feat: add a hasher for spdx #476

Closed
frezbo wants to merge 1 commit into siderolabs:main from frezbo:feat/hasher-for-spdx


frezbo commented Jun 4, 2026

Member

Add a hasher similar to profile.Hash for spdx, this allows us to invalidate caches when we have an errata.

The current change to use hasher now has the effect that all existing ones are invalidated, since we dropped the spdx- prefix to align with how hashes are used for profiles too. So no errata are being added now.

Add a hasher similar to profile.Hash for spdx, this allows us to invalidate
caches when we have an errata.

The current change to use hasher now has the effect that all existing ones
are invalidated, since we dropped the `spdx-` prefix to align with how
hashes are used for profiles too. So no errata are being added now.

Signed-off-by: Noel Georgi <git@frezbo.dev>
Copilot AI review requested due to automatic review settings June 4, 2026 18:24
@github-project-automation github-project-automation Bot moved this to To Do in Planning Jun 4, 2026
@talos-bot talos-bot moved this from To Do to In Review in Planning Jun 4, 2026

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

//
// Operators are expected to use distinct cache repositories for OSS vs
// Enterprise deployments since the bundle content differs by build flavor.
func Hash(schematicID, version, arch string) string {
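Review bot: the signature `Hash(schematicID, version, arch string)` has no build-flavor input, while the comment directly above it says bundle content differs between OSS and Enterprise builds, so keeping the two apart depends entirely on operators configuring distinct cache repositories. Consider adding the flavor to the hashed inputs, or stating in the function comment what happens when a repository is shared, so that a misconfiguration cannot return one flavor's cached SPDX for the other.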

Member


I would like us to move way forward on this one, and do proper caching for SBOMs.

If we just depend on schematic IDs, two schematics with e.g. just a different kernel args will not produce same SBOM ID.

Let's reconsider this, probably @shanduur can help here.

It feels like we only need list of extensions from the schematic (plus overlay?), but let's do a proper tested hashing here to avoid recomputing the SPDX.

Same applies to scan results - if a scan is requested, if the SPDX hash is same, don't re-run the scan unless vulndb/VEX changed.

Member Author


> If we just depend on schematic IDs, two schematics with e.g. just a different kernel args will not produce same SBOM ID.

Ahhh that's bad already, we should rely on extensions only, overlays don't ship sboms, unless we want them to

Member


Yeah, schematicID is too fragile, we should cache on Version+Arch+Extensions.
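
An added illustration of the direction the thread above settles on (cache on Version+Arch+Extensions), not code from this PR or from the project. `Schematic`, `SBOMCacheKey` and the sample values are hypothetical, and it assumes extension order and duplicates do not affect SBOM content.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
)

// Schematic is a hypothetical, simplified stand-in for the project's type.
type Schematic struct {
	KernelArgs []string // does not change shipped packages: left out of the key
	Extensions []string // decides SBOM content: part of the key
}

// SBOMCacheKey (hypothetical name) hashes version, arch and the extension set.
func SBOMCacheKey(version, arch string, s Schematic) string {
	// Assumption: order and duplicates are irrelevant, so sort and de-duplicate.
	exts := append([]string(nil), s.Extensions...)
	sort.Strings(exts)

	h := sha256.New()
	// Length-prefix every field so ("ab","c") and ("a","bc") hash differently.
	write := func(field string) {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(field)))
		h.Write(n[:])
		h.Write([]byte(field))
	}
	write(version)
	write(arch)
	for i, e := range exts {
		if i == 0 || e != exts[i-1] {
			write(e)
		}
	}
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	// Constructed sample schematics: same extensions, different kernel args.
	a := Schematic{KernelArgs: []string{"console=ttyS0"}, Extensions: []string{"ext-b", "ext-a"}}
	b := Schematic{KernelArgs: []string{"quiet"}, Extensions: []string{"ext-a", "ext-b", "ext-a"}}
	fmt.Println(SBOMCacheKey("v1.0.0", "amd64", a) == SBOMCacheKey("v1.0.0", "amd64", b)) // true
}
```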

@smira smira moved this from In Review to On Hold in Planning Jun 15, 2026
@shanduur

Member

We can close this, right?

frezbo commented Jun 15, 2026

Member Author

> We can close this, right?

yes

@frezbo frezbo closed this Jun 15, 2026
@github-project-automation github-project-automation Bot moved this from On Hold to Done in Planning Jun 15, 2026
@frezbo frezbo deleted the feat/hasher-for-spdx branch June 15, 2026 16:24