
ci: sbom filter to allow image distribution #40

Open
ricardosalveti opened this issue Oct 14, 2024 · 2 comments
Labels
enhancement New feature or request
Milestone

Comments


ricardosalveti commented Oct 14, 2024

Post build filter that evaluates the generated sbom based on a pre-approved sbom list, to allow image distribution.

Job should fail in case a new package gets included and it is not previously approved based on the approved list.

@ricardosalveti ricardosalveti added this to the 11/24 milestone Oct 14, 2024
@EmbeddedAndroid EmbeddedAndroid added the enhancement New feature or request label Oct 21, 2024
vishwamartur added a commit to vishwamartur/meta-qcom-hwe that referenced this issue Nov 5, 2024
Related to qualcomm-linux#40

Add post build filter to clear out generated SBOM files.

* Modify `ci/yocto-check-layer.sh` to include a step that uses the `find` command to locate and delete SBOM files.
* Update `ci/base.yml` to add a post build filter section that uses the `find` command to locate and delete SBOM files.
* Modify `.github/workflows/build-yocto.yml` to include a step that uses the `find` command to locate and delete SBOM files after the publish image step.

quaresmajose commented Nov 6, 2024

For that purpose I think we can use the INCOMPATIBLE_LICENSE with the pretended SPDX license identifiers that we don't want.

Building an image without GNU General Public License Version 3 (GPLv3), GNU Lesser General Public License Version 3 (LGPLv3), and the GNU Affero General Public License Version 3 (AGPL-3.0) components is only tested for core-image-minimal image. Furthermore, if you would like to build an image and verify that it does not include GPLv3 and similarly licensed components, you must make the following changes in the image recipe file before using the BitBake command to build the image:

INCOMPATIBLE_LICENSE = "GPL-3.0* LGPL-3.0*"

Alternatively, you can adjust local.conf file, repeating and adjusting the line for all images where the license restriction must apply:

INCOMPATIBLE_LICENSE:pn-your-image-name = "GPL-3.0* LGPL-3.0*"

https://docs.yoctoproject.org/ref-manual/images.html?highlight=incompatible_license#
https://docs.yoctoproject.org/ref-manual/variables.html#term-INCOMPATIBLE_LICENSE

@ricardosalveti
Contributor Author

Our distribution issues are not specific to a certain license, but instead a combination of project + license, which is why we need a list of what can be approved for distribution.
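The post-build check the issue asks for, as an added example that is not part of this issue or the meta-qcom-hwe project: it reads an SPDX JSON SBOM, keys every package on the (package, license) pair that the last comment says matters, and returns non-zero when any pair is missing from the approved list, so a known package appearing under a new license fails the job just like a brand-new package. The sample SBOM and approved list are constructed; the file format of the approved list (a JSON array of `{"name", "license"}` objects) is an assumption.

```python
import json
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample in SPDX 2.3 JSON shape; not a real build artefact.
SAMPLE_SBOM: Dict = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "busybox", "versionInfo": "1.36.1", "licenseConcluded": "GPL-2.0-only"},
        {"name": "openssl", "versionInfo": "3.0.13", "licenseConcluded": "Apache-2.0"},
        {"name": "bash", "versionInfo": "5.2", "licenseConcluded": "GPL-3.0-or-later"},
    ],
}

# Constructed approved list: (package, license) pairs cleared for distribution.
APPROVED: Set[Tuple[str, str]] = {
    ("busybox", "GPL-2.0-only"),
    ("openssl", "Apache-2.0"),
}


def sbom_packages(sbom: Dict) -> List[Tuple[str, str]]:
    """Return (name, license) pairs from an SPDX JSON document.
    Prefers licenseConcluded, then licenseDeclared; a package with neither
    is reported as NOASSERTION so it can never silently pass."""
    pairs = []
    for pkg in sbom.get("packages", []):
        lic = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION"
        pairs.append((pkg["name"], lic))
    return pairs


def unapproved(sbom: Dict, approved: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Every (name, license) pair in the SBOM that is not on the approved list."""
    return sorted(set(sbom_packages(sbom)) - approved)


def check(sbom_path: str, approved_path: str) -> int:
    """CI entry point: exit status 1 if anything unapproved is present, else 0."""
    with open(sbom_path) as f:
        sbom = json.load(f)
    with open(approved_path) as f:
        approved = {(e["name"], e["license"]) for e in json.load(f)}
    bad = unapproved(sbom, approved)
    for name, lic in bad:
        print(f"NOT APPROVED: {name} ({lic})")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(check(sys.argv[1], sys.argv[2]))
```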

@ricardosalveti ricardosalveti modified the milestones: 11/24, 12/24 Dec 7, 2024