Re: Package Verification Code (section 4.7)

Gary O'Neall

Hi Marc-Etienne,

Responses inline below....

An example implementation of the 1.1 verification code can be found at;a=blob;f=src/org/spdx/rdfparser/Verifi;h=3c15b8b420fa1a5d5c5ed72d548c0cb43330d28c;hb=HEAD


-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On
Behalf Of Marc-Etienne Vargenau
Sent: Tuesday, June 19, 2012 7:33 AM
To: spdx@...
Subject: Package Verification Code (section 4.7)


The text of Package Verification Code (section 4.7) has been changed from
SPDX 1.0 to SPDX 1.1 draft.

1) Does that mean that the algorithm changed or is it just described better?
[Gary] See bug 968 (
for a description of the problems and fixes in the Package Verification code

2) After sorting, the CR/LF must be removed before applying SHA1?
[Gary] Correct

3) The text in SPDX 1.1 draft refers to "normalized_filename"
but this is no longer defined.
[Gary] This is probably a bug in the spec - if you don't mind, go ahead and
add a bug for this. BTW - the normalized filename was more critical in the
previous algorithms since it included the filename in the checksum
calculation. A fix for the documentation may just be removing the
reference and calling it just a filename.

Best regards,


Marc-Etienne Vargenau
Alcatel-Lucent France, Route de Villejust, 91620 NOZAY, FRANCE
+33 (0)1 30 77 28 33, Marc-Etienne.Vargenau@...
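
The calculation as confirmed in the replies above, as an added Python example that is not the SPDX tools' code or either poster's: per-file SHA1 values are sorted, joined with no CR/LF between them, and hashed again, with filenames left out of the input. The function names, the sample files and the excluded `pkg.spdx` document are assumptions made for the example.

```python
import hashlib
import os
import tempfile


def file_sha1(path):
    """Lowercase hex SHA1 of a file's bytes."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def package_verification_code(root, excluded=()):
    """Sort the per-file SHA1s, join them with no CR/LF, SHA1 the result."""
    skip = {os.path.normpath(p) for p in excluded}
    digests = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.normpath(os.path.relpath(full, root)) in skip:
                continue  # assumed case: an SPDX document shipped in the package
            digests.append(file_sha1(full))
    digests.sort()
    # Only content hashes are fed in; filenames are not part of the input.
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()


def demo():
    """Constructed sample package: what does and does not change the code."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        for rel, data in (("src/a.c", b"int main(void){return 0;}\n"),
                          ("README", b"constructed sample\n")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        base = package_verification_code(root)
        os.rename(os.path.join(root, "README"), os.path.join(root, "README.txt"))
        renamed = package_verification_code(root)
        with open(os.path.join(root, "pkg.spdx"), "wb") as f:  # hypothetical name
            f.write(b"SPDXVersion: SPDX-1.1\n")
        with_doc = package_verification_code(root, excluded=["pkg.spdx"])
        with open(os.path.join(root, "src", "a.c"), "ab") as f:
            f.write(b"/* tampered */\n")
        tampered = package_verification_code(root, excluded=["pkg.spdx"])
    return {"base": base, "renamed": renamed, "with_doc": with_doc, "tampered": tampered}
```

Because only content hashes enter the calculation, a verifier comparing this value detects modified file contents but not a renamed or moved file.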