I'd like to pull together a Cookbook of samples for different scenarios.
Once you have an example for a container image it would be great to
review it with Gary and Thomas and I can turn it into a cookbook example.
William
On 3/18/20 10:45 AM, Nisha Kumar via Lists.Spdx.Org wrote:
Thanks, Gary. This gives me enough information to proceed. I
appreciate the help!
Nisha
From: Gary O'Neall <[email protected]>
Date: Wednesday, March 18, 2020 at 10:07 AM
To: Nisha Kumar <[email protected]>, [email protected]
Subject: RE: [spdx-tech] Questions about SPDX spec for container images
Forgot to answer your question on which do we list first.
If you create a package for the tarball, that could be listed first
and be the package described by the SPDX document.
Gary
From: Nisha Kumar <[email protected]>
Sent: Wednesday, March 18, 2020 7:33 AM
To: Gary O'Neall <[email protected]>; [email protected]
Subject: Re: [spdx-tech] Questions about SPDX spec for container images
Thanks Gary!
Do you have any guidance for my first question?
We don’t know what files belong to what package. We just know they
were all included in this tarball. How do we report this data? Can we
provide relationships for both packages and files? Which one do we
list first?
Nisha
From: Gary O'Neall <[email protected]>
Date: Tuesday, March 17, 2020 at 5:49 PM
To: Nisha Kumar <[email protected]>, [email protected]
Subject: RE: [spdx-tech] Questions about SPDX spec for container images
Hi Nisha,
Containers are made up of a list of tarballs containing files, these
files are analyzed for packages and files. So for the SPDX document we
have each layer as a package and this package contains other packages
for which we don’t have file information and it also contains files
for which we don’t have package information. Basically, we don’t know
what files belong to what package. We just know they were all included
in this tarball. How do we report this data? Can we provide
relationships for both packages and files? Which one do we list first?
1. The spec says that if the files were analyzed, you need to
calculate a Package Verification Code. AIUI, you will have to
calculate the SHA1 of all the files, sort the SHA1s in ASCII
order, append them all into one string in order, and SHA1 that
string. We calculate SHA256 sums of the files in the image layer
(SHA256 is the checksum most widely used in the container world).
Can we use SHA256 instead of SHA1?
[G.O.] Currently, only SHA1 is supported in the spec for the
verification code (note: you can use SHA256 for file checksums).
Since changing from SHA1 to SHA256 would be a breaking change, we can
propose a change for SPDX 3.0.
2. The spec asks for a “Package License Info From Files”. Do we use
license expressions here?
[G.O.] Yes.
3. The spec asks for “License Info In File” for each file. How is
this different from “Package License Info From Files”?
[G.O.] License Info From Files is a collection of all license info
collected from each file. It has a cardinality of 1*, so you would add
one for each License Info In File.
That's all the questions for now ☺. No. 1 is the biggest one I would
like an answer for. Thanks so much!
Nisha K.
Open Source Engineer
VMware Open Source Technology Center
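Added example (not part of the thread, and not code from the SPDX project or from VMware's tooling): a small Python script that does what Gary's answers describe for one image layer. It computes the SPDX 2.x Package Verification Code the way question 1 spells it out (SHA1 per file, digests sorted in ASCII order, concatenated, SHA1 of the result, with an optional "(excludes: ...)" suffix), reports SHA256 alongside the mandatory SHA1 as file checksums, emits one PackageLicenseInfoFromFiles line per distinct LicenseInfoInFile value (questions 2 and 3), and makes the tarball the package DESCRIBED by the document with CONTAINS relationships to the files whose owning package is unknown. The layer contents, license findings, package name and SPDX identifiers are constructed for illustration; the tag-value field names follow the SPDX 2.1 specification.

```python
import hashlib
import re

# Constructed sample layer contents (path -> bytes); not from a real image.
SAMPLE_LAYER = {
    "./etc/os-release": b"ID=alpine\nVERSION_ID=3.11\n",
    "./bin/busybox": b"\x7fELF fake busybox body",
    "./usr/lib/libz.so.1": b"\x7fELF fake zlib body",
}

# Constructed per-file license findings (SPDX license expressions) standing
# in for scanner output. Files with no finding are reported as NOASSERTION.
SAMPLE_LICENSES = {
    "./bin/busybox": "GPL-2.0-only",
    "./usr/lib/libz.so.1": "Zlib",
}


def file_checksums(data: bytes) -> dict:
    """SHA1 is mandatory per file (the verification code is built on it);
    SHA256 may be reported next to it as a second FileChecksum line."""
    return {
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def package_verification_code(files: dict, excludes=()) -> str:
    """SPDX 2.x PackageVerificationCode: lowercase SHA1 hex digest of every
    analysed file, digests sorted in ASCII order, concatenated, then SHA1 of
    that string. Paths in `excludes` (typically the SPDX document itself)
    are left out and named in the '(excludes: ...)' suffix."""
    digests = sorted(
        hashlib.sha1(data).hexdigest()
        for path, data in files.items()
        if path not in excludes
    )
    code = hashlib.sha1("".join(digests).encode("ascii")).hexdigest()
    if excludes:
        code += " (excludes: " + ", ".join(sorted(excludes)) + ")"
    return code


def file_spdx_id(path: str) -> str:
    """SPDX identifiers allow only letters, digits, '.' and '-'."""
    return "SPDXRef-File-" + re.sub(r"[^A-Za-z0-9.-]", "-", path.lstrip("./"))


def layer_tag_value(files: dict, licenses: dict, pkg_id="SPDXRef-layer-1",
                    pkg_name="layer-1.tar") -> str:
    """Render one layer as a tag-value fragment. The tarball package is the
    element DESCRIBED by the document and CONTAINS every file; files whose
    owning package is unknown hang directly off the tarball package."""
    found = sorted({licenses[p] for p in files if p in licenses})
    lines = [
        "SPDXVersion: SPDX-2.1",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {pkg_name}-sbom",
        f"Relationship: SPDXRef-DOCUMENT DESCRIBES {pkg_id}",
        "",
        f"PackageName: {pkg_name}",
        f"SPDXID: {pkg_id}",
        "PackageDownloadLocation: NOASSERTION",
        "FilesAnalyzed: true",
        f"PackageVerificationCode: {package_verification_code(files)}",
        "PackageLicenseConcluded: NOASSERTION",
        "PackageLicenseDeclared: NOASSERTION",
    ]
    # Cardinality 1*: one PackageLicenseInfoFromFiles per distinct license
    # seen in any LicenseInfoInFile below.
    for lic in found or ["NOASSERTION"]:
        lines.append(f"PackageLicenseInfoFromFiles: {lic}")
    lines.append("PackageCopyrightText: NOASSERTION")
    for path in sorted(files):
        fid = file_spdx_id(path)
        sums = file_checksums(files[path])
        lines += [
            "",
            f"FileName: {path}",
            f"SPDXID: {fid}",
            f"FileChecksum: SHA1: {sums['SHA1']}",
            f"FileChecksum: SHA256: {sums['SHA256']}",
            "LicenseConcluded: NOASSERTION",
            f"LicenseInfoInFile: {licenses.get(path, 'NOASSERTION')}",
            "FileCopyrightText: NOASSERTION",
            f"Relationship: {pkg_id} CONTAINS {fid}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(layer_tag_value(SAMPLE_LAYER, SAMPLE_LICENSES))
```

Because the digests are sorted before hashing, the verification code is independent of the order in which the tarball lists its entries, which is what makes it comparable between two tools scanning the same layer; detected packages would be added as further Package sections with their own `CONTAINS` relationships from the layer package.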
View/Reply Online (#3843): https://lists.spdx.org/g/Spdx-tech/message/3843