* [PATCH] meta-isar/recipes-installer/bmap-tools: add Built-Using field @ 2025-11-04 14:44 srinuvasan.a via isar-users 2025-11-04 15:54 ` 'Jan Kiszka' via isar-users 0 siblings, 1 reply; 3+ messages in thread From: srinuvasan.a via isar-users @ 2025-11-04 14:44 UTC (permalink / raw) To: isar-users; +Cc: srinuvasan From: srinuvasan <srinuvasan.a@siemens.com> Add a Built-Using field to the binary package stanza in the debian/control file, since it is not provided by the upstream source This ensures that the original source package reference is captured in the generated SBOM file. During the clearance process, we need to provide the original package URL for this custom package By including the Built-Using field in debian/control, debsbom can record the corresponding source package information in the SBOM file. Signed-off-by: srinuvasan <srinuvasan.a@siemens.com> --- meta-isar/recipes-installer/bmap-tools/bmap-tools.bb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb b/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb index 376ab433..537e40ce 100644 --- a/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb +++ b/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb @@ -13,9 +13,14 @@ SRC_URI += "file://0001-Fix-path-parameter-passing-error-of-set_psplash_pipe.pat file://0002-Fix-_psplash_pipe-part-was-skipped-when-_progress_fi.patch;apply=no" do_prepare_build:append() { + upstream_version=$(dpkg-parsechangelog -l ${S}/debian/changelog -S Version) + deb_add_changelog cd ${S} quilt import -f ${WORKDIR}/*.patch quilt push -a + # Add Built-Using section + grep -q '^Built-Using: bmap-tools' debian/control || \ + sed -i "/Package: bmap-tools$/a Built-Using: bmap-tools (= ${upstream_version})" debian/control } -- 2.39.5 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251104144439.276529-1-srinuvasan.a%40siemens.com. ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] meta-isar/recipes-installer/bmap-tools: add Built-Using field 2025-11-04 14:44 [PATCH] meta-isar/recipes-installer/bmap-tools: add Built-Using field srinuvasan.a via isar-users @ 2025-11-04 15:54 ` 'Jan Kiszka' via isar-users 2025-11-04 16:19 ` 'Jan Kiszka' via isar-users 0 siblings, 1 reply; 3+ messages in thread From: 'Jan Kiszka' via isar-users @ 2025-11-04 15:54 UTC (permalink / raw) To: srinuvasan.a, isar-users On 04.11.25 15:44, srinuvasan.a via isar-users wrote: > From: srinuvasan <srinuvasan.a@siemens.com> > > Add a Built-Using field to the binary package stanza in the debian/control file, > since it is not provided by the upstream source > This ensures that the original source package reference > is captured in the generated SBOM file. Is there a debian bug for that issue? Or is this only a problem for us since we are rebuilding here? > > During the clearance process, we need to provide the original package URL for this custom package Note that the term "clearing process" is not generic. We are talking about SBOM generation, that is fairly well understood also outside. > By including the Built-Using field in debian/control, > debsbom can record the corresponding source package information in the SBOM file. > > Signed-off-by: srinuvasan <srinuvasan.a@siemens.com> > --- > meta-isar/recipes-installer/bmap-tools/bmap-tools.bb | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb b/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb > index 376ab433..537e40ce 100644 > --- a/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb > +++ b/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb > @@ -13,9 +13,14 @@ SRC_URI += "file://0001-Fix-path-parameter-passing-error-of-set_psplash_pipe.pat > file://0002-Fix-_psplash_pipe-part-was-skipped-when-_progress_fi.patch;apply=no" > > do_prepare_build:append() { > + upstream_version=$(dpkg-parsechangelog -l ${S}/debian/changelog -S Version) > + > deb_add_changelog > > cd ${S} > quilt import -f ${WORKDIR}/*.patch > quilt push -a > + # Add Built-Using section > + grep -q '^Built-Using: bmap-tools' debian/control || \ > + sed -i "/Package: bmap-tools$/a Built-Using: bmap-tools (= ${upstream_version})" debian/control > } Does it mean that all isar-rebuilt packages should now carry this? Then we have more cases, and it should be established automatically, not just case-by-case and open-coded. Jan -- Siemens AG, Foundational Technologies Linux Expert Center -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/7ef37806-3d03-4800-9899-8c020fd1aa86%40siemens.com. ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] meta-isar/recipes-installer/bmap-tools: add Built-Using field 2025-11-04 15:54 ` 'Jan Kiszka' via isar-users @ 2025-11-04 16:19 ` 'Jan Kiszka' via isar-users 0 siblings, 0 replies; 3+ messages in thread From: 'Jan Kiszka' via isar-users @ 2025-11-04 16:19 UTC (permalink / raw) To: srinuvasan.a, isar-users, Felix Moessbauer On 04.11.25 16:54, 'Jan Kiszka' via isar-users wrote: > On 04.11.25 15:44, srinuvasan.a via isar-users wrote: >> From: srinuvasan <srinuvasan.a@siemens.com> >> >> Add a Built-Using field to the binary package stanza in the debian/control file, >> since it is not provided by the upstream source >> This ensures that the original source package reference >> is captured in the generated SBOM file. > > Is there a debian bug for that issue? Or is this only a problem for us > since we are rebuilding here? > >> >> During the clearance process, we need to provide the original package URL for this custom package > > Note that the term "clearing process" is not generic. We are talking > about SBOM generation, that is fairly well understood also outside. > >> By including the Built-Using field in debian/control, >> debsbom can record the corresponding source package information in the SBOM file. >> >> Signed-off-by: srinuvasan <srinuvasan.a@siemens.com> >> --- >> meta-isar/recipes-installer/bmap-tools/bmap-tools.bb | 5 +++++ >> 1 file changed, 5 insertions(+) >> >> diff --git a/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb b/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb >> index 376ab433..537e40ce 100644 >> --- a/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb >> +++ b/meta-isar/recipes-installer/bmap-tools/bmap-tools.bb >> @@ -13,9 +13,14 @@ SRC_URI += "file://0001-Fix-path-parameter-passing-error-of-set_psplash_pipe.pat >> file://0002-Fix-_psplash_pipe-part-was-skipped-when-_progress_fi.patch;apply=no" >> >> do_prepare_build:append() { >> + upstream_version=$(dpkg-parsechangelog -l ${S}/debian/changelog -S Version) >> + >> deb_add_changelog >> >> cd ${S} >> quilt import -f ${WORKDIR}/*.patch >> quilt push -a >> + # Add Built-Using section >> + grep -q '^Built-Using: bmap-tools' debian/control || \ >> + sed -i "/Package: bmap-tools$/a Built-Using: bmap-tools (= ${upstream_version})" debian/control >> } > > Does it mean that all isar-rebuilt packages should now carry this? Then > we have more cases, and it should be established automatically, not just > case-by-case and open-coded. > ...but I seriously doubt that this is a correct generic approach. Built-Using has the following effect: "This causes the Debian archive to retain the versions of the source packages that were actually incorporated. In particular, if the versions of the incorporated parts are updated but the incorporating binary package is not rebuilt, the older versions of the incorporated parts will remain in the archive in order to satisfy the license." If we consider the superset of our fetched upstream sources plus that that self-built packages leave behind here as the equivalent target audience, this would cause the original sources to be stored twice because the self-built source package not only consists of our patches. Furthermore, if someone would extract the Debian-accumulated license information from this, that person would also pull everything about the upstream package twice. So, either we stop the duplication, or we don't use a Debian control field that is meant for different scenarios. Jan -- Siemens AG, Foundational Technologies Linux Expert Center -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/63426c56-9960-413d-86df-4a9a4cf61998%40siemens.com. ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-11-04 16:19 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2025-11-04 14:44 [PATCH] meta-isar/recipes-installer/bmap-tools: add Built-Using field srinuvasan.a via isar-users 2025-11-04 15:54 ` 'Jan Kiszka' via isar-users 2025-11-04 16:19 ` 'Jan Kiszka' via isar-users
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox