sbom.rst: how to disable SPDX generation

Generating SPDX is enabled by default in poky but
it can take a lot of build time resources so document
how to disable it.

(From yocto-docs rev: d26a3f2ed8f24e1b72f58ecb8b7cdba7007ba77b)

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit bcd58b7a9455fbb0ea5944089d663e327f0eb38f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

1 files changed, 11 insertions, 3 deletions

diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst
index b72bad1554..eba07b7832 100644
--- a/documentation/dev-manual/sbom.rst
+++ b/documentation/dev-manual/sbom.rst
@@ -24,12 +24,20 @@ users can read in standardized format.
 :term:`SBOM` information is also critical to performing vulnerability exposure
 assessments, as all the components used in the Software Supply Chain are listed.
 
-The OpenEmbedded build system doesn't generate such information by default.
-To make this happen, you must inherit the
-:ref:`ref-classes-create-spdx` class from a configuration file::
+The OpenEmbedded build system doesn't generate such information by default,
+though the `:term:`Poky` reference distribution has it enabled out of the box.
+
+To enable it, inherit the :ref:`ref-classes-create-spdx` class from a
+configuration file::
 
    INHERIT += "create-spdx"
 
+In the `:term:`Poky` reference distribution, :term:`SPDX` generation does
+consume some build time resources and thus if needed it can be disabled from a
+:term:`configuration file`::
+
+   INHERIT:remove = "create-spdx"
+
 Upon building an image, you will then get:
 
 -  :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in