Description
Is your feature request related to a problem? Please describe.
In the predecessor of AI-controlled CI/CD, understanding provenance as a possible supply chain element is complex. The open source operating system Photon OS uses more than a thousand subcomponents from open source providers. The open source license statement is usually static, but from time to time vendors change their license statement or their supply chain elements.
The Photon OS make-build process consists of three phases. In Ph5, Level 1 consists of 16 packages, Level 2 consists of 124 packages, and Level 3 consists of all other packages. The number varies from Photon OS release to Photon OS release; however, in general, the provenance changes of Level 3 packages are not continuously monitored and used downstream.
DM me. I would like to discuss some 2025 contribution tasks.
Describe the solution you'd like
Introducing continuous provenance chaining could result in a statistics website with a list per CPU architecture of Photon OS releases, flavors and packages with their license declaration per package version and the provenance changes of level packages that have been detected or have already been tested but not yet integrated, or deprecated and replaced with another component.
Describe alternatives you've considered
The following Excel sheets (Excel is a database...) have been populated with the old meccano and only contain the topicality data without provenance license data and without package dependencies.
photonos-urlhealth-3.0_202412282238.prn.xlsx
photonos-urlhealth-4.0_202412282351.prn.xlsx
photonos-urlhealth-5.0_202412290126.prn.xlsx
photonos-urlhealth-6.0_202412290239.prn.xlsx
photonos-diff-report-3.0-4.0_202412290355.prn.xlsx
photonos-diff-report-4.0-5.0_202412290355.prn.xlsx
photonos-diff-report-5.0-6.0_202412290355.prn.xlsx
photonos-package-report_202412290355.prn.xlsx
February 13th 2025
Remarks:
- Increased number of available source updates
- More and more developers switched from PyPI to GitHub repositories
- GNOME moved away from GitHub read-only repositories
- More Fedoraproject.org packages with nested source packages (e.g. libsolv .tar.gz in src.rpm)
- kernel.org EOL dates
  - 6.6 used in Ph6: Dec, 2026
  - 6.1 used in Ph5: Dec, 2027
  - 5.10 used in Ph4: Dec, 2026
  - 4.19.325 used in Ph3: EOL
As usual, be aware of [ false positive / true negative ] entries in the following reports.
Ph3 : 635 available source updates in 884 packages: photonos-urlhealth-3.0_202502130955.prn.xlsx
Ph4 : 690 available source updates in 1003 packages: photonos-urlhealth-4.0_202502131126.prn.xlsx
Ph5 : 622 available source updates in 1045 packages: photonos-urlhealth-5.0_202502131259.prn.xlsx
Ph6 : 667 available source updates in 1042 packages: photonos-urlhealth-6.0_202502131438.prn.xlsx
Ph3-to-Ph4: 32 version differences with same package: photonos-diff-report-3.0-4.0_202502131616.prn.xlsx
Ph4-to-Ph5: 25 version differences with same package: photonos-diff-report-4.0-5.0_202502131616.prn.xlsx
Ph5-to-Ph6: 132 version differences with same package: photonos-diff-report-5.0-6.0_202502131616.prn.xlsx
photonos-package-report_202502131616.prn.xlsx
Additional context
No response