dev-manual/sbom.rst: reflect that create-spdx is enabled by default

Since nanbield (b34032ec "defaultsetup: Inherit create-spdx by
default"), the create-spdx class is pulled in by default, not only by
poky.

Adapt the text to reflect this and also change INHERIT to INHERIT_DISTRO
since this is the more concrete variable to modify for disabling
create-spdx.

[AG: fix conflicts]

(From yocto-docs rev: 4c47eb98e096121d71663342dde86b8c9256c9b5)

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 2b6228943443faf76c9869a0daeccfe7f93688ca)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

documentation/dev-manual/sbom.rst

@@ -24,11 +24,12 @@ users can read in standardized format.
 :term:`SBOM` information is also critical to performing vulnerability exposure
 assessments, as all the components used in the Software Supply Chain are listed.
 
-The OpenEmbedded build system doesn't generate such information by default.
+The OpenEmbedded build system generates such information by default (by
-To make this happen, you must inherit the
+inheriting the :ref:`ref-classes-create-spdx` class in :term:`INHERIT_DISTRO`).
-:ref:`ref-classes-create-spdx` class from a configuration file::
 
-   INHERIT += "create-spdx"
+If needed, it can be disabled from a :term:`configuration file`::
+
+   INHERIT_DISTRO:remove = "create-spdx"
 
 Upon building an image, you will then get the compressed archive
 ``IMAGE-MACHINE.spdx.tar.zst`` contains the index and the files for the single