Hi all, Just to experiment I made a script that converts the SPDX3 from oe-core to SPDX2.3. I have used assisted AI, using specs for both SPDX2.3 and SPDX3 and using https://github.com/spdx/tools-python
I have uploaded it for now into my branch in openembedded-core-contrib if people wants to take a look. If you think is a good idea to have in openembedded-core as a replacement of the create-spdx2.2.bbclass, I can send it for review to oe-core. It is around 1700 lines. https://git.openembedded.org/openembedded-core-contrib/commit/?h=dturull/spdx-convert&id=4fe27f52a6848825bf51aa24fdcf5ae683b509be It can generate both a single SPDX file and a multi file as we have now with SPDX2. It passes validation and the single one it works fine in on tools injecting SPDX2. There are instructions how to run in the header of the script. I have created also a report that I have also pushed with the differences with a reference SPDX2 from yocto and a script to regenerate it. https://git.openembedded.org/openembedded-core-contrib/commit/?h=dturull/spdx-convert&id=f9ee3da7f8daba34e9768e3b44e953c09f829735 It could help to keep the spdx2.2 functionality but use spdx3 generation, while allowing people to start using SPDX 2 generated from Yocto. Best regards, Daniel > -----Original Message----- > From: [email protected] > <[email protected]> On Behalf Of Mark > Hatle via lists.openembedded.org > Sent: Friday, 13 March 2026 00:49 > To: [email protected]; [email protected]; Joshua > Watt <[email protected]> > Cc: OpenEmbedded Architecture <openembedded- > [email protected]> > Subject: Re: [Openembedded-architecture] Proposal to drop SPDX 2.2 support > for 6.0 LTS > > > > On 3/12/26 10:46 AM, Richard Purdie via lists.openembedded.org wrote: > > On Thu, 2026-03-12 at 16:41 +0100, Marta Rybczynska via > lists.openembedded.org wrote: > >> Unfortunately SPDX 3.x support isn't mature in most of the tooling I > >> know of and you can't import it there (no support in timelines in > >> many cases too). The only way to use YP SBOM there is to do a custom > >> merge script for 2.2 files and then use that. > >> > >> In my opinion it's too early to drop yet. > > Is SPDX 2.2 sufficiently a subset of SPDX 3.x that we could create a > conversion > routine? This would at least let us drop the SPDX 2.2 support once the > conversion is 'ready'. (I'm worried that the conversion could be a lot of > work, > so this is purely an idea, I don't know if it's worth it or not.) > > > The trouble is that the SPDX 2.2 output is sub optimal with known > > issues and we'd be committing to keeping it going for 4 years into a > > scenario where people are even likely going to want things added to it > > for various reasons. > > > > I'm really worried about the support burden this is going to place on > > us, I'd rather get behind SPDX 3 and support that as our output format. > > If you need anything else, you could convert from that since all the > > information should be there, even if 2.2 can't support all of it. > > > > I appreciate this isn't the answer people want to hear with the tools > > situation right now but I don't think keeping going with 2.2 is going > > to really help people in the long run either. > > > > Put another way, I'd rather do one thing well and right rather than > > have multiple things with known issues. > > I worry about the same. If we keep supporting 'old standard' there is no > incentive for anyone to move to the new standards that fix REAL problems. > > --Mark > > > Cheers, > > > > Richard > > > > > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#2303): https://lists.openembedded.org/g/openembedded-architecture/message/2303 Mute This Topic: https://lists.openembedded.org/mt/118281203/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-architecture/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
