Use gitoid for SoftwareArtifact integrity verification

[zvr]

This adds the gitoid property to SoftwareArtifact so that values can be recorded and used for verification.

[goneall]

I'm fine with this solution as well.

[sbarnum]

I disagree with this approach.

As extensively discussed in the many ( :-) ) other PRs, Issues, calls and threads gitoid is only one of multiple possible content identifier approaches.
We agreed that gitoid would be the suggested default for v3.0 but that we would leave the door open to others in the future post v3.0 in a backward compatible fashion.

I do not believe that throwing new properties on for each new approach is a tenable or scalable solution

I have not seen any identification of what is concretely broken or insufficient with the current approach where SoftwareArtifact has a contentIdentifier property of type IntegrityMethod with separate defined subclasses of IntegrityMethod for each artifact verification approach. There could be a simple Gitoid subclass of IntegrityMethod with a single gitoid property containing the gitoid. For v3.0 we could add a simple note to the markdown file for contentIdentifier stating that for SPDX v3.0 gitoid is the suggested approach.
Post v3.0, we could define a new SWHID (or whatever) subclass of IntegrityMethod and remove the gitoid default note and users could choose to use either.

What am I missing?

[sbarnum]

I disagree with this approach.

As extensively discussed in the many ( :-) ) other PRs, Issues, calls and threads gitoid is only one of multiple possible content identifier approaches. We agreed that gitoid would be the suggested default for v3.0 but that we would leave the door open to others in the future post v3.0 in a backward compatible fashion.

I do not believe that throwing new properties on for each new approach is a tenable or scalable solution

I have not seen any identification of what is concretely broken or insufficient with the current approach where SoftwareArtifact has a contentIdentifier property of type IntegrityMethod with separate defined subclasses of IntegrityMethod for each artifact verification approach. There could be a simple Gitoid subclass of IntegrityMethod with a single gitoid property containing the gitoid. For v3.0 we could add a simple note to the markdown file for contentIdentifier stating that for SPDX v3.0 gitoid is the suggested approach. Post v3.0, we could define a new SWHID (or whatever) subclass of IntegrityMethod and remove the gitoid default note and users could choose to use either.

What am I missing?

Ok. From #611 it looks like part of this is just wanting to make it clear that the integrity method is for ContentIdentifier.
If content identifiers can always be expressed as a single serialized string then #611 looks like a good solution. It fits into the above but does not require a separate subclass of IntegrityMethod for every approach.

[jeff-schutt]

LGTM after making the proposed change of maxcount to 2 to support SHA1 and SHA256

[goneall]

Based on @jeff-schutt comment in the security call, he's good with this PR now that the max cardinality has been updated

[kestewart]

Based on the tech call, and then the following security call, this seems the best compromise. It follows the pattern of PURLs, and lets us create a content identifier class in a future release, where this could be moved.