Generalize contentIdentifier for SoftwareArtifact integrity verification #611
Signed-off-by: Alexios Zavras (zvr) <[email protected]>
Overall, this looks like a consistent approach to contentIdentifier. The only downside I can see over the current state is with a choice, consumers of the SBOMs would need to be able to calculate all of the (two) methods to verify since we wouldn't know which one is provided.
One possible solution to the above downside would be to create an "Integrity" profile which specifies the property as required and limits the range to only one value. This could be a post RC2 improvement.
If the presumption is that content identifiers can ALWAYS be reduced to a single serialized string, then this approach seems to be the best solution to this issue.
Based on discussions in the tech call and in the security meeting the week of 12 Feb, we are going to go with the gitoid renaming for RC2 and retarget the more general discussion for after RC2. This is primarily due to the amount of thought and review needed for the more general approach and the lack of availability of key individuals for discussion.
@zvr - is this stale, or is something still being requested?
@zvr to fix up conflicts, but we need discussion with Sean & Jeff before merging.
I believe this PR has been overcome by other decisions.
While significant discussion occurred on this topic, which resulted in a modified version of the concept in this PR that was clear, simple and preferred by the majority of those involved in the discussions, a decision was made to add an explicitly dedicated 'gitoid' property to SoftwareArtifact for SPDX 3.0.
I believe this PR should be closed without approval.
I will re-work it and probably make a new one without conflicts, but there was never any decision that only
See #701
Adds a general contentIdentifier type system to support various types.
Note that the actual value of an identifier (`contentIdentifierValue` in a `ContentIdentifier`) is defined to be of type `xsd:string`. The two current available types both produce `xsd:anyURI`, but maybe we want to keep our options open for the future. The description of the types was copied from `/Core/ExternalIdentifierType`; I simplified the `swhid` entry since we only consider content in this context.
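As an added example (not code from this PR or the spdx-3-model project), here is the consumer-side check the first review comment describes: an SBOM reader that must be able to recompute whichever identifier type a `ContentIdentifier` carries. The URI forms (`gitoid:blob:<algo>:<hex>` and `swh:1:cnt:<hex>`), the dict layout and the `contentIdentifierType` values are assumptions.

```python
# Added example (not SPDX project code): verify a SoftwareArtifact's
# contentIdentifier of either assumed type, gitoid:blob:<algo>:<hex> or swh:1:cnt:<hex>.
import hashlib
import hmac

def git_blob_digest(content: bytes, algo: str = "sha1") -> str:
    # git object id: hash of the header "blob <size>\0" followed by the bytes
    h = hashlib.new(algo)
    h.update(b"blob %d\0" % len(content))
    h.update(content)
    return h.hexdigest()

def gitoid(content: bytes, algo: str = "sha1") -> str:
    return f"gitoid:blob:{algo}:{git_blob_digest(content, algo)}"

def swhid_cnt(content: bytes) -> str:
    # SWHID content identifiers reuse the git blob sha1
    return f"swh:1:cnt:{git_blob_digest(content, 'sha1')}"

def verify_content_identifier(content: bytes, ident: dict) -> bool:
    """ident mirrors the PR's ContentIdentifier: a type plus a string value."""
    ctype = ident.get("contentIdentifierType")
    value = ident.get("contentIdentifierValue", "")
    if ctype == "gitoid":
        parts = value.split(":")
        if len(parts) != 4 or parts[:2] != ["gitoid", "blob"] or parts[2] not in ("sha1", "sha256"):
            return False
        expected = gitoid(content, parts[2])
    elif ctype == "swhid":
        expected = swhid_cnt(content)
    else:
        return False  # unknown type: cannot be recomputed, so treat as a failure
    return hmac.compare_digest(expected.encode(), value.encode())

def verify_artifact(content: bytes, artifact: dict) -> bool:
    # Accept only if at least one identifier is declared and every one matches the bytes.
    ids = artifact.get("contentIdentifier", [])
    return bool(ids) and all(verify_content_identifier(content, i) for i in ids)

# Constructed sample: a SoftwareArtifact record declaring both identifier types
SAMPLE_CONTENT = b"hello\n"
SAMPLE_ARTIFACT = {"type": "File", "name": "hello.txt", "contentIdentifier": [
    {"contentIdentifierType": "gitoid",
     "contentIdentifierValue": "gitoid:blob:sha1:ce013625030ba8dba906f756967f9e9ca394464a"},
    {"contentIdentifierType": "swhid",
     "contentIdentifierValue": "swh:1:cnt:ce013625030ba8dba906f756967f9e9ca394464a"}]}
```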