
Add SPDX BOM support to mkosi #1230

Open
behrmann opened this issue Oct 18, 2022 · 5 comments

@behrmann
Contributor

As discussed on the image summit.

@behrmann behrmann added the RFE label Oct 18, 2022
@DaanDeMeyer DaanDeMeyer changed the title Add SPDX support to mkosi Add SPDX BOM support to mkosi Oct 18, 2022
@keszybz
Member

keszybz commented Oct 27, 2022

@septatrix
Contributor

Would this have to be implemented from scratch (for each supported distro/package manager) or can something like syft be reused?

@keszybz
Member

keszybz commented Nov 16, 2023

I think syft is overkill for our case here. We don't want to do "detection", we have all the information available, and we only need to write it out in a different format. If somebody thinks that syft or some other external tool should be hooked up, I don't have an issue with that and would support it as an optional feature. But I think that it'll actually be less work to just implement this internally. We currently write out a JSON manifest, so I expect it'd be ~20 lines of Python to write out XML instead.

@septatrix
Contributor

Including the license field would also be appreciated

rpm offers the %{LICENSE} field for querying, pkg also has a license array and dpkg has debian/copyright as a best practice. Sadly none of these seems mandatory, nor do they mandate SPDX license identifiers. Fedora seems to be best here as every package on my system has a license set and almost all are SPDX compliant. Debian has a few odd ones out and I cannot test Arch.

Even with some packages not having a proper license set, I still think also including the license in a BOM is the best play.
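To make the two points above concrete (keszybz's: the package list is already known, so it only has to be written out in SPDX form; septatrix's: carry the license along, even when some values are not SPDX identifiers), here is an added example that is not mkosi's code. The manifest field names, the distro-free purl form, the document namespace and the tiny license allowlist are all assumptions constructed for the example; it emits SPDX 2.3 JSON and maps any license string that is not a valid SPDX expression to NOASSERTION rather than dropping the package or inventing an identifier.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of a per-package manifest; the field names
# are an assumption for this example, not mkosi's real manifest schema.
SAMPLE_MANIFEST = {"name": "example-image", "packages": [
    {"name": "bash", "version": "5.2.15-3", "type": "rpm", "license": "GPL-3.0-or-later"},
    {"name": "zlib", "version": "1.2.13-4", "type": "rpm", "license": "Zlib AND BSL-1.0"},
    {"name": "libfoo", "version": "0.1-1", "type": "deb", "license": "GPLv2+"},   # legacy spelling
    {"name": "libbar", "version": "2.0-1", "type": "deb", "license": ""},        # no license set
]}

# Small constructed subset of the SPDX license list so the example runs offline;
# a real writer would load the complete list.
KNOWN_IDS = {"GPL-2.0-or-later", "GPL-3.0-or-later", "MIT", "Zlib", "BSL-1.0"}
OPERATORS = {"AND", "OR"}

def spdx_license(value):
    """Keep a license only if every token is a known SPDX id or operator; else NOASSERTION."""
    tokens = (value or "").replace("(", " ").replace(")", " ").split()
    if tokens and all(t in OPERATORS or t in KNOWN_IDS for t in tokens):
        return " ".join(tokens)
    return "NOASSERTION"

def to_spdx(manifest):
    """Write the already-known package list out as an SPDX 2.3 JSON document (no detection)."""
    packages, relationships = [], []
    for pkg in manifest["packages"]:
        # SPDXRef ids may only contain letters, digits, '.' and '-'.
        spdxid = "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", f"{pkg['name']}-{pkg['version']}")
        packages.append({
            "SPDXID": spdxid, "name": pkg["name"], "versionInfo": pkg["version"],
            "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": spdx_license(pkg.get("license")),
            # purl without a distro namespace (assumption); a real writer would add e.g. fedora/debian
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": f"pkg:{pkg['type']}/{pkg['name']}@{pkg['version']}"}],
        })
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                              "relatedSpdxElement": spdxid, "relationshipType": "DESCRIBES"})
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": manifest["name"],
        "documentNamespace": f"https://example.invalid/spdx/{manifest['name']}",  # placeholder
        "creationInfo": {"created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                         "creators": ["Tool: example-spdx-writer"]},
        "packages": packages, "relationships": relationships,
    }
```

`json.dumps(to_spdx(SAMPLE_MANIFEST), indent=2)` gives a document that SPDX tooling can validate; the two packages with non-SPDX license strings come out with `licenseDeclared: NOASSERTION`, which is the honest value for the "odd ones out" mentioned above.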
