RedHatProductSecurity / security-data-guidelines

A set of documents detailing Red Hat's publishing of security data.
https://redhatproductsecurity.github.io/security-data-guidelines/
MIT License

What relation type should be buildroot rpms? #28

Open tkopecek opened 4 days ago

tkopecek commented 4 days ago

I'm gathering all rpms used in buildroot and adding them as BUILD_DEPENDENCY_OF of every rpm produced in build architecture. It is a vast matrix for some rpms. Is it the right way? Just to illustrate my thinking:

1) They should be build deps only of srpm (which is not technically right)
2) They should be some other relation type.
3) Some build processes differ between srpm and rpm builds (koji) while others do everything in the same buildroot (konflux). It would result in very different SBOMs which is probably fine.

mprpic commented 2 days ago

I assume by buildroot RPMs we're talking about all of the compilers, libraries, and other tools used during the process that are installed from specific RPMs. I think it makes sense to list these out and relate them all to the SRPM package in the SBOM using the BUILD_TOOL_OF relationship type. The SRPM is the source package that defines how all the binary RPMs are built, and the relationship to the buildroot RPMs would then indicate that these RPMs are tools needed to turn that SRPM into the final binary packages.

We also use the BUILD_TOOL_OF relationship type to describe container images used during a multi-stage build (see https://github.com/RedHatProductSecurity/security-data-guidelines/pull/23).
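The two ways of recording buildroot RPMs discussed in this thread, as an added example (not code from the issue, the guidelines, or any Red Hat tooling): it emits SPDX 2.3 JSON `relationships` entries both as BUILD_TOOL_OF the SRPM and as BUILD_DEPENDENCY_OF every binary RPM, so the direction of each relationship and the size difference between the two matrices can be inspected. The package identifiers are constructed and hypothetical; the SPDX field names and the `SPDXRef-` identifier character set follow the SPDX 2.3 specification.

```python
# Added example, not project code: SPDX 2.3 relationship entries for buildroot RPMs.
# SPDX semantics: "A BUILD_TOOL_OF B" and "A BUILD_DEPENDENCY_OF B" both read
# "A is used to build B", so the buildroot RPM is always the spdxElementId side.
import itertools
import json
import re

# SPDX 2.3 allows only letters, digits, "." and "-" after the SPDXRef- prefix (no "_").
SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.-]+$")


def check_spdx_id(spdx_id):
    """Reject identifiers that are not valid SPDX element references."""
    if not SPDX_ID_RE.match(spdx_id):
        raise ValueError(f"invalid SPDX identifier: {spdx_id!r}")
    return spdx_id


def relationship(src, rel_type, dst):
    """One entry of the SPDX 2.3 JSON 'relationships' array."""
    return {"spdxElementId": check_spdx_id(src),
            "relationshipType": rel_type,
            "relatedSpdxElement": check_spdx_id(dst)}


def buildroot_as_build_tools(srpm_id, buildroot_ids):
    """Approach suggested in the thread: each buildroot RPM is a BUILD_TOOL_OF the SRPM only."""
    return [relationship(b, "BUILD_TOOL_OF", srpm_id) for b in sorted(set(buildroot_ids))]


def buildroot_as_build_deps(binary_ids, buildroot_ids):
    """Approach the issue started from: every buildroot RPM is a BUILD_DEPENDENCY_OF every binary RPM."""
    return [relationship(b, "BUILD_DEPENDENCY_OF", rpm)
            for b, rpm in itertools.product(sorted(set(buildroot_ids)), sorted(set(binary_ids)))]


def build_tools_of(relationships, target_id):
    """Consumer-side lookup: which SPDX IDs are recorded as build tools of target_id."""
    return sorted(r["spdxElementId"] for r in relationships
                  if r["relationshipType"] == "BUILD_TOOL_OF" and r["relatedSpdxElement"] == target_id)


# Constructed sample identifiers (hypothetical packages, not taken from the page).
SRPM = "SPDXRef-SRPM-example-1.0-1.src"
BINARIES = [f"SPDXRef-RPM-example-1.0-1.{a}" for a in ("x86-64", "aarch64", "ppc64le", "s390x")]
BUILDROOT = ["SPDXRef-RPM-gcc-14.1.1-1", "SPDXRef-RPM-make-4.4.1-6", "SPDXRef-RPM-glibc-devel-2.39-8"]

if __name__ == "__main__":
    tools = buildroot_as_build_tools(SRPM, BUILDROOT)
    deps = buildroot_as_build_deps(BINARIES, BUILDROOT)
    print(f"BUILD_TOOL_OF SRPM: {len(tools)} entries; BUILD_DEPENDENCY_OF each RPM: {len(deps)} entries")
    print(json.dumps({"relationships": tools}, indent=2))
```

With 4 architectures and 3 buildroot packages the per-RPM form already produces 12 entries against 3 for the per-SRPM form; the gap grows with the product of the two counts.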