3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

• ISO Online browsing platform: available at https://www.iso.org/obp
• IEC Electropedia: available at http://www.electropedia.org/

3.1

branch

parallel line of development in a version control system (3.7), that stems from the main line

3.2

Git

distributed version control system (3.7) created by Linus Torvalds in 2005

3.3

hierarchical file system

method of organizing and managing files in a computer where data is stored hierarchically

3.4

intrinsic identifier

identifier that can be computed directly from the object that it identifies, without needing access to a registry

3.5

repository

storage location for software development artifacts (3.8) including but not limited to source code, build scripts, and documentation

3.6

SHA1

SHA1

Secure Hash Algorithm 1

hash function that takes as input a sequence of bytes and produces a 160-bit (20-byte) hash value

Note 1 to entry: The returned value is called SHA1 checksum, or simply SHA1 when there is no risk of ambiguity between the function and the returned value. A detailed description of how to compute SHA1 is available in RFC-3174.

In the wake of the Shattered attack of 2017 (see [3]), it is now possible to produce collision-prone files that are different but return the same SHA1 checksums. It is however possible to detect, during SHA1 computation, such SHA1-colliding files using counter-cryptanalysis (see [2]).

As collision-prone files are problematic from the point of view of unequivocal identification and integrity verification, the SWHID standard takes measures to avoid that such files are referenced using only SHA1 checksums. For the purpose of this specification, the SHA1 function is therefore considered to be a partial function, that only returns a value when a Shattered-style collision is not detectable using the techniques described in [2] and the reference implementation of it available at https://github.com/cr-marcstevens/sha1collisiondetection (Git commit ID 38096fc021ac5b8f8207c7e926f11feb6b5eb17c, or version stable-v1.0.3).

When such a collision is detected during SHA1 computation, no SHA1 can be obtained for the object in question and hence, depending on the context, a valid SWHID might not exist for it.

In most cases, SHA1s in this specification are computed on objects after adding specific headers to them, making "trivial" collision-prone files still perfectly valid and hence referenceable using SWHIDs.

3.7

version control system

revision control system

source control system

software tool that helps manage different versions of software development artifacts (3.8)

3.8

software artifact

object

representation of a distinct entity identifiable by a SWHID

3.9

metadata

supplementary information associated with a software artifact (3.8)

3.10

UNIX epoch

time reference point that denotes the precise moment at 00:00:00 Coordinated Universal Time (UTC) on 1 January 1970