Questions About Generating Component Checksums for SPDX Compliance #118

Open
agustingroh opened this issue Nov 5, 2024 · 1 comment
@agustingroh

Hello,

Our team is developing a tool to produce a valid SPDX output that complies with the OpenChain Telco Guide.

We have some questions about the checksums field:

  1. How can we obtain the checksum for each component?
  2. What should we do for components that are custom-created or not hosted on GitLab or GitHub? How can we generate their checksum?

Regards,
Agustin

@agustingroh agustingroh added the question Further information is requested label Nov 5, 2024
@vargenau vargenau self-assigned this Nov 18, 2024
@vargenau
Collaborator

Hi @agustingroh
You will find in
https://github.com/spdx/spdx-spec/blob/support/2.3.1/chapters/how-to-use.md#k3-verifying-spdx-packages
some information on how to compute the checksum.
In any case, you will need some access to the package code to be able to compute the checksum.

I will include this topic in our next meeting of the OpenChain Telco work group in December.
You are welcome to join.
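
For the second question in the issue (components that are custom-created or not hosted on GitHub/GitLab), the sketch below is an added example, not code from this project or from the SPDX specification. It assumes the component is available locally as an archive or as a source tree, emits SPDX 2.3 JSON `checksums` entries, and goes one step further by computing the SPDX 2.3 package verification code for a tree that has no single archive. The function names are hypothetical.

```python
import hashlib
from pathlib import Path

# SPDX 2.3 algorithm label -> hashlib name (subset chosen for this example)
ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256"}


def file_digest(path, hashlib_name):
    """Hash a file in 1 MiB chunks so large archives need not fit in memory."""
    h = hashlib.new(hashlib_name)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def spdx_checksums(archive_path, algorithms=("SHA1", "SHA256")):
    """Entries for a package's 'checksums' array in SPDX 2.3 JSON.

    The digest covers the exact bytes of the archive as distributed, so it
    must be computed on the same file that consumers will receive.
    """
    return [
        {"algorithm": a, "checksumValue": file_digest(archive_path, ALGORITHMS[a])}
        for a in algorithms
    ]


def package_verification_code(root, excluded=()):
    """SPDX 2.3 package verification code for an unpacked source tree.

    SHA1 every file, sort the lowercase hex digests, concatenate them with
    no separator, and SHA1 the result. 'excluded' holds paths relative to
    root, typically the SPDX document itself when it ships in the package.
    Skipping symlinks is a choice made by this example.
    """
    root = Path(root)
    skip = {(root / e).resolve() for e in excluded}
    digests = sorted(
        file_digest(p, "sha1")
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink() and p.resolve() not in skip
    )
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()
```

Any path passed in `excluded` should also be listed in the document's `packageVerificationCodeExcludedFiles` so a consumer can reproduce the value.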
