vulnerability exposure assessments, as all the components used in the Software Supply Chain are listed. -The OpenEmbedded build system doesn't generate such information by default, -though the :term:`Poky` reference distribution has it enabled out of the box. +The OpenEmbedded build system generates such information by default (by +inheriting the :ref:`ref-classes-create-spdx` class in :term:`INHERIT_DISTRO`). -To enable it, inherit the :ref:`ref-classes-create-spdx` class from a -configuration file:: +If needed, it can be disabled from a :term:`configuration file`:: - INHERIT += "create-spdx" - -In the :term:`Poky` reference distribution, :term:`SPDX` generation does -consume some build time resources and thus if needed it can be disabled from a -:term:`configuration file`:: - - INHERIT:remove = "create-spdx" + INHERIT_DISTRO:remove = "create-spdx" Upon building an image, you will then get:
Since nanbield (b34032ec "defaultsetup: Inherit create-spdx by default"), the create-spdx class is pulled in by default, not only by poky. Adapt the text to reflect this and also change INHERIT to INHERIT_DISTRO since this is the more concrete variable to modify for disabling create-spdx. Signed-off-by: Enrico Jörns <ejo@pengutronix.de> --- documentation/dev-manual/sbom.rst | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-)