Hi Nisha,

 

The first question is a bit more challenging.  Here is one approach you could 
take:

 

* Include all the package information for each of the embedded packages with FilesAnalyzed=false – this allows you to add the package information without requiring the verification code.
* Create a “package” representing the entire tarball – you’ll need to generate a meaningful name for the package.
* Set the filesAnalyzed = true
* Generate a verification code for all the files in the tarball
* Create a CONTAINS relationship between the tarball and package for each of the real packages

 

Gary

 

From: [email protected] <[email protected]> On Behalf Of Nisha 
Kumar via Lists.Spdx.Org
Sent: Wednesday, March 18, 2020 7:33 AM
To: Gary O'Neall <[email protected]>; [email protected]
Cc: [email protected]
Subject: Re: [spdx-tech] Questions about SPDX spec for container images

 

Thanks Gary!

 

Do you have any guidance for my first question?

 

We don’t know what files belong to what package. We just know they were all 
included in this tarball. How do we report this data? Can we provide 
relationships for both packages and files? Which one do we list first?

 

Nisha

 

From: Gary O'Neall <[email protected]>
Date: Tuesday, March 17, 2020 at 5:49 PM
To: Nisha Kumar <[email protected]>, "[email protected]" <[email protected]>
Subject: RE: [spdx-tech] Questions about SPDX spec for container images

 

Hi Nisha,

 

 

Containers are made up of a list of tarballs containing files, these files are 
analyzed for packages and files. So for the SPDX document we have each layer as 
a package and this package contains other packages for which we don’t have file 
information and it also contains files for which we don’t have package 
information. Basically, we don’t know what files belong to what package. We 
just know they were all included in this tarball. How do we report this data? 
Can we provide relationships for both packages and files? Which one do we list 
first?

1. The spec says that if the files were analyzed, you need to calculate a Package Verification Code. AIUI, you will have to calculate the SHA1 of all the files, sort the SHA1s in ASCII order, append them all into one string in order, and SHA1 that string. We calculate SHA256 sums of the files in the image layer (SHA256 is the checksum most widely used in the container world). Can we use SHA256 instead of SHA1?

[G.O.] Currently, only SHA1 is supported in the spec for verification code 
(note – you can use SHA256 for file checksums).  Since changing from SHA1 to 
SHA256 would be a breaking change, we can propose a change for SPDX 3.0.

2. The spec asks for a “Package License Info From Files”. Do we use license expressions here?

[G.O.] Yes

3. The spec asks for “License Info In File” for each file. How is this different from “Package License Info From Files”?

[G.O.] License info from Files is a collection of all license info collected 
from each file.  It has a cardinality of 1* so you would add one for each 
license info in file.

 

That’s all the questions for now ☺. No. 1 is the biggest one I would like an answer for. Thanks so much!

 

Nisha K.

Open Source Engineer

VMware Open Source Technology Center
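The following is an added example, not code from the SPDX project or from either poster. It ties together Gary's five-step layout for a layer tarball (reply at the top of the thread) and the verification-code algorithm Nisha describes in question 1: every file in the unpacked layer is hashed with SHA1, the lowercase hex digests are sorted in ASCII order, concatenated with no separator, and SHA1'd again. SHA256 is then recorded only as an extra per-file FileChecksum, since the spec fixes SHA1 for the verification code. The layer name, document namespace, tool name and the embedded package names/versions are constructed placeholders; the two sample files are created in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo):
    """Hex digest of one file with the named hashlib algorithm."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        h.update(fh.read())
    return h.hexdigest()


def list_files(root):
    """All regular files under root, in a stable order."""
    return sorted(os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs)


def package_verification_code(file_paths):
    """SPDX 2.x PackageVerificationCode: SHA1 of each file as lowercase hex,
    sorted in ASCII order, concatenated with no separator, then SHA1 of that
    string. SHA1 is fixed by the spec here; SHA256 may only be used for the
    per-file FileChecksum entries."""
    digests = sorted(file_digest(p, "sha1") for p in file_paths)
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()


def layer_document(layer_name, root, embedded_pkgs):
    """Tag-value SPDX 2.1 fragment for one layer tarball.

    layer_name    - constructed name for the tarball package
    root          - directory holding the unpacked layer contents
    embedded_pkgs - (name, version) pairs for packages whose file lists are unknown
    """
    files = list_files(root)
    layer_id = "SPDXRef-layer"
    lines = [
        "SPDXVersion: SPDX-2.1",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {layer_name}",
        f"DocumentNamespace: http://example.invalid/spdx/{layer_name}",  # placeholder
        "Creator: Tool: layer-spdx-example",  # hypothetical tool name
        "Created: 2020-03-18T00:00:00Z",
        "",
        # Package for the whole tarball: files are analyzed, so the SHA1-based
        # verification code and PackageLicenseInfoFromFiles are required.
        f"PackageName: {layer_name}",
        f"SPDXID: {layer_id}",
        "PackageDownloadLocation: NOASSERTION",
        "FilesAnalyzed: true",
        f"PackageVerificationCode: {package_verification_code(files)}",
        "PackageLicenseConcluded: NOASSERTION",
        "PackageLicenseInfoFromFiles: NOASSERTION",
        "PackageLicenseDeclared: NOASSERTION",
        "PackageCopyrightText: NOASSERTION",
        "",
    ]
    # In tag-value format a file section belongs to the package section that
    # precedes it, so the layer's files go here, before the embedded packages.
    for i, path in enumerate(files):
        rel = "./" + os.path.relpath(path, root).replace(os.sep, "/")
        lines += [
            f"FileName: {rel}",
            f"SPDXID: SPDXRef-file-{i}",
            f"FileChecksum: SHA1: {file_digest(path, 'sha1')}",
            f"FileChecksum: SHA256: {file_digest(path, 'sha256')}",
            "LicenseConcluded: NOASSERTION",
            "LicenseInfoInFile: NOASSERTION",
            "FileCopyrightText: NOASSERTION",
            "",
        ]
    for i, (name, version) in enumerate(embedded_pkgs):
        pkg_id = f"SPDXRef-pkg-{i}"
        lines += [
            f"PackageName: {name}",
            f"SPDXID: {pkg_id}",
            f"PackageVersion: {version}",
            "PackageDownloadLocation: NOASSERTION",
            # Files unknown: FilesAnalyzed=false, so no verification code and
            # no PackageLicenseInfoFromFiles may appear for this package.
            "FilesAnalyzed: false",
            "PackageLicenseConcluded: NOASSERTION",
            "PackageLicenseDeclared: NOASSERTION",
            "PackageCopyrightText: NOASSERTION",
            "",
            f"Relationship: {layer_id} CONTAINS {pkg_id}",
            "",
        ]
    return "\n".join(lines)


def make_demo_layer():
    """Constructed sample layer: two small files in a temporary directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr", "bin"))
    with open(os.path.join(root, "usr", "bin", "hello"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho hello\n")
    with open(os.path.join(root, "etc-release"), "wb") as fh:
        fh.write(b"NAME=example\n")
    return root


if __name__ == "__main__":
    demo_root = make_demo_layer()
    # Hypothetical embedded packages; a real tool would read them from the
    # layer's package manager database.
    print(layer_document("layer-0-placeholder", demo_root,
                         [("busybox", "1.31.1"), ("musl", "1.1.24")]))
```

Because the digests are sorted before the final hash, the verification code does not depend on the order in which files are walked, which is what makes it comparable between two independently generated documents for the same layer.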

 




-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#3840): https://lists.spdx.org/g/Spdx-tech/message/3840
Mute This Topic: https://lists.spdx.org/mt/72037279/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub  
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
