From dbf5ddbdb59548df2605349b7b5183aeddadee81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Enrico=20J=C3=B6rns?= Date: Tue, 28 Oct 2025 09:12:22 +0100 Subject: [PATCH] dev-manual/sbom.rst: reflect that create-spdx is enabled by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since nanbield (b34032ec "defaultsetup: Inherit create-spdx by default"), the create-spdx class is pulled in by default, not only by poky. Adapt the text to reflect this and also change INHERIT to INHERIT_DISTRO since this is the more concrete variable to modify for disabling create-spdx. [AG: fix conflicts] (From yocto-docs rev: 4c47eb98e096121d71663342dde86b8c9256c9b5) Signed-off-by: Enrico Jörns Reviewed-by: Quentin Schulz Signed-off-by: Antonin Godard (cherry picked from commit 2b6228943443faf76c9869a0daeccfe7f93688ca) Signed-off-by: Antonin Godard Signed-off-by: Steve Sakoman --- documentation/dev-manual/sbom.rst | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst index 7c4b5804fb..9157cbba5d 100644 --- a/documentation/dev-manual/sbom.rst +++ b/documentation/dev-manual/sbom.rst 
@@ -24,11 +24,12 @@ users can read in standardized format. :term:`SBOM` information is also critical to performing vulnerability exposure assessments, as all the components used in the Software Supply Chain are listed. -The OpenEmbedded build system doesn't generate such information by default. -To make this happen, you must inherit the -:ref:`ref-classes-create-spdx` class from a configuration file:: +The OpenEmbedded build system generates such information by default (by +inheriting the :ref:`ref-classes-create-spdx` class in :term:`INHERIT_DISTRO`). - INHERIT += "create-spdx" +If needed, it can be disabled from a :term:`configuration file`:: + + INHERIT_DISTRO:remove = "create-spdx" Upon building an image, you will then get the compressed archive ``IMAGE-MACHINE.spdx.tar.zst`` contains the index and the files for the single
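Review bot: the unchanged context sentence right after the new `INHERIT_DISTRO:remove = "create-spdx"` example still begins "Upon building an image, you will then get the compressed archive", so with this change "then" reads as a consequence of disabling the class rather than of the default behaviour. Suggest either moving the "If needed, it can be disabled" paragraph below the description of the ``IMAGE-MACHINE.spdx.tar.zst`` archive, or rewording that following sentence so it no longer depends on the preceding step (for example, starting it with "With create-spdx enabled, building an image produces ..."). Since the paragraph above calls SBOM information critical to vulnerability exposure assessments, the disable instruction could also say in one sentence that removing the class means no SPDX output is produced for the image, so readers do not turn it off without knowing what they lose.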