Thanks, Gary. This gives me enough information to proceed. I appreciate the help!
Nisha From: Gary O'Neall <[email protected]> Date: Wednesday, March 18, 2020 at 10:07 AM To: Nisha Kumar <[email protected]>, "[email protected]" <[email protected]> Subject: RE: [spdx-tech] Questions about SPDX spec for container images Forgot to answer your question on which do we list first. If you create a package for the tarball, that could be listed first and be the package described by the SPDX document. Gary From: Nisha Kumar <[email protected]> Sent: Wednesday, March 18, 2020 7:33 AM To: Gary O'Neall <[email protected]>; [email protected] Subject: Re: [spdx-tech] Questions about SPDX spec for container images Thanks Gary! Do you have any guidance for my first question? We don’t know what files belong to what package. We just know they were all included in this tarball. How do we report this data? Can we provide relationships for both packages and files? Which one do we list first? Nisha From: Gary O'Neall <[email protected]<mailto:[email protected]>> Date: Tuesday, March 17, 2020 at 5:49 PM To: Nisha Kumar <[email protected]<mailto:[email protected]>>, "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: RE: [spdx-tech] Questions about SPDX spec for container images Hi Nisha, Containers are made up of a list of tarballs containing files, these files are analyzed for packages and files. So for the SPDX document we have each layer as a package and this package contains other packages for which we don’t have file information and it also contains files for which we don’t have package information. Basically, we don’t know what files belong to what package. We just know they were all included in this tarball. How do we report this data? Can we provide relationships for both packages and files? Which one do we list first? 1. The spec says that if the files were analyzed, you need to calculate a Package Verification Code. AIUI, you will have to calculate the SHA1 of all the files, sort the SHA1s in ASCII order, append them all into one string in order, and SHA1 that string. We calculate SHA256 sums of the files in the image layer (SHA256 is the checksum most widely used in the container world). Can we use SHA256 instead of SHA1? [G.O.] Currently, only SHA1 is supported in the spec for verification code (note – you can use SHA256 for file checksums). Since changing from SHA1 to SHA256 would be a breaking change, we can propose a change for SPDX 3.0. 1. The spec asks for a “Package License Info From Files”. Do we use license expressions here? [G.O.] Yes 1. The spec asks for “License Info In File” for each file. How is this different from “Package License Info From Files”? [G.O.] License info from Files is a collection of all license info collected from each file. It has a cardinality of 1* so you would add one for each license info in file. That’s all the questions for now ☺. No 1. Is the biggest one I would like an answer for. Thanks so much! Nisha K. Open Source Engineer VMware Open Source Technology Center -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#3842): https://lists.spdx.org/g/Spdx-tech/message/3842 Mute This Topic: https://lists.spdx.org/mt/72037279/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
