-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Distinguish between ABOUT files found in the codebase vs. curations #834
Comments
@AyanSinhaMahapatra ping... this needs design. |
How do we know what type (curations/regular) we are dealing with? |
From @pombredanne this could be either:
I think the later is much easier and cleaner, maybe something like an |
Another consideration is that a curation may be for the current directory or it could be for a target deployed file. We should have a way to track these.
|
Adds two new attributes: - deployed_resource - is_curated These are used to curate resources in deployed code. Reference: aboutcode-org/scancode.io#834 Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
Here are a few more thoughts on this issue:
We can now include and exclude patterns using An ABOUT file is like a package manifest. Or it is like a mini PurlDB. The cases we have are:
Issues arise when we are mixing the two cases as we cannot distinguish if an ABOUT file is/was present the codebase and designed to be used as missing package manifest or this is designed to be used as deployed codebase curation/override. Therefore we need to determine either if an ABOUT file is of type 1. or 2. and this can be done these many different ways:
Solutions B. and E. are the most appealing at first. The B. way seems to be the most appealing and general purpose approach.
Another ABOUT file to document the source side could be that (and we could have both):
In this case, With this it would not matter WHERE the ABOUT file lives in the codebase, it would be usable in all places. Existing ABOUT files would be still valid. So there is no compatibility breakage. And there is no need for solution E. There are interesting cases that this approach enables:
|
For case 2 (an ABOUT file present in the codebase designed to document files not yet present, such as files that will be fetched or compiled or created as a result of the build. This is the case we need and use in d2d pipelines today and the more complex case.) I am concerned that terms like development and deployment are not sufficient (and not well-understood/agreed outside AboutCode). Don't we want to distinguish between a package that is vendored in the development codebase vs one that is fetched from a separate repository? |
re:
That's what we are trying to do here. We could therefore have multiple ABOUT files, and some may be to document code that is in the current codebase while some fetched/built and found only in some other codebase, typically the deployed binaries.
Eventually, we could leave to the user to decide what this means, but I would rather come with a few simple and obvious codebase names. |
See also https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf
We could use a subset of these as a list. This is not perfect, but is published and exists. With this definition:
@chinyeungli @mjherzog @DennisClark @AyanSinhaMahapatra ping, feedback welcomed. |
@pombredanne |
If you read the CISA type descriptions closely I think that we should be using "Build" rather than "Deployed:. The description for Build is: "SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or package) from data such as source files, dependencies, built components, build process ephemeral data, and other SBOMs." |
We need to come up with good definitions here and use them to improve our AboutCode-internal terminology about codebases - the CISA types are for SBOMs which seems to be a different use case. |
In the d2d pipeline, the "curations" are ABOUT files designed to document code on the To side and are stored in the "From" side
There could also be "regular" ABOUT files in any of the codebases that would have been created by the maintainers of the repo to document code that lives side-by-side to these ABOUT files, like is done in SCTK or SCIO.
These are different!!!
The text was updated successfully, but these errors were encountered: