Hi,
nowadays most source code is stored in some sort of VCS. Particularly popular
in the OSS world, but also in commercial software development, is Git as a
DVCS. Git's internal data structures are based on simple hierarchies of SHA-1
hashes: Contents of files ("blobs") are hashed, entries of blobs are hashed to
"trees", trees are hashed to "commits" etc.
So basically Git already knows the hashes of all its files, and there's usually
no need to recalculate the hashes for the purpose of creating SPDX File
Checksum entries. The only hitch is that Git's SHA1 of a blob is *slightly*
different from the SHA1 of purely the file contents: Git prefixes the file
contents with "blob <size>\0" where <size> is the size of the file. The "git
hash-object <file>" command calculates this SHA1 on the contents of <file> with
the prefix added, and the script at [1] illustrates how Git internally performs
the calculation.
In order to reuse Git's SHA1 of blobs when creating an SPDX file for files
stored in Git, I'd like to propose a new "SHA1GIT" algorithm. The hash value
for that algorithm must match the output of "git hash-object <file>". Having
the Git-style SHA1 also allows easier matching of a given SPDX File Checksum to
Git repositories by doing something like "git rev-list --objects --all | grep
<sha1git>".
Benefiting from the new SHA1GIT algorithm the most would also require making
the existing SHA1 algorithm non-mandatory. From a file consistency point of
view it does not really make sense to compute both ("git hash-object <file>"
also works on files not committed to Git), and neither does it from a
performance point of view.
Please let me know what you think about this proposal.
[1] https://github.com/sschuberth/dev-scripts/blob/master/git/git-hash-blob.sh
Regards,
Sebastian
_______________________________________________
Spdx-tech mailing list
https://lists.spdx.org/mailman/listinfo/spdx-tech