nisha
@rnjudge Applied on behalf of SPDX. We could also apply for something like `application/org.spdx+json`. It's something we can bring up in the next SPDX tech meeting.
This is excellent news! Thanks @rnjudge for pushing this through! cc: @SteveLasker for OCI mediaTypes
@kestewart no but I think it would be great to have it @lumjjb
Although, on reading the text above, it looks like the problems are different: the original use case was to handle circular dependencies, whereas the build profile group was looking for...
> One comment on this, which I just realized:
> The current algorithm for the Package Verification Code is based on calculating a SHA1 sum from the sorted SHA1 values...
@tsteenbe @kestewart I can update this PR if that's OK.
@jonjohnsonjr thoughts?
> This bit explains that an index containing other media types is not an error:
>
> > Future versions of the spec MAY use a different mediatype (i.e. a...
> > The current proposal adds a singular `reference` to descriptors and image/index objects. I think this is cleaner in most cases, but it's not as concise as a list...
> > I think that's fine - this linkage/field is actually the reverse direction. So each SBOM would reference one artifact via this link. Then the artifact has multiple SBOMs...