
[suggestion] SHA1 for about_resource field

Open maxbrito opened this issue 6 years ago • 2 comments

Hello,

I've been having difficulty in applying the about_resource field for customer code. The major hurdle is that the same binaries are duplicated across the project (e.g. folder for .war release, folder for binary release, folder used in development release).

This situation forces us to triplicate the same ABOUT file and isn't practical. It gets worse when we try to include the path in the license_file field because then the relative paths are not the same.

One possible way forward would be through an optional field for SHA1 signatures. When a hash is specified, the matching files within the software project folders would be marked as belonging to this ABOUT file.

For example:

about_resource: gson-2.8.0.jar
about_resource_sha1: c4ba5371a29ac9b2ad6129b1d39ea38750043eff

This way we can have an ./inventory/items/ folder on the project root where the collection of ABOUT files can be neatly placed and delivered to end-users. This way no matter how often duplicated or moved, these files end up getting the expected match.

The spec already has checksum_sha1; perhaps it can be re-purposed for this goal rather than just for downloaded files?

Many thanks for taking this into consideration.

maxbrito avatar Feb 26 '18 16:02 maxbrito
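
The hash-based matching proposed in the post above, as an added example (not code from the post or from aboutcode-toolkit). It assumes the hypothetical `about_resource_sha1` field, a simplified `key: value` reader rather than the toolkit's parser, and a constructed sample tree; files that no ABOUT file claims are reported separately so gaps in the inventory stay visible.

```python
import hashlib
import tempfile
from pathlib import Path

FIELD = "about_resource_sha1"  # hypothetical field proposed in this issue

def sha1_of(path):
    """Stream the file so large binaries are not loaded into memory at once."""
    h = hashlib.sha1()  # SHA-1 as proposed in the issue; hashlib.sha256 drops in the same way
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def load_inventory(items_dir):
    """Map digest -> ABOUT file name, reading simple 'key: value' lines."""
    index = {}
    for about in sorted(Path(items_dir).glob("*.ABOUT")):
        for line in about.read_text(encoding="utf-8").splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() == FIELD:
                index[value.strip().lower()] = about.name
    return index

def match_tree(root, items_dir):
    """Return ({ABOUT file: [relative paths]}, [files no ABOUT file claims])."""
    index, matched, unmatched = load_inventory(items_dir), {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or Path(items_dir) in path.parents:
            continue  # skip directories and the inventory folder itself
        rel = path.relative_to(root).as_posix()
        about = index.get(sha1_of(path))
        (matched.setdefault(about, []) if about else unmatched).append(rel)
    return matched, unmatched

def demo():
    """Constructed tree: one binary duplicated across three release folders."""
    with tempfile.TemporaryDirectory() as tmp:
        root, payload = Path(tmp), b"constructed stand-in for gson-2.8.0.jar"
        for folder in ("war/WEB-INF/lib", "dist/lib", "dev/lib"):
            (root / folder).mkdir(parents=True)
            (root / folder / "gson-2.8.0.jar").write_bytes(payload)
        (root / "dev" / "unknown.jar").write_bytes(b"not in the inventory")
        items = root / "inventory" / "items"
        items.mkdir(parents=True)
        about = f"about_resource: gson-2.8.0.jar\n{FIELD}: {hashlib.sha1(payload).hexdigest()}\n"
        (items / "gson.ABOUT").write_text(about, encoding="utf-8")
        return match_tree(root, items)
```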

@maxbrito Thanks for your input. One possible solution is to use about_resource_path to declare where the reference components are located, and put the ABOUT files in the project root as you suggested. That way we only need to create one ABOUT file and reference all the duplicated components in the ABOUT files.

Your suggestion is good, as the above solution may not work very well if users move the component around the codebase after the ABOUT file is generated (i.e. whenever a user moves a component, the ABOUT file needs to be updated). However, your suggestion loses the simplicity of letting the user easily identify where the component is located, since no path value is present.

Anyway, thanks for your suggestion. Your concern is noted and your suggestion will be taken into consideration.

chinyeungli avatar Feb 26 '18 22:02 chinyeungli

The current code gets rid of the about_resource_path key, and 1 ABOUT file will only reference one resource for simplicity. In other words, for your case, where the same binaries are duplicated across the project, multiple ABOUT files are needed.

I will keep this ticket open for reference to see if we want to change the current behavior.

chinyeungli avatar Oct 15 '19 05:10 chinyeungli

Closing this and re-entering it as https://github.com/nexB/aboutcode-toolkit/issues/566. The issue is about multiple references.

chinyeungli avatar Jul 17 '24 06:07 chinyeungli