OWASP / packman

A documentation and tracking project with the goal of making package management systems more secure.

Which package managers should we include? #4

Closed omerlh closed 5 years ago

omerlh commented 5 years ago

There are many non-mainstream package managers, like quay (a dockerhub alternative) or MyGet (NPM and others), which are more secure in some (or most) aspects. Do you think these should also be included? Maybe worth talking about types (e.g. docker, nodejs) instead of providers?

mkonda commented 5 years ago

So ... I would like to keep a more exhaustive list and a simplified most commonly used list, I think.

stevespringett commented 5 years ago

We should be targeting all the repos that are currently defined by PackageURL (or are a work-in-progress) https://github.com/package-url/purl-spec

- Composer (php)
- Docker
- Ruby Gems
- Go Lang
- Maven (Maven Central, Android Central)
- NPM
- NuGet
- PyPi
- Cocoa Pods
- Swift Package Manager

Once these are done, we can expand out to other ecosystems. Package URL typically defines a default repository for each 'type'. The default provider for Maven, for example, is Central, but Android Central can also be specified and should additionally be evaluated by this project. Dependency-Track has a list of repos it currently supports here: https://docs.dependencytrack.org/datasources/repositories/
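The purl convention described in the comment above (one default repository per type, with a different repository nameable through the `repository_url` qualifier) is easy to see with a small parser that resolves each purl to the repository it actually points at. This is an added example, not code from the packman project or from the purl spec; the `DEFAULT_REPOSITORY` table is my reading of the spec's type definitions and should be checked against https://github.com/package-url/purl-spec before use, and every purl in `SAMPLE_INVENTORY` is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Default repository per purl type. Assumption: taken from my reading of the
# purl spec's type definitions, not from the packman project; verify before use.
DEFAULT_REPOSITORY: Dict[str, Optional[str]] = {
    "maven": "https://repo.maven.apache.org/maven2",
    "npm": "https://registry.npmjs.org",
    "pypi": "https://pypi.org",
    "gem": "https://rubygems.org",
    "nuget": "https://www.nuget.org",
    "composer": "https://packagist.org",
    "docker": "https://hub.docker.com",
    "cocoapods": "https://cdn.cocoapods.org",
    "golang": None,  # no single default registry defined for this type
    "swift": None,
}


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str]
    subpath: Optional[str]


def parse_purl(s: str) -> Purl:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts."""
    if not s.startswith("pkg:"):
        raise ValueError("not a purl: missing pkg: scheme")
    rest = s[len("pkg:"):].lstrip("/")
    # Strip the optional tail components from the right, in spec order.
    rest, _, subpath = rest.partition("#")
    rest, _, qual_str = rest.partition("?")
    version: Optional[str] = None
    if "@" in rest:
        # rpartition: a scoped npm name like %40angular is still percent-encoded here
        rest, _, version = rest.rpartition("@")
    typ, _, path = rest.partition("/")
    segments = [unquote(p) for p in path.strip("/").split("/") if p]
    if not segments:
        raise ValueError("purl has no name component")
    name = segments[-1]
    namespace = "/".join(segments[:-1]) or None
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, qual_str.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return Purl(
        type=typ.lower(),
        namespace=namespace,
        name=name,
        version=unquote(version) if version else None,
        qualifiers=qualifiers,
        subpath=unquote(subpath) or None,
    )


def resolve_repository(p: Purl) -> Tuple[Optional[str], bool]:
    """Return (repository the purl resolves to, whether that is the type's default)."""
    default = DEFAULT_REPOSITORY.get(p.type)
    declared = p.qualifiers.get("repository_url")
    if declared:
        # The spec's examples write repository_url without a scheme; normalise.
        url = declared if "://" in declared else "https://" + declared
        is_default = default is not None and url.rstrip("/") == default.rstrip("/")
        return url, is_default
    return default, True


def non_default_sources(purls: List[str]) -> List[Tuple[str, Optional[str]]]:
    """List (purl, repository) for every purl not served from its type's default repo.

    These are the entries a reviewer would want to evaluate separately, as the
    comment above suggests for alternative providers such as Android Central.
    """
    flagged = []
    for s in purls:
        p = parse_purl(s)
        repo, is_default = resolve_repository(p)
        if not is_default or repo is None:
            flagged.append((s, repo))
    return flagged


# Constructed sample inventory (not real project data).
SAMPLE_INVENTORY = [
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
    "pkg:maven/com.example/widgets@1.4.0?repository_url=repo.example.org/release",
    "pkg:npm/%40angular/core@12.0.0",
    "pkg:pypi/requests@2.31.0",
    "pkg:golang/github.com/google/uuid@v1.3.0",
]

if __name__ == "__main__":
    for purl_str, repo in non_default_sources(SAMPLE_INVENTORY):
        print(f"review separately: {purl_str} -> {repo}")
```

Running it on the constructed inventory flags the Maven artifact with an explicit `repository_url` and the Go module (no default registry), leaving the Central, npm and PyPI entries as default-sourced.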

omerlh commented 5 years ago

The downside is that usually, the non-default package managers are more secure. Maybe we can just mention the more secure version where available.

mkonda commented 5 years ago

I am adding these now and closing for now.