sbom.rst: how to disable SPDX generation

Generating SPDX is enabled by default in poky but it can take a lot of build time resources so document how to disable it. (From yocto-docs rev: bcd58b7a9455fbb0ea5944089d663e327f0eb38f) Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mikko Rapeli <mikko.rapeli@linaro.org> 2025-03-10 17:31:08 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-05-19 15:54:10 +0100
commit: dd3507f6d342750f214924ca35f5e2d0d708ba77 (patch)
tree: ec93036a73b095f6f3e729e7cc14aba55f66b6d8 /documentation
parent: e216e39c7e9e220fd81b8c506566d861c9ce5e60 (diff)
download: poky-dd3507f6d342750f214924ca35f5e2d0d708ba77.tar.gz
1 files changed, 11 insertions, 3 deletions
diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst
index b72bad1554..eba07b7832 100644
--- a/documentation/dev-manual/sbom.rst
+++ b/documentation/dev-manual/sbom.rst
@@ -24,12 +24,20 @@ users can read in standardized format.
 :term:`SBOM` information is also critical to performing vulnerability exposure
 assessments, as all the components used in the Software Supply Chain are listed.
-The OpenEmbedded build system doesn't generate such information by default.
+The OpenEmbedded build system doesn't generate such information by default,
-To make this happen, you must inherit the
+though the `:term:`Poky` reference distribution has it enabled out of the box.
-:ref:`ref-classes-create-spdx` class from a configuration file::
+To enable it, inherit the :ref:`ref-classes-create-spdx` class from a
+configuration file::
   INHERIT += "create-spdx"
+In the `:term:`Poky` reference distribution, :term:`SPDX` generation does
+consume some build time resources and thus if needed it can be disabled from a
+:term:`configuration file`::
+   INHERIT:remove = "create-spdx"
 Upon building an image, you will then get:
 -  :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
author	Mikko Rapeli <mikko.rapeli@linaro.org>	2025-03-10 17:31:08 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-05-19 15:54:10 +0100
commit	dd3507f6d342750f214924ca35f5e2d0d708ba77 (patch)
tree	ec93036a73b095f6f3e729e7cc14aba55f66b6d8 /documentation
parent	e216e39c7e9e220fd81b8c506566d861c9ce5e60 (diff)
download	poky-dd3507f6d342750f214924ca35f5e2d0d708ba77.tar.gz

diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst index b72bad1554..eba07b7832 100644 --- a/documentation/dev-manual/sbom.rst +++ b/documentation/dev-manual/sbom.rst
@@ -24,12 +24,20 @@ users can read in standardized format.
24	:term:`SBOM` information is also critical to performing vulnerability exposure	24	:term:`SBOM` information is also critical to performing vulnerability exposure
25	assessments, as all the components used in the Software Supply Chain are listed.	25	assessments, as all the components used in the Software Supply Chain are listed.
26		26
27	The OpenEmbedded build system doesn't generate such information by default.	27	The OpenEmbedded build system doesn't generate such information by default,
28	To make this happen, you must inherit the	28	though the `:term:`Poky` reference distribution has it enabled out of the box.
29	:ref:`ref-classes-create-spdx` class from a configuration file::	29
		30	To enable it, inherit the :ref:`ref-classes-create-spdx` class from a
		31	configuration file::
30		32
31	INHERIT += "create-spdx"	33	INHERIT += "create-spdx"
32		34
		35	In the `:term:`Poky` reference distribution, :term:`SPDX` generation does
		36	consume some build time resources and thus if needed it can be disabled from a
		37	:term:`configuration file`::
		38
		39	INHERIT:remove = "create-spdx"
		40
33	Upon building an image, you will then get:	41	Upon building an image, you will then get:
34		42
35	- :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in	43	- :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in