https://bugs.linuxfoundation.org/show_bug.cgi?id=1189
Bug #: 1189
Summary: Proposal for digitally signing SPDX 2.0 documents
Product: SPDX
Version: 2.0
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
AssignedTo: spdx-t...@fossbazaar.org
ReportedBy: g...@sourceauditor.com
Classification: Unclassified

Based on the discussion at LinuxCon:

Problem statement - Today, there is no way to validate whether SPDX document(s) which have been reviewed have been modified after the review (either the file described by the SPDX document(s) or the metadata in the SPDX document(s)).

Proposal to have a documented best practice for creating a separate file outside of the SPDX documents being reviewed. This document would contain the file names and SHA1 checksums for all SPDX documents which have been reviewed (NOTE: This should include any externally referenced SPDX documents). Additional reviewer comments/annotations would also be included in this separate file. The resultant file could be digitally signed.

_______________________________________________
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech
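The workflow proposed in the bug, as an added worked example that is not part of the bug report and not SPDX project code: build a separate review file listing each reviewed SPDX document with its checksum plus the reviewer's annotations, sign that file, and later verify both the signature and the documents. The manifest line format ("Document: <name> SHA1: ... SHA256: ..."), the document names, the document contents and the annotation text are all constructed for this example; the signing key is a freshly generated Ed25519 key standing in for a reviewer's real key. Going slightly beyond the bug text, the example records SHA256 next to the SHA1 the proposal asks for, and it enforces the NOTE about externally referenced documents by parsing "ExternalDocumentRef:" tag-value lines and refusing to build a manifest when a referenced document (identified by the SHA1 in that line) is not in the reviewed set.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Document is one SPDX 2.0 tag-value document held in memory (the sample
// contents in sampleDocs are constructed for this example, not real files).
type Document struct {
	Name    string
	Content []byte
}

func sha1Hex(b []byte) string   { s := sha1.Sum(b); return hex.EncodeToString(s[:]) }
func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// externalRefSHA1s returns the SHA1 values from a document's
// "ExternalDocumentRef: DocumentRef-<id> <uri> SHA1: <hex>" lines.
func externalRefSHA1s(doc Document) []string {
	var out []string
	sc := bufio.NewScanner(bytes.NewReader(doc.Content))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 5 && f[0] == "ExternalDocumentRef:" && f[3] == "SHA1:" {
			out = append(out, strings.ToLower(f[4]))
		}
	}
	return out
}

// BuildManifest writes the separate review file: one sorted line per reviewed
// document (name, SHA1, SHA256) followed by the reviewer annotations. It fails
// if a document references an external SPDX document that was not reviewed.
func BuildManifest(docs []Document, annotations []string) ([]byte, error) {
	reviewed := map[string]bool{}
	for _, d := range docs {
		if strings.ContainsAny(d.Name, " \t") {
			return nil, fmt.Errorf("document name %q must not contain whitespace", d.Name)
		}
		reviewed[sha1Hex(d.Content)] = true
	}
	for _, d := range docs {
		for _, ref := range externalRefSHA1s(d) {
			if !reviewed[ref] {
				return nil, fmt.Errorf("%s references external document SHA1 %s, which is not in the reviewed set", d.Name, ref)
			}
		}
	}
	sorted := append([]Document(nil), docs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	b.WriteString("# SPDX review manifest (format assumed for this example)\n")
	for _, d := range sorted {
		fmt.Fprintf(&b, "Document: %s SHA1: %s SHA256: %s\n", d.Name, sha1Hex(d.Content), sha256Hex(d.Content))
	}
	for _, a := range annotations {
		fmt.Fprintf(&b, "Annotation: %s\n", a)
	}
	return []byte(b.String()), nil
}

// SignManifest produces a detached Ed25519 signature over the manifest bytes.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyManifest rejects any change to the manifest: a checksum, a name or an
// annotation edited after signing invalidates the signature.
func VerifyManifest(pub ed25519.PublicKey, manifest, sig []byte) bool {
	return ed25519.Verify(pub, manifest, sig)
}

// CheckDocuments recomputes digests for every document listed in a verified
// manifest and returns the names whose content now differs or is missing.
func CheckDocuments(manifest []byte, docs []Document) []string {
	current := map[string]Document{}
	for _, d := range docs {
		current[d.Name] = d
	}
	var bad []string
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 6 || f[0] != "Document:" {
			continue
		}
		d, ok := current[f[1]]
		if !ok || sha1Hex(d.Content) != f[3] || sha256Hex(d.Content) != f[5] {
			bad = append(bad, f[1])
		}
	}
	return bad
}

// sampleDocs returns two constructed documents; app.spdx references
// tools.spdx through an ExternalDocumentRef carrying its SHA1.
func sampleDocs() []Document {
	tools := Document{Name: "tools.spdx", Content: []byte(
		"SPDXVersion: SPDX-2.0\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: tools\nPackageName: spdx-tools\nPackageLicenseConcluded: Apache-2.0\n")}
	app := Document{Name: "app.spdx", Content: []byte(fmt.Sprintf(
		"SPDXVersion: SPDX-2.0\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: app\nExternalDocumentRef: DocumentRef-tools http://example.com/spdx/tools SHA1: %s\nPackageName: app\nPackageLicenseConcluded: MIT\n",
		sha1Hex(tools.Content)))}
	return []Document{app, tools}
}

func main() {
	docs := sampleDocs()
	manifest, err := BuildManifest(docs, []string{"Reviewed by example reviewer; license conclusions confirmed"})
	if err != nil {
		panic(err)
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the reviewer's key
	sig := SignManifest(priv, manifest)
	fmt.Print(string(manifest))
	fmt.Println("signature valid:", VerifyManifest(pub, manifest, sig))
	// Edit a reviewed document after the review: the manifest exposes it.
	docs[1].Content = append(docs[1].Content, []byte("PackageLicenseConcluded: GPL-2.0\n")...)
	fmt.Println("modified after review:", CheckDocuments(manifest, docs))
	// Edit the reviewer's annotation in the manifest: the signature fails.
	edited := bytes.Replace(manifest, []byte("confirmed"), []byte("rejected"), 1)
	fmt.Println("edited manifest verifies:", VerifyManifest(pub, edited, sig))
}
```

Two practical points this raises: SHA1 is the checksum algorithm SPDX 2.0 already carries for files and external document references, but its collision resistance is broken (the public SHAttered collision dates from 2017), so a signed review record is better off recording a second digest such as SHA256 as done here; and the ExternalDocumentRef check matters because a reviewed document that pulls in an unreviewed one leaves the signature covering less than the reader assumes.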