dev-manual: Rephrase spdx creation

Make the options more clear by providing them in a list instead of plain prosa. Also add a ref for a presentation wrt spdx 3.0 in the Yocto project. Fixes [YOCTO 7476] (From yocto-docs rev: a15e354f98607592a67d2df91dfa2bf0707d8f38) Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Simone Weiß <simone.p.weiss@posteo.com> 2024-02-05 16:13:09 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-02-24 16:13:28 +0000
commit: 1f247f545158338bb6d343d8acbff06ae8ef0837 (patch)
tree: 66ef135d3ec7b5116cc8fff79258269c61851a26 /documentation
parent: 296fdb6643dca484cd1f32cef51e3beeef8842c5 (diff)
download: poky-1f247f545158338bb6d343d8acbff06ae8ef0837.tar.gz
1 files changed, 24 insertions, 16 deletions
diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst
index f51d08f84d..b72bad1554 100644
--- a/documentation/dev-manual/sbom.rst
+++ b/documentation/dev-manual/sbom.rst
@@ -30,22 +30,29 @@ To make this happen, you must inherit the
   INHERIT += "create-spdx"
-You then get :term:`SPDX` output in JSON format as an
+Upon building an image, you will then get:
-``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the
-:term:`Build Directory`.
-This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json``
+-  :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
-containing an index of JSON :term:`SPDX` files for individual recipes, together
+   ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`.
-with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such
-files.
+-  This toplevel file is accompanied by an ``IMAGE-MACHINE.spdx.index.json``
+   containing an index of JSON :term:`SPDX` files for individual recipes.
+-  The compressed archive ``IMAGE-MACHINE.spdx.tar.zst`` contains the index
+   and the files for the single recipes.
 The :ref:`ref-classes-create-spdx` class offers options to include
-more information in the output :term:`SPDX` data, such as making the generated
+more information in the output :term:`SPDX` data:
-files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of
-the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`),
+-  Make the json files more human readable by setting (:term:`SPDX_PRETTY`).
-adding a description of the source files used to generate host tools and target
-packages (:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source
+-  Add compressed archives of the files in the generated target packages by
-files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
+   setting (:term:`SPDX_ARCHIVE_PACKAGED`).
+-  Add a description of the source files used to generate host tools and target
+   packages (:term:`SPDX_INCLUDE_SOURCES`)
+-  Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
 Though the toplevel :term:`SPDX` output is available in
 ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary
@@ -65,11 +72,12 @@ generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as:
 See also the :term:`SPDX_CUSTOM_ANNOTATION_VARS` variable which allows
 to associate custom notes to a recipe.
 See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX`
 project website for a list of tools to consume and transform the :term:`SPDX`
 data generated by the OpenEmbedded build system.
-See also Joshua Watt's
+See also Joshua Watt's presentations
 `Automated SBoM generation with OpenEmbedded and the Yocto Project <https://youtu.be/Q5UQUM6zxVU>`__
-presentation at FOSDEM 2023.
+at FOSDEM 2023 and
+`SPDX in the Yocto Project <https://fosdem.org/2024/schedule/event/fosdem-2024-3318-spdx-in-the-yocto-project/>`__
+at FOSDEM 2024.
author	Simone Weiß <simone.p.weiss@posteo.com>	2024-02-05 16:13:09 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-02-24 16:13:28 +0000
commit	1f247f545158338bb6d343d8acbff06ae8ef0837 (patch)
tree	66ef135d3ec7b5116cc8fff79258269c61851a26 /documentation
parent	296fdb6643dca484cd1f32cef51e3beeef8842c5 (diff)
download	poky-1f247f545158338bb6d343d8acbff06ae8ef0837.tar.gz

diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst index f51d08f84d..b72bad1554 100644 --- a/documentation/dev-manual/sbom.rst +++ b/documentation/dev-manual/sbom.rst
@@ -30,22 +30,29 @@ To make this happen, you must inherit the
30		30
31	INHERIT += "create-spdx"	31	INHERIT += "create-spdx"
32		32
33	You then get :term:`SPDX` output in JSON format as an	33	Upon building an image, you will then get:
34	``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the
35	:term:`Build Directory`.
36		34
37	This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json``	35	- :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
38	containing an index of JSON :term:`SPDX` files for individual recipes, together	36	``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`.
39	with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such	37
40	files.	38	- This toplevel file is accompanied by an ``IMAGE-MACHINE.spdx.index.json``
		39	containing an index of JSON :term:`SPDX` files for individual recipes.
		40
		41	- The compressed archive ``IMAGE-MACHINE.spdx.tar.zst`` contains the index
		42	and the files for the single recipes.
41		43
42	The :ref:`ref-classes-create-spdx` class offers options to include	44	The :ref:`ref-classes-create-spdx` class offers options to include
43	more information in the output :term:`SPDX` data, such as making the generated	45	more information in the output :term:`SPDX` data:
44	files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of	46
45	the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`),	47	- Make the json files more human readable by setting (:term:`SPDX_PRETTY`).
46	adding a description of the source files used to generate host tools and target	48
47	packages (:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source	49	- Add compressed archives of the files in the generated target packages by
48	files themselves (:term:`SPDX_ARCHIVE_SOURCES`).	50	setting (:term:`SPDX_ARCHIVE_PACKAGED`).
		51
		52	- Add a description of the source files used to generate host tools and target
		53	packages (:term:`SPDX_INCLUDE_SOURCES`)
		54
		55	- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
49		56
50	Though the toplevel :term:`SPDX` output is available in	57	Though the toplevel :term:`SPDX` output is available in
51	``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary	58	``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary
@@ -65,11 +72,12 @@ generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as:
65		72
66	See also the :term:`SPDX_CUSTOM_ANNOTATION_VARS` variable which allows	73	See also the :term:`SPDX_CUSTOM_ANNOTATION_VARS` variable which allows
67	to associate custom notes to a recipe.	74	to associate custom notes to a recipe.
68
69	See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX`	75	See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX`
70	project website for a list of tools to consume and transform the :term:`SPDX`	76	project website for a list of tools to consume and transform the :term:`SPDX`
71	data generated by the OpenEmbedded build system.	77	data generated by the OpenEmbedded build system.
72		78
73	See also Joshua Watt's	79	See also Joshua Watt's presentations
74	`Automated SBoM generation with OpenEmbedded and the Yocto Project <https://youtu.be/Q5UQUM6zxVU>`__	80	`Automated SBoM generation with OpenEmbedded and the Yocto Project <https://youtu.be/Q5UQUM6zxVU>`__
75	presentation at FOSDEM 2023.	81	at FOSDEM 2023 and
		82	`SPDX in the Yocto Project <https://fosdem.org/2024/schedule/event/fosdem-2024-3318-spdx-in-the-yocto-project/>`__
		83	at FOSDEM 2024.