package-url / purl-spec

A minimal specification for purl aka. a package "mostly universal" URL, join the discussion at https://gitter.im/package-url/Lobby
https://github.com/package-url/purl-spec

Namespace clarification for third-party Debian/Ubuntu Package #307

Open captn3m0 opened 5 months ago

captn3m0 commented 5 months ago

The deb type says:

> The namespace is the "vendor" name such as "debian" or "ubuntu". It is not case sensitive and must be lowercased.

However, there are scenarios where the vendor is neither debian nor ubuntu, such as when installing a package from a third-party deb repo, such as https://bell-sw.com/pages/repositories/#apt-repository-deb-based-linux-distributions

The packages from such a repository might be functional on both debian/ubuntu, and the "vendor" distinction might not be appropriate.

  1. Can namespace be marked optional in deb type for such use cases? It is unclear right now.
  2. If not, should "debian" be suggested as the default namespace?

t-8ch commented 4 months ago

Debian repositories contain an (optional) metadata field "Origin" in the Release file. Coincidentally it contains "Debian" for Debian upstream and "Ubuntu" for Ubuntu.

Other providers are supposed to add their own name there. So this seems like the correct source for the "vendor" PURL qualifier.

captn3m0 commented 4 months ago

Since it is optional - what happens in case of a missing Origin?

t-8ch commented 4 months ago

> what happens in case of a missing Origin.

No idea. Either make it optional or empty.
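
The Origin-based approach discussed in this thread, as an added example that is not code from the thread participants or from the purl-spec project: it reads `Origin` from a Release file, lowercases it as the deb type requires for the namespace, and builds a `pkg:deb` purl. The sample Release files, the package name and version, the function names, the percent-encoding choice and the decision to raise an error when `Origin` is missing are all assumptions made for the example; the thread leaves the missing-Origin case open.

```python
from urllib.parse import quote

# Constructed sample Release files (not taken from any real repository).
RELEASE_WITH_ORIGIN = """\
Origin: Example Vendor
Label: Example
Suite: stable
Architectures: amd64 arm64
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""

RELEASE_WITHOUT_ORIGIN = """\
Suite: stable
Architectures: amd64
"""


def release_fields(text):
    """Parse the top-level "Field: value" lines of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (checksum lists) start with whitespace; skip them.
        if not line or line[0] in " \t" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def deb_namespace(release_text):
    """Return the lowercased Origin, or None when it is absent or empty."""
    origin = release_fields(release_text).get("origin", "")
    return origin.lower() or None


def deb_purl(release_text, name, version, arch=None):
    """Build a pkg:deb purl. Assumption: refuse to guess a vendor
    (for example "debian") when the repository declares no Origin."""
    namespace = deb_namespace(release_text)
    if namespace is None:
        raise ValueError("Release file has no Origin; namespace undetermined")
    purl = "pkg:deb/%s/%s@%s" % (
        quote(namespace, safe=""), quote(name, safe=""), quote(version, safe=""))
    if arch:
        purl += "?arch=" + quote(arch, safe="")
    return purl
```

`Origin` is a value the repository operator sets in its own Release file, so a namespace derived from it records what the repository declares about itself rather than a verified vendor identity.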