Hi Folks, I am in the process of incorporating file level data collected by Scancode into Tern’s SPDX document format. I have some questions about the elements and where they need to be placed.
1. Containers are made up of a list of tarballs containing files; these files are analyzed for packages and files. So for the SPDX document we have each layer as a package, and this package contains other packages for which we don’t have file information, and it also contains files for which we don’t have package information. Basically, we don’t know what files belong to what package. We just know they were all included in this tarball. How do we report this data? Can we provide relationships for both packages and files? Which one do we list first?

2. The spec says that if the files were analyzed, you need to calculate a Package Verification Code. AIUI, you will have to calculate the SHA1 of all the files, sort the SHA1s in ASCII order, append them all into one string in order, and SHA1 that string. We calculate SHA256 sums of the files in the image layer (SHA256 is the checksum most widely used in the container world). Can we use SHA256 instead of SHA1?

3. The spec asks for a “Package License Info From Files”. Do we use license expressions here?

4. The spec asks for “License Info In File” for each file. How is this different from “Package License Info From Files”?

That’s all the questions for now ☺. No. 1 is the biggest one I would like an answer for.

Thanks so much!

Nisha K.
Open Source Engineer
VMware Open Source Technology Center

View/Reply Online (#3835): https://lists.spdx.org/g/Spdx-tech/message/3835
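As an added illustration of the Package Verification Code procedure described in question 2 (this is example code written for this page, not code from the post, from Tern or from Scancode), the Python below implements that procedure and generalises it to take a selectable hashlib algorithm, so the SHA1 form (the algorithm the SPDX 2.x spec fixes for this field) and a SHA256 variant can be computed side by side. The file paths and contents are constructed, and the tag/value rendering assumes the `PackageVerificationCode: <hex> (excludes: ...)` form.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed sample standing in for the files found in one image layer tarball.
# Paths and contents are made up for this example, not taken from any real image.
LAYER_FILES: Dict[str, bytes] = {
    "usr/bin/tool": b"#!/bin/sh\necho hello\n",
    "etc/tool.conf": b"verbose=1\n",
    "usr/share/doc/tool/LICENSE": b"MIT License\n",
    "layer.spdx": b"SPDXVersion: SPDX-2.2\n",  # the SPDX document itself, to be excluded
}


def file_digests(files: Dict[str, bytes], algorithm: str = "sha1") -> Dict[str, str]:
    """Hex digest of every file's contents, using the named hashlib algorithm."""
    return {path: hashlib.new(algorithm, data).hexdigest() for path, data in files.items()}


def package_verification_code(digests: Dict[str, str],
                              excluded: Iterable[str] = (),
                              algorithm: str = "sha1") -> Tuple[str, List[str]]:
    """Verification code as the post describes it: take every file's digest
    except the excluded paths, sort the digests as ASCII strings, concatenate
    them with no separator, and digest that string with the same algorithm.
    Returns (code, sorted list of excluded paths that were actually present)."""
    excluded = set(excluded)
    kept = sorted(d for path, d in digests.items() if path not in excluded)
    code = hashlib.new(algorithm, "".join(kept).encode("ascii")).hexdigest()
    return code, sorted(p for p in excluded if p in digests)


def verification_code_line(code: str, excluded: Iterable[str]) -> str:
    """Render the tag/value form: PackageVerificationCode: <hex> (excludes: ./path)."""
    ex = ", ".join("./" + p for p in excluded)
    return f"PackageVerificationCode: {code}" + (f" (excludes: {ex})" if ex else "")


def demo() -> Dict[str, str]:
    """Same file set under SHA1 and SHA256: the two codes are different values of
    different lengths, so a consumer expecting the spec's SHA1 code cannot verify
    a SHA256-based one against the files."""
    out = {}
    for alg in ("sha1", "sha256"):
        code, ex = package_verification_code(file_digests(LAYER_FILES, alg), ["layer.spdx"], alg)
        out[alg] = verification_code_line(code, ex)
    return out


if __name__ == "__main__":
    for line in demo().values():
        print(line)
```

Because the per-file digests are sorted before concatenation, the code is independent of the order in which files were pulled out of the tarball; any change to any included file's bytes changes it.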
