1 files changed, 94 insertions, 0 deletions
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 71e8c272a7..f17960e0e9 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -1508,6 +1508,18 @@ system and gives an overview of their function and contents.
         CVE_PRODUCT = "vendor:package"
+   :term:`CVE_VERSION`
+      In a recipe, defines the version used to match the recipe version
+      against the version in the `NIST CVE database <https://nvd.nist.gov/>`__
+      when usign :ref:`cve-check <ref-classes-cve-check>`.
+      The default is ${:term:`PV`} but if recipes use custom version numbers
+      which do not map to upstream software component release versions and the versions
+      used in the CVE database, then this variable can be used to set the
+      version number for :ref:`cve-check <ref-classes-cve-check>`. Example::
+          CVE_VERSION = "2.39"
   :term:`CVSDIR`
      The directory in which files checked out under the CVS system are
      stored.
@@ -7278,6 +7290,88 @@ system and gives an overview of their function and contents.
         You can specify only a single URL in :term:`SOURCE_MIRROR_URL`.
+   :term:`SPDX_ARCHIVE_PACKAGED`
+      This option allows to add to :term:`SPDX` output compressed archives
+      of the files in the generated target packages.
+      Such archives are available in
+      ``tmp/deploy/spdx/MACHINE/packages/packagename.tar.zst``
+      under the :term:`Build Directory`.
+      Enable this option as follows::
+         SPDX_ARCHIVE_PACKAGED = "1"
+      According to our tests on release 4.1 "langdale", building
+      ``core-image-minimal`` for the ``qemux86-64`` machine, enabling this
+      option multiplied the size of the ``tmp/deploy/spdx`` directory by a
+      factor of 13 (+1.6 GiB for this image), compared to just using the
+      :ref:`create-spdx <ref-classes-create-spdx>` class with no option.
+      Note that this option doesn't increase the size of :term:`SPDX`
+      files in ``tmp/deploy/images/MACHINE``.
+   :term:`SPDX_ARCHIVE_SOURCES`
+      This option allows to add to :term:`SPDX` output compressed archives
+      of the sources for packages installed on the target. It currently
+      only works when :term:`SPDX_INCLUDE_SOURCES` is set.
+      This is one way of fulfilling "source code access" license
+      requirements.
+      Such source archives are available in
+      ``tmp/deploy/spdx/MACHINE/recipes/recipe-packagename.tar.zst``
+      under the :term:`Build Directory`.
+      Enable this option as follows::
+         SPDX_INCLUDE_SOURCES = "1"
+         SPDX_ARCHIVE_SOURCES = "1"
+      According to our tests on release 4.1 "langdale", building
+      ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
+      these options multiplied the size of the ``tmp/deploy/spdx``
+      directory by a factor of 11 (+1.4 GiB for this image),
+      compared to just using the :ref:`create-spdx <ref-classes-create-spdx>`
+      class with no option.
+      Note that using this option only marginally increases the size
+      of the :term:`SPDX` output in ``tmp/deploy/images/MACHINE/``
+      (+ 0.07\% with the tested image), compared to just enabling
+      :term:`SPDX_INCLUDE_SOURCES`.
+   :term:`SPDX_INCLUDE_SOURCES`
+      This option allows to add a description of the source files used to build
+      the host tools and the target packages, to the ``spdx.json`` files in
+      ``tmp/deploy/spdx/MACHINE/recipes/`` under the :term:`Build Directory`.
+      As a consequence, the ``spdx.json`` files under the ``by-namespace`` and
+      ``packages`` subdirectories in ``tmp/deploy/spdx/MACHINE`` are also
+      modified to include references to such source file descriptions.
+      Enable this option as follows::
+         SPDX_INCLUDE_SOURCES = "1"
+      According to our tests on release 4.1 "langdale", building
+      ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
+      this option multiplied the total size of the ``tmp/deploy/spdx``
+      directory by a factor of 3  (+291 MiB for this image),
+      and the size of the ``IMAGE-MACHINE.spdx.tar.zst`` in
+      ``tmp/deploy/images/MACHINE`` by a factor of 130 (+15 MiB for this
+      image), compared to just using the
+      :ref:`create-spdx <ref-classes-create-spdx>` class with no option.
+   :term:`SPDX_PRETTY`
+      This option makes the SPDX output more human-readable, using
+      identation and newlines, instead of the default output in a
+      single line::
+         SPDX_PRETTY = "1"
+      The generated SPDX files are approximately 20% bigger, but
+      this option is recommended if you want to inspect the SPDX
+      output files with a text editor.
   :term:`SPDXLICENSEMAP`
      Maps commonly used license names to their SPDX counterparts found in
      ``meta/files/common-licenses/``. For the default :term:`SPDXLICENSEMAP`

diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 71e8c272a7..f17960e0e9 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst
@@ -1508,6 +1508,18 @@ system and gives an overview of their function and contents.
1508		1508
1509	CVE_PRODUCT = "vendor:package"	1509	CVE_PRODUCT = "vendor:package"
1510		1510
		1511	:term:`CVE_VERSION`
		1512	In a recipe, defines the version used to match the recipe version
		1513	against the version in the `NIST CVE database <https://nvd.nist.gov/>`__
		1514	when usign :ref:`cve-check <ref-classes-cve-check>`.
		1515
		1516	The default is ${:term:`PV`} but if recipes use custom version numbers
		1517	which do not map to upstream software component release versions and the versions
		1518	used in the CVE database, then this variable can be used to set the
		1519	version number for :ref:`cve-check <ref-classes-cve-check>`. Example::
		1520
		1521	CVE_VERSION = "2.39"
		1522
1511	:term:`CVSDIR`	1523	:term:`CVSDIR`
1512	The directory in which files checked out under the CVS system are	1524	The directory in which files checked out under the CVS system are
1513	stored.	1525	stored.
@@ -7278,6 +7290,88 @@ system and gives an overview of their function and contents.
7278		7290
7279	You can specify only a single URL in :term:`SOURCE_MIRROR_URL`.	7291	You can specify only a single URL in :term:`SOURCE_MIRROR_URL`.
7280		7292
		7293	:term:`SPDX_ARCHIVE_PACKAGED`
		7294	This option allows to add to :term:`SPDX` output compressed archives
		7295	of the files in the generated target packages.
		7296
		7297	Such archives are available in
		7298	``tmp/deploy/spdx/MACHINE/packages/packagename.tar.zst``
		7299	under the :term:`Build Directory`.
		7300
		7301	Enable this option as follows::
		7302
		7303	SPDX_ARCHIVE_PACKAGED = "1"
		7304
		7305	According to our tests on release 4.1 "langdale", building
		7306	``core-image-minimal`` for the ``qemux86-64`` machine, enabling this
		7307	option multiplied the size of the ``tmp/deploy/spdx`` directory by a
		7308	factor of 13 (+1.6 GiB for this image), compared to just using the
		7309	:ref:`create-spdx <ref-classes-create-spdx>` class with no option.
		7310
		7311	Note that this option doesn't increase the size of :term:`SPDX`
		7312	files in ``tmp/deploy/images/MACHINE``.
		7313
		7314	:term:`SPDX_ARCHIVE_SOURCES`
		7315	This option allows to add to :term:`SPDX` output compressed archives
		7316	of the sources for packages installed on the target. It currently
		7317	only works when :term:`SPDX_INCLUDE_SOURCES` is set.
		7318
		7319	This is one way of fulfilling "source code access" license
		7320	requirements.
		7321
		7322	Such source archives are available in
		7323	``tmp/deploy/spdx/MACHINE/recipes/recipe-packagename.tar.zst``
		7324	under the :term:`Build Directory`.
		7325
		7326	Enable this option as follows::
		7327
		7328	SPDX_INCLUDE_SOURCES = "1"
		7329	SPDX_ARCHIVE_SOURCES = "1"
		7330
		7331	According to our tests on release 4.1 "langdale", building
		7332	``core-image-minimal`` for the ``qemux86-64`` machine, enabling
		7333	these options multiplied the size of the ``tmp/deploy/spdx``
		7334	directory by a factor of 11 (+1.4 GiB for this image),
		7335	compared to just using the :ref:`create-spdx <ref-classes-create-spdx>`
		7336	class with no option.
		7337
		7338	Note that using this option only marginally increases the size
		7339	of the :term:`SPDX` output in ``tmp/deploy/images/MACHINE/``
		7340	(+ 0.07\% with the tested image), compared to just enabling
		7341	:term:`SPDX_INCLUDE_SOURCES`.
		7342
		7343	:term:`SPDX_INCLUDE_SOURCES`
		7344	This option allows to add a description of the source files used to build
		7345	the host tools and the target packages, to the ``spdx.json`` files in
		7346	``tmp/deploy/spdx/MACHINE/recipes/`` under the :term:`Build Directory`.
		7347	As a consequence, the ``spdx.json`` files under the ``by-namespace`` and
		7348	``packages`` subdirectories in ``tmp/deploy/spdx/MACHINE`` are also
		7349	modified to include references to such source file descriptions.
		7350
		7351	Enable this option as follows::
		7352
		7353	SPDX_INCLUDE_SOURCES = "1"
		7354
		7355	According to our tests on release 4.1 "langdale", building
		7356	``core-image-minimal`` for the ``qemux86-64`` machine, enabling
		7357	this option multiplied the total size of the ``tmp/deploy/spdx``
		7358	directory by a factor of 3 (+291 MiB for this image),
		7359	and the size of the ``IMAGE-MACHINE.spdx.tar.zst`` in
		7360	``tmp/deploy/images/MACHINE`` by a factor of 130 (+15 MiB for this
		7361	image), compared to just using the
		7362	:ref:`create-spdx <ref-classes-create-spdx>` class with no option.
		7363
		7364	:term:`SPDX_PRETTY`
		7365	This option makes the SPDX output more human-readable, using
		7366	identation and newlines, instead of the default output in a
		7367	single line::
		7368
		7369	SPDX_PRETTY = "1"
		7370
		7371	The generated SPDX files are approximately 20% bigger, but
		7372	this option is recommended if you want to inspect the SPDX
		7373	output files with a text editor.
		7374
7281	:term:`SPDXLICENSEMAP`	7375	:term:`SPDXLICENSEMAP`
7282	Maps commonly used license names to their SPDX counterparts found in	7376	Maps commonly used license names to their SPDX counterparts found in
7283	``meta/files/common-licenses/``. For the default :term:`SPDXLICENSEMAP`	7377	``meta/files/common-licenses/``. For the default :term:`SPDXLICENSEMAP`