Hi Nuno,
For 2.0 I think we need to decide what makes sense from a space and risk perspective. From an individual file perspective, SHA-1 is probably fine since it's just meant to ensure that the file being looked at matches the information recorded, rather than keep something secret. However, we may want to permit SHA-256 or something else to be used instead or as an option. Not sure right now, and interested in thoughts. Downside is its size and whether it's really worth it for file level.

2.0 is just kicking off, and we're working on it on the WIKI at this point, and through the meeting minutes, etc. I'll start the document as soon as we have a clear direction on the model (subject of current discussion).

Feel free to chime in with other questions or concerns here on the list.  :-)

Kate

________________________________
 From: Nuno Brito <[email protected]>
To: [email protected] 
Cc: [email protected] 
Sent: Thursday, November 14, 2013 11:54 AM
Subject: Re: SPDX 2.0 - update the checksum?
 

Dear Kate,

Would each file still be described with an SHA-1 signature in version 2.0 as default?

Sorry if I misunderstood something, I don't seem to be able to find a draft for version 2.0 on the SPDX site and can't read the content for the mentioned sections.

Perhaps it would be possible to provide a link where the draft can be read?

My thanks in advance.

With kind regards,
Nuno Brito

---
http://triplecheck.de

> Date: Wed, 13 Nov 2013 13:19:24 -0800 (PST)
> From: [email protected]
> To: "[email protected]" <[email protected]>
> Subject: SPDX 2.0 - update the checksum?
> Message-ID:
>     <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> 
> 
> Noticed this, and thinking we may want to give an option for our
> checksum algorithms to be SHA-256 in 2.0 for 4.7, 4.8, and 6.3.
> 
> see: http://it.slashdot.org/story/13/11/13/0154244/microsoft-warns-customers-away-from-rc4-and-sha-1
> 
> Kate
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech