Mediatype for SPDX should be application/spdx+json #3515

Open
lumjjb opened this issue Feb 2, 2024 · 6 comments
Labels: bug (Something isn't working), sbom

Comments

lumjjb commented Feb 2, 2024

Description

According to the IANA registration, the media type for SPDX JSON documents should be application/spdx+json

Currently, it is set to "text/spdx+json" in

Version

head

lumjjb added the bug label Feb 2, 2024
@viveksahu26
Contributor

Yes, the media type for spdx is text, whereas the media type for spdx+json is application,

@viveksahu26
Contributor

WDYT @haydentherapper ?

@haydentherapper
Contributor

Seems correct, just want to avoid any breaking changes on the verification path.

@viveksahu26
Contributor

No, it will not affect verification. Currently we have 2 ways to add an SBOM: one is `cosign attach sbom` (it doesn't sign) and the other is `cosign attest --type sbom` (it signs the SBOM). Changing the media type will only have to do with the attach one, not with the attest one. And for the verification process, the attest one has a way for verification, but the attach one does not.

@haydentherapper, one thing I wanted to ask: basically, `cosign attach sbom` will be deprecated on 22/02/2024, so will the change make sense or not?

@haydentherapper
Contributor

We don't need to continue to support anything that's been deprecated.

@viveksahu26
Contributor

Ok, let's close it.
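
Added example, not part of the thread and not cosign's own code: a consumer-side check that accepts both the IANA-registered `application/spdx+json` and the `text/spdx+json` value the issue reports, and flags the latter so a media type change does not silently break readers of already-attached SBOMs. The names `ClassifySBOMMediaType`, `SBOMFormat` and the constants are hypothetical; only the Go standard library is used.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// Media type strings taken from the issue: the IANA-registered value and the
// value the issue reports as currently set. Constant names are hypothetical.
const (
	SPDXJSONRegistered = "application/spdx+json"
	SPDXJSONLegacy     = "text/spdx+json"
)

// SBOMFormat is a hypothetical classification used only by this example.
type SBOMFormat int

const (
	Unknown SBOMFormat = iota
	SPDXJSON
)

// ClassifySBOMMediaType parses a layer or Content-Type media type and reports
// whether it denotes SPDX JSON and whether the legacy text/ form was used.
// Parameters (e.g. "; charset=utf-8") and case differences are ignored.
func ClassifySBOMMediaType(raw string) (format SBOMFormat, legacy bool, err error) {
	mt, _, err := mime.ParseMediaType(strings.TrimSpace(raw))
	if err != nil {
		return Unknown, false, fmt.Errorf("invalid media type %q: %w", raw, err)
	}
	switch mt { // ParseMediaType returns the type/subtype in lower case
	case SPDXJSONRegistered:
		return SPDXJSON, false, nil
	case SPDXJSONLegacy:
		return SPDXJSON, true, nil
	default:
		return Unknown, false, nil
	}
}

func main() {
	// Constructed sample inputs.
	for _, in := range []string{"application/spdx+json", "text/spdx+json; charset=utf-8", "TEXT/SPDX+JSON", "text/spdx", ""} {
		f, legacy, err := ClassifySBOMMediaType(in)
		fmt.Printf("%-32q spdx-json=%v legacy=%v err=%v\n", in, f == SPDXJSON, legacy, err)
	}
}
```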
