SBOM of tagged alpha release would miss all -dev packages: find a solution!
Value
The SBOM of the Goofy Alpha release should contain all packages from all possible targets/images, including the -dev images. However, we just realized that because of issue #524 (closed) (all -dev images failed to build because of insufficient target image size), no package specific to the -dev images has ever been uploaded to Fossology, let alone reviewed by the Audit Team, so none of them can get into the final SBOM of the release unless we find a solution.
Issue #524 (closed) is being fixed but it is not fully fixed yet, and it was not fixed at all when the Alpha release was tagged. The problem is that if we wait for the fix, we would do the "final" compliance scan for the Alpha release on a manifest that is no longer pinned (after tagging the release, the manifest was turned back into development mode since commit 3a023758), which is something we cannot do, because the process would not be fully reproducible.
Some ideas for a possible solution:
- we wait until #524 (closed) is fully fixed and then we re-tag the release (dirty, probably no one would accept it)
- we wait until #524 (closed) is fully fixed and then we create a dedicated branch from the v2.0.0-alpha tag where we backport the fix(es) (this is cleaner, maybe)
- we wait until #524 (closed) is fully fixed and then we create a fork in the compliance team group with a dedicated branch as above, which we use for our final scan (dirty, I don't like it, but since it's an Alpha Release we may look the other way...)
- (from @landgraf) we wait until #524 (closed) is fully fixed and then we add a new `v2.0.0-alpha2` tag, pinning the manifest again (but this should be done before any substantial change comes into the project)
- something else: any proposals?
Acceptance Criteria
Find a solution to cleanly scan Goofy Alpha with our compliance toolchain, with the -dev images fixed (i.e. with -dev packages included) and with pinned revisions in the manifest.
Applicable Personas
- License Compliance Auditor