On Thu, 2026-03-12 at 16:41 +0100, Marta Rybczynska via lists.openembedded.org wrote:
> Unfortunately SPDX 3.x support isn't mature in most of the tooling I
> know of and you can't import it there (no support in timelines in
> many cases too). The only way to use YP SBOM there is to do a custom
> merge script for 2.2 files and then use that.
>
> In my opinion it's too early to drop yet.

The trouble is that the SPDX 2.2 output is suboptimal with known issues and we'd be committing to keeping it going for 4 years into a scenario where people are even likely going to want things added to it for various reasons.

I'm really worried about the support burden this is going to place on us, I'd rather get behind SPDX 3 and support that as our output format. If you need anything else, you could convert from that since all the information should be there, even if 2.2 can't support all of it.

I appreciate this isn't the answer people want to hear with the tools situation right now but I don't think keeping going with 2.2 is going to really help people in the long run either.

Put another way, I'd rather do one thing well and right rather than have multiple things with known issues.

Cheers,

Richard
