Data-SBOM pattern for research datasets (DOI + OTS in ExternalRef) — request guidance #1264
Description
Context
I need a clean SPDX pattern to publish a “data SBOM” for research artifacts so that:
- Each file has SHA-256 and an OTS proof reference.
- The collection references a DOI (Zenodo).
- Verifiers can treat it like software SBOMs.
Artifacts + hashes (subset shown; full list above)
- Corrected_H-Chondrite_Meteorite_Calculations.pdf
SHA-256: 0dbe589e391c9a13c56e9446be11cfaf55e708045245946f56d9fae435864d26
OTS (.ots) SHA-256: 0240a3c774436527b32f23e6d2361b2eb2a1cb21721fbedc4b97aa0459003319 - H_chondrite_fast_estimation.pdf
SHA-256: febf0663af204120080189b24a03a078048f706d107f8b0d9a80708b68f70064
OTS (.ots) SHA-256: ce6fa54048256c9d0142efaf44be38fe01ed9eb98ad3ab6c97a0eaa9de49b522 - H_chondrite_computed_results.csv
SHA-256: 5ab8558e397d4d34755479bc64542721e5d9835316a53c666b21274795ff87fa
OTS (.ots) SHA-256: 723faf61b7893105f38f672d3beac600bcf6eafb52628a39774d468d074cb8f1 - Chip_Blueprint_Package_Final_2025-08-24_AZ.zip
SHA-256: 778823a38559d652225c7510152444b4d93515d4461f30cfa0b7d6b60989c0b2
OTS (.ots) SHA-256: 018f5d1643951f10693b5efb641c8f5039ba0655eb8ee63c20af7aa7246e87bf
Identifiers
- DOI: 10.5281/zenodo.16935726
- Live index: https://pastebin.com/u/Danielecp
- Archived snapshot example: https://web.archive.org/web/20250824201219/https://pastebin.com/cPCpmeti
Ask
- Is it acceptable to include:
- DOI as
ExternalRef(DOCUMENTATION / DOI)? - OTS proof link/hash as
ExternalRef(SECURITY / OTS)?
- DOI as
- Minimal SPDX example (SPDX 2.3 or 3.0) for a “dataset SBOM” that tools won’t choke on.
- Recommended SPDX fields to carry the embedded “fingerprint phrase”.
Goal
Make reuse/attribution non-deniable and machine-verifiable in supply chains that already understand SPDX.
Thanks!