Add provider to Package
#155
Labels
Comments
|
@mnonnenmacher I believe what's called "provider" here is what we refer to as "provenance" in our idea. |
sschuberth
added
analyzer
|
|
|
I think this information should be added to the RemoteArtifact and VcsInfo models, because these are the two places where we reference URLs (apart from the homepage URL). |
|
@mnonnenmacher agreed, having a table that bi-directionally maps provider names to host names makes sense. It likely also makes sense to keep the provider names as generic as possible. For example, we recently ran into some identity problems because some folks were using "npmjs.org" vs "npmjs.com" as the provider. it turns out they are the same and going to npmjs.org forwards to npmjs.com. To isolate the data from these sorts of variations and changes, using just "npmjs" would be more resilient. That's also inline with your other examples like "maven central" etc. For simplicity perhaps we say that provider names need to be valid url segments that do not require any quoting. (e.g., no spaces, no funny chars, ...) and have them be case insensitive and NOT case preserving. (or just spec lowercase). |
|
This somewhat relates to #20. |
sschuberth
added a commit
that referenced
this issue
Jan 24, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, chnage the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Jan 24, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, chnage the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Jan 24, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, chnage the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Jan 24, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, change the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Jan 24, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, change the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Jan 26, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, change the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Jan 26, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, change the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Feb 6, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, change the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Feb 6, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, change the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Feb 7, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, change the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Feb 8, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, change the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Feb 8, 2023
Strictly speaking, a package id is not enough to query curations as different servers might host different artifacts under the same id. A typical example is an internal fork of an upstream artifact that is internally hosted under the same id. Currently, ClearlyDefined is the only curation provider that allows to take this into account via its "provider" concept, see [1] and [2] for related discussions. So, as a preparation for ORT to replace the hard-coded providers [3] with real ones determined based on URLs, change the curation provider API to take whole packages instead of only their ids, so that implementations have access to artifacts and VCS URLs. [1]: #155 [2]: package-url/purl-spec#33 [3]: https://github.com/oss-review-toolkit/ort/blob/33531c7/model/src/main/kotlin/utils/Extensions.kt#L38-L57 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Feb 9, 2023
See [1]. This is will be used in an upcoming change to improve the mapping to ClearlyDefined coordinates. Resolves #155. [1]: https://github.com/clearlydefined/service#provider-registry Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Feb 10, 2023
See [1]. This is will be used in an upcoming change to improve the mapping to ClearlyDefined coordinates. Resolves #155. [1]: https://github.com/clearlydefined/service#provider-registry Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Feb 11, 2023
See [1]. This will be used in an upcoming change to improve the mapping to ClearlyDefined coordinates. Resolves #155. [1]: https://github.com/clearlydefined/service#provider-registry Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Feb 11, 2023
See [1]. This will be used in an upcoming change to improve the mapping to ClearlyDefined coordinates. Resolves #155. [1]: https://github.com/clearlydefined/service#provider-registry Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth
added a commit
that referenced
this issue
Feb 13, 2023
See [1]. This will be used in an upcoming change to improve the mapping to ClearlyDefined coordinates. Resolves #155. [1]: https://github.com/clearlydefined/service#provider-registry Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Packages have a
packageManager(e.g, npm, maven, ...). Since a given type of package could come from many different places, thePackageshould also talk about aprovider. Theprovidershould not be the URL of the repository, rather the notional name of the repository (e.g., npmjs.org, github.com). This allows the repos to move and change their URL structure without affecting the identity of the data stored in ORT.The text was updated successfully, but these errors were encountered: