File checksum mentioned in SPDX report

Open-Source-Compliance / package-analysis

This repo contains license and copyright analysis results of open source packages. It further contains other license compliance relevant artifacts, which might be of value for others

https://www.osselot.org/

Other

37 stars 21 forks source link

File checksum mentioned in SPDX report #125

Closed vcmgc27 closed 4 months ago

vcmgc27 commented 4 months ago

Hi Team, Trying to understand on the file checksum attached to SPDX report. How this will be useful in case of compliance and will it not get changed when you pack and unpack it in another instance/system? Also, how this is created from your end? Please provide answers to the above question, so that it will be helpful for me to use it in my projects.

Thanks Gowtham C

OliverFendt commented 4 months ago

Hi Gowtham C, thank you for your question. The sha1 checksums are generated for the file, they do no change if you isolate the file. This is what I checked. The checksums in the tag value files are generated with FOSSology, these are reused when converting the tag value files in the other formats. The same applies to sha256 and MD5. I hope that helps. If you don't mind I would be glad to learn a bit about the workflow you are following/implementing in your projects

OliverFendt commented 4 months ago

I close the issue now, because there is no feedback and I provided the information, which was asked for

OliverFendt commented 4 months ago

As commented earlier