Message-ID: <a6f5f9e9-3652-4aff-8422-05e1c88850de@tngtech.com>
Date: Tue, 3 Feb 2026 15:41:42 +0100
From: Luis Augenstein <luis.augenstein@...tech.com>
To: Nathan Chancellor <nathan@...nel.org>
Cc: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>,
 Greg KH <gregkh@...uxfoundation.org>, nsc@...nel.org,
 linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org,
 akpm@...ux-foundation.org, maximilian.huber@...tech.com
Subject: Re: [PATCH v2 00/14] Add SPDX SBOM generation tool

Hi Nathan,

> 2. This depends on having a clean initial build tree (either empty
>    directory or 'clean' as a make target) due to needing to parse the
>    .cmd files, which could be stale if someone builds a kernel, changes
>    their config, and rebuilds, right? This should be documented since I
>    do not think it is possible to do something like what Masahiro did in
>    commit 3d32285fa995 ("kbuild: wire up the build rule of
>    compile_commands.json to Makefile") because of the drawback that it
>    misses too many things.

There might be edge cases, but in general stale .cmd files should not be
an issue.

The script does not scan the build tree for .cmd files. It starts from a
set of root build artifacts (kernel image and .ko modules listed in
modules.order). From these roots, it parses the corresponding .cmd files
to discover the immediate dependencies, and then recursively processes
the .cmd files of those dependencies, effectively walking the entire
dependency graph up to the individual source files.

Stale .cmd files should not be referenced as dependencies by the root
artifacts and therefore not be part of the resulting dependency graph.

Best,
Luis

-- 
Luis Augenstein * luis.augenstein@...tech.com * +49-152-25275761
TNG Technology Consulting GmbH, Beta-Str. 13, 85774 Unterföhring
Geschäftsführer: Henrik Klagges, Dr. Robert Dahlke, Thomas Endres
Aufsichtsratsvorsitzender: Christoph Stock
Sitz: Unterföhring * Amtsgericht München * HRB 135082
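
The reachability argument in the message above, as an added example that is not part of the original message and is not code from the SBOM tool: a walk from a root artifact through constructed, simplified .cmd contents, in which a leftover drivers/.old.o.cmd never enters the graph. The file names, the commands and the suffix heuristic in `direct_deps` are assumptions made for illustration.

```python
import posixpath
import re

# Constructed, simplified .cmd contents keyed by path (not from a real build).
# drivers/.old.o.cmd is stale: old.o is no longer linked into built-in.a.
CMD_FILES = {
    ".vmlinux.cmd": "savedcmd_vmlinux := ld -o vmlinux init/main.o drivers/built-in.a\n",
    "drivers/.built-in.a.cmd":
        "savedcmd_drivers/built-in.a := ar cDPrST drivers/built-in.a drivers/new.o\n",
    "drivers/.new.o.cmd": "savedcmd_drivers/new.o := gcc -c -o drivers/new.o drivers/new.c\n",
    "drivers/.old.o.cmd": "savedcmd_drivers/old.o := gcc -c -o drivers/old.o drivers/old.c\n",
    "init/.main.o.cmd":
        "savedcmd_init/main.o := gcc -c -o init/main.o init/main.c\n"
        "source_init/main.o := init/main.c\n"
        "deps_init/main.o := \\\n  include/linux/init.h \\\n"
        "  $(wildcard include/config/SMP) \\\n",
}

LINE = re.compile(r"^(?:savedcmd|source|deps)_(\S+) := (.*)$")
FILE = re.compile(r"\.(?:o|a|c|h|S)$")  # assumed heuristic for "names a file"

def cmd_file_for(artifact):
    """Path of the .cmd file kbuild writes next to an artifact."""
    directory, name = posixpath.split(artifact)
    return posixpath.join(directory, f".{name}.cmd")

def direct_deps(cmd_text):
    """File-like tokens named in one .cmd file, excluding the target itself."""
    deps = []
    for line in cmd_text.replace("\\\n", " ").splitlines():
        match = LINE.match(line)
        if not match:
            continue
        target, rest = match.groups()
        for token in rest.split():
            if token != target and FILE.search(token) and token not in deps:
                deps.append(token)
    return deps

def walk(roots, cmd_files):
    """Nodes reachable from the roots; a node without a .cmd file is a leaf."""
    seen, stack = set(), list(roots)
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(direct_deps(cmd_files.get(cmd_file_for(node), "")))
    return seen
```

Calling `walk(["vmlinux"], CMD_FILES)` returns seven nodes, and neither drivers/old.o nor drivers/old.c is among them, because nothing reachable from the root names them.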
