csaf-sbom / kotlin-csaf

A Kotlin implementation of the CSAF standard.
Apache License 2.0

csaf.sbom vs csaf-sbom #92

Open tschmidtb51 opened 2 weeks ago

tschmidtb51 commented 2 weeks ago

I saw that the packages mention io.github.csaf.sbom.*. However, if I remember correctly, we only own the namespace io.github.csaf-sbom.* as https://github.com/csaf was already taken.

What am I missing?

oxisto commented 2 weeks ago

The Java package name is pretty much independent from the maven namespace. The issue is that io.github.csaf-sbom is an irregular Java package name, as there are no dashes. The only valid package name would be io.github.csafSbom, which in my opinion looks extremely weird.

We would however be free to just use io.csaf.sbom as a Java package name and use io.github.csaf-sbom purely as the maven namespace. It's not that uncommon that they do not match 100 %.

milux commented 1 week ago

Agreed. And it's very uncommon to have uppercase in package names, so csafSbom doesn't look like an ideal solution. Underscores are allowed; however, they are discouraged by most linters, and in my opinion io.github.csaf_sbom looks by no means better than just replacing the dash with a dot. That's also what most libs do. The only thing I would deem an "acceptable solution" would be to write it io.github.csafsbom.

oxisto commented 5 days ago

@tschmidtb51 Can we close this? Should we think about io.csaf.sbom as package name?

tschmidtb51 commented 4 days ago

> The only thing I would deem an "acceptable solution" would be to write it io.github.csafsbom.

I guess we can't use that as it is not under our control (as it belongs to github.com/csafsbom).

> Should we think about io.csaf.sbom as package name?

What would be needed to make that happen?

oxisto commented 3 days ago

> > The only thing I would deem an "acceptable solution" would be to write it io.github.csafsbom.
>
> I guess we can't use that as it is not under our control (as it belongs to github.com/csafsbom).
>
> > Should we think about io.csaf.sbom as package name?
>
> What would be needed to make that happen?

We just need to rename the packages, nothing more.

tschmidtb51 commented 3 days ago

In this case, please go ahead. Also make sure that it uses the corresponding namespace in Maven Central.

Flagging @santosomar for attention

milux commented 2 days ago

> > The only thing I would deem an "acceptable solution" would be to write it io.github.csafsbom.
>
> I guess we can't use that as it is not under our control (as it belongs to github.com/csafsbom).

Package names do not have to match the Maven Namespace. These are two different things with different naming rules and conventions. It is perfectly common to have subtle differences between them. Judging from the previous posts we should maybe keep things as they are unless there is a solid reason for once again messing with the file paths in the repo? (As these are indeed directly related to the Java package names...)

oxisto commented 2 days ago

Just to add, the only thing that has to match is the location of the GitHub repo (https://github.com/csaf-sbom) and the maven namespace (io.github.csaf-sbom or com.github.csaf-sbom).

tschmidtb51 commented 2 days ago

Sorry - now, I'm completely lost. Let's discuss it in our next meeting.
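
The naming options weighed in this thread, checked mechanically in an added Kotlin example (not code from the kotlin-csaf project): it uses the JDK's `SourceVersion.isName` to test each candidate as a Java package name and reports which account name the third segment of an `io.github.*` or `com.github.*` name reads as. The helper names are hypothetical, and the account reading is only the reverse-domain convention the thread relies on, not a lookup against GitHub or Maven Central; a JVM with the `java.compiler` module is assumed.

```kotlin
import javax.lang.model.SourceVersion

// One candidate package name and what can be said about it without any network lookup.
data class Candidate(val pkg: String, val validJavaName: Boolean, val impliedOwner: String?)

// For io.github.* / com.github.* names, the third segment reads as a GitHub
// account name by the reverse-domain convention (assumption, not a registry check).
fun impliedGithubOwner(name: String): String? {
    val parts = name.split('.')
    val hosted = parts.size >= 3 && parts[1] == "github" && parts[0] in setOf("io", "com")
    return if (hosted) parts[2] else null
}

// Rewrites of the dash discussed in the thread: dot, camelCase, underscore,
// plain removal, plus any extra names to compare (e.g. io.csaf.sbom).
fun candidates(groupId: String, extra: List<String> = emptyList()): List<Candidate> {
    val camel = Regex("-(.)").replace(groupId) { it.groupValues[1].uppercase() }
    val names = listOf(
        groupId,
        groupId.replace("-", "."),
        camel,
        groupId.replace("-", "_"),
        groupId.replace("-", "")
    ) + extra
    return names.distinct().map {
        // isName() rejects segments that are not Java identifiers or are keywords.
        Candidate(it, SourceVersion.isName(it), impliedGithubOwner(it))
    }
}

fun main() {
    val groupId = "io.github.csaf-sbom"        // Maven namespace named in the thread
    val owner = impliedGithubOwner(groupId)     // "csaf-sbom"
    for (c in candidates(groupId, listOf("io.csaf.sbom"))) {
        val note = when {
            !c.validJavaName -> "not a valid Java package name"
            c.impliedOwner == null -> "valid; not under a *.github.* prefix"
            c.impliedOwner != owner -> "valid; third segment is '${c.impliedOwner}', not '$owner'"
            else -> "valid; same third segment as the groupId"
        }
        println("${c.pkg.padEnd(22)} $note")
    }
}
```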