package-url / purl-spec

A minimal specification for purl, a.k.a. a package "mostly universal" URL; join the discussion at https://gitter.im/package-url/Lobby
https://github.com/package-url/purl-spec

Define package types for ASF projects (Apache Software Foundation) #305

Open pombredanne opened 3 weeks ago

pombredanne commented 3 weeks ago

We should define a package type for ASF projects (Apache Software Foundation)

The spec originally mentioned apache for Apache projects' packages. The direction may be to use asf rather than apache.

There have been on-going discussions on the ASF mailing lists on the topic and we need to collect these links for reference and invite the ASF folks to join and help define this (important) package type!

@raboof ping

brianf commented 3 weeks ago

Do you have the links to the threads? I'm curious what the use case is. Project != Package. In fact I have asserted for >10 years that the major problem with CPE is that it maps to just a project... where a project like Struts has ~80 packages, making it useless for most use cases. Having a pURL recreate that lossy coordinate would be a huge step backwards.

raboof commented 1 week ago

> Do you have the links to the threads?

https://lists.apache.org/thread/vc3h1t7plq3sgtqvp385s4nlo3l7rry7 and https://lists.apache.org/thread/75l9f8bcs9fm232p2j3prbj9fw2or2k5 come to mind.

> the major problem with CPE is that it maps to just a project... where a project like Struts has ~80 packages, making it useless for most use cases. Having a pURL recreate that lossy coordinate would be a huge step backwards.

That would be good to flesh out. I could see an approach where we use the PMC id as the first segment, and the PMC can determine whether/how to add further detail - something like pkg:asf/celix could perhaps stand on its own, while struts might introduce pkg:asf/struts/oval-plugin etc for its various components. We should probably give some guidance on how to apply that. WDYT?

stevespringett commented 1 hour ago

Most Apache projects fall into existing support for package ecosystems already supported by purl. See https://projects.apache.org/projects.html?language

Per definition, a purl is:

> a URL string used to identify and locate a software package...

I cannot locate pkg:asf/struts/oval-plugin. Is it on Maven Central or somewhere else? Additionally, oval-plugin already has a purl which is:

pkg:maven/org.apache.struts/struts2-oval-plugin@x.x.x therefore adding pkg:asf/struts/oval-plugin would introduce confusion IMO.
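To make the "identify and locate" point concrete, here is an added example (not code from purl-spec or from any commenter) that parses both spellings of the plugin purl into purl components following the spec's split order and shows that only the maven form resolves to a location; the version 1.2.3, the Maven Central base URL, and the hypothetical asf type are assumptions for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import unquote, parse_qsl

@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str | None
    name: str
    version: str | None
    qualifiers: tuple  # sorted (key, value) pairs, so equal purls compare equal
    subpath: str | None

def _rsplit_once(s: str, sep: str):
    """Split s on the rightmost sep; right part is '' when sep is absent."""
    left, found, right = s.rpartition(sep)
    return (left, right) if found else (s, "")

def parse_purl(purl: str) -> Purl:
    """Parse 'pkg:type/namespace/name@version?qualifiers#subpath' into components."""
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with the 'pkg:' scheme")
    rest = purl[len("pkg:"):].strip("/")
    rest, subpath = _rsplit_once(rest, "#")   # subpath first, per spec
    rest, query = _rsplit_once(rest, "?")     # then qualifiers
    rest, version = _rsplit_once(rest, "@")   # then version
    segments = [seg for seg in rest.split("/") if seg]
    if len(segments) < 2:
        raise ValueError("purl needs at least a type and a name")
    ptype = segments[0].lower()
    namespace = "/".join(unquote(seg) for seg in segments[1:-1]) or None
    name = unquote(segments[-1])
    qualifiers = tuple(sorted((k.lower(), v) for k, v in parse_qsl(query)))
    return Purl(ptype, namespace, name, unquote(version) or None,
                qualifiers, unquote(subpath) or None)

def maven_central_path(p: Purl, base="https://repo1.maven.org/maven2") -> str | None:
    """Location a 'maven' purl resolves to under the standard Maven repository layout."""
    if p.type != "maven" or not p.namespace or not p.version:
        return None  # a type like the proposed 'asf' defines no such lookup rule
    group_path = p.namespace.replace(".", "/")
    return f"{base}/{group_path}/{p.name}/{p.version}/{p.name}-{p.version}.jar"

# Constructed inputs: the two spellings debated above for one artifact (version is made up).
MAVEN = parse_purl("pkg:maven/org.apache.struts/struts2-oval-plugin@1.2.3")
ASF = parse_purl("pkg:asf/struts/oval-plugin")
```

Because every component differs, the two purls are distinct identifiers for what is physically one artifact, and only one of them carries enough information to fetch it.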