[Development] Extending qt_attribution.json files to mark provisioned components
Volker Hilsheimer
volker.hilsheimer at qt.io
Tue Mar 5 10:40:43 CET 2024
On 4 Mar 2024, at 14:42, Kai Köhne via Development <development at qt-project.org> wrote:
Hi,
I suggest extending our qt_attribution.json format to explicitly mark third-party components not part of the Qt sources, like https://doc.qt.io/qt-6/qtmultimedia-attribution-ffmpeg.html.
QUIP-7 change: https://codereview.qt-project.org/c/meta/quips/+/545126?usp=search
qtattributionsscanner change: https://codereview.qt-project.org/c/qt/qttools/+/545098
Let me know what you think.
Regards
Kai
Commented on the review, but also here, slightly more prosaic:
Being able to document 3rd party components that are included in Qt because we provision and package them as part of the pipeline is a good idea. Both from an SBOM perspective, and because there are advantages in having a standardized, descriptive, machine-readable documentation of all dependencies that any Qt module has. The question is whether the goal is for us to mark *all* 3rd party components that way.
E.g. we provision, compile and link against, and then package the runtime libraries for FFmpeg or SQL client libraries. The provenance of those should clearly be documented in something less obscure than a (power)shell-script in qt5.git/coin/provisioning.
But what about system libraries and SDKs where we don’t ship the runtime (either because we expect those to be available on the target, because of licensing, or because we can dynamically detect the presence of the runtime and fail gracefully). Those SDKs might have inline functions in their headers, generating executable code in a Qt artefact that we do deploy. Or the tools that come with those SDKs might generate code that ends up compiled into Qt. So strictly speaking, we should list those as well, even though our Qt package doesn’t include any artefacts from those?
Volker
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20240305/845e5864/attachment.htm>
More information about the Development
mailing list