On Fri, Mar 13, 2026 at 10:41 AM Daniel Turull <[email protected]> wrote:
>
> Hi all,
> Just to experiment I made a script that converts the SPDX3 from oe-core to
> SPDX2.3. I have used assisted AI, using specs for both SPDX2.3 and SPDX3 and
> using https://github.com/spdx/tools-python
>
> I have uploaded it for now into my branch in openembedded-core-contrib if
> people want to take a look.
>
> If you think it is a good idea to have in openembedded-core as a replacement of
> the create-spdx2.2.bbclass, I can send it for review to oe-core. It is around
> 1700 lines.
> https://git.openembedded.org/openembedded-core-contrib/commit/?h=dturull/spdx-convert&id=4fe27f52a6848825bf51aa24fdcf5ae683b509be
>
> It can generate both a single SPDX file and a multi file as we have now with
> SPDX2.
> It passes validation and the single one it works fine in on tools injecting
> SPDX2.
>
> There are instructions how to run in the header of the script.
>
> I have created also a report that I have also pushed with the differences
> with a reference SPDX2 from yocto and a script to regenerate it.
> https://git.openembedded.org/openembedded-core-contrib/commit/?h=dturull/spdx-convert&id=f9ee3da7f8daba34e9768e3b44e953c09f829735
>
> It could help to keep the spdx2.2 functionality but use spdx3 generation,
> while allowing people to start using SPDX 2 generated from Yocto.

Ya, that's great. I'll take a look at it. Ostensibly, this might be
even better than SPDX 2.2 in oe-core because it can make a single
file, which our SPDX 2.2 code had trouble with (for $REASONS).

>
> Best regards,
> Daniel
>
> > -----Original Message-----
> > From: [email protected] <[email protected]> On Behalf Of Mark Hatle via lists.openembedded.org
> > Sent: Friday, 13 March 2026 00:49
> > To: [email protected]; [email protected]; Joshua Watt <[email protected]>
> > Cc: OpenEmbedded Architecture <openembedded-[email protected]>
> > Subject: Re: [Openembedded-architecture] Proposal to drop SPDX 2.2 support for 6.0 LTS
> >
> > On 3/12/26 10:46 AM, Richard Purdie via lists.openembedded.org wrote:
> > > On Thu, 2026-03-12 at 16:41 +0100, Marta Rybczynska via lists.openembedded.org wrote:
> > >> Unfortunately SPDX 3.x support isn't mature in most of the tooling I
> > >> know of and you can't import it there (no support in timelines in
> > >> many cases too). The only way to use YP SBOM there is to do a custom
> > >> merge script for 2.2 files and then use that.
> > >>
> > >> In my opinion it's too early to drop yet.
> >
> > Is SPDX 2.2 sufficiently a subset of SPDX 3.x that we could create a
> > conversion routine? This would at least let us drop the SPDX 2.2 support
> > once the conversion is 'ready'. (I'm worried that the conversion could be
> > a lot of work, so this is purely an idea, I don't know if it's worth it
> > or not.)
> >
> > > The trouble is that the SPDX 2.2 output is suboptimal with known
> > > issues and we'd be committing to keeping it going for 4 years into a
> > > scenario where people are even likely going to want things added to it
> > > for various reasons.
> > >
> > > I'm really worried about the support burden this is going to place on
> > > us, I'd rather get behind SPDX 3 and support that as our output format.
> > > If you need anything else, you could convert from that since all the
> > > information should be there, even if 2.2 can't support all of it.
> > >
> > > I appreciate this isn't the answer people want to hear with the tools
> > > situation right now but I don't think keeping going with 2.2 is going
> > > to really help people in the long run either.
> > >
> > > Put another way, I'd rather do one thing well and right rather than
> > > have multiple things with known issues.
> >
> > I worry about the same. If we keep supporting 'old standard' there is no
> > incentive for anyone to move to the new standards that fix REAL problems.
> >
> > --Mark
> >
> > > Cheers,
> > >
> > > Richard
