Yocto 2.6, spdxscanner..


keydi
 

Hi,

1. Are any meta-spdxscanner alternative solutions provided by Yocto
for software bill of materials generation?
2. What level of maturity do artifacts generated by the meta-spdxscanner
version used in YP 2.6 show? Any kind of artifacts needed for OSS compliance
requirements still not collected by spdxscanner in the mentioned YP version?
To put it in other words: How safe is it to rely merely on the mentioned compound
to be, at the end of the day, compliant with OSS obligations?
A distribution comprising more than 200 packages is built, hence
we speak about a potentially very wide range of open source licensing types
for packages used in the distribution.
3. What might the feasibility of backporting spdxscanner versions to Yocto 2.6 look like?

Regards
k.d.
