| Message ID | 20250821145438.2537767-3-kamel.bouhara@bootlin.com |
|---|---|
| State | New |
| Series | spdx3: Add optional support for exporting |
On Thu, Aug 21, 2025 at 8:54 AM Kamel Bouhara <kamel.bouhara@bootlin.com> wrote: > Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled > causes > PACKAGECONFIG features to be recorded in the SPDX document as build > parameters. > > Each feature is recorded as a DictionaryEntry with key > PACKAGECONFIG:<feature> > and value enabled or disabled, depending on whether the feature is active > in > the current build. > > This makes the build-time configuration more transparent in SPDX output and > improves reproducibility tracking. > > This makes the build-time configuration more transparent in SPDX output and > improves reproducibility tracking. In particular, it allows consumers of > the > SBOM to identify enabled/disabled features that may affect security posture > or feature set. > > Signed-off-by: Kamel Bouhara <kamel.bouhara@bootlin.com> > --- > meta/classes/create-spdx-3.0.bbclass | 5 +++++ > meta/lib/oe/spdx30_tasks.py | 20 ++++++++++++++++++++ > 2 files changed, 25 insertions(+) > > diff --git a/meta/classes/create-spdx-3.0.bbclass > b/meta/classes/create-spdx-3.0.bbclass > index 15c31ba9a3..6125e8b547 100644 > --- a/meta/classes/create-spdx-3.0.bbclass > +++ b/meta/classes/create-spdx-3.0.bbclass > @@ -56,6 +56,11 @@ and each CONFIG_* value will be included in the > Build.build_parameter list as Di > items. Set to '0' to disable exporting kernel configuration to improve > performance or reduce \ > SPDX document size." > > +SPDX_INCLUDE_PACKAGECONFIG ??= "0" > +SPDX_INCLUDE_PACKAGECONFIG[doc] = "If set to '1', each PACKAGECONFIG > feature is recorded in the \ > +build_Build object's build_parameter list as a DictionaryEntry with key \ > +'PACKAGECONFIG:<feature>' and value 'enabled' or 'disabled'" > + > SPDX_IMPORTS ??= "" > SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how > to \ > reference external SPDX ids. Each import is defined as a key in this \ 
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py > index c352dab152..d708715981 100644 > --- a/meta/lib/oe/spdx30_tasks.py > +++ b/meta/lib/oe/spdx30_tasks.py > @@ -815,6 +815,26 @@ def create_spdx(d): > sorted(list(build_inputs)) + sorted(list(debug_source_ids)), > ) > > + if d.getVar("SPDX_INCLUDE_PACKAGECONFIG", True) != "0": > + packageconfig = (d.getVar("PACKAGECONFIG") or "").split() > + all_features = (d.getVarFlags("PACKAGECONFIG") or {}).keys() > + > + if all_features: > + enabled = set(packageconfig) > + all_features_set = set(all_features) > + disabled = all_features_set - enabled > + > + for feature in sorted(all_features): > + status = "enabled" if feature in enabled else "disabled" > + build.build_parameter.append( > + oe.spdx30.DictionaryEntry( > + key=f"PACKAGECONFIG:{feature}", > + value=status > + ) > + ) > + > + bb.note(f"Added PACKAGECONFIG entries: {len(enabled)} > enabled, {len(disabled)} disabled") > + > LGTM Reviewed-by: Joshua Watt <JPEWhacker@gmail.com> > oe.sbom30.write_recipe_jsonld_doc(d, build_objset, "recipes", > deploydir) > > > -- > 2.43.0 > >
Hi,

> On 21 Aug 2025, at 15:54, Kamel Bouhara via lists.openembedded.org <kamel.bouhara=bootlin.com@lists.openembedded.org> wrote:
>
> Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes
> PACKAGECONFIG features to be recorded in the SPDX document as build parameters.

My initial review comment was “what does Josh think” and he’s already acked this, but this is adding disabled-by-default functionality that isn’t documented or tested at all.

Can you add some documentation to the reference manual at least, and a test case in oe-selftest that turns on all of these optional toggles so they get exercised at least once?

Thanks,
Ross
On Mon, Sep 01, 2025 at 05:04:38PM +0000, Ross Burton via lists.openembedded.org wrote:
> Hi,
>

Hi Ross,

> > On 21 Aug 2025, at 15:54, Kamel Bouhara via lists.openembedded.org <kamel.bouhara=bootlin.com@lists.openembedded.org> wrote:
> >
> > Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes
> > PACKAGECONFIG features to be recorded in the SPDX document as build parameters.
>
> My initial review comment was “what does Josh think” and he’s already acked this, but this is adding disabled-by-default functionality that isn’t documented or tested at all.
>
> Can you add some documentation to the reference manual at least, and a test case in oe-selftest that turns on all of these optional toggles so they get exercised at least once?

Sure, I’ll add the docs and an oe-selftest case in the next update.

Thanks,
Kamel

--
Kamel Bouhara, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index 15c31ba9a3..6125e8b547 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass @@ -56,6 +56,11 @@ and each CONFIG_* value will be included in the Build.build_parameter list as Di items. Set to '0' to disable exporting kernel configuration to improve performance or reduce \ SPDX document size." +SPDX_INCLUDE_PACKAGECONFIG ??= "0" +SPDX_INCLUDE_PACKAGECONFIG[doc] = "If set to '1', each PACKAGECONFIG feature is recorded in the \ +build_Build object's build_parameter list as a DictionaryEntry with key \ +'PACKAGECONFIG:<feature>' and value 'enabled' or 'disabled'" + SPDX_IMPORTS ??= "" SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \ reference external SPDX ids. Each import is defined as a key in this \ diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index c352dab152..d708715981 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -815,6 +815,26 @@ def create_spdx(d): sorted(list(build_inputs)) + sorted(list(debug_source_ids)), ) + if d.getVar("SPDX_INCLUDE_PACKAGECONFIG", True) != "0": + packageconfig = (d.getVar("PACKAGECONFIG") or "").split() + all_features = (d.getVarFlags("PACKAGECONFIG") or {}).keys() + + if all_features: + enabled = set(packageconfig) + all_features_set = set(all_features) + disabled = all_features_set - enabled + + for feature in sorted(all_features): + status = "enabled" if feature in enabled else "disabled" + build.build_parameter.append( + oe.spdx30.DictionaryEntry( + key=f"PACKAGECONFIG:{feature}", + value=status + ) + ) + + bb.note(f"Added PACKAGECONFIG entries: {len(enabled)} enabled, {len(disabled)} disabled") + oe.sbom30.write_recipe_jsonld_doc(d, build_objset, "recipes", deploydir)
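Review bot: SPDX_INCLUDE_PACKAGECONFIG[doc] in the create-spdx-3.0.bbclass hunk says the entries are recorded "If set to '1'", but the check in spdx30_tasks.py is `!= "0"`, so any other value, including an empty string, also turns the export on. Either test for `== "1"` or word the doc string like the neighbouring entry ("Set to '0' to disable ..."), so the documented and actual behaviour agree. The new doc string also ends without a full stop, unlike the entry above it.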
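Review bot: the bb.note() at the end of the create_spdx() hunk in spdx30_tasks.py reports `len(enabled)`, which counts every word in PACKAGECONFIG, while the loop only appends entries for names in all_features; a PACKAGECONFIG value with no matching flag is counted as enabled but never written to the document. Count `all_features_set & enabled` instead so the log matches the entries actually added. Two smaller points: all_features_set is built but the loop iterates `sorted(all_features)`, and `d.getVar("SPDX_INCLUDE_PACKAGECONFIG", True)` passes a second positional argument that the other getVar call in the hunk does not use; dropping it would be consistent.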
Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes PACKAGECONFIG features to be recorded in the SPDX document as build parameters.

Each feature is recorded as a DictionaryEntry with key PACKAGECONFIG:<feature> and value enabled or disabled, depending on whether the feature is active in the current build.

This makes the build-time configuration more transparent in SPDX output and improves reproducibility tracking.

This makes the build-time configuration more transparent in SPDX output and improves reproducibility tracking. In particular, it allows consumers of the SBOM to identify enabled/disabled features that may affect security posture or feature set.

Signed-off-by: Kamel Bouhara <kamel.bouhara@bootlin.com>
---
 meta/classes/create-spdx-3.0.bbclass |  5 +++++
 meta/lib/oe/spdx30_tasks.py          | 20 ++++++++++++++++++++
 2 files changed, 25 insertions(+)
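A consumer-side example of the use the commit message describes, added here and not part of the patch or of OpenEmbedded: it reads the PACKAGECONFIG:<feature> entries from a build_Build element's build_parameter list and compares them with a hardening policy. The "@graph" document layout, the sample document, the feature names and the `policy_findings` helper are assumptions.

```python
import json

PREFIX = "PACKAGECONFIG:"

# Constructed sample, not real build output: a trimmed JSON-LD graph with one
# build_Build element. The "@graph" layout, spdxIds and feature names are assumptions.
SAMPLE_SBOM = json.dumps({"@graph": [
    {"type": "software_Package", "spdxId": "urn:example:package"},
    {"type": "build_Build", "spdxId": "urn:example:build", "build_parameter": [
        {"type": "DictionaryEntry", "key": "CONFIG_EXAMPLE", "value": "y"},
        {"type": "DictionaryEntry", "key": "PACKAGECONFIG:seccomp", "value": "disabled"},
        {"type": "DictionaryEntry", "key": "PACKAGECONFIG:openssl", "value": "enabled"},
        {"type": "DictionaryEntry", "key": "PACKAGECONFIG:telnet", "value": "enabled"},
    ]},
]})


def packageconfig_by_build(sbom_text):
    """Map each build_Build spdxId to {feature: is_enabled}."""
    result = {}
    for element in json.loads(sbom_text).get("@graph", []):
        if element.get("type") != "build_Build":
            continue
        features = {}
        for entry in element.get("build_parameter", []):
            key, value = entry.get("key", ""), entry.get("value")
            if not key.startswith(PREFIX):
                continue  # other build parameters, e.g. kernel CONFIG_* entries
            if value not in ("enabled", "disabled"):
                raise ValueError(f"unexpected value {value!r} for {key}")
            features[key[len(PREFIX):]] = value == "enabled"
        result[element["spdxId"]] = features
    return result


def policy_findings(features, must_enable=(), must_disable=()):
    """Check one build against a hardening policy (hypothetical helper).

    A feature absent from the SBOM is reported as "not recorded", never
    assumed disabled: the recipe may simply not declare that flag.
    """
    findings = []
    for name, wanted in [(n, True) for n in must_enable] + [(n, False) for n in must_disable]:
        if name not in features:
            findings.append((name, "not recorded"))
        elif features[name] != wanted:
            findings.append((name, "enabled" if features[name] else "disabled"))
    return sorted(findings)
```

Calling `policy_findings(features, ["seccomp", "pie"], ["telnet"])` on the sample build returns one finding per deviation, with the unrecorded feature kept distinct from the disabled one.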