Re: RFC: Adopting SPDX for SBOM generation
- Reply: Rob Norris: "Re: RFC: Adopting SPDX for SBOM generation"
- In reply to: Lexi Winter : "Re: RFC: Adopting SPDX for SBOM generation"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 06 Aug 2025 16:28:56 UTC
On Wed, Aug 6, 2025 at 4:46 AM Lexi Winter <ivy@freebsd.org> wrote: > > Ed Maste: > > We would appreciate your feedback on: > > [...] > > - Integration with existing FreeBSD development workflows > > > Any concerns or suggestions for the proposed approach > > this may be too obvious to be worth mentioning, but just in case: > whatever tooling is used should make it possible to correctly populate > the license metadata in pkgbase during build. at the moment we set this > to BSD2CLAUSE for every package, which is very wrong. Yea, at the very least we need to comply with SPDX and use one of their identifiers. I'd suggest 'SPDX-License-Identifier: BSD-3-Clause AND BSD-2-Clause' as a good first approximation until we can do finer-grained analysis. Yes, there are exceptions, and we can handle those on a case by case basis (eg ZFS could update the license metadata by hand to be the right CDDL variant, etc). If we can't do that with pkgbase, we should add it. Likewise for some of the other contrib things. IIRC, part of the SBOM effort was a focus on the things we have in contrib since part of the SBOM metadata, imperfect as this is, is the version number of things like awk, xz, zstd, etc. The project that Ed's talking about wasn't going to try to intuit what files were used to generate which of the pkgbase packages and come up with a custom SPDX-License-Identifier. We've splatted a bunch of those in the tree on top of whatever other license was present. At the time, we accepted that there would be approximations in this work. Since then, a number of new BSD variations have been recognized by SPDX that we should likely use instead. Plus we have an unbelievable number of variations in the tree. You don't notice them usually, until you run tools on the tree and see we have a lot of 80-95% matches. Some of the differences aren't legally relevant (so don't need a new identifier), others are. Plus, there's a number of places in the tree that we grabbed from upstreams like NetBSD that we can update to a newer version to get the newer terms that would make some of this less complicated. There's other places that are just wrong. sbin/etherswitchcfg/ifmedia.c has "SPDX-License-Identifier: BSD-4-Clause" but it should be "SPDX-License-Identifier: BSD-4-Clause AND BSD-3-Clause" (though this is one of those aforementioned files that we could update to get BSD-3-Clause all around)... Anyway, license work is both endless and thankless. Oh, and that that rewarding for me except when I need an easy win (and even those aren't always so easy). So in general, I love the sbom project, and understand its first iteration won't be perfect, but it gives us something (where today we have nothing) and lets us iterate from there. Warner