> > what you are looking at is feeds area, where the format will vary
> depending upon which online package management is in use. So you will
> have to make that differentiation. Packages file is used when opkg is
> used and not by rpm/dnf
> for SCA perhaps you want to look at content of the packages. or maybe
> use the manifests that yocto generates e.g. license manifest in images
> have info on all packages that go into that image, it may not be
> formatted as per your expectation
> but it's somewhere to start
>

Thanks for the helpful input. This matches my own observation. The tool-chain used in the project additionally requires the license.manifest file as input. For some reason it also looks into files named Packages. Actually it may be clear why it does this: the Packages file specifies, among other things, each package's source code address/path.

Despite the question of files named Packages being generated (for .ipk YES, for .rpm NO), is it legitimate to use these files in an external tool-chain for software composition analysis? I mean these files might be a Yocto internal interface not intended for the purpose pointed out here. May this be true?
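An added illustration, not part of the original message or of any Yocto tooling: a sketch that reads the two inputs discussed above, an opkg `Packages` index and an image `license.manifest`, and reports the feed's `Source` entry for each package in the image. The sample data is constructed, and the field names `Source`, `PACKAGE NAME` and `LICENSE` are assumptions to check against what your build actually emits.

```python
import re

# Constructed samples (values invented): an opkg feed index ("Packages")
# and an image license.manifest, both as blank-line-separated stanzas.
SAMPLE_PACKAGES = """\
Package: busybox
Version: 1.33.0-r0
License: GPLv2 & bzip2-1.0.6
Source: https://example.invalid/busybox-1.33.0.tar.bz2
Description: Tiny versions of many common UNIX utilities
 in a single small executable.

Package: zlib
Version: 1.2.11-r0
License: Zlib
Source: https://example.invalid/zlib-1.2.11.tar.xz
"""
SAMPLE_MANIFEST = """\
PACKAGE NAME: busybox
PACKAGE VERSION: 1.33.0
LICENSE: GPLv2 & bzip2-1.0.6

PACKAGE NAME: openssl
PACKAGE VERSION: 1.1.1k
LICENSE: openssl
"""

def parse_stanzas(text):
    """Parse 'Key: value' stanzas; indented lines continue the previous field."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                key = key.strip()
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def reconcile(packages_text, manifest_text):
    """Map each manifest package to (license, feed Source or None)."""
    feed = {s["Package"]: s for s in parse_stanzas(packages_text) if "Package" in s}
    return {
        e["PACKAGE NAME"]: (e.get("LICENSE"), feed.get(e["PACKAGE NAME"], {}).get("Source"))
        for e in parse_stanzas(manifest_text) if "PACKAGE NAME" in e
    }
```

A `None` source marks a package that is in the image but has no entry in the index, which is the result for every package when the feed is .rpm and no `Packages` file exists.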
