Add package_metadata target #122
Conversation
`@package_metadata` is the successor to `@rules_license`.
I don't like this approach. We should allow package_metadata to accept the old license as an attribute and have the gathering tool take either.
aiuto left a comment
We should try this in a few large repositories.
@aiuto is this still a concern for you? @Yannic What's the current end-to-end expected outcome? i.e. are you just trying to update this as best practice, or are there more concrete use cases you're trying to support now? How many repos need to be updated to make those use cases practical? I believe
@gregestren The API of the The supply-chain working group is currently working on the tooling, aspects, ... to collect all the metadata and produce an SBOM. There's a prototype, but nothing finished yet. Because of that, the inner details of providers may still change a bit depending on feedback from SBOM generation, but that won't affect users of the rules to declare package metadata. Our current milestone is to get an end-to-end SBOM working for a large-ish project (Selenium), so we're adding metadata to its dependencies to make this project practical. Modules like
Thanks for the explanation. It sounds okay to me. @fweikert did you have any other input? I'm happy to merge otherwise.
@gregestren no objections from my side. @Yannic thank you for your work!
@Yannic should we roll a release out of this or wait for further changes?
I don't see a need to rush a release. We'll probably bump again in a week.
No need to rush. But also no need to delay a release on us if you have something lined up |