> On 31 Jul 2024, at 10:21, Marko, Peter <peter.ma...@siemens.com> wrote:
Hello Peter,

> This topic comes up from time to time.

It’s nice to get confirmation, I was unable to find any traces of the issue.

> There was already a patch proposed for this:
> https://lists.openembedded.org/g/openembedded-core/topic/101991269#msg189260
> https://lists.openembedded.org/g/openembedded-core/topic/102076964#msg189501
>
> Maybe it wouldn't be that difficult to finish it, but it's possible that it
> needs to get a bit broader to also update generated spdx
> as there is ongoing activity to separate cve-check into offline tool
> processing the spdx file.

This does seem like a good start on the CVE reporting side. Whereas for SPDX, perhaps the “dummy dependency package” (e.g. nodejs-nghttp2) approach may be the simplest alternative even though it requires manual copying of license info/files and some extra maintenance overhead.

How does this sound to you?

Thanks a lot for the sync,
Steven