From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Mon, 04 Mar 2024 17:09:54 +0100
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104])
	by lore.white.stw.pengutronix.de with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <ptxdist-bounces+lore=lore.pengutronix.de@pengutronix.de>)
	id 1rhAt0-008TBD-0H
	for lore@lore.pengutronix.de;
	Mon, 04 Mar 2024 17:09:54 +0100
Received: from localhost ([127.0.0.1] helo=metis.whiteo.stw.pengutronix.de)
	by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92)
	(envelope-from <ptxdist-bounces@pengutronix.de>)
	id 1rhAsz-0001R3-Tn; Mon, 04 Mar 2024 17:09:53 +0100
Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2])
 by metis.whiteo.stw.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mol@pengutronix.de>)
 id 1rhAsc-0001Qt-3W; Mon, 04 Mar 2024 17:09:30 +0100
Received: from [2a0a:edc0:2:b01:1d::c5] (helo=pty.whiteo.stw.pengutronix.de)
 by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2)
 (envelope-from <mol@pengutronix.de>)
 id 1rhAsb-004Noj-Hb; Mon, 04 Mar 2024 17:09:29 +0100
Received: from mol by pty.whiteo.stw.pengutronix.de with local (Exim 4.96)
 (envelope-from <mol@pengutronix.de>) id 1rhAsb-001wcI-1U;
 Mon, 04 Mar 2024 17:09:29 +0100
Date: Mon, 4 Mar 2024 17:09:29 +0100
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Simon Falsig <sfalsig@verity.net>
Message-ID: <ZeXyObMAjVlw4eEb@pengutronix.de>
Mail-Followup-To: Simon Falsig <sfalsig@verity.net>,
 "ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
References: <GV0P278MB0784CD72B739D3DB1BCADEB2CBEEA@GV0P278MB0784.CHEP278.PROD.OUTLOOK.COM>
 <ZR0P278MB09919BE2551D0750CC7695ACCB512@ZR0P278MB0991.CHEP278.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZR0P278MB09919BE2551D0750CC7695ACCB512@ZR0P278MB0991.CHEP278.PROD.OUTLOOK.COM>
X-Sent-From: Pengutronix Hildesheim
X-URL: http://www.pengutronix.de/
X-Accept-Language: de,en
X-Accept-Content-Type: text/plain
Subject: Re: [ptxdist] SBOM support
X-BeenThere: ptxdist@pengutronix.de
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <https://metis.pengutronix.de/mailman/options/ptxdist>,
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <https://metis.pengutronix.de/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <https://metis.pengutronix.de/mailman/listinfo/ptxdist>,
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Cc: "ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de
X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false

Hi,

On Mon, Feb 19, 2024 at 04:54:16PM +0000, Simon Falsig wrote:
> > I'd be happy to get a bit of initial feedback on the approach. I'll have a
> > look at putting up some initial patches in the coming days too.
> > 
> > Thanks in advance and best regards,
> 
> Sorry for the silence around this, but I've been busy with other things in
> the last months.

No problem. That's just the way it works. I've been looking into SBOMs as
well but my current focus is spdx.

> Finally managed to get something working, that integrates with the existing
> host-system-python3 handling. I'll be sending some patches right after this.
> 
> Main open questions would be:
> - Currently HOST_SYSTEM_PYTHON3 and (the new) HOST_SYSTEM_PYTHON3_CYCLONEDX
>   packages need to be enabled manually through the "enable sbom report
>   generation" option in PTXdist options. Not sure if that is the right place
>   for it, or if there is a nicer way of handling it? (for instance, if it's
>   not enabled, 'ptxdist sbom-report' will just fail with a not-so-helpful
>   error message...)

Hmm, maybe we can do something with a lazy package. That would require a
real package, that actually builds the stuff, but I prefer that anyways.
Otherwise we'll just add an option next to PROJECT_GENERATE_REPORTS that
selects this.
I'm not sure yet, let me worry about that part.

> - It looks a bit like a local venv is being set up (in sysroot-host), but
>   I can't really figure out how to use it. A nice change could be to install
>   whatever host-system packages are needed in that venv automatically? Right
>   now the functionality requires users to manually install the required
>   python library with pip.

So this stuff is not packaged anywhere and as far as I can tell it's not on
pypi either, so I really prefer to package this locally.

And yes, PTXdist now installs this stuff into a venv. Use host-meson as an
example. It is installed into the venv. You may not need all the
dependencies, it depends a bit on the package. The installation into the
venv should happen automatically.

I'll reply to the patches for more stuff.

Michael

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |