Define package types for ASF projects (Apache Software Foundation) #305

Open
pombredanne opened this issue Jun 14, 2024 · 3 comments

@pombredanne
Member

We should define a package type for ASF projects (Apache Software Foundation)

The spec originally mentioned apache for Apache project packages. The direction may be to use asf rather than apache.

There has been ongoing discussion on the ASF mailing lists on the topic and we need to collect these links for reference and invite the ASF folks to join and help define this (important) package type!

@raboof ping

@brianf
Contributor

brianf commented Jun 14, 2024

Do you have the links to the threads? I'm curious what the use case is. Project != Package. In fact I have asserted for >10 years that the major problem with CPE is that it maps to just a project... where a project like Struts has ~80 packages, making it useless for most use cases. Having a pURL recreate that lossy coordinate would be a huge step backwards.

@raboof

raboof commented Jun 25, 2024

> Do you have the links to the threads?

https://lists.apache.org/thread/vc3h1t7plq3sgtqvp385s4nlo3l7rry7 and https://lists.apache.org/thread/75l9f8bcs9fm232p2j3prbj9fw2or2k5 come to mind.

> the major problem with CPE is that it maps to just a project... where a project like Struts has ~80 packages, making it useless for most use cases. Having a pURL recreate that lossy coordinate would be a huge step backwards.

That would be good to flesh out. I could see an approach where we use the PMC id as the first segment, and the PMC can determine whether/how to add further detail - something like pkg:asf/celix could perhaps stand on its own, while struts might introduce pkg:asf/struts/oval-plugin etc for its various components. We should probably give some guidance on how to apply that. WDYT?

@stevespringett
Member

Most Apache projects fall into existing support for package ecosystems already supported by purl. See https://projects.apache.org/projects.html?language

Per definition, a purl is:

> a URL string used to identify and locate a software package...

I cannot locate pkg:asf/struts/oval-plugin. Is it on Maven Central or somewhere else? Additionally, oval-plugin already has a purl which is:

pkg:maven/org.apache.struts/struts2-oval-plugin@x.x.x therefore adding pkg:asf/struts/oval-plugin would introduce confusion IMO.
