-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Align package types with purl-spec? #93
Comments
There may be some relevant points to this discussion in package-url/purl-spec#33 |
Whilst I don't feel that the schema should necessarily provide a constructed Inherently at this stage with only one known public 'subscriber' (this being https://github.com/ossf/package-analysis/tree/main/scheduler) it wouldn't be to disruptive to propose a breaking change to the In terms of the last point about URL configurability and how that reflects in the name of the feeds packages themselves, this usecase came up when @Qinusty was implementing the original configuration surface: |
It would be awesome to reuse the same types as purl. |
The reason why is frictionless interop with many tools and DBs that use purl today. This includes the OSSF OSV and Google OSV and large number of open source SCA tools. Otherwise you condemn every downstream user to re-implement mappings (disclosure: I created purl ;) ) |
Something that was mentioned as part of #26 was the possibility of adding a package-url to the output. This could follow the
purl-spec
, which would allow downstream consumers to use other tools that conform to the spec to download new versions of packages for analysis. However, some of the package type names used in this project conflict with the well-known purl types from the spec. Here's how things compare currently:In general I think this boils down to the
purl-spec
project naming according to the package type, whereas we have feeds named after the package source. In terms of options, I see a few:purl-spec
types. This would be a one-time breaking change for existing downstream consumers.type
field that we already publish, and add an additional type mapping to be used when constructing a package-url. This would be more confusing, but would not be a breaking change for consumers.purl-spec
at all. This would make it harder to build interoperable tooling.It might also be worth thinking about whether we want to maintain a feed per source, or per package type. If we want to end up in a place where feeds have configurable URLs, and the ability to pull from multiple different sources - naming feeds after the package type rather than the source might make more sense.
The text was updated successfully, but these errors were encountered: