[Development] Feature and provisioning freeze exception for SBOM (Software Bill of Materials) generation

Jani Heikkinen jani.heikkinen at qt.io
Wed May 22 09:17:03 CEST 2024


Hi!

I don't have any opinion about the FF exception for this, but as for https://codereview.qt-project.org/c/qt/qt5/+/561694, I think we can wait for branching and integrate this in 'dev' after it. In the big picture it is more important to keep CI and provisioning as stable as possible this close to feature freeze, to make sure we can keep the FF schedule (and so the Qt 6.8.0 final schedule as well) and get Beta1 out before the summer vacations start... And if the FF exception is granted, you can pick the provisioning change into '6.8' after Beta1.

br,
Jani

> -----Original Message-----
> From: Development <development-bounces at qt-project.org> On Behalf Of
> Alexandru Croitor via Development
> Sent: Tuesday 21 May 2024 12:28
> To: Qt development mailing list <development at qt-project.org>
> Subject: [Development] Feature and provisioning freeze exception for SBOM
> (Software Bill of Materials) generation
>
> Hi,
>
> I would like to request a feature freeze and provisioning freeze exception for
> SBOM (Software Bill of Materials) generation.
>
> https://codereview.qt-project.org/c/qt/qtbase/+/546923
> https://codereview.qt-project.org/c/qt/qt5/+/561694
>
> SBOM generation is about shipping some text files alongside the built Qt
> libraries, that describe things like 3rd party dependencies used, checksums of
> built files, copyright info, license info, etc.
> Some details at
> https://www.ntia.gov/page/software-bill-materials
>
> SBOM generation for Qt was planned for 6.8, but it likely won't be finished
> in time for FF.
>
> The generation itself only requires build system changes, no C++ API changes
> required.
>
> The only user-facing changes would be a new opt-in configure flag (e.g.
> -sbom) and additional files being installed as part of Qt (one spdx.json file for
> each repository built).
>
> Verification and auditing of the generated files needs some additional python
> packages to be available during the CI build, hence the request for
> provisioning exception.
>
> The impact for those who don't opt-in should be zero, and for the CI,
> installing some additional python packages is nothing new, and hopefully
> shouldn't cause any breakage.
>
> We'd like to have this in for 6.8 because it's an LTS release, and because the
> new EU CRA (Cyber Resilience Act) law is pending.
>
> It would also be good to receive feedback during the 6.8 release whether we lack
> any info in the generated SBOM, so we can fix it for the LTS.
>
> Regards,
> Alexandru.
> --
> Development mailing list
> Development at qt-project.org
> https://lists.qt-project.org/listinfo/development
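
The quoted request describes the generated SBOM as one spdx.json per repository carrying third-party dependencies, checksums of built files and license/copyright info, and says the CI verifies and audits those files. As an added example (not Qt's code, and not the verification tooling the request refers to), the Python below shows the kind of check a consumer of such a file would run: it verifies the SHA256 entries of an SPDX 2.3 JSON document against an install tree, reports any file that is missing or modified, and lists the third-party packages the root package declares it depends on. The document shape, file names, package names, versions and file contents are all constructed for the example and are assumptions, not values from the Qt build.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample SPDX 2.3 JSON document. Its shape is an assumption about what
# a per-repository spdx.json might look like; it is not taken from the Qt build
# system. Checksum values are filled in by build_sample_install() once files exist.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "qtbase-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-qtbase", "name": "qtbase", "versionInfo": "6.8.0",
         "licenseConcluded": "LGPL-3.0-only",
         "copyrightText": "Copyright (C) The Qt Company Ltd."},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.3.1",
         "licenseConcluded": "Zlib",
         "copyrightText": "Copyright (C) Jean-loup Gailly and Mark Adler"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-0", "fileName": "./lib/libQt6Core.so.6",
         "checksums": [{"algorithm": "SHA256", "checksumValue": ""}]},
        {"SPDXID": "SPDXRef-File-1", "fileName": "./lib/libQt6Gui.so.6",
         "checksums": [{"algorithm": "SHA256", "checksumValue": ""}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-qtbase", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-zlib"},
    ],
}

# Constructed file contents standing in for built libraries.
SAMPLE_FILES = {
    "./lib/libQt6Core.so.6": b"\x7fELF constructed stand-in for libQt6Core\n",
    "./lib/libQt6Gui.so.6": b"\x7fELF constructed stand-in for libQt6Gui\n",
}


def sha256_of(path):
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(doc, install_root):
    """Return SBOM file names whose on-disk SHA256 is missing or differs."""
    bad = []
    for entry in doc.get("files", []):
        path = os.path.join(install_root, entry["fileName"])
        expected = {c["algorithm"]: c["checksumValue"].lower()
                    for c in entry.get("checksums", [])}
        # A file with no SHA256 entry, or not present on disk, is also a failure.
        if "SHA256" not in expected or not os.path.isfile(path):
            bad.append(entry["fileName"])
            continue
        if sha256_of(path) != expected["SHA256"]:
            bad.append(entry["fileName"])
    return bad


def third_party_dependencies(doc, root_pkg_id):
    """List (name, version, license) of packages the root package DEPENDS_ON."""
    pkgs = {p["SPDXID"]: p for p in doc.get("packages", [])}
    deps = []
    for rel in doc.get("relationships", []):
        if rel["spdxElementId"] == root_pkg_id and rel["relationshipType"] == "DEPENDS_ON":
            p = pkgs[rel["relatedSpdxElement"]]
            deps.append((p["name"], p.get("versionInfo", ""),
                         p.get("licenseConcluded", "NOASSERTION")))
    return sorted(deps)


def build_sample_install(install_root):
    """Write the constructed files and return an SBOM with real checksums."""
    doc = json.loads(json.dumps(SAMPLE_SPDX))  # deep copy of the template
    for entry in doc["files"]:
        path = os.path.join(install_root, entry["fileName"])
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(SAMPLE_FILES[entry["fileName"]])
        entry["checksums"][0]["checksumValue"] = sha256_of(path)
    with open(os.path.join(install_root, "qtbase.spdx.json"), "w") as f:
        json.dump(doc, f, indent=2)
    return doc


def demo():
    """Verify a clean install, tamper with one library, then verify again."""
    with tempfile.TemporaryDirectory() as root:
        doc = build_sample_install(root)
        clean = verify_checksums(doc, root)
        with open(os.path.join(root, "lib", "libQt6Core.so.6"), "ab") as f:
            f.write(b"# trailing bytes simulating a modified binary\n")
        tampered = verify_checksums(doc, root)
        deps = third_party_dependencies(doc, "SPDXRef-Package-qtbase")
    return clean, tampered, deps


if __name__ == "__main__":
    print(demo())
```

The check deliberately treats a file entry without a SHA256 checksum as a failure rather than skipping it, since an SBOM that lists a file but cannot be verified against it gives no integrity guarantee for that file.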

