https://bugs.linuxfoundation.org/show_bug.cgi?id=1189

             Bug #: 1189
           Summary: Proposal for digitally signing SPDX 2.0 documents
           Product: SPDX
           Version: 2.0
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: spdx-t...@fossbazaar.org
        ReportedBy: g...@sourceauditor.com
    Classification: Unclassified


Based on the discussion at LinuxCon:
Problem statement - Today, there is no way to validate whether SPDX document(s)
which have been reviewed have been modified after the review (either the file
described by the SPDX document(s) or the metadata in the SPDX document(s)).

Proposal to have a documented best practice for creating a separate file
outside of the SPDX documents being reviewed. This document would contain the
file names and sha1 checksums for all SPDX documents which have been reviewed
(NOTE: This should include any externally referenced SPDX documents).
Additional reviewer comments/annotations would also be included in this
separate file. The resultant file could be digitally signed.
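The following is an added example, not part of the bug report or of any SPDX tooling, showing what the proposed separate review file could look like in practice: it lists the reviewed SPDX documents by file name and SHA-1 checksum, carries reviewer annotations, and is then verified so that a post-review edit to either a document or the manifest is detected. The manifest field names are this example's own choice, and an HMAC over the canonical manifest bytes stands in for the digital signature (a deployment would sign those same bytes with an OpenPGP or X.509 key; the HMAC is only an assumption to keep the example runnable with the standard library).

```python
"""Added example (not from the SPDX bug report): build a review manifest
listing SPDX document file names and SHA-1 checksums plus reviewer
annotations, then verify that nothing changed after the review.

Assumptions: manifest layout and field names are this example's own; the
HMAC-SHA256 is a stand-in for a real digital signature over the same bytes.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha1_of_file(path):
    # SHA-1 is the checksum the proposal names; read in chunks for large files.
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, annotations):
    """One entry per reviewed SPDX document (including externally referenced
    ones), plus free-form reviewer annotations."""
    return {
        "reviewed": [{"file": os.path.basename(p), "sha1": sha1_of_file(p)}
                     for p in sorted(paths)],
        "annotations": list(annotations),
    }


def canonical_bytes(manifest):
    # Stable serialisation so the signature covers exactly one byte string.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    # Stand-in for the digital signature: HMAC-SHA256 over the canonical bytes.
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_review(manifest, signature, key, directory):
    """Return a list of problems; an empty list means the review is intact."""
    problems = []
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        problems.append("manifest signature mismatch")
        return problems  # the checksum list itself cannot be trusted
    for entry in manifest["reviewed"]:
        path = os.path.join(directory, entry["file"])
        if not os.path.exists(path):
            problems.append(f"{entry['file']}: missing")
        elif sha1_of_file(path) != entry["sha1"]:
            problems.append(f"{entry['file']}: modified after review")
    return problems


def demo():
    """Construct two SPDX documents, review them, then tamper with one and
    with the manifest's annotation; return the three verification results."""
    key = b"constructed-demo-key"  # constructed, not a real secret
    with tempfile.TemporaryDirectory() as d:
        docs = []
        for name in ("package.spdx", "lib-external.spdx"):  # constructed names
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(f"SPDXVersion: SPDX-2.0\nDocumentName: {name}\n")
            docs.append(p)
        manifest = build_manifest(docs, ["Reviewed licenses; no issues found."])
        sig = sign_manifest(manifest, key)
        before = verify_review(manifest, sig, key, d)
        with open(docs[0], "a") as f:
            f.write("PackageLicenseConcluded: MIT\n")  # edit made after review
        after = verify_review(manifest, sig, key, d)
        # Changing the reviewer's annotation in the manifest breaks the signature.
        forged = dict(manifest, annotations=["Approved without review."])
        forged_result = verify_review(forged, sig, key, d)
        return before, after, forged_result


if __name__ == "__main__":
    print(demo())
```

Because the signature covers the manifest rather than the SPDX documents themselves, the documents can still be redistributed unchanged while the review record travels separately, which is the point of keeping the file outside the reviewed documents. One caveat a practitioner would add: SHA-1 is what the proposal names, but it is no longer collision resistant, so a manifest format should leave room for a stronger algorithm alongside it.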
