openvex / spec

OpenVEX Specification
Creative Commons Zero v1.0 Universal

More explicit expectations for package identifiers #16

Closed luhring closed 1 year ago

luhring commented 1 year ago

(split out from #10)

See https://github.com/openvex/spec/issues/10#issuecomment-1416780433

Currently the spec reads:

The use of Package URLs (purls) is recommended

This ultimately means products could be anything.

We should consider either a) absolutely requiring PURLs, or b) requiring that the type of identifier being used in a statement is declared explicitly.

cc: @garethr — feel free to expand or correct me on this idea!

tschmidtb51 commented 1 year ago

If you require purl, a basic regex might be helpful: "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+" (encoded as JSON pattern) - copied from an open standard

puerco commented 1 year ago

This is now resolved, release v0.2.0 of the spec now requires types of identifiers in products and subcomponents.
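A small checker that puts both comments above into practice, added here as an example; it is not code from the OpenVEX spec repository or from go-vex. It applies the purl regex tschmidtb51 posted (the JSON-escaped pattern decoded to a Go raw string) and, following the v0.2.0 change puerco describes, flags products and subcomponents whose identifiers carry no explicit type. The document shape it reads (an `@id` plus an `identifiers` map, nested `subcomponents`), the set of accepted identifier types (`purl`, `cpe22`, `cpe23`) and the sample document are assumptions made for this example, not the spec's normative schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// purlPattern is the basic purl check proposed in the thread. The JSON-escaped
// form "^pkg:[A-Za-z\\.\\-\\+][A-Za-z0-9\\.\\-\\+]*/.+" decodes to the raw
// string below: a "pkg:" scheme, a type starting with a letter, '.', '-' or
// '+', then a '/' and at least one more character.
var purlPattern = regexp.MustCompile(`^pkg:[A-Za-z\.\-\+][A-Za-z0-9\.\-\+]*/.+`)

// IsPurl reports whether s passes that syntactic check. It does not validate
// the namespace, name, version, qualifiers or subpath of a purl.
func IsPurl(s string) bool { return purlPattern.MatchString(s) }

// Product is an assumed, simplified shape of an OpenVEX v0.2.0 product: an
// "@id", a map of explicitly typed identifiers, and optional subcomponents of
// the same shape. Other fields of the real format are omitted here.
type Product struct {
	ID            string            `json:"@id"`
	Identifiers   map[string]string `json:"identifiers,omitempty"`
	Subcomponents []Product         `json:"subcomponents,omitempty"`
}

// Document holds only the part of a VEX document this checker reads.
type Document struct {
	Statements []struct {
		Products []Product `json:"products"`
	} `json:"statements"`
}

// knownIdentifierTypes is the set of identifier keys this checker accepts.
// It is an assumption for the example, not the spec's normative list.
var knownIdentifierTypes = map[string]bool{"purl": true, "cpe22": true, "cpe23": true}

// CheckProduct returns one message per problem found in p and, recursively,
// in its subcomponents. An empty result means the product is acceptable.
func CheckProduct(p Product) []string {
	var problems []string
	if p.ID == "" {
		problems = append(problems, "product without @id")
	}
	if len(p.Identifiers) == 0 {
		// Nothing declares what kind of identifier @id is, which is the
		// ambiguity the issue is about; accept it only if it is at least
		// syntactically a purl.
		if !IsPurl(p.ID) {
			problems = append(problems, fmt.Sprintf("%q: no typed identifiers and @id is not a purl", p.ID))
		}
	}
	for typ, val := range p.Identifiers {
		switch {
		case !knownIdentifierTypes[typ]:
			problems = append(problems, fmt.Sprintf("%q: unknown identifier type %q", p.ID, typ))
		case typ == "purl" && !IsPurl(val):
			problems = append(problems, fmt.Sprintf("%q: identifiers.purl %q is not a purl", p.ID, val))
		}
	}
	for _, sub := range p.Subcomponents {
		problems = append(problems, CheckProduct(sub)...)
	}
	sort.Strings(problems) // map iteration order is random; keep output stable
	return problems
}

// CheckDocument parses a VEX document and checks every product in every statement.
func CheckDocument(data []byte) ([]string, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("parsing document: %w", err)
	}
	var problems []string
	for _, st := range doc.Statements {
		for _, p := range st.Products {
			problems = append(problems, CheckProduct(p)...)
		}
	}
	return problems, nil
}

// ExampleDocument is a constructed, truncated document containing only the
// fields the checker reads; the product identifiers are illustrative.
const ExampleDocument = `{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "statements": [
    {"products": [
      {"@id": "pkg:apk/alpine/curl@8.1.2-r0",
       "identifiers": {"purl": "pkg:apk/alpine/curl@8.1.2-r0"},
       "subcomponents": [
         {"@id": "pkg:generic/zlib@1.2.13",
          "identifiers": {"purl": "pkg:generic/zlib@1.2.13"}}
       ]}
    ]},
    {"products": [
      {"@id": "curl-8.1.2"},
      {"@id": "pkg:apk/alpine/curl", "identifiers": {"name": "curl"}}
    ]}
  ]
}`

func main() {
	problems, err := CheckDocument([]byte(ExampleDocument))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range problems {
		fmt.Println(p)
	}
}
```

On the sample document the first statement passes (product and subcomponent both declare a typed purl), while the second yields two findings: a bare name with no declared type, and a product whose only identifier uses a type the checker does not know. Note that the regex is a syntax gate, not a purl parser: a string can match it and still name a package that does not exist or have an unparsable version or qualifier section, so a consumer that keys policy on purls should still parse them fully.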