feat: record git cherry-picks in SBOMs #2221
Conversation
Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
Signed-off-by: Łukasz 'sil2100' Zemczak <lukasz.zemczak@chainguard.dev>
|
@sergiodj sent some replies to your comments. Tell me what you think! Would you have some time to review this in more depth? |
Thanks, @sil2100. I just had those two questions that you've already answered. I sat down and looked at the code more carefully, and it seems great. Thanks a lot for doing this in such short notice! You rock. |
|
I still like this approach that I took here, but there are discussions of switching this to a directly-downloadable url (like in the |
|
@sil2100 I like this approach as well. Can we proceed with this one at least temporarily? Is it a problem if we withdraw these new fields in the future (in favour of a different approach, for example)? |
|
I'd love to go with this approach, but I am worried about withdrawal/change later! Since if people start expecting the reference to be one thing and then it's suddenly another, that feels problematic. Of course, there's still the option of having BOTH fields. Like, keep the cherry-pick-commit-id fields as proposed here and then supplement those with references with downloadable urls as we were discussing separately. |
2 participants
Currently cherry-picks, similar to patches, go unnoticed in our apk SBOMs. But unlike patches, which are hard to describe in SBOMs as their contents can be custom, cherry-picks come from upstream and can be registered. There's multiple ways to do it, but here I proposed recording those in
externalRefsfor the source. SPDX 2.3 supports an arbitrary"OTHER"category which I propose to use here for this. There is also"SECURITY", which is nice as it is something that tools already know how to parse, but it has some shortcomings: first, it's purpose is for security fixes. Second, the locator needs to be a direct url - which is nice, but redundant and might be a bit arbitrary.Thoughts?