https://bugs.linuxfoundation.org/show_bug.cgi?id=1356

            Bug ID: 1356
           Summary: Add SHA1GIT as optional file checksum
           Product: SPDX
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Spec
          Assignee: [email protected]
          Reporter: [email protected]
    Classification: Unclassified

see: http://lists.spdx.org/pipermail/spdx-tech/2016-May/003101.html

and from farther down the thread. 

I see how making the SHA1 algorithm non-mandatory would be a breaking change,
and that we'd like to avoid that. But maybe we could at least allow SHA1GIT as
an additional algorithm and add it to the spec.

WRT the use-case you're asking for: It's all about performance. In our case
scanners actually *do* scan Git checkouts most of the time, as dependencies (be
it build time or run time) are usually included as Git submodules. When
scanning these files, it does not make much sense to force the scanner to
calculate the SHA1 on each file (in order to create valid SPDX) if the SHA1GIT
is already known. However, I have to admit that getting the blob SHA1 for a
given file name is a rather slow operation in Git, and for single small files
(which is not uncommon for source code files) it might actually be faster to
calculate the SHA1 instead of looking up the known SHA1GIT.

Finally, there's also the "reverse" use-case: Suppose you have an SPDX file
with a bunch of File Checksums given, and you'd like to know which are the
candidate Git commits these files can originate from. If only the SHA1s are
given, you'd have to iterate over all eligible commits in your Git repository,
checkout the files, and calculate the SHA1 on them to see whether there's a
match. With the SHA1GIT on the other hand, you could directly search Git's
object database to find the trees / commits that contain the given blobs.

I agree it probably is an edge-case, but maybe still enough reason to at least
*allow* SHA1GIT as a File Checksum algorithm.

Regards,
Sebastian
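As an added illustration that is not part of the report above, the following Python computes both checksums the report contrasts (plain SHA1 and the Git blob id, SHA1GIT) and performs the "reverse" lookup from blob ids to candidate commits; the file contents, commit ids and the commit index are constructed stand-ins for what would come from a real Git object database.

```python
import hashlib


def sha1_plain(content: bytes) -> str:
    """Plain SHA1 over the file bytes: what the SPDX FileChecksum SHA1 requires."""
    return hashlib.sha1(content).hexdigest()


def sha1_git(content: bytes) -> str:
    """Git blob object id (SHA1GIT): SHA1 over the header 'blob <size>\\0'
    followed by the file bytes. It differs from sha1_plain() for the same bytes,
    which is why a scanner cannot reuse one in place of the other."""
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def candidate_commits(blob_ids, commit_index):
    """Reverse use-case: return the commits whose trees contain every given blob id.

    commit_index maps a commit id to the set of blob ids reachable from its tree.
    Here it is a constructed dict; in practice it would be built from Git's object
    database, which is exactly what lets SHA1GIT be searched directly.
    """
    wanted = set(blob_ids)
    return sorted(c for c, blobs in commit_index.items() if wanted <= blobs)


# Constructed sample files (hypothetical contents, not from the report).
FILES = {
    "LICENSE": b"MIT License\n",
    "main.c": b"int main(void) { return 0; }\n",
}

# Constructed commit index with hypothetical commit ids.
COMMIT_INDEX = {
    "c0ffee": {sha1_git(FILES["LICENSE"])},
    "deadbeef": {sha1_git(FILES["LICENSE"]), sha1_git(FILES["main.c"])},
}


if __name__ == "__main__":
    for name, data in FILES.items():
        print(f"{name}: SHA1={sha1_plain(data)} SHA1GIT={sha1_git(data)}")
    print("commits containing main.c:",
          candidate_commits([sha1_git(FILES["main.c"])], COMMIT_INDEX))
```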
