[Development] Maintainer PSA: Qt Software Bill of Materials (SBOM)

Alexandru Croitor alexandru.croitor at qt.io
Fri Jul 5 17:38:26 CEST 2024


Hi,

Starting with Qt 6.8, the build system will generate a Software Bill of Materials (SBOM) file for each built repo in the CI.

These will be installed in $qt_prefix/sbom/${repo_name}.spdx.

This is only enabled by default in the CI, and not for your local builds.

These files will be included in the binary packages that the Qt company provides.

The change that will activate the generation of the SBOM is at https://codereview.qt-project.org/c/qt/qt5/+/562482
The implementation is at: https://codereview.qt-project.org/c/qt/qtbase/+/546923

If you are a Qt maintainer, there are some things you should be aware of:
- if you are bundling new 3rd party sources into qt sources, make sure to create a qt_attribution.json file and tell the build system about it
- when adding new qt modules, plugins, tools, apps, make sure to tell the build system what the license expression is under which the code is licensed

How to do that is described at https://wiki.qt.io/SBOM#For_Maintainers

Here you can find a list of gerrit changes where I've done it for existing repositories. You can use them as inspiration for the future.
https://codereview.qt-project.org/q/topic:%22sbom%22+message:Annotate+branch:dev

The docs might turn into a QUIP sometime in the future.

Please, reach out to me if you have any questions.

Thanks.
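As an added example (not part of the original post and not Qt's own tooling), here is a small Python script that consumes one of the installed `${repo_name}.spdx` files and flags bundled packages whose license expression was never told to the build system. It assumes the file uses the SPDX tag-value syntax ("Tag: value" lines, one package per `PackageName` block, `Relationship` lines for containment); the sample document embedded below is constructed for the demonstration and is not generated by Qt.

```python
"""Audit an SPDX tag-value SBOM for packages with no declared license.

Added example. SAMPLE_SPDX is a constructed document, not Qt output; the
parser assumes the tag-value syntax (Tag: value, <text>...</text> for
multi-line values, packages starting at PackageName).
"""
import re
import sys
from collections import defaultdict

# Constructed sample: one module whose bundled 3rd-party library carries no
# declared license (NOASSERTION), the situation a missing
# qt_attribution.json would produce.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-qtmodule
DocumentNamespace: https://example.invalid/spdxdocs/example-qtmodule
Creator: Tool: example-generator
Created: 2024-07-05T15:38:26Z

PackageName: ExampleModule
SPDXID: SPDXRef-Package-ExampleModule
PackageVersion: 6.8.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
PackageLicenseDeclared: LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
PackageCopyrightText: NOASSERTION
PackageComment: <text>Built by the example generator
for Qt 6.8.</text>

PackageName: bundled-thirdparty-lib
SPDXID: SPDXRef-Package-bundled-thirdparty-lib
PackageVersion: 1.2.3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-ExampleModule
Relationship: SPDXRef-Package-ExampleModule CONTAINS SPDXRef-Package-bundled-thirdparty-lib
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_spdx_tag_value(text):
    """Return (document_fields, packages, relationships).

    packages: list of dicts keyed by SPDX tag, in file order.
    relationships: list of (subject, type, object) tuples.
    """
    doc, packages, relationships = {}, [], []
    current = doc
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = TAG_RE.match(lines[i])
        i += 1
        if not m:
            continue  # blank lines and '#' comments carry no tag
        tag, value = m.groups()
        if value.startswith("<text>"):
            # multi-line free text: gather lines until the closing </text>
            buf = [value[len("<text>"):]]
            while "</text>" not in buf[-1] and i < len(lines):
                buf.append(lines[i])
                i += 1
            value = "\n".join(buf).replace("</text>", "").strip()
        if tag == "PackageName":
            current = {"PackageName": value}  # start a new package block
            packages.append(current)
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) == 3:
                relationships.append(tuple(parts))
        else:
            current[tag] = value
    return doc, packages, relationships


def packages_without_declared_license(packages):
    """SPDXIDs of packages whose PackageLicenseDeclared is absent or NOASSERTION."""
    return [
        p.get("SPDXID", p["PackageName"])
        for p in packages
        if p.get("PackageLicenseDeclared", "NOASSERTION").strip() in ("", "NOASSERTION")
    ]


def contained_packages(relationships, root_id):
    """SPDXIDs transitively reachable from root_id via CONTAINS / DEPENDS_ON."""
    children = defaultdict(list)
    for subj, rel, obj in relationships:
        if rel in ("CONTAINS", "DEPENDS_ON"):
            children[subj].append(obj)
    seen, stack = [], [root_id]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen:
                seen.append(child)
                stack.append(child)
    return seen


def audit(text):
    """Summarise one SBOM: package count and packages lacking a license."""
    doc, packages, relationships = parse_spdx_tag_value(text)
    return {
        "document": doc.get("DocumentName"),
        "package_count": len(packages),
        "missing_license": packages_without_declared_license(packages),
    }


if __name__ == "__main__":
    # Usage: python sbom_audit.py $qt_prefix/sbom/<repo_name>.spdx
    spdx_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SPDX
    report = audit(spdx_text)
    print(f"{report['document']}: {report['package_count']} packages")
    for spdx_id in report["missing_license"]:
        print(f"  no declared license: {spdx_id}")
    sys.exit(1 if report["missing_license"] else 0)
```

Run against an installed SBOM, a non-zero exit from the script points at exactly the packages for which a maintainer still needs to add a qt_attribution.json entry or a license expression, which makes it a cheap CI gate on top of the generated files.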
