
Multiple checksums per entity allowed by spec, but not supported by File and Package classes

Open njv299 opened this issue 4 years ago • 2 comments

The SPDX spec allows for multiple checksums to be provided for Packages and Files, but the current Package and File classes only allow a single value to be specified.

See the 'Cardinality' section of the following sections of the spec:

njv299, Jul 22 '21 15:07

Just adding a note here, from the SPDX Docfest on Sept. 16 -- looks like this issue leads to errors for valid SPDX documents if they include a FileChecksum with the mandatory SHA1, together with additional optional FileChecksums such as SHA256.

swinslow, Sep 16 '21 15:09

https://github.com/spdx/tools-python/pull/197 can serialize multiple checksums. Parsing them back in is additional work.

dholth, Nov 16 '21 16:11
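An added example, not part of the thread and not tools-python code: a stand-alone reader for SPDX tag-value `FileChecksum` lines that keeps every checksum per file rather than a single value, then verifies file content against each one. The function names and the sample document are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: one file entry carrying the mandatory SHA1 plus an
# optional SHA256, in SPDX tag-value syntax.
CONTENT = b"hello spdx\n"
SAMPLE = "\n".join([
    "FileName: ./hello.txt",
    "SPDXID: SPDXRef-hello",
    "FileChecksum: SHA1: " + hashlib.sha1(CONTENT).hexdigest(),
    "FileChecksum: SHA256: " + hashlib.sha256(CONTENT).hexdigest(),
])

CHECKSUM_RE = re.compile(r"^FileChecksum:\s*([A-Za-z0-9]+):\s*([0-9a-fA-F]+)\s*$")


def parse_file_checksums(text):
    """Return {file name: {algorithm: hex digest}}, keeping every FileChecksum."""
    files, current = {}, None
    for line in text.splitlines():
        if line.startswith("FileName:"):
            current = files.setdefault(line.split(":", 1)[1].strip(), {})
            continue
        m = CHECKSUM_RE.match(line)
        if m:
            if current is None:
                raise ValueError("FileChecksum before any FileName")
            algo, digest = m.group(1).upper(), m.group(2).lower()
            # The same algorithm listed twice with different values is an error.
            if current.get(algo, digest) != digest:
                raise ValueError(f"conflicting {algo} values for one file")
            current[algo] = digest
    return files


def verify(data, checksums):
    """Check data against every declared checksum; SHA1 must be present."""
    if "SHA1" not in checksums:
        raise ValueError("SHA1 is mandatory for FileChecksum")
    results = {}
    for algo, expected in checksums.items():
        if algo.lower() not in hashlib.algorithms_available:
            results[algo] = None  # declared, but this Python build cannot compute it
            continue
        results[algo] = hashlib.new(algo.lower(), data).hexdigest() == expected
    return results
```

A `None` result means the algorithm was declared but could not be checked locally, which a consumer should treat differently from a mismatch (`False`).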