On Tue, Mar 17, 2020 at 7:49 PM Jeremiah C. Foster <[email protected]> wrote:
> Hey Nisha!
>
> I wanted to pass along some info I gleaned from the Copyleft Conf in
> Brussels. There was a discussion there on license compliance in containers,
> and Red Hat mentioned that they’re working on a tool for compliance in
> containers that is not yet public. I don’t know if the session was recorded
> but, if it is, there might be a tad more info there.
>
> I would also like to add a +1 to the request to use SHA256 over
> SHA1. SHA256 I think is more widely used everywhere, and SHA1 apparently
> may suffer from collisions, though that’s a somewhat remote possibility.
>

This is definitely one of the changes already under discussion for 3.0 - feel free to add comments to https://github.com/spdx/spdx-spec/issues/106 :-)

Moving to SHA256 also increases interoperability with SWH, which is another positive from my perspective.

Kate

> Cheers,
>
> Jeremiah
>
> ------------------------------
> *From:* [email protected] on behalf of Nisha Kumar via
> Lists.Spdx.Org <[email protected]>
> *Sent:* Tuesday, March 17, 2020 6:51 PM
> *To:* [email protected]
> *Cc:* [email protected]
> *Subject:* [spdx-tech] Questions about SPDX spec for container images
>
> Hi Folks,
>
> I am in the process of incorporating file-level data collected by Scancode
> into Tern’s SPDX document format. I have some questions about the elements
> and where they need to be placed.
>
> 1. Containers are made up of a list of tarballs containing files; these
>    files are analyzed for packages and files. So for the SPDX document
>    we have each layer as a package, and this package contains other packages
>    for which we don’t have file information, and it also contains files for
>    which we don’t have package information. Basically, we don’t know what
>    files belong to what package. We just know they were all included in this
>    tarball. How do we report this data? Can we provide relationships for both
>    packages and files? Which one do we list first?
> 2. The spec says that if the files were analyzed, you need to
>    calculate a Package Verification Code. AIUI, you will have to calculate the
>    SHA1 of all the files, sort the SHA1s in ASCII order, append them all into
>    one string in order, and SHA1 that string. We calculate SHA256 sums of the
>    files in the image layer (SHA256 is the checksum most widely used in the
>    container world). Can we use SHA256 instead of SHA1?
> 3. The spec asks for a “Package License Info From Files”. Do we use
>    license expressions here?
> 4. The spec asks for “License Info In File” for each file. How is this
>    different from “Package License Info From Files”?
>
> That’s all the questions for now ☺. No. 1 is the biggest one I would like
> an answer for. Thanks so much!
>
> Nisha K.
> Open Source Engineer
> VMware Open Source Technology Center

View/Reply Online (#3845): https://lists.spdx.org/g/Spdx-tech/message/3845
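The Package Verification Code algorithm that question 2 above describes, as an added worked example; this is not code from the thread, from Tern, or from the SPDX project. Per SPDX 2.x the code is the SHA-1 of the concatenation of every (non-excluded) file's lowercase SHA-1 hex digest, sorted in ascending order with no separator, so it depends on file contents only, not on file names or layer order. The sample layer contents are constructed inline, and the `algorithm` parameter is an assumption added to show what a SHA-256 variant would look like; SPDX 2.x only defines the SHA-1 form. One caveat for a security reviewer: because the 2.x code is SHA-1 over SHA-1 digests, two files with colliding SHA-1 hashes (practical collisions have been public since 2017) produce the same verification code, which is one reason the SHA-256 request matters beyond interoperability.

```python
"""SPDX 2.x Package Verification Code over an in-memory file set.

Added example (not Tern's or the SPDX project's code). Algorithm per SPDX 2.x:
  1. skip any file listed in "excludes" (typically the SPDX document itself),
  2. hex-digest (SHA-1) each remaining file's contents,
  3. sort the hex strings in ascending ASCII order,
  4. concatenate them with no separator and SHA-1 the result.
The `algorithm` parameter is an assumption added here to illustrate a
SHA-256 variant; only "sha1" is what the 2.x spec defines.
"""
import hashlib
from typing import Dict, Iterable

# Constructed sample contents standing in for files extracted from one
# container image layer tarball. Not real package data.
SAMPLE_LAYER: Dict[str, bytes] = {
    "./etc/os-release": b"NAME=Example\nVERSION_ID=1\n",
    "./usr/bin/tool": b"\x7fELF" + b"\x00" * 12,
    "./usr/share/doc/tool/LICENSE": b"MIT License\n",
    "./layer.spdx": b"SPDXVersion: SPDX-2.2\n",  # the analysis file; normally excluded
}


def file_digests(files: Dict[str, bytes], excludes: Iterable[str] = (),
                 algorithm: str = "sha1") -> Dict[str, str]:
    """Lowercase hex digest of every file in `files` not named in `excludes`."""
    skip = set(excludes)
    return {
        name: hashlib.new(algorithm, data).hexdigest()
        for name, data in files.items()
        if name not in skip
    }


def package_verification_code(files: Dict[str, bytes],
                              excludes: Iterable[str] = (),
                              algorithm: str = "sha1") -> str:
    """Verification code over the file set.

    Only algorithm="sha1" matches SPDX 2.x; "sha256" is the illustrative
    variant discussed in the thread (assumption, not spec-defined).
    """
    digests = sorted(file_digests(files, excludes, algorithm).values())
    # Sorted hex strings joined with no separator, hashed once more.
    return hashlib.new(algorithm, "".join(digests).encode("ascii")).hexdigest()


def format_tag_value(files: Dict[str, bytes], excludes: Iterable[str] = (),
                     algorithm: str = "sha1") -> str:
    """Render the SPDX 2.x tag:value line, including the excludes clause."""
    excludes = list(excludes)
    code = package_verification_code(files, excludes, algorithm)
    if excludes:
        return f"PackageVerificationCode: {code} (excludes: {' '.join(excludes)})"
    return f"PackageVerificationCode: {code}"


if __name__ == "__main__":
    print(format_tag_value(SAMPLE_LAYER, excludes=["./layer.spdx"]))
    # Illustrative SHA-256 variant (assumption; not SPDX 2.x conformant):
    print(package_verification_code(SAMPLE_LAYER, ["./layer.spdx"], "sha256"))
```

Two properties worth noting when implementing this for container layers: renaming a file without changing its bytes leaves the code unchanged, since only content digests are hashed, and the order in which files were read from the tarball is irrelevant because of the sort. Both follow directly from the spec's algorithm and are what make the code a stable identity for a file set across tools.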
