Code Monkey home page Code Monkey logo

Comments (4)

maxhbr avatar maxhbr commented on August 20, 2024

verifiedUsing is also part of ExternalMap, and there it does not (necessarily) apply to a sequence of bytes?

from spdx-3-model.

iamwillbar avatar iamwillbar commented on August 20, 2024
  • "verifiedUsing" always applies to content (sequence of bytes), never to metadata (element properties)
    This is true today, but subject to the proposal from the canonicalization subgroup.
  • only Artifact element types have content. (Annotation, Relationship, Collection, Actor, and Identity do not.)
    This is not necessarily true, for example, if we were to add a PublicKey subclass of IntegrityMethod then the content of an Annotation could be digitally signed and the PublicKey used to verify it. Future subclasses of Element in other profiles may have content that can be verified. We didn't want to restrict this capability to only Artifacts.
  • gitoid is a hash algorithm and can be added to verifiedUsing algorithm list (hashes can be used as content unique ids, but not as artifact ids)
    Yes, I believe that's true. Can you check with Jeff and if he agrees, propose what the enum value should be?
  • multiple artifacts that have the identical content / hash can be linked using a COPY relationship
    Correct. The addition of the contentIdentifier as discussed last Friday will also help identify identical content even in the absence of a relationship.
  • verifiedUsing is not a content unique identifier because different signatures apply to the same content. But it does apply only to content (including hardware), not to metadata.
    Correct.

@maxhbr in today's implementation the verifiedUsing in ExternalMap would be a sequence of bytes, however, when canonicalization is in place it may be a canonical hash instead.

from spdx-3-model.

armintaenzertng avatar armintaenzertng commented on August 20, 2024

If I understand @iamwillbar's comment correctly, verifiedUsing will not be moved to Artifact, so this issue can be closed, right?

The only remaining todo I can glean from this discussion is whether gitoid should be a supported HashsumAlgorithm. Is this still under consideration?

from spdx-3-model.

kestewart avatar kestewart commented on August 20, 2024

Agree with @armintaenzertng , and closing this issue for now. If there are still open discussions points, please open a new issue more focused.

from spdx-3-model.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.