From: Simon Falsig
To: Michael Olbrich
Cc: "ptxdist@pengutronix.de"
Date: Fri, 8 Mar 2024 16:02:10 +0000
Subject: Re: [ptxdist] SBOM support

> From: Michael Olbrich
> Sent: Monday, March 4, 2024 17:09
> Hi,
>
> On Mon, Feb 19, 2024 at 04:54:16PM +0000, Simon Falsig wrote:
> > > I'd be happy to get a bit of initial feedback on the approach. I'll
> > > have a look at putting up some initial patches in the coming days too.
> > >
> > > Thanks in advance and best regards,
> >
> > Sorry for the silence around this, but I've been busy with other
> > things in the last months.
>
> No problem. That's just the way it works. I've been looking into SBOMs as
> well but my current focus is spdx.
>
> > Finally managed to get something working, that integrates with the
> > existing host-system-python3 handling. I'll be sending some patches
> > right after this.
> >
> > Main open questions would be:
> > - Currently HOST_SYSTEM_PYTHON3 and (the new) HOST_SYSTEM_PYTHON3_CYCLONEDX
> >   packages need to be enabled manually through the "enable sbom report
> >   generation" option in PTXdist options. Not sure if that is the right
> >   place for it, or if there is a nicer way of handling it? (for instance,
> >   if it's not enabled, 'ptxdist sbom-report' will just fail with a
> >   not-so-helpful error message...)
>
> Hmm, maybe we can do something with a lazy package. That would require a
> real package, that actually builds the stuff, but I prefer that anyways.
> Otherwise we'll just add an option next to PROJECT_GENERATE_REPORTS that
> selects this.
> I'm not sure yet, let me worry about that part.
>
> > - It looks a bit like a local venv is being set up (in sysroot-host), but
> >   I can't really figure out how to use it. A nice change could be to
> >   install whatever host-system packages are needed in that venv
> >   automatically? Right now the functionality requires users to manually
> >   install the required python library with pip.
>
> So this stuff is not packaged anywhere and as far as I can tell it's not
> on pypi either, so I really prefer to package this locally.
>
> And yes, PTXdist now installs this stuff into a venv. Use host-meson as an
> example. It is installed into the venv. You may not need all the
> dependencies, it depends a bit on the package. The installation into the
> venv should happen automatically.
>
> I'll reply to the patches for more stuff.
>
> Michael
>

Thanks for the detailed reply and review, Michael!

I've had a look at your comments, and agree that it overall makes good sense
to wait for your work, and then base the CycloneDX SBOM generation off of
that. While I feel rather comfortable *using* ptxdist (at least for my
previous and current usecases), I have very little insight into the internal
workings and structure of the project...

Maybe I'll find a bit of time to dive deeper into things before though, let's
see.

Thanks again, and have a good weekend!

Simon