
Re: Reproducing the release tarballs

From: Daniel Stenberg via curl-library <>
Date: Sun, 31 Mar 2024 11:24:27 +0200 (CEST)

On Sat, 30 Mar 2024, Dan Fandrich via curl-library wrote:

> SPDX seems to be the standard SBOM format for this that tools are starting
> to expect. The format is able to handle complex situations, but given the
> very limited scope needed in curl and for source releases only, once you get
> a template file set up the first time filling in the details for every
> release should be simple.

I can't help but feel that this is aiming (much) higher than what I want to do.
If someone truly thinks SPDX is a better way to provide this information then
I hope someone will step up and convert the scripts to instead use this.

This is an SBOM for the tarball creation, not for curl.

I'd rather start with something basic and simple, as we don't even know if
anyone cares or wants this information.

> Even running "reuse spdx" in the curl tree (the same tool that's keeping
> curl in REUSE compliance in that CI build) will output a SPDX file for curl.

I tried it just now. It produces 86,000 lines of output! And yet I can't find
a lot of helpful content within the output for our purpose here.

It does not seem like a suitable tool for this.

Received on 2024-03-31