Proposal for digitally signing SPDX 3.0 documents #67

@kestewart

Description

This was https://bugs.linuxfoundation.org/show_bug.cgi?id=1189
Moving it here so we don't lose track of it, but this is likely to be handled by other projects outside SPDX (OpenChain, SParts (w/ Hyperledger), etc.)

Gary O'Neall 2014-03-27 23:01:44 UTC
Based on the discussion at LinuxCon:
Problem statement - Today, there is no way to validate whether SPDX document(s) which have been reviewed have been modified after the review (either the file described by the SPDX document(s) or the metadata in the SPDX document(s)).

Proposal to have a documented best practice for creating a separate file outside of the SPDX documents being reviewed. This document would contain the file names and sha1 checksums for all SPDX documents which have been reviewed (NOTE: This should include any externally referenced SPDX documents). Additional reviewer comments/annotations would also be included in this separate file. The resultant file could be digitally signed.

Jeremiah C. Foster 2014-03-28 08:48:56 UTC
+1

As an example (only as an example, I'm not saying one has to copy this) here is a URL to a Debian "description" file for the Tomcat package: http://ftp.de.debian.org/debian/pool/main/t/tomcat6/tomcat6_6.0.35-6+deb7u1.dsc

It has the properties described in the original bug description for 1189.

Kate Stewart 2015-03-03 19:01:01 UTC
This will be addressed after 2.0 is available.
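The following is an added example, not code from the SPDX project or from anyone in this thread. It shows the core of Gary O'Neall's proposal in working form: a separate review manifest that records the file name, size and sha1 checksum of every reviewed SPDX document (including an externally referenced one) together with free-form reviewer annotations, and a verifier that reports which documents were modified after the manifest was produced. The stanza layout (Reviewer, Files, Annotations) is a hypothetical format loosely modelled on the Debian `.dsx`-style control file Jeremiah points at; the sample SPDX documents are constructed in a temporary directory. The signature step is deliberately left to an external tool: the manifest text returned by `build_manifest` is exactly what you would clearsign or detach-sign (for instance with gpg, as Debian does for `.dsc` files), and verifying that signature happens before `verify_manifest` is run.

```python
"""Review manifest for a set of SPDX documents (added example, hypothetical format)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha1_of_file(path: str) -> str:
    """Stream a file through sha1 so large SPDX documents need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(spdx_paths: List[str], reviewer: str, annotations: List[str]) -> str:
    """Return the manifest text to be signed: one line per reviewed document
    (sha1, size, basename) under 'Files:', then the reviewer's annotations.
    Entries are sorted so the signed bytes do not depend on argument order."""
    lines = [f"Reviewer: {reviewer}", "Files:"]
    for p in sorted(spdx_paths):
        lines.append(f" {sha1_of_file(p)} {os.path.getsize(p)} {os.path.basename(p)}")
    lines.append("Annotations:")
    for a in annotations:
        lines.append(f" {a}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, Tuple[str, int]]:
    """Read the 'Files:' stanza back into {basename: (sha1, size)}."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_files = False
    for line in text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if not line.startswith(" "):      # any other header ends the stanza
            in_files = False
            continue
        if in_files:
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries


def verify_manifest(text: str, directory: str) -> Dict[str, str]:
    """Compare every listed document in `directory` against the manifest.
    Returns {basename: 'ok' | 'modified' | 'missing'}."""
    results: Dict[str, str] = {}
    for name, (digest, size) in parse_manifest(text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size or sha1_of_file(path) != digest:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed scenario: a package document and the external SPDX document it
    references are reviewed, then the package document is edited after the review.
    Returns the verification results (before edit, after edit)."""
    with tempfile.TemporaryDirectory() as d:
        main_doc = os.path.join(d, "package.spdx")
        ext_doc = os.path.join(d, "dependency.spdx")
        with open(main_doc, "w") as f:          # constructed sample content
            f.write("SPDXVersion: SPDX-2.0\nPackageName: example\n")
        with open(ext_doc, "w") as f:           # constructed external reference
            f.write("SPDXVersion: SPDX-2.0\nPackageName: libexample\n")
        manifest = build_manifest(
            [main_doc, ext_doc],
            "reviewer@example.org",             # hypothetical reviewer identity
            ["Licenses match the source file headers."],
        )
        before = verify_manifest(manifest, d)
        with open(main_doc, "a") as f:          # post-review modification
            f.write("PackageLicenseConcluded: MIT\n")
        after = verify_manifest(manifest, d)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before edit:", before)
    print("after edit: ", after)
```

The manifest intentionally lives outside the SPDX documents, so the documents themselves are untouched and a reviewer's signature over the manifest covers both the file checksums and the annotations at once. Because the manifest lists externally referenced documents too, a change to a dependency's SPDX file is caught the same way as a change to the main document.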
