west: spdx: introduce support for SPDX 2.3 #70581
Minor update to existing zspdx implementation to add support for PrimaryPackagePurpose introduced in SPDX 2.3. Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Should we support SPDX 2 and 3 at the same time in the beginning (before "all" tooling is compatible)? One interesting feature of SPDX3 for me is "Build Profile". An example of something interesting to add would be the west build command, maybe? What do you think? https://spdx.github.io/spdx-spec/v3.0/model/Build/Classes/Build/
+1. There is already still some work to do to make sure that current tools have all they need to really be useful (hence your work on external references, or this PR to catch up with latest SPDX2 features) so dropping 2 in favour of 3 would certainly be premature!
Took a quick look at the changes and all look good to me. In terms of supporting SPDX 3 - I would strongly encourage moving to the tools-python library. This would make it easier to implement future updates.
I think this is a good idea, however I don't know the policy of Zephyr about external python libraries. I don't know who we can ask about this.
As the SPDX tools-python library is Apache 2.0, there won't be more to do than just add it to the requirements.txt as part of whatever PR will be adding support for SPDX 3 :)
@mbolivar-ampere will you have a chance to review? If not, I would suggest re-assigning to @nashif or @tejlmand
Do you plan to merge this PR in Did you try Thank you |
I think you might be mixing up SPDX 2.3 and SPDX 3.0? I tried to clarify in earlier comments but it looks like there might still be confusion :) In case you are not mixing up 2.3 and 3.x, are you suggesting that it is necessary we look at other 2.3 changes before merging this PR? Or that we should keep an option for folks to decide whether they want 2.2 or 2.3 (and later 3.0 :-)) SBOMs? I didn't feel it was worth the effort but could understand it if people would want that.
It is, yes! It is actually part of my talk/demo at Zephyr Developer Summit next this week - are you attending by any chance @tgagneret-embedded?
You are totally right I mixed it up. Unfortunately I won't be attending, but I'll certainly catch up on your presentation later on.
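The 2.2 versus 2.3 distinction discussed in this thread, as an added example (not code from this PR or from zspdx): a small checker for SPDX tag-value output that flags `PrimaryPackagePurpose` when the document does not declare `SPDX-2.3`, or when the value is not one of the purposes listed in the SPDX 2.3 specification. The sample documents and package names are constructed, and multi-line `<text>` values are assumed absent.

```python
import re

# PrimaryPackagePurpose values listed in the SPDX 2.3 specification (case-sensitive).
ALLOWED_PURPOSES = {
    "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING-SYSTEM",
    "DEVICE", "FIRMWARE", "SOURCE", "ARCHIVE", "FILE", "INSTALL", "OTHER",
}
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")  # "Tag: value"; '#' comment lines do not match

# Constructed sample documents (hypothetical package names, trimmed to the relevant tags).
SAMPLE_OK = (
    "SPDXVersion: SPDX-2.3\n"
    "PackageName: app\n"
    "PrimaryPackagePurpose: APPLICATION\n"
)
SAMPLE_BAD = (
    "SPDXVersion: SPDX-2.2\n"
    "PackageName: libfoo\n"
    "PrimaryPackagePurpose: LIBRARY\n"    # field did not exist in 2.2
    "PackageName: blob\n"
    "PrimaryPackagePurpose: Firmware\n"   # wrong case, not an allowed value
)

def check_primary_purpose(text):
    """Return (line_no, message) findings for a tag-value SPDX document."""
    findings, version, package = [], None, None
    for no, raw in enumerate(text.splitlines(), 1):
        m = TAG_RE.match(raw.strip())
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "SPDXVersion":
            version = value
        elif tag == "PackageName":
            package = value               # later package-level tags belong to this package
        elif tag == "PrimaryPackagePurpose":
            if package is None:
                findings.append((no, "PrimaryPackagePurpose before any PackageName"))
            if version != "SPDX-2.3":
                findings.append((no, f"field requires SPDX-2.3, document declares {version}"))
            if value not in ALLOWED_PURPOSES:
                findings.append((no, f"unknown purpose {value!r} for package {package}"))
    return findings

if __name__ == "__main__":
    for line_no, msg in check_primary_purpose(SAMPLE_BAD):
        print(f"line {line_no}: {msg}")
```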