
ci: sbom filter to allow image distribution #716

Open
ricardosalveti opened this issue Oct 14, 2024 · 2 comments

Comments

@ricardosalveti
Contributor

ricardosalveti commented Oct 14, 2024

Post build filter that evaluates the generated sbom based on a pre-approved sbom list, to allow image distribution.

Job should fail in case a new package gets included and it is not previously approved based on the approved list.

vishwamartur referenced this issue in vishwamartur/meta-qcom-hwe Nov 5, 2024
Related to #40

Add post build filter to clear out generated SBOM files.

* Modify `ci/yocto-check-layer.sh` to include a step that uses the `find` command to locate and delete SBOM files.
* Update `ci/base.yml` to add a post build filter section that uses the `find` command to locate and delete SBOM files.
* Modify `.github/workflows/build-yocto.yml` to include a step that uses the `find` command to locate and delete SBOM files after the publish image step.
@quaresmajose
Contributor

quaresmajose commented Nov 6, 2024

For that purpose I think we can use the INCOMPATIBLE_LICENSE with the pretended SPDX license identifiers that we don't want.

Building an image without GNU General Public License Version 3 (GPLv3), GNU Lesser General Public License Version 3 (LGPLv3), and the GNU Affero General Public License Version 3 (AGPL-3.0) components is only tested for core-image-minimal image. Furthermore, if you would like to build an image and verify that it does not include GPLv3 and similarly licensed components, you must make the following changes in the image recipe file before using the BitBake command to build the image:

`INCOMPATIBLE_LICENSE = "GPL-3.0* LGPL-3.0*"`

Alternatively, you can adjust local.conf file, repeating and adjusting the line for all images where the license restriction must apply:

`INCOMPATIBLE_LICENSE:pn-your-image-name = "GPL-3.0* LGPL-3.0*"`

https://docs.yoctoproject.org/ref-manual/images.html?highlight=incompatible_license#
https://docs.yoctoproject.org/ref-manual/variables.html#term-INCOMPATIBLE_LICENSE

@ricardosalveti
Contributor Author

Our distribution issues are not specific to a certain license, but instead a combination of project + license, which is why we need a list of what can be approved for distribution.
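As an added example (not code from the issue or from the meta-qcom layers), a Python gate implementing the allowlist described in the opening post and in the comment above: it reads an SPDX JSON SBOM, the format Yocto's create-spdx class produces, and exits non-zero on any (package, licence) pair that is not on the approved list. The package names, versions and licences in the sample document and approved list are constructed.

```python
"""SBOM distribution gate: fail the CI job when a package/licence pair is not approved.
Added example, not code from the issue or the meta-qcom layers; assumes an SPDX 2.x
JSON document (as Yocto's create-spdx class emits) and an approved (name, licence) list.
"""
import json
import sys

# Constructed approved list: only the name + licence combination is approved,
# so a known project under a different licence is still rejected.
APPROVED = {
    ("busybox", "GPL-2.0-only"),
    ("openssl", "Apache-2.0"),
}

# Constructed minimal SPDX document standing in for the real build output.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "busybox", "versionInfo": "1.36.1", "licenseConcluded": "GPL-2.0-only"},
        {"name": "openssl", "versionInfo": "3.2.0", "licenseConcluded": "Apache-2.0"},
        {"name": "busybox", "versionInfo": "1.36.1", "licenseConcluded": "GPL-3.0-only"},
        {"name": "newlib-foo", "versionInfo": "0.1", "licenseConcluded": "NOASSERTION"},
    ],
})


def unapproved_packages(sbom_json, approved=APPROVED):
    """Return (name, version, licence) for each package not on the approved list."""
    findings = []
    for pkg in json.loads(sbom_json).get("packages", []):
        name = pkg.get("name", "")
        # Prefer the concluded licence, fall back to declared, else NOASSERTION.
        lic = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION"
        if (name, lic) not in approved:
            findings.append((name, pkg.get("versionInfo", ""), lic))
    return findings


def main(argv):
    # Read the SBOM path given on the command line, otherwise use the sample.
    sbom = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SBOM
    bad = unapproved_packages(sbom)
    for name, ver, lic in bad:
        print(f"NOT APPROVED: {name} {ver} ({lic})")
    return 1 if bad else 0  # non-zero exit status fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```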

@ricardosalveti ricardosalveti transferred this issue from qualcomm-linux/meta-qcom-hwe Jan 27, 2025