Dear Sebastian,

is the commit-id verifiable from the source code?  I think it would require
extra work to make it verifiable, and, if the distribution contains fewer
files than the repo (which is common), then it will never be verifiable. Also,
what happens if the author decides to rebase or simply delete the repo?

The commit-id is really a replacement of the "version" identifier.



On Wed, May 18, 2016 at 4:29 AM, Schuberth, Sebastian <
[email protected]> wrote:

> Hi,
>
> nowadays most source code is stored in some sort of VCS. Particularly
> popular in the OSS world, but also in commercial software development, is
> Git as a DVCS. Git's internal data structures are based on simple
> hierarchies of SHA-1 hashes: Contents of files ("blobs") are hashed,
> entries of blobs are hashed to "trees", trees are hashed to "commits" etc.
>
> So basically Git already knows the hashes of all its files, and there's
> usually no need to recalculate the hashes for the purpose of creating SPDX
> File Checksum entries. The only hitch is that Git's SHA1 of a blob is
> *slightly* different from the SHA1 of purely the file contents: Git
> prefixes the file contents with "blob <size>\0" where <size> is the size of
> the file. The "git hash-object <file>" command calculates this SHA1 on the
> contents of <file> with the prefix added, and the script at [1] illustrates
> how Git internally performs the calculation.
>
> In order to reuse Git's SHA1 of blobs when creating an SPDX file for files
> stored in Git, I'd like to propose a new "SHA1GIT" algorithm. The hash
> value for that algorithm must match the output of "git hash-object <file>".
> Having the Git-style SHA1 also allows easier matching of a given SPDX File
> Checksum to Git repositories by doing something like "git rev-list
> --objects --all | grep <sha1git>".
>
> Benefiting from the new SHA1GIT algorithm the most would also require to
> make the existing SHA1 algorithm non-mandatory. From a file consistency
> point of view it does not really make sense to compute both ("git
> hash-object <file>" also works on files not committed to Git), and neither
> does it from a performance point of view.
>
> Please let me know what you think about this proposal.
>
> [1]
> https://github.com/sschuberth/dev-scripts/blob/master/git/git-hash-blob.sh
>
> Regards,
> Sebastian
>
>
> _______________________________________________
> Spdx-tech mailing list
> [email protected]
> https://lists.spdx.org/mailman/listinfo/spdx-tech
>



-- 
--dmg

---
Daniel M. German
http://turingmachine.org
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech
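As an added example (not from the thread, nor from the script Sebastian links at [1]), a Python version of the proposed SHA1GIT computation next to the plain SHA-1 the SPDX File Checksum uses today, plus a check of an SPDX-style checksum against constructed `git rev-list --objects --all` output; all hashes and paths other than the well-known empty-blob values are constructed placeholders.

```python
import hashlib

def git_blob_sha1(data: bytes) -> str:
    """Proposed SHA1GIT: SHA-1 over "blob <size>\\0" + contents, which is
    what `git hash-object <file>` prints for a file."""
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()

def plain_sha1(data: bytes) -> str:
    """Existing SPDX SHA1: SHA-1 over the bare file contents only."""
    return hashlib.sha1(data).hexdigest()

def find_in_rev_list(sha1git: str, rev_list_lines):
    """Emulate `git rev-list --objects --all | grep <sha1git>`: return the
    paths of blobs whose Git object id equals sha1git. Input lines have the
    form "<sha1> <path>"; commit and tree lines carry no path."""
    hits = []
    for line in rev_list_lines:
        parts = line.split(maxsplit=1)
        if parts and parts[0] == sha1git.lower():
            hits.append(parts[1] if len(parts) == 2 else "")
    return hits

def verify_file(content: bytes, spdx_checksums: dict) -> dict:
    """Compare SPDX File Checksum entries ({algorithm: hex value}) with the
    values recomputed from content. Only SHA1 and SHA1GIT are understood;
    any other algorithm is reported as False rather than guessed."""
    computed = {"SHA1": plain_sha1(content), "SHA1GIT": git_blob_sha1(content)}
    return {alg: computed.get(alg) == val.lower() for alg, val in spdx_checksums.items()}

# Constructed stand-in for `git rev-list --objects --all` output: the commit
# and tree ids are placeholders, the blob id is Git's real hash of an empty file.
REV_LIST = [
    "1111111111111111111111111111111111111111",                  # commit (placeholder)
    "2222222222222222222222222222222222222222",                  # tree (placeholder)
    "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 docs/EMPTY.txt",   # empty blob
]

if __name__ == "__main__":
    empty = b""
    print("SHA1    :", plain_sha1(empty))     # differs from the Git object id
    print("SHA1GIT :", git_blob_sha1(empty))  # equals `git hash-object` on an empty file
    print("in repo :", find_in_rev_list(git_blob_sha1(empty), REV_LIST))
    print("verify  :", verify_file(empty, {"SHA1GIT": git_blob_sha1(empty)}))
```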
