improve software integrity and verification documentation #602
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -4,11 +4,13 @@ SPDX-License-Identifier: Community-Spec-1.0 | |||||
|
|
||||||
| ## Summary | ||||||
|
|
||||||
| Used by SPDX producers to record the artifact’s gitoid: a canonical, unique, immutable identifier that can be used for software integrity verification. | ||||||
|
There was a problem hiding this comment. Obviously is not only a "gitoid", but any content identifier. There was a problem hiding this comment. It may be more appropriate to include an identifier tag in the syntax, like IANA uses to qualify identifier types - similar to what SPDX does today : dns:www.foo.com SHA256:....... There was a problem hiding this comment. There are other content identifiers out there, as Alexios points out. Let's handle the broadening as a separate PR though, and move this forward. The original had gitoid in it, and is just restructured here. There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| Used by SPDX consumers to verify the identity and integrity of a software artifact they received. | ||||||
|
|
||||||
| ## Description | ||||||
|
|
||||||
| **For SPDX Producers:** The contentIdentifier is a canonical, unique, immutable artifact identifier for each software artifact. The ContentIdentifier for any software artifact can be calculated and recorded in SPDX 3.0 Snippet, File, or Package Elements. For additional information, see [OmniBOR](https://omnibor.io): an attempt to standardize how software artifacts are identified independent of which programming language, version control system, build tool, package manager, or software distribution mechanism is in use. | ||||||
|
|
||||||
| The contentIdentifier is defined as the [Git Object Identifier](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) (gitoid) of type `blob` of the software artifact. The use of a git-based version control system is not necessary to calculate a contentIdentifier for any software artifact. | ||||||
|
There was a problem hiding this comment. I disagree that There was a problem hiding this comment. Note that not all content identifiers support use in verification. We would also need to somehow specify which content identifier is used (e.g. the enumeration of supported content identifiers). There was a problem hiding this comment. That appears similar to how SPDX handles this today with the SHA* identifying tags accompanying a hash value in an SBOM There was a problem hiding this comment. @zvr - Let's move forward with this definition and open a separate issue to include better support for SWHID after RC2 - just trying to get RC2 released. There was a problem hiding this comment. We can remove gitoid and leave generic "unique, immutable artifact identifier" or we can mention both gitoid and swhid that we already know of. There was a problem hiding this comment. I'm not objecting just because I don't want SWHIDs to be forgotten: There was a problem hiding this comment. My recollection of the discussions on this topic from last year were that for v3.0 we would specify gitoid as the default but that the structures and definitions would be generalized (as @zvr is suggesting above) to enable addition of other possible types post v3.0 without breaking backward compatibility. In other words, I agree that the definitions should be generalized and not locked to one approach. |
||||||
|
|
||||||
|
|
@@ -18,7 +20,11 @@ The gitoid is expressed in the ContentIdentifier property by using the IANA [git | |||||
| Scheme syntax: gitoid":"<git object type>":"<hash algorithm>":"<hash value> | ||||||
| ``` | ||||||
|
|
||||||
| The OmniBOR ID for the OmniBOR Document associated with a software artifact must NOT be recorded in this field. Rather, OmniBOR IDs should be recorded in the SPDX Element's ExternalIdentifier property. See [https://omnibor.io](https://omnibor.io) for more details. | ||||||
|
|
||||||
| **For SPDX Consumers:** The integrity of software objects can be verified by calculating the gitoid(s) (`git hash-object foo`) of the object(s) and comparing the results to the value stored in the SPDX contentIdentifier field. ContentIdentifiers are canonical: Omnibor specifies a reproducible algorithm for anyone with the software object to perform this calculation. ContentIdentifiers are unique: the gitoid value is the result of a specific implementation of a one-way hash function. If the calculated gitoid value is the same as the gitoid value stored in SPDX, you can be sure it’s the same software. ContentIdentifiers are immutable: if a software object changes the resulting contentIdentifier will differ. These properties enable the verification of software integrity between producer and consumer using SPDX. | ||||||
|
|
||||||
|
|
||||||
|
|
||||||
| ## Metadata | ||||||
|
|
||||||
|
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not think that these sort of case specific details should be placed here.
This is the general structure to be used across SPDX.
Placing case specific variations here is likely to lead to an eventual laundry list of such specializations.
I propose that it would be more appropriate to add this note to the markdown files for the case specific structures (SoftwareArtifact, File, Package, Snippet).