-
Notifications
You must be signed in to change notification settings - Fork 166
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for Windows purl type #255
Comments
I think "windows" is too generic, however, support for the Microsoft Store would be a welcome addition. There may be other types as well. Sorry, not a Windows person. Did you want to propose the purl type definition for the Microsoft Store? |
Not the store, but for Windows exe files/packages. For example, how would one represent the MySQL community server package for Windows found at: https://dev.mysql.com/downloads/mysql/ . Contrast this to the RHEL version of MySQL that is managed through RPM and does have a specific PURL (e.g. Also not a Windows person so correct me if I'm wrong. |
Perhaps use swid with purl instead of reinventing another id? Microsoft themselves use a numeric id in the msrc feeds.
|
I think For OS, see: #161 For WinGet, Chocolatey, Store, etc., I'm not an expert either but I do think those could be distinct types. |
https://dev.mysql.com/get/Downloads/MySQL-8.2/mysql-8.2.0-winx64.msi
chocolatey has its own type. Winget appears to be merely distributing/invoking msi or msix. |
@prabhu re. Winget, interesting. I don't think
I honestly don't know if this is enough to justify its own type (it's up to that community to weigh in!) but I can see why a given Winget manifest can't be fully represented with the |
The mysql manifest is here. To uninstall or update a package installed by winget, the real msi based installer or uninstaller is used. Users can also uninstall from Add/Remove programs. So Winget is only a package manager that is invoking other commands for installation/uninstallation/updates. To me, this resembles Ubuntu PPA, which supports easy distribution of .deb packages. We use deb as the type for even PPA-distributed packages. To remove these packages, we use apt remove command. vsix (Visual studio extension) is a package even though it only wraps a bunch of npm packages. Why? Because the vsix is distributed, installed, updated, and removed independently without involving the os or npm package manager. |
In keeping with the intent of @rhdesmond, let me recap. It sounds like this issue is not about OS identifiers (@prabhu suggested to use the
@prabhu, I think I now agree Winget is not a type. But maybe for other reasons than what you specifically argued. I think it's great that we can leave some perspectives here for whatever proposals come after. First, I agree that a purl type is not defined by the package manager (tool) This has less to do with the merits of the tool (you can say that I also think that _Note: if I had a Windows bulk software inventory, I wouldn't just like to see the applications installed, but the installation method - and if it was Winget, to know which manifest it came from. It looks like The fact that Winget calls something else to install the software is not a definitive argument (against it being a type) for me either. Why entertain Helm charts or Stacksmith then? They would all be In addition to the ability to vendoring an upstream, purl-representable package, there are likely more considerations for creating standalone types including the existence of a publishing marketplace, for example. Thanks for the additional perspectives that are helpful for me to expand and complement how I'm thinking about this. Fascinating discussion, thanks for entertaining it. |
Like sex, we all understand purl differently but eventually get there :) I am happy with using "Is it possible to vendor the installer" as a criterion. |
I think a WinGet type would make sense. If you have MSI packages installed on a machine, you have distinguishing information in the form of the UpgradeCode and ProductCode, but a PURL like WinGet basically wraps appx/exe/msi/msix/zip installers to make apk/deb/rpm-like package sources with detached payloads. However, the payloads are still part of the package because they must have the expected hash. It's not just a pointer "if you want to install MySQL, download it from Oracle." The WinGet package is connected to the MSI file by the hash of the MSI and by the UpgradeCode+ProductCode such that there is exactly one MSI file and installed product that corresponds to that WinGet package. In Chocolatey, packages typically have a detached payload and work generally the same way as WinGet packages, downloading, verifying, and installing the payload from an external source. However, that does not mean that the packages cannot be vendored. With Chocolatey, if you wanted to make a mirror that didn't depend on third party servers, that's called "Package Internalization," and involves modifying the Chocolatey package file and creating a parallel source. For WinGet, the payload is always detached, but the same thing should be possible by saving the payload to your own location and updating the WinGet package manifest to point to it. The value of having a For an example use case, there is a Microsoft.WinGet.DSC module which is used to create configurations that install packages. This example configuration currently installs ¹ This cannot be ² WinGet has an msstore package source, and the package IDs for the msstore source are just random characters. So, unfortunately, if the app was downloaded from the app store, WinGet may give a name that doesn't mean anything to humans but can still be used to uniquely identify the software and resolve it to an installer. Some packages are available in both the msstore source and the winget-pkgs source using the same installers, so those MSI packages may be resolvable to two different WinGet packages. For example, KeepassXC is both |
I fully agree with specifying a type for the Windows Package Manager (winget). It is the official CLI package management tool for Windows and I believe that it ships with Windows 10/11 now. The manifests are maintained in the winget-pkgs repo and it supports MSIX/MSI/APPX/EXE package types. I think that winget's Example
It might be reasonable for one to expect other PURL components to work:
( |
If the package manager is winget and the OS is always going to be windows, it seems unnecessary to introduce an os qualifier. If later on winget gets support for other operating systems, os could be defined at that time with a default of windows so the meanings of existing purls would remain unchanged. The publisher name being split out into the namespace field in the second example is optional. It's mandatory for packages in the winget-pkgs repo to have a publisher, but the winget-pkgs repo is not the only source of packages that can be installed by the winget cli. The schema used by the winget CLI only requires that packages have an ID. Winget comes with a second preinstalled package source where none of the package IDs contain |
I noticed that most common operating systems and language types are supported, but not Windows. Would it be possible to add Windows as a supported Purl type, perhaps with the signifier
win
The text was updated successfully, but these errors were encountered: