Re: Proposed spec for external packages
On Tue, Aug 4, 2015 at 3:18 PM, Jeremiah Foster <jeremiah.foster@...> wrote:
There is no SPDX tag, per se. An SPDX document for a package contains hash codes at the file level (SHA1, SHA256), as well as an algorithm for a verification code to be generated from the component files at the package level.
In Section 3 (Package Section) see 3.8 Package Verification Code and 3.9 Package Checksum.
In Section 4 (File Section) see 4.4 File Checksum.
The proposal is to add cross link to other databases where security information is being tracked already.
Today this is primarily through the CPE; however, NIST is reviewing the SWID proposal to be used, and so linking to the software identifier tag (SWID tag) seems to be useful from a security vulnerability tracking perspective, i.e. let's not duplicate work, but rather make others' work easy to find.
There is another proposal already in discussion to include external identifiers which include the Debian, Fedora, Maven, etc. repositories.
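As an added illustration of the file-level checksums and the package-level verification code mentioned above (example code, not from this thread or from the SPDX project), the following Python computes a verification code the way I understand the SPDX 2.x specification describes it: SHA1 each non-excluded file, sort the lowercase hex digests, concatenate them with no separator, and SHA1 the resulting string. The file contents, file names and the `ExcludedFiles` entry are constructed for the example; `verify_package` is a hypothetical helper showing how a consumer would re-derive the code from a checkout and compare it with the value recorded in an SPDX document.

```python
import hashlib
from typing import Dict, Iterable


def sha1_hex(data: bytes) -> str:
    """Lowercase hex SHA1, the form SPDX uses for FileChecksum and the verification code."""
    return hashlib.sha1(data).hexdigest()


def file_checksums(files: Dict[str, bytes]) -> Dict[str, str]:
    """File-level checksums (SPDX 'FileChecksum: SHA1: ...' values), keyed by relative path."""
    return {path: sha1_hex(content) for path, content in files.items()}


def package_verification_code(files: Dict[str, bytes], excluded: Iterable[str] = ()) -> str:
    """Package verification code as I understand SPDX 2.x section 3.9 (3.8 in older numbering).

    Assumption: SHA1 over the concatenation of the sorted per-file SHA1 hex strings,
    skipping any file listed as excluded (typically the SPDX document itself).
    Sorting makes the result independent of directory traversal order.
    """
    excluded = set(excluded)
    digests = sorted(sha1_hex(content) for path, content in files.items() if path not in excluded)
    return sha1_hex("".join(digests).encode("ascii"))


def verify_package(files: Dict[str, bytes], recorded_code: str, excluded: Iterable[str] = ()) -> bool:
    """Recompute the code from the files on hand and compare with the value in the SPDX document.

    Hypothetical helper: a mismatch means the file set differs from what the document
    describes (added, removed or modified files), so other metadata in the document
    should not be assumed to apply to this checkout.
    """
    return package_verification_code(files, excluded) == recorded_code.lower()


def spdx_tag_value_lines(files: Dict[str, bytes], excluded: Iterable[str] = ()) -> str:
    """Render the relevant tag/value lines for a package (constructed layout, for illustration)."""
    excluded = list(excluded)
    suffix = " (excludes: " + " ".join(excluded) + ")" if excluded else ""
    lines = ["PackageVerificationCode: " + package_verification_code(files, excluded) + suffix]
    for path, digest in sorted(file_checksums(files).items()):
        lines.append("FileName: ./" + path)
        lines.append("FileChecksum: SHA1: " + digest)
    return "\n".join(lines)


# Constructed sample package: two source files plus the SPDX document that describes them.
SAMPLE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"example package\n",
    "example.spdx": b"SPDXVersion: SPDX-2.0\n",
}
EXCLUDED = ["example.spdx"]


if __name__ == "__main__":
    print(spdx_tag_value_lines(SAMPLE_FILES, EXCLUDED))
    code = package_verification_code(SAMPLE_FILES, EXCLUDED)
    print("verifies unchanged checkout:", verify_package(SAMPLE_FILES, code, EXCLUDED))
    tampered = dict(SAMPLE_FILES, **{"src/main.c": b"int main(void) { return 1; }\n"})
    print("verifies tampered checkout:", verify_package(tampered, code, EXCLUDED))
```

The exclusion matters in practice: the SPDX document usually ships inside the package it describes, and since the document contains the verification code it cannot be part of the input to that code without becoming circular.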