Re: Reproducing the release tarballs
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Sun, 31 Mar 2024 11:24:27 +0200 (CEST)
On Sat, 30 Mar 2024, Dan Fandrich via curl-library wrote:

> SPDX seems to be the standard SBOM format for this that tools are starting
> to expect. The format is able to handle complex situations, but given the
> very limited scope needed in curl and for source releases only, once you get
> a template file set up the first time filling in the details for every
> release should be simple.

I can't help but feel that this is aiming (much) higher than what I want to do.
If someone truly thinks SPDX is a better way to provide this information then
I hope someone will step up and convert the scripts to instead use this
format.

This is an SBOM for the tarball creation, not for curl.

I'd rather start with something basic and simple, as we don't even know if
anyone cares or wants this information.

> Even running "reuse spdx" in the curl tree (the same tool that's keeping
> curl in REUSE compliance in that CI build) will output an SPDX file for curl.

I tried it just now. It produces 86,000 lines of output! And yet I can't find
a lot of helpful content within the output for our purpose here.

It does not seem like a suitable tool for this.

--
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html

Received on 2024-03-31