[Development] Feature and provisioning freeze exception for SBOM (Software Bill of Materials) generation

Alexandru Croitor alexandru.croitor at qt.io
Tue May 21 11:28:18 CEST 2024


Hi,

I would like to request a feature freeze and provisioning freeze exception for SBOM (Software Bill of Materials) generation.

https://codereview.qt-project.org/c/qt/qtbase/+/546923
https://codereview.qt-project.org/c/qt/qt5/+/561694

SBOM generation is about shipping some text files alongside the built Qt libraries that describe things like 3rd party dependencies used, checksums of built files, copyright info, license info, etc.
Some details at https://www.ntia.gov/page/software-bill-materials

SBOM generation for Qt was planned for 6.8, but it likely won't be finished in time for FF.

The generation itself only requires build system changes, no C++ API changes required.

The only user-facing changes would be a new opt-in configure flag (e.g. -sbom) and additional files being installed as part of Qt (one spdx.json file for each repository built).

Verification and auditing of the generated files need some additional python packages to be available during the CI build, hence the request for provisioning exception.

The impact for those who don't opt-in should be zero, and for the CI, installing some additional python packages is nothing new, and hopefully shouldn't cause any breakage.

We'd like to have this in for 6.8 because it's an LTS release, and because of the new EU CRA law (Cyber Resilience Act) pending.

It would also be good to receive feedback during 6.8 release whether we lack any info in the generated SBOM, so we can fix it for the LTS.

Regards,
Alexandru.
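The checksum and license checks that verification of such an SBOM involves, as an added Python example that is not part of the request above or of Qt's own tooling: it audits a constructed SPDX 2.3 JSON document against a constructed install tree, so the document contents and file names are assumptions, not Qt's actual spdx.json output.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed, minimal SPDX 2.3 JSON document (assumption, not Qt's real output).
# "fileName" entries are relative to the install prefix; checksums are filled in by demo().
CONSTRUCTED_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "name": "example-sbom",
    "files": [
        {"fileName": "./lib/libExample.so", "licenseConcluded": "LGPL-3.0-only",
         "checksums": [{"algorithm": "SHA256", "checksumValue": ""}]},
        {"fileName": "./include/example.h", "licenseConcluded": "NOASSERTION",
         "checksums": [{"algorithm": "SHA256", "checksumValue": ""}]},
    ],
}

def sha256_of(path):
    # Lowercase hex digest, the same form SPDX records checksums in.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_sbom(sbom, install_prefix):
    """Return (fileName, issue) findings; an empty list means every listed file exists,
    matches its recorded SHA256 and has a concluded license."""
    findings = []
    for entry in sbom.get("files", []):
        name = entry["fileName"]
        path = Path(install_prefix) / name
        if not path.is_file():
            findings.append((name, "missing on disk"))
            continue
        recorded = {c["algorithm"]: c["checksumValue"].lower()
                    for c in entry.get("checksums", [])}
        if "SHA256" not in recorded:
            findings.append((name, "no SHA256 checksum"))
        elif recorded["SHA256"] != sha256_of(path):
            findings.append((name, "checksum mismatch"))
        if entry.get("licenseConcluded", "NOASSERTION") == "NOASSERTION":
            findings.append((name, "license not asserted"))
    return findings

def demo():
    """Build a constructed install tree, record its checksums, then modify one file."""
    prefix = Path(tempfile.mkdtemp())
    for entry in CONSTRUCTED_SBOM["files"]:
        p = prefix / entry["fileName"]
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed contents of " + entry["fileName"].encode())
        entry["checksums"][0]["checksumValue"] = sha256_of(p)
    (prefix / "lib/libExample.so").write_bytes(b"modified after SBOM generation")
    return audit_sbom(CONSTRUCTED_SBOM, prefix)
```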

