SPDX 2->3 conversion of filesAnalyzed #84

armintaenzertng · 2023-02-22T15:10:19Z

Part of #74:

There is no integrity profile to take the place of requiring checksums for files. Some uses of filesAnalyzed indicate that a certain level of tooling was applied to the source. We would lose this information if this field is removed.

Gary's comment from #74:

I wonder if the build profile would service this purpose?

Brandon Lum's comment from #74:

The build profile has some established relationships on the files themselves. So the information would be encodable by the build profile relationships. However, that is just the ability to express the relationship. I'd be curious to discuss what the integrity story would look like (as it ties into verification). I think that's probably something to discuss... since with the build profile the granularity of identities may be more granular and harder to manage.

goneall · 2023-07-28T23:37:04Z

Kate and I discussed this - perhaps we should introduce an "Integrity Profile" in release 3.1.

armintaenzertng mentioned this issue Feb 22, 2023

Potential punch list for issues regarding the SPDX2->3 conversion #74

Closed

9 tasks

maxhbr added v2-compatibility Profile:Software labels Mar 24, 2023

kestewart added this to the 3.0 milestone May 6, 2023

goneall modified the milestones: 3.0, 3.0-rc2 Jul 28, 2023

goneall added the Profile:Build label Jul 28, 2023

goneall modified the milestones: 3.0-rc2, 3.1 Jul 28, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SPDX 2->3 conversion of filesAnalyzed #84

SPDX 2->3 conversion of filesAnalyzed #84

armintaenzertng commented Feb 22, 2023 •

edited

Loading

goneall commented Jul 28, 2023

SPDX 2->3 conversion of filesAnalyzed #84

SPDX 2->3 conversion of filesAnalyzed #84

Comments

armintaenzertng commented Feb 22, 2023 • edited Loading

goneall commented Jul 28, 2023

armintaenzertng commented Feb 22, 2023 •

edited

Loading