| Message ID | 20260609114814.197318-1-peter.marko@siemens.com |
|---|---|
| State | New |
| Headers | show |
| Series | [RFC] create-spdx-image-3.0: create image sbom recursively | expand |
On Tue, 2026-06-09 at 13:48 +0200, Peter Marko via lists.openembedded.org wrote: > From: Peter Marko <peter.marko@siemens.com> > > Including image in another image is being done by depending on > do_image_complete. This however does not include SPDX SBOM. > We should not need second bitbake execution to create it. > > Recursively add do_create_image_sbom_spdx to do_build to resolve it. > > Use-case are e.g. fitimage or multiconfig containers. > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > --- > meta/classes-recipe/create-spdx-image-3.0.bbclass | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/classes-recipe/create-spdx-image-3.0.bbclass b/meta/classes-recipe/create-spdx-image-3.0.bbclass > index 15a91e90e2..4d6a6424fe 100644 > --- a/meta/classes-recipe/create-spdx-image-3.0.bbclass > +++ b/meta/classes-recipe/create-spdx-image-3.0.bbclass > @@ -78,6 +78,7 @@ do_create_image_sbom_spdx[stamp-extra-info] = "${MACHINE_ARCH}" > do_create_image_sbom_spdx[cleandirs] = "${SPDXIMAGEDEPLOYDIR}" > do_create_image_sbom_spdx[recrdeptask] += "do_create_recipe_spdx do_create_spdx do_create_package_spdx" > do_create_image_sbom_spdx[file-checksums] += "${SPDX3_DEP_FILES}" > +do_build[recrdeptask] += "do_create_image_sbom_spdx" > > python do_create_image_sbom_spdx_setscene() { > sstate_setscene(d) recrdeptask is a really large hammer to apply and putting that on do_build will trigger all kinds of things which wouldn't otherwise trigger. I think the dependency needs to be much more focused than that... (the dependencies it adds and the complexity of the task graph will increase parse time as well as triggering executions we don't need) Cheers, Richard
I believe this is unnecessary now with the patch set I just published that allows SPDX documents to be aggregated across "deploy" tasks (e.g. do_deploy, do_image_complete). On Tue, Jun 9, 2026 at 5:48 AM Peter Marko <peter.marko@siemens.com> wrote: > > From: Peter Marko <peter.marko@siemens.com> > > Including image in another image is being done by depending on > do_image_complete. This however does not include SPDX SBOM. > We should not need second bitbake execution to create it. > > Recursively add do_create_image_sbom_spdx to do_build to resolve it. > > Use-case are e.g. fitimage or multiconfig containers. > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > --- > meta/classes-recipe/create-spdx-image-3.0.bbclass | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/classes-recipe/create-spdx-image-3.0.bbclass b/meta/classes-recipe/create-spdx-image-3.0.bbclass > index 15a91e90e2..4d6a6424fe 100644 > --- a/meta/classes-recipe/create-spdx-image-3.0.bbclass > +++ b/meta/classes-recipe/create-spdx-image-3.0.bbclass > @@ -78,6 +78,7 @@ do_create_image_sbom_spdx[stamp-extra-info] = "${MACHINE_ARCH}" > do_create_image_sbom_spdx[cleandirs] = "${SPDXIMAGEDEPLOYDIR}" > do_create_image_sbom_spdx[recrdeptask] += "do_create_recipe_spdx do_create_spdx do_create_package_spdx" > do_create_image_sbom_spdx[file-checksums] += "${SPDX3_DEP_FILES}" > +do_build[recrdeptask] += "do_create_image_sbom_spdx" > > python do_create_image_sbom_spdx_setscene() { > sstate_setscene(d)
> -----Original Message----- > From: Joshua Watt <jpewhacker@gmail.com> > Sent: Wednesday, June 10, 2026 12:25 AM > To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com> > Cc: openembedded-core@lists.openembedded.org > Subject: Re: [RFC PATCH] create-spdx-image-3.0: create image sbom recursively > > I believe this is unnecessary now with the patch set I just published > that allows SPDX documents to be aggregated across "deploy" tasks > (e.g. do_deploy, do_image_complete). Unfortunately, that's a big feature and as such most probably doesn't land in scarthgap/wrynose. I guess I'll have to add a dependency in our product layer until we can upgrade to something newer. > > On Tue, Jun 9, 2026 at 5:48 AM Peter Marko <peter.marko@siemens.com> wrote: > > > > From: Peter Marko <peter.marko@siemens.com> > > > > Including image in another image is being done by depending on > > do_image_complete. This however does not include SPDX SBOM. > > We should not need second bitbake execution to create it. > > > > Recursively add do_create_image_sbom_spdx to do_build to resolve it. > > > > Use-case are e.g. fitimage or multiconfig containers. > > > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > > --- > > meta/classes-recipe/create-spdx-image-3.0.bbclass | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/meta/classes-recipe/create-spdx-image-3.0.bbclass b/meta/classes- > recipe/create-spdx-image-3.0.bbclass > > index 15a91e90e2..4d6a6424fe 100644 > > --- a/meta/classes-recipe/create-spdx-image-3.0.bbclass > > +++ b/meta/classes-recipe/create-spdx-image-3.0.bbclass > > @@ -78,6 +78,7 @@ do_create_image_sbom_spdx[stamp-extra-info] = > "${MACHINE_ARCH}" > > do_create_image_sbom_spdx[cleandirs] = "${SPDXIMAGEDEPLOYDIR}" > > do_create_image_sbom_spdx[recrdeptask] += "do_create_recipe_spdx > do_create_spdx do_create_package_spdx" > > do_create_image_sbom_spdx[file-checksums] += "${SPDX3_DEP_FILES}" > > +do_build[recrdeptask] += "do_create_image_sbom_spdx" > > > > python do_create_image_sbom_spdx_setscene() { > > sstate_setscene(d)
diff --git a/meta/classes-recipe/create-spdx-image-3.0.bbclass b/meta/classes-recipe/create-spdx-image-3.0.bbclass index 15a91e90e2..4d6a6424fe 100644 --- a/meta/classes-recipe/create-spdx-image-3.0.bbclass +++ b/meta/classes-recipe/create-spdx-image-3.0.bbclass @@ -78,6 +78,7 @@ do_create_image_sbom_spdx[stamp-extra-info] = "${MACHINE_ARCH}" do_create_image_sbom_spdx[cleandirs] = "${SPDXIMAGEDEPLOYDIR}" do_create_image_sbom_spdx[recrdeptask] += "do_create_recipe_spdx do_create_spdx do_create_package_spdx" do_create_image_sbom_spdx[file-checksums] += "${SPDX3_DEP_FILES}" +do_build[recrdeptask] += "do_create_image_sbom_spdx" python do_create_image_sbom_spdx_setscene() { sstate_setscene(d)