Obviously any broken symbolic link would cause an error if you try to compute a hash on it.
But there are more subtle issues as well. What if the link is valid but points to something outside of the package? If it points to something inside the package then you'll be computing the hash twice on the same file, which doesn't make a lot of sense.
The SPDX spec does not provide clear direction on this issue. Research pulled up this issue in the SPDX spec repository indicating that the community has not definitively settled on a single approach.
The most reasonable approach, which we will do here, is to exclude all symbolic links from the computation of the verification code and to put all of the links in the excluded file list. That at least makes it very clear to the reader how the code was computed.
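The approach described above, sketched in Python as an added example (it is not the project's own code, and the function names here are hypothetical). It assumes the SPDX 2.x algorithm: SHA-1 each file, sort the hex digests, concatenate them without separators, and SHA-1 the result. Every symbolic link is skipped and reported in the excluded list.

```python
import hashlib
import os
import tempfile


def file_sha1(path):
    """SHA-1 of one regular file, read in chunks, as lowercase hex."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def package_verification_code(root):
    """Return (code, excluded): verification code and the skipped symlinks."""
    hashes, excluded = [], []
    # followlinks=False: never descend through a symlinked directory.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories are listed in dirnames, so check both lists.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = "./" + os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path):
                # Covers broken links, links that leave the package, and
                # links to files inside it (which would be hashed twice).
                excluded.append(rel)
            elif os.path.isfile(path):
                hashes.append(file_sha1(path))
    # Sort the hex digests, join with no separator, hash the joined string.
    code = hashlib.sha1("".join(sorted(hashes)).encode("ascii")).hexdigest()
    return code, sorted(excluded)


def demo():
    """Constructed sample package: two files plus three kinds of symlink."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        for rel, data in (("src/a.txt", b"alpha\n"), ("b.txt", b"beta\n")):
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        os.symlink("src/a.txt", os.path.join(root, "inside"))  # in-package target
        os.symlink("/nonexistent/target", os.path.join(root, "broken"))
        os.symlink(tempfile.gettempdir(), os.path.join(root, "outside"))
        return package_verification_code(root)


if __name__ == "__main__":
    print(demo())
```

Because the links never enter the hash, the code stays the same whether or not their targets exist on the machine that verifies the package.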
* On further review of the SPDX specification, updated the algorithm for computing a package verification code
* Replaced the function spdxchecksum() with ComputePackageVerificationCode() and ComputeFileChecksum()
* Resolved #40: Handling of symbolic links when computing the package verification code
* Resolved #29: Support checksum calculation on a single file
* Resolved #28: Use the Logging standard library to record all the files processed and their checksums