Hi Jeremiah,

Thanks for that info about Red Hat’s not-yet-public tool. It looks like videos 
from the Copyleft Conf this year are not yet available. I certainly wish I had 
known as I would have stayed a day longer.

I’ll submit a proposal to move to SHA256 to calculate the Package Verification 
Code.

Nisha

From: "Foster, Jeremiah" <[email protected]>
Date: Tuesday, March 17, 2020 at 5:49 PM
To: Nisha Kumar <[email protected]>, "[email protected]" 
<[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: Questions about SPDX spec for container images

Hey Nisha!

I wanted to pass along some info I gleaned from the Copyleft Conf in Brussels. 
There was a discussion there on license compliance in containers and Red Hat 
mentioned that they’re working on a tool for compliance in containers that is 
not yet public. I don’t know if the session was recorded but, if it is, there 
might be a tad more info there.

I would also like to add a +1 to the request to use SHA256 over SHA1. 
SHA256 I think is more widely used everywhere and SHA1 apparently may suffer 
from collisions though that’s a somewhat remote possibility.

Cheers,

Jeremiah

________________________________
From: [email protected] on behalf of Nisha Kumar via Lists.Spdx.Org 
<[email protected]>
Sent: Tuesday, March 17, 2020 6:51 PM
To: [email protected]
Cc: [email protected]
Subject: [spdx-tech] Questions about SPDX spec for container images

Hi Folks,

I am in the process of incorporating file level data collected by Scancode into 
Tern’s SPDX document format. I have some questions about the elements and where 
they need to be placed.


  1.  Containers are made up of a list of tarballs containing files; these 
files are analyzed for packages and files. So for the SPDX document we have 
each layer as a package, and this package contains other packages for which we 
don’t have file information, and it also contains files for which we don’t have 
package information. Basically, we don’t know what files belong to what 
package. We just know they were all included in this tarball. How do we report 
this data? Can we provide relationships for both packages and files? Which one 
do we list first?
  2.  The spec says that if the files were analyzed, you need to calculate a 
Package Verification Code. AIUI, you will have to calculate the SHA1 of all the 
files, sort the SHA1s in ASCII order, append them all into one string in order, 
and SHA1 that string. We calculate SHA256 sums of the files in the image layer 
(SHA256 is the checksum most widely used in the container world). Can we use 
SHA256 instead of SHA1?
  3.  The spec asks for a “Package License Info From Files”. Do we use license 
expressions here?
  4.  The spec asks for “License Info In File” for each file. How is this 
different from “Package License Info From Files”?

That’s all the questions for now ☺. No. 1 is the biggest one I would like an 
answer for. Thanks so much!

Nisha K.
Open Source Engineer
VMware Open Source Technology Center
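The Package Verification Code algorithm described in question 2 above, written out as an added example (this is not code from the thread, from Tern, or from the SPDX project): hash every file in the layer, sort the hex digests in ASCII order, concatenate them, and hash the resulting string. The `algo` parameter is an assumption added here so the same routine can be run with SHA1 (what the SPDX 2.x spec prescribes) and with SHA256 (what Nisha proposes); the `excludes` parameter mirrors the spec's allowance for leaving out files such as the SPDX document itself. The sample layer contents are constructed inline.

```python
import hashlib
from typing import Iterable, Tuple, Collection

# Constructed sample: (path, content) pairs standing in for the files
# extracted from one image-layer tarball. Not real container data.
LAYER_FILES = [
    ("usr/bin/sh", b"#!/bin/sh\nexec /bin/busybox sh\n"),
    ("etc/os-release", b"NAME=example\nVERSION_ID=1\n"),
    ("usr/lib/libfoo.so.1", b"\x7fELF" + b"\x00" * 28),
]


def digest_hex(data: bytes, algo: str = "sha1") -> str:
    """Hex digest of `data` under `algo` (any name hashlib accepts)."""
    return hashlib.new(algo, data).hexdigest()


def package_verification_code(
    files: Iterable[Tuple[str, bytes]],
    algo: str = "sha1",
    excludes: Collection[str] = (),
) -> str:
    """Compute an SPDX-style Package Verification Code.

    Steps, following the description in the thread:
      1. hash the content of every file (skipping excluded paths),
      2. sort the hex digests in plain ASCII order,
      3. join them into one string with no separator,
      4. hash that ASCII string with the same algorithm.

    Sorting makes the result independent of the order in which files
    appear in the tarball; two layers with the same set of file contents
    yield the same code regardless of packaging order. Only contents are
    covered: paths, ownership and permissions do not affect the code.
    `algo="sha1"` matches SPDX 2.x; `algo="sha256"` is the proposed
    variant and is an assumption of this example, not spec behaviour.
    """
    digests = [
        digest_hex(content, algo)
        for path, content in files
        if path not in excludes
    ]
    digests.sort()
    return digest_hex("".join(digests).encode("ascii"), algo)


if __name__ == "__main__":
    print("SHA1   PVC:", package_verification_code(LAYER_FILES))
    print("SHA256 PVC:", package_verification_code(LAYER_FILES, algo="sha256"))
```

Running the file prints both codes for the constructed layer. The SHA1 variant yields a 40-character value, the SHA256 variant a 64-character one, which is why a consumer of the document needs to know which algorithm produced the code before it can verify anything.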




View/Reply Online (#3838): https://lists.spdx.org/g/Spdx-tech/message/3838