Details
- Type: Task
- Resolution: Unresolved
- Priority: P3: Somewhat important
Description
A Yocto build of Qt also provides SBOMs.
Some user-facing documentation can be found at:
https://docs.yoctoproject.org/dev/dev-manual/sbom.html
Qt 6.8.0 and current dev as of today use poky yocto tag yocto-5.0.2.
That generates SPDX v2.2 documents.
Qt currently generates SPDX v2.3 documents.
yocto master generates SPDX v3.0 documents.
As far as I can tell, the yocto implementation currently doesn't allow integrating external SBOM documents into the ones it generates.
The main developer of SPDX integration in yocto briefly mentioned in their FOSSDEM 2023 and 2024 SPDX talks that it would be nice to be able to do that in the future.
https://www.youtube.com/watch?v=Q5UQUM6zxVU
https://archive.fosdem.org/2024/schedule/event/fosdem-2024-3318-spdx-in-the-yocto-project/
The structure of the Qt SPDX documents and the yocto ones is quite different, with the yocto ones being more fine-grained in some things.
The tooling for merging and splitting spdx documents is also not quite good, especially for v2.3, making this task hard.
If we really have to try and achieve this, we will likely at least have to upgrade our own SBOMs to SPDX v3.0, and ensure that the Boot2Qt poky version generates the same SPDX version.
As such, it's likely infeasible to try and integrate with the yocto spdx documents at the moment.
This might change in the future.
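The version mismatch described above (Qt emitting SPDX 2.3, yocto-5.0.2 emitting SPDX 2.2, yocto master emitting SPDX 3.0) is the first thing any merge attempt has to check. The script below is an added example, not code from this issue, from Qt or from the Yocto project: it reads the spec version out of SPDX JSON documents and refuses to merge a set whose versions differ. It assumes that SPDX 2.x JSON carries a top-level `spdxVersion` field and that SPDX 3.x JSON-LD carries the version in its `@context` URL; the three sample documents are constructed stand-ins and are not real Qt or Yocto output.

```python
import json
import re

# Constructed sample documents standing in for the three producers named in the issue.
# They are not real Qt or Yocto output; only the version-bearing fields matter here.
QT_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-qt-module",
    "packages": [],
})
YOCTO_5_0_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-recipe",
    "packages": [],
})
# SPDX 3.x is JSON-LD: the spec version is part of the @context URL, not a field.
# Assumption: the 3.0 context URL below matches what your Yocto version actually emits.
YOCTO_MASTER_SBOM = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.0/spdx-context.jsonld",
    "@graph": [{"type": "SpdxDocument", "spdxId": "https://example.invalid/doc-1"}],
})

_V3_CONTEXT = re.compile(r"spdx\.org/rdf/(3\.\d+)")


def detect_spdx_version(document: str) -> str:
    """Return the SPDX spec version ("2.2", "2.3", "3.0", ...) of a JSON SBOM."""
    data = json.loads(document)
    if not isinstance(data, dict):
        raise ValueError("SPDX JSON document must be a JSON object")

    # SPDX 2.x JSON: an explicit "spdxVersion": "SPDX-2.3" field.
    version = data.get("spdxVersion")
    if isinstance(version, str) and version.startswith("SPDX-"):
        return version[len("SPDX-"):]

    # SPDX 3.x JSON-LD: @context may be a single URL or a list of contexts.
    context = data.get("@context")
    contexts = context if isinstance(context, list) else [context]
    for item in contexts:
        if isinstance(item, str):
            match = _V3_CONTEXT.search(item)
            if match:
                return match.group(1)

    raise ValueError("not a recognised SPDX 2.x or 3.x JSON document")


def merge_precheck(documents):
    """Gate a merge: (ok, versions_seen). ok is True only if all inputs share one version."""
    versions = {detect_spdx_version(doc) for doc in documents}
    return (len(versions) == 1, versions)


if __name__ == "__main__":
    samples = [("Qt", QT_SBOM), ("yocto-5.0.2", YOCTO_5_0_SBOM), ("yocto master", YOCTO_MASTER_SBOM)]
    for label, doc in samples:
        print(f"{label}: SPDX {detect_spdx_version(doc)}")
    ok, seen = merge_precheck([QT_SBOM, YOCTO_5_0_SBOM])
    print("mergeable:", ok, "versions:", sorted(seen))
```

Running it reports 2.3, 2.2 and 3.0 for the three samples and `mergeable: False` for the Qt plus yocto-5.0.2 pair, which is exactly the situation the issue describes; the same gate would pass once both sides emit the same SPDX version.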
Issue Links
- split from QTBUG-122899 Generate SBOM from Qt build system (In Progress)