From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Fri, 12 Dec 2025 11:24:42 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-pl1-f188.google.com (mail-pl1-f188.google.com [209.85.214.188]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 5BCAOZw9026014 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 12 Dec 2025 11:24:41 +0100 Received: by mail-pl1-f188.google.com with SMTP id d9443c01a7336-29845b18d1asf20651985ad.1 for ; Fri, 12 Dec 2025 02:24:36 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1765535069; cv=pass; d=google.com; s=arc-20240605; b=VOFU/BMd2oUO7FgTN9zJB27gzVmQOtG2WUEtkSpRboXyURRyhdXHvmBphP8NN8s9df 5cLQy3KS6RrMfTf2ucQpJEw8ICSDtqHwN2XPPHwj6vcmjXq14tFf79kGzBQcy7bkyiAD HZTpB8QeyB5gcVLTI9L/SAGE6sS4CHLbiDw45csoaMuRFw9k8YLPQGvMDivpKoudw4xm IZ7z8w3v5H3c/xp/gNfCDCfxGjAxbT0OXAroOkpAUTQEVY1yPOtjYsWMXhlJ3crbVN/4 JL2/tGBW9oLDFZUfb8Y2OxlIAGAE0E0WhAnuqUoQghToh0n9W0gcHV66+p/ldsw5Em9Y 6OQw== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:in-reply-to :autocrypt:content-language:from:references:cc:to:subject:user-agent :date:message-id:dkim-signature; bh=liyL8jb8+N3kUbM3Q43tLPevGmvM8SlAjM0z7c5UUh0=; fh=tv9sYWZvMHjS0WD4UJJv21KpHZxJdPqio9bONzwWjDQ=; b=Wh9EubQ0Ud+sFCyypWPHCEyUv0rLlgKgccKnp58IFNzFyASJLuvMkT++KMsducOrB9 egEeCr1w9wyOB37BsmEhaEIH62vU+ZQTCX05pTaYGNLDG538ijoOAUgmxn+tZS2gTyfn c7aTdU9g8MIGaEcZmD1BOyT6Bot3VhU7kDJSEq8yV+rrm1Wwjk54GiuMK5sg1hkLVeD+ u2hbIzLHDKsCFXkQUH5wC8dUyDHiSkLcg1b1AfGBEQtjifwiXrvec4BcchMJiDkFO+Ax Dm1hg/QijkLiZ8XfBzXKy5gPG8I3XfcyfkQq6ZDHDOnDXxe0JUp+J996Z1viR8Ya87I5 yKcA==; darn=ilbers.de ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=tD9iQke6; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c200::5 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1765535069; x=1766139869; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :in-reply-to:autocrypt:content-language:from:references:cc:to :subject:user-agent:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=liyL8jb8+N3kUbM3Q43tLPevGmvM8SlAjM0z7c5UUh0=; b=XDvCh62lVwvL5my0H0D3jgn82L7xOT/iWi0CMhyvsXzvqEX6LpT9/PDfNXOo19xe0s m/92TC6X0RqJbf4fadtZZzccTpOw/frqLu2ySaGbCsvA+Nj734JdrEzujNSkg5yHBUNT u5ji6RXeQAdpauPcE3H4NXPhydULBPDKlSfF+4UVg8jYjG5CmxYDPQUe4IuZ3n7Q7Hwz 7P8D8WsR9lAFXIkR2AOHBnkT97RgtXREzIdx9JuNpJ0M6VIg9kW2ngu7QzsDibQgD+1q RHc51z/qYL9TMQht69rX9yXC9j7RPRqq1VPswM7nYzIWGHFbK+skxM7ImH3UE11ov2DT 0voA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765535069; x=1766139869; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :in-reply-to:autocrypt:content-language:from:references:cc:to :subject:user-agent:date:message-id:x-beenthere:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=liyL8jb8+N3kUbM3Q43tLPevGmvM8SlAjM0z7c5UUh0=; b=SfVcqX1FgDap4lXxns+ZdNq0c6EL1JLP4Nye3NJrgBePjJ2ZDtjUGEXgK6sQaUYmnp KNYoMF+9Cx4fjFEC0zbTUg5Z/2j4EXYcbEzcnnWzL8AZkKroGINNTK2V+SSHVm+D2TEq TSQEgRdPl3p9O49UTi/Mzfkme5mpR9fHcwehMfoJ3oloKVSptn1fyqOGlSIIImIjAQOh ErkQ7NcrntNpnAULhFOTeFu0+8E+dYQCv4aJmI1lftI1h100patFKTlWqw0u/6XPyu8s JMyvfcKHQ8cfk4PexMh552KQKKTouMR9zcyy3dIj+rTJvrW3SqggeehGy6du4rzTykod Ilwg== X-Forwarded-Encrypted: i=3; AJvYcCWDEz4JqK96X0cPxQBeIzTWEPygTqXrm3/jngvHebiQPMvGzINU6tow+kYiYKqAnzWhO2Xb@ilbers.de X-Gm-Message-State: AOJu0YwtyHEbaGvSKTHOMKpbX+P+LvF2BkS1mmu7UbMjCBvw9pPahZYz SFkxP8UcuQt0tu6f5/wS9rODenr2HDGZFbdFgghlO3cx5S257qORQCRu X-Google-Smtp-Source: AGHT+IEujJzB5nV+VDcrINVDHWpq12pR+xjQAGe+ZT/WEgEY13JAxX09zqlrlZvqv7ahw0/XxYigeQ== X-Received: by 2002:a17:903:1986:b0:295:9cb5:ae07 with SMTP id d9443c01a7336-29f23c7b894mr15639985ad.38.1765535069461; Fri, 12 Dec 2025 02:24:29 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AWVwgWYcvcznTZMLhHP9k5BdynyZ5LndHgH2b7yTvBmJ5/zePw==" Received: by 2002:a17:902:c1d3:b0:295:586a:9d87 with SMTP id d9443c01a7336-29f23553395ls5542285ad.1.-pod-prod-05-us; Fri, 12 Dec 2025 02:24:28 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCUYmYOgZWcE9okE1PZ0XD7HYqkdCCqwc4fFMSqjYQjVez/6rwbx7GBQViUzahEQXmrzbb0gEhiInuc5@googlegroups.com X-Received: by 2002:a17:902:f688:b0:29f:29a8:608b with SMTP id d9443c01a7336-29f29a861cemr8340035ad.13.1765535067857; Fri, 12 Dec 2025 02:24:27 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1765535067; cv=pass; d=google.com; s=arc-20240605; b=B0CVQhCXgLz8zXSrlWTr2OdwIYXcp2qdytfRCmReVTk+3XvaKn0B7zCk+xZbvOxK9C DjYQCwsXzgu0dCXyRhoODlQyEqLaWDPOx8MHl2IjbsaH0h574OVNMewxR7E+jC6Ko/Ck g5mLWNV7nefVStrFDfPyQTfu4HLsai2D81qbLG6Q9GbNptdT9I/28/+/uSO6sPvT+8od DR6BGt3pePfY1cdNUOG2YibE3FzdwOtknDSKvbnCBcZbROVnFutkH4YNWjw7ogA4fT0S TntLmQCg0lKHrCFvPLPF6e18PXN/SSYiyDXWcVYpboUiBvwKDuzHVshvzR3qeQT5Jw/q 9dxg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:in-reply-to:autocrypt :content-language:from:references:cc:to:subject:user-agent:date :message-id:dkim-signature; bh=2QR7hvAzelgH6ButDQcsh3pGqTHGJheN3n/1ZFgCBik=; fh=fqcZrbk8Ndqbb5I+7X1MMiqqjH8FYHaCxxBCdBARHmA=; b=ehzYodru/Tpvj5T67ZMHtq8UaCJKOLBz9Axn2UHFXSA/RWwINoTF0jMMoACkwYs8BQ Jn7oeg0wxhcGyThzM7Z8JHnasj94dgnd+zqXaPNxbB7Bb4uvCkLxNEdJzE1czWazPTE3 6PTQSjwwQCmjj/ux4Qolltxi1kGgksRV0vokkGZP402G0b2uZK2TLKQ+fBFvPnhUG+2Z 0bPgQZdTqDyelpPmReLbk1u6f1ueGgBdjIuW1ggvWiwb/9iwOlk9ycBzHtoBwLlSGDE9 NtnrjV3SXYtFODC9p+w/8LMHbtMlQ/eijHZwuv5UIqCzQ/MTMFGLpXvpAMgaH6l0R/Io lpQw==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=tD9iQke6; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c200::5 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from DUZPR83CU001.outbound.protection.outlook.com (mail-northeuropeazlp170120005.outbound.protection.outlook.com. [2a01:111:f403:c200::5]) by gmr-mx.google.com with ESMTPS id d9443c01a7336-29f1738260bsi1100785ad.7.2025.12.12.02.24.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 12 Dec 2025 02:24:27 -0800 (PST) Received-SPF: pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c200::5 as permitted sender) client-ip=2a01:111:f403:c200::5; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=G6kMS1tzmWSsMH5nHynuwpBS7NOLOw12wRKNIX2Ug/hsK3hoeLKTgH8pbH7JxRyZQzKxGSxIPo5Js7J62y/v1vsMlq+PwuBUCap8cBLfquRwUpH2SSiA9nmFrknii+xGS3eX0+6N0g3wZ/snT1MDk+eGFuvBtkJ+hzs62qnG/2R2K+Gnl5Wqd4XTtVuLB97bgyRk/ZLOXJQ2FnEr8agSB4wnakBN0ih10bgIvulnoUhrANWMINSwc9fZw+e2k46taKRxWTQQ+klqNwVk3ltcvKwo12C9DgiZ70zC8OeLUeSj7stF7SAEen/OpL6gjqkGACP1RMrPaXKURTjWaQYfYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2QR7hvAzelgH6ButDQcsh3pGqTHGJheN3n/1ZFgCBik=; b=VvbavzKtf7iNpg5TDPAemsVfW+eOGQ/gw/uooZ/u8UMoOKW91CGhFQEPNW1crQkmR0EAzjfGGCcaVP8tIh/xmQA7/VOnKNl5PDvz5CsN3gt4tLpCgZOqMJjD9UWza9WGAMe5VFYbA+ytzD81cV0c3naUqw4s+6dR4PnBbbNLSRcCJ88R6tv3gHhde01vUA9BOVmN9X2SpY04swY/+jEU5dN17l3BvVRpAghIDaqvVI7EPYew78REWoWlihuJjSUQAWxyng4wH9UEQ2hFT2t2Grb3nAbt06ukkzHc+tdAg9KXZeustkzn1Fy+oJiprHadPyn7s1nMAROzFQXcpyDJfw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:588::19) by DU0PR10MB5773.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:310::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9412.9; Fri, 12 Dec 2025 10:24:25 +0000 Received: from AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM ([fe80::8fe1:7e71:cf4a:7408]) by AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM ([fe80::8fe1:7e71:cf4a:7408%6]) with mapi id 15.20.9412.005; Fri, 12 Dec 2025 10:24:24 +0000 Message-ID: <7b9b5669-fb6f-4dfe-b146-25a6f35b2583@siemens.com> Date: Fri, 12 Dec 2025 11:24:23 +0100 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v6 00/10] Add SBOM generation with debsbom To: Felix Moessbauer , isar-users@googlegroups.com Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, quirin.gylstorff@siemens.com References: <20251201085813.1616095-1-felix.moessbauer@siemens.com> From: "'Jan Kiszka' via isar-users" Content-Language: en-US Autocrypt: addr=jan.kiszka@siemens.com; keydata= xsFNBGZY+hkBEACkdtFD81AUVtTVX+UEiUFs7ZQPQsdFpzVmr6R3D059f+lzr4Mlg6KKAcNZ uNUqthIkgLGWzKugodvkcCK8Wbyw+1vxcl4Lw56WezLsOTfu7oi7Z0vp1XkrLcM0tofTbClW xMA964mgUlBT2m/J/ybZd945D0wU57k/smGzDAxkpJgHBrYE/iJWcu46jkGZaLjK4xcMoBWB I6hW9Njxx3Ek0fpLO3876bszc8KjcHOulKreK+ezyJ01Hvbx85s68XWN6N2ulLGtk7E/sXlb 79hylHy5QuU9mZdsRjjRGJb0H9Buzfuz0XrcwOTMJq7e7fbN0QakjivAXsmXim+s5dlKlZjr L3ILWte4ah7cGgqc06nFb5jOhnGnZwnKJlpuod3pc/BFaFGtVHvyoRgxJ9tmDZnjzMfu8YrA +MVv6muwbHnEAeh/f8e9O+oeouqTBzgcaWTq81IyS56/UD6U5GHet9Pz1MB15nnzVcyZXIoC roIhgCUkcl+5m2Z9G56bkiUcFq0IcACzjcRPWvwA09ZbRHXAK/ao/+vPAIMnU6OTx3ejsbHn oh6VpHD3tucIt+xA4/l3LlkZMt5FZjFdkZUuAVU6kBAwElNBCYcrrLYZBRkSGPGDGYZmXAW/ VkNUVTJkRg6MGIeqZmpeoaV2xaIGHBSTDX8+b0c0hT/Bgzjv8QARAQABzSNKYW4gS2lzemth IDxqYW4ua2lzemthQHNpZW1lbnMuY29tPsLBlAQTAQoAPhYhBABMZH11cs99cr20+2mdhQqf QXvYBQJmWPvXAhsDBQkFo5qABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEGmdhQqfQXvY zPAP/jGiVJ2VgPcRWt2P8FbByfrJJAPCsos+SZpncRi7tl9yTEpS+t57h7myEKPdB3L+kxzg K3dt1UhYp4FeIHA3jpJYaFvD7kNZJZ1cU55QXrJI3xu/xfB6VhCs+VAUlt7XhOsOmTQqCpH7 pRcZ5juxZCOxXG2fTQTQo0gfF5+PQwQYUp0NdTbVox5PTx5RK3KfPqmAJsBKdwEaIkuY9FbM 9lGg8XBNzD2R/13cCd4hRrZDtyegrtocpBAruVqOZhsMb/h7Wd0TGoJ/zJr3w3WnDM08c+RA 5LHMbiA29MXq1KxlnsYDfWB8ts3HIJ3ROBvagA20mbOm26ddeFjLdGcBTrzbHbzCReEtN++s gZneKsYiueFDTxXjUOJgp8JDdVPM+++axSMo2js8TwVefTfCYt0oWMEqlQqSqgQwIuzpRO6I ik7HAFq8fssy2cY8Imofbj77uKz0BNZC/1nGG1OI9cU2jHrqsn1i95KaS6fPu4EN6XP/Gi/O 0DxND+HEyzVqhUJkvXUhTsOzgzWAvW9BlkKRiVizKM6PLsVm/XmeapGs4ir/U8OzKI+SM3R8 VMW8eovWgXNUQ9F2vS1dHO8eRn2UqDKBZSo+qCRWLRtsqNzmU4N0zuGqZSaDCvkMwF6kIRkD ZkDjjYQtoftPGchLBTUzeUa2gfOr1T4xSQUHhPL8zsFNBGZY+hkBEADb5quW4M0eaWPIjqY6 aC/vHCmpELmS/HMa5zlA0dWlxCPEjkchN8W4PB+NMOXFEJuKLLFs6+s5/KlNok/kGKg4fITf Vcd+BQd/YRks3qFifckU+kxoXpTc2bksTtLuiPkcyFmjBph/BGms35mvOA0OaEO6fQbauiHa QnYrgUQM+YD4uFoQOLnWTPmBjccoPuiJDafzLxwj4r+JH4fA/4zzDa5OFbfVq3ieYGqiBrtj tBFv5epVvGK1zoQ+Rc+h5+dCWPwC2i3cXTUVf0woepF8mUXFcNhY+Eh8vvh1lxfD35z2CJeY txMcA44Lp06kArpWDjGJddd+OTmUkFWeYtAdaCpj/GItuJcQZkaaTeiHqPPrbvXM361rtvaw XFUzUlvoW1Sb7/SeE/BtWoxkeZOgsqouXPTjlFLapvLu5g9MPNimjkYqukASq/+e8MMKP+EE v3BAFVFGvNE3UlNRh+ppBqBUZiqkzg4q2hfeTjnivgChzXlvfTx9M6BJmuDnYAho4BA6vRh4 Dr7LYTLIwGjguIuuQcP2ENN+l32nidy154zCEp5/Rv4K8SYdVegrQ7rWiULgDz9VQWo2zAjo TgFKg3AE3ujDy4V2VndtkMRYpwwuilCDQ+Bpb5ixfbFyZ4oVGs6F3jhtWN5Uu43FhHSCqUv8 FCzl44AyGulVYU7hTQARAQABwsF8BBgBCgAmFiEEAExkfXVyz31yvbT7aZ2FCp9Be9gFAmZY +hkCGwwFCQWjmoAACgkQaZ2FCp9Be9hN3g/8CdNqlOfBZGCFNZ8Kf4tpRpeN3TGmekGRpohU bBMvHYiWW8SvmCgEuBokS+Lx3pyPJQCYZDXLCq47gsLdnhVcQ2ZKNCrr9yhrj6kHxe1Sqv1S MhxD8dBqW6CFe/mbiK9wEMDIqys7L0Xy/lgCFxZswlBW3eU2Zacdo0fDzLiJm9I0C9iPZzkJ gITjoqsiIi/5c3eCY2s2OENL9VPXiH1GPQfHZ23ouiMf+ojVZ7kycLjz+nFr5A14w/B7uHjz uL6tnA+AtGCredDne66LSK3HD0vC7569sZ/j8kGKjlUtC+zm0j03iPI6gi8YeCn9b4F8sLpB lBdlqo9BB+uqoM6F8zMfIfDsqjB0r/q7WeJaI8NKfFwNOGPuo93N+WUyBi2yYCXMOgBUifm0 T6Hbf3SHQpbA56wcKPWJqAC2iFaxNDowcJij9LtEqOlToCMtDBekDwchRvqrWN1mDXLg+av8 qH4kDzsqKX8zzTzfAWFxrkXA/kFpR3JsMzNmvextkN2kOLCCHkym0zz5Y3vxaYtbXG2wTrqJ 8WpkWIE8STUhQa9AkezgucXN7r6uSrzW8IQXxBInZwFIyBgM0f/fzyNqzThFT15QMrYUqhhW ZffO4PeNJOUYfXdH13A6rbU0y6xE7Okuoa01EqNi9yqyLA8gPgg/DhOpGtK8KokCsdYsTbk= In-Reply-To: <20251201085813.1616095-1-felix.moessbauer@siemens.com> Content-Type: text/plain; charset="UTF-8" X-ClientProxiedBy: FR2P281CA0131.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:9e::14) To AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:588::19) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AS4PR10MB6181:EE_|DU0PR10MB5773:EE_ X-MS-Office365-Filtering-Correlation-Id: bb53dd6d-eeeb-4d13-507e-08de39689f59 X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|366016|376014; X-Microsoft-Antispam-Message-Info: =?utf-8?B?UVYxcXk2aS9ULzlLSUU5ZFlqRW96cGxLSVkvN0JMbUs5Wkx2YTM4U0JhRDJK?= =?utf-8?B?cnJIRzA2QVRhRnVmSHlSQkR6d2xIMlgzVHRBbDJFT0xta1VNalhGUWx1TDNT?= =?utf-8?B?alRNbWpPWE1lSU84S01EdklMZHFVRWJjSDIyQkUxT2tyR0RJcXQ1YnBFVXBz?= =?utf-8?B?ciszVmZEWkZPM3lLT3FkdzZVSCs1aFlGaTNkTnpjcDJyWE9vcGhuam1FSXdG?= =?utf-8?B?RXNHcmRnejArem5tUTVwOStMbCtrYVhWUGNaM0tnWWlLUWEyanhRZmx6cVFQ?= =?utf-8?B?Qzl6Y3hidFZwRGVMall3bUxWNmVHb3BGcS9DcVFMMGx0R2JzMXA4c0FoNEpN?= =?utf-8?B?RExQWGNBVXpnN3RWL20xUStRUXltRlpFVGoySC9zYmx5UWhFRnVHUHU1TVpT?= =?utf-8?B?ditiWkRlbEV3NmNvNlJ1ZEZSRVZsVEt2TDBFQ2ZGTjdWVVBiRjNsdVRHVGNt?= =?utf-8?B?bnFQbXQvazdraFJxZHdRM3YvaEZNVjE0djlFbTl0ajBVUy8rMzVpVTE4bmYw?= =?utf-8?B?YTRpdStJR3JWMjYrM2x0YnhiYU90VUxmN1VucnVyc2JpLzMwbDhWMXZ6RjNS?= =?utf-8?B?dDJRNzY4bmVTdmI0aXJ6ZU1oOXhYU2xxR1hqL2FLaS9XMWZxNW4vd0JGejhI?= =?utf-8?B?eDdCQWdEMkpKMzFOSzV1eFk1TUwyVVRYZFN1WTNBSWx4NnJocUh2N0kyZkor?= =?utf-8?B?aEN3R2w0UnFxQlZMZkxkNkFjRVQxYnlUV1YvQ1g4ZElCOEl1Y3VhU0hhK25o?= =?utf-8?B?eDFLaXJEaXhKK3JvcUVRdDVDSXo0dW5vUnpoelZFcHoxSkNiMUozS2MwYzFx?= =?utf-8?B?M0VmY0Zlbm15a1REUVRvYldXU01vL1R5QWZTdzJicmphWCtuTS9iQ0VzajZs?= =?utf-8?B?VG9BNUtiUSswZ09JaFBXZXhKUnJId2Z1dHRqSTZ0VFZ6NCt1WkRibkF2ZEtK?= =?utf-8?B?T0NTcklqNzhPVnBWTE4rU2tRRkVDREJiZG5Kc2w3QWJESzhuK0EyOVFGbVFl?= =?utf-8?B?NFVFQ1JTU3RyOFZrQ041NDdyN1Ara0NoQjlhTDZRamk0eE5lbGMxallqaWFE?= =?utf-8?B?amZlclg2UXY2UTUycFB4aUYvY05OQVZrMzl6cjdXbE5YdmRKdStxKy9iQXdU?= =?utf-8?B?VHErNWVZam5KbjVtTm4yd2RzMW0zTi84Ly9pQnY2MXR1TUxzb0tRaURZaUQz?= =?utf-8?B?SVNZaFdqTkt5dXhXS1dkQzRIM1JHNW5uR0EycmxkYjBLdVFtRkUrR2E4eFJG?= =?utf-8?B?YW5UOHpZUzV6ZkE4OU1KRGFORFhwaXFseUZPVjJwQ1pIOTQ1YkJ0VW9SZmxG?= =?utf-8?B?ZXM1YzV1YkdzWVRuQ1RpMUFhWWtyT1FxZm14aVdaSWVjSmRDMkRUN056a2VJ?= =?utf-8?B?ZmQwOU5rYzFFN1dsYXZHTnc1b3VXd0JNaFBabEh0eDY1Z3JNTSsyRWtaRmk0?= =?utf-8?B?Zk9xRzd1NmljSWVPcXRDYlJLZ0tiVkRNQjBkYjJmTzJpeTJsVkNNMkRIeGFz?= =?utf-8?B?bjRWMWZDMkI4bGwvVE50RDZOdHhkTk9tM1d5K1lLVHl4N0hvdTFWcjlXRXJk?= =?utf-8?B?czBFdmlBWTdrZ1g4WG51S1FKbldiaERQS0FXUHhGeEFIYngzNWl4R1M4MW1k?= =?utf-8?B?ZTlVS2lKbzJ1cm5zU2ovRXczdGg4M3N4TS95VUc1cENqNkhpWVNKcjdmaGs0?= =?utf-8?B?UTdzWWxPZUhkUTZ0Vy9aSFByVHZvNzBScG1IUTA2VHc5YnZ0SW1vcGRWNUdY?= =?utf-8?B?MXNtWUZ3Q2ZNeTk2TlpJc2VkeVEyZUlEbWxEbDE3MHV6YUhhOE52R2drdXZG?= =?utf-8?B?aGtpaFBBeStQdVZFaUdSM1lkMFVLaTRxUFdDOGlQU3BWYmt3K2lMWk4vU0Mv?= =?utf-8?B?elAvRHAzSEVJMEFhZ2xLYlBGS0NtaWVEN2Z6d1F4cnZUMnc9PQ==?= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(376014);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?V0owblVSR0NidlJFNGtYamlvY3ZGYmRXbE5ZQTZ0N3pSVEpiKzB6TmdGZnVM?= =?utf-8?B?MEVUWm9HemdRQ0FzR0RaOC9KUzExTWxBdFpkTDFLY255WUMzMVptb2t0djNB?= =?utf-8?B?R1RFRjdDK1ZBdEhCc3VzdmQyZzIzYmVIRmp0c2RWMGU2N3lFTjQyVmNGckN4?= =?utf-8?B?L2liUk1QaFduU3RTbU9BczJrVHQ1N2FtNHp0S2Q0VjZ5UHRIeHZlbStwMFZt?= =?utf-8?B?UzErS3llUGhYQXB3aENHbVFneS9UVWhES05qdWFZNC95c2pNQndQMzd0Y3VU?= =?utf-8?B?QStoYVJjK0tHa0NDVGV4Sjd4R0IzWG50eG9VRDFsUnNaQXpJellJQk9OUWc0?= =?utf-8?B?K2JxbVQzRmdZZEx0OXhCc0hjV0JqY1V0cjk0bWowRjVwVVA4aUpaaDJ4NnJl?= =?utf-8?B?a3FFaDVJeU9nT0V1WjdWTE5PdWtjd2tadWI1Q3pCd0ZZd2xRcTFsRDJGMG1Z?= =?utf-8?B?NDJUZHU1NzFtUmdnYXRaYnlTTXZadzdLaTVUOUQ1TmlkOUFHWWZFb09hcHVT?= =?utf-8?B?eThyZHBlN3Bubzd6dkhnTERXekF4eFZMZ0xndTc5V2tlLzFZZVQ2bzFRMTBk?= =?utf-8?B?NE9rK01vaWpGeGNDc0c3MTN1c3BzMXRPamRhM0F1azB2ZyttSXNZaVY3NEc0?= =?utf-8?B?UlFNcjhwNmgySWlHaHpCeFZlREhBL09QU1JKdnpVamR1d0lLSjY4ZEs4Q2lY?= =?utf-8?B?L25CM1NjSnQ2N3pmbXJHVldwcDZhdFFER2ZOejhBaWhaRitpN3B3U1QxV01S?= =?utf-8?B?ckRVdElhcS9GZXRWOEFIUmJNWGlKTUFtSUdrQjg5REU3UUNscmhOVnFuK1hl?= =?utf-8?B?SE1aak9zazJSQXIxYSs4d0UwN1NvTWVKT3RlSFZ2c0ZxTWpBV2hmMWdBV0pM?= =?utf-8?B?Rzh2ZXpoZ0h5QzgwazFiNnBTV0lDOVQvYzFkbWlSejBreDh1Y0FqL0N2WmZQ?= =?utf-8?B?ZlllOUVBSVdRelJJUlpBUlRtbWpwdDZHUUoyUm1TWTVBVTZHNHdaaVN4VU5p?= =?utf-8?B?WDcya2tnTm9KQ2VKS3BBek9ManpNZnRLaW9NaHlsV096Rm44akM3Q2wrSUJy?= =?utf-8?B?VmVCM05YeE1OR2ExcTlyemMyNUpLSmhwa3VISFRpSTNRYVR6TElnRlR1Y29u?= =?utf-8?B?eE1aVkZtOC9WSlkwK1FaNVEzODg0bkdVaXBVY1pXNTJ3Z3RSMjRhM3crbmNX?= =?utf-8?B?MXR2MW9NbHY1NStnZE5BL0p5T1ovMlJuUHNtaDJTQ3N5WWlWemw2VWJnS3Ra?= =?utf-8?B?cnYwL3diSXVydStlMTBiRUU4M2lKTEZhd0ViMnppMEFsdllGYzNPd3g4Y3dX?= =?utf-8?B?TE04UU53eml6T3p3aDZRZVlwZ2Q1U25QOFBvK2ZUYXI1OTNGalhybWpnTVJR?= =?utf-8?B?VkpQckZ0bk56TTFRNm9IVTNFazIxb3pvZWxCUURqM25rTnZWL2w3YjNhbVUv?= =?utf-8?B?SitNcm9yWUgrVTRjL1F3TnVOR1BKU050cjE3eUFhWmFpZEIreEkzYUcxVnlH?= =?utf-8?B?S3NrbVFrcWRISzJlWkE0czlaMTlHRHZXY3NLMkk4bUZvR2VKM2NjbDRKTHQ5?= =?utf-8?B?VVNNc0gxSzNJRkZzdjhGTlJXNCtiaWxvUHJvYjY1LzNnbWJtdDFHcGcxYnY2?= =?utf-8?B?T0ZMSUpaVDlNWjNmVU9WZ1RtRFY5VlRvTitIL29oSGp0amhXa3dBM0Mvd0dB?= =?utf-8?B?OUdOYmptdS8rN0R5U3laeUVnV3pvS3hnaWdZYVZuMUhOSENhQmpKWnlzRnl5?= =?utf-8?B?NU1qc2k3TzQ5V29ZWG1IeGZablhQYlV6Z0RuT0xvQ0VnNWVVVlhnZXZWNzg2?= =?utf-8?B?NXlQUzQ1NnBPRk9CNjJqMkxURGorMmtrWmVTbUtGVy9RVWZiejhaRy9Ic0R6?= =?utf-8?B?K0RpQjh3ODR2d1d2MldQbFNyK0RPVVJBQlA1cXdGMi9FQVN2MEorL0twcmhH?= =?utf-8?B?cytxUXNySThkSzFmQUo2QUQ2Y2RtNzZxWkh6VjVwdG1mSkk0b0ZNeEtKQkpC?= =?utf-8?B?UlRncnRmYmVKVmM1R3Zrd2JGbjdybzZnQ1hTYWgwRWh4U3htZEFDL0pHWC90?= =?utf-8?B?Z2RDeUtSa2hsS3Ayam41Z1V6QUlBM2o1RlJCSEtLSk11bjlFaFJsQ3VOdjJM?= =?utf-8?Q?jCZ9mxe0PGcJYoOoDcTTYaplk?= X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: bb53dd6d-eeeb-4d13-507e-08de39689f59 X-MS-Exchange-CrossTenant-AuthSource: AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Dec 2025 10:24:24.8010 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: u6T2W+LUXzxsS5GIOg14LmIveuqbz77i6iU1ER+rr968oHuYOncgej6exsRyRLhzPSOQkqH3oRVjNkjEdMmq8w== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0PR10MB5773 X-Original-Sender: jan.kiszka@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=tD9iQke6; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c200::5 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Jan Kiszka Reply-To: Jan Kiszka Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: vcSpO3TzxWRJ On 01.12.25 09:58, Felix Moessbauer wrote: > This patchset adds proper SBOM generation in the two standard formats > SPDX and CycloneDX during the rootfs generation process. > > The generation is itself is handled by a SBOM generator `debsbom` [1] > which is developed as an open source project at Siemens. It is still > early in development, but it has enough features for what we require > in isar. The required dependencies which are not yet available as > Debian packages were minimally packaged directly in isar too. > > This is a followup of the previous RFC [2]. Since then the series has > changed a lot. The SBOM generation was moved from a simple OE lib to > `debsbom`. This also meant the introduction of a separate chroot was > necessary. The SBOM generation process was also moved from the image > step to the rootfs step, along with a lot of minor changes and > improvements. > > [1] https://github.com/siemens/debsbom > [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ > > Changes since v5: > > - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to > machine changes made in image file) > - rebased onto next > > Changes since v4: > > - rebased onto next > - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE}) > > Changes since v3: > > - fix issue on external bullseye initramfs (we now disable sbom generation > on all unsupported distros rootfs instances) > - update debsbom to v0.4.0 > - rebased onto next > > Changes since v2: > > - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions > - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2 > - generate SBOM for imager as well and create merged sbom of .wic image > - resend imager manifest + wic manifest patches to reduce conflicts > > Note, that the patches p1-p5 are most important as they add basic SBOM > support. The remaining patches address the imager + .wic bom part, > which also can be merged later on. > > Changes since v1: > > - remove tarball > - refactor packaging (auto-derive python dependencies) > - only build missing packages (varies on bookworm, trixie, noble) > - add ubuntu support > - only generate sboms for supported distributions (bookworm/jammy and > onwards) > - update debsbom (includes bug fixes and more information for source > packages) > > > Christoph Steiger (3): > meta: package python libraries for SBOM generation > meta: package python3-debsbom > meta: add SBOM generation with debsbom > > Felix Moessbauer (7): > refactor: move get_rootfs_distro from sdk into rootfs > override distro vendor in SBOM on Ubuntu > add support to add imager dependencies to BOM > wic: create uniform manifest describing all image components > qemuamd64: add IMAGER_BOM entries > imager: create SBOM of IMAGER_BOM packages > wic: create uniform SBOM describing all image components > > doc/user_manual.md | 1 + > meta-isar/conf/distro/ubuntu-common.inc | 2 + > meta-isar/conf/machine/qemuamd64.conf | 1 + > .../recipes-core/images/isar-image-ci.bb | 1 + > meta/classes/image-tools-extension.bbclass | 29 +++++++++ > meta/classes/image.bbclass | 7 ++ > meta/classes/imagetypes_wic.bbclass | 30 +++++++++ > meta/classes/initramfs.bbclass | 3 +- > meta/classes/rootfs.bbclass | 23 ++++++- > meta/classes/sbom.bbclass | 65 +++++++++++++++++++ > meta/classes/sdk.bbclass | 10 +-- > .../sbom-chroot/sbom-chroot.bb | 30 +++++++++ > .../python3-beartype/files/rules | 8 +++ > .../python3-beartype_0.19.0.bb | 29 +++++++++ > .../files/pybuild.testfiles | 1 + > .../python3-cyclonedx-lib/files/rules | 8 +++ > .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++ > ...icense-description-in-pyproject.toml.patch | 28 ++++++++ > .../python3-debsbom/files/rules | 8 +++ > .../python3-debsbom/python3-debsbom_0.4.0.bb | 45 +++++++++++++ > .../python3-packageurl/files/rules | 8 +++ > .../python3-packageurl_0.16.0.bb | 33 ++++++++++ > .../python3-py-serializable/files/rules | 8 +++ > .../python3-py-serializable_2.0.0.bb | 38 +++++++++++ > .../python3-spdx-tools/files/rules | 25 +++++++ > .../python3-spdx-tools_0.8.3.bb | 46 +++++++++++++ > 26 files changed, 524 insertions(+), 11 deletions(-) > create mode 100644 meta/classes/sbom.bbclass > create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb > create mode 100644 meta/recipes-support/python3-beartype/files/rules > create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb > create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles > create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules > create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb > create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch > create mode 100644 meta/recipes-support/python3-debsbom/files/rules > create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb > create mode 100644 meta/recipes-support/python3-packageurl/files/rules > create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb > create mode 100644 meta/recipes-support/python3-py-serializable/files/rules > create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb > create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules > create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb > Can we please make sbom generation opt-in for distros that require building the tool with all its dependencies manually? It's those extra package targets that are only interesting if you plan to ship, not so much while you are developing. Jan -- Siemens AG, Foundational Technologies Linux Expert Center -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/7b9b5669-fb6f-4dfe-b146-25a6f35b2583%40siemens.com.