
Add spec for `brew` package URLs

Open woodruffw opened this issue 1 year ago • 10 comments

This adds the brew purl type.

Closes #254.

woodruffw avatar Dec 04 '23 23:12 woodruffw

CC @p-linnane @SMillerDev @colindean for thoughts as well 🙂

woodruffw avatar Dec 08 '23 19:12 woodruffw

@MikeMcQuaid :wave: A quick review or ack from you would awesome!

pombredanne avatar Feb 04 '24 22:02 pombredanne

Thanks! LGTM overall, though the double @ in the postgres@16@16.1 name seems a bit weird. Is it possible to run brew install postgres@16@16.1, or instead brew install postgres@16.1, or instead brew install postgres%4016@16.1?

pombredanne avatar Feb 04 '24 22:02 pombredanne

According to Stack Overflow, you cannot install a specific version. pkg:brew/postgresql%4016@16.1 means version 16.1 of Postgres from the postgresql@16 package, which is useful for answering "what's installed?", but apparently not useful for trying to install the same package. The repository apparently doesn't keep old versions: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/p/postgresql@16.rb

matt-phylum avatar Feb 05 '24 13:02 matt-phylum

LGTM overall, though the double @ in the postgres@16@16.1 name seems a bit weird. Is it possible to run brew install postgres@16@16.1, or instead brew install postgres@16.1, or instead brew install postgres%4016@16.1?

Both brew install postgres and brew install postgres@16 are supported, but the others aren't. Homebrew doesn't really support multiple versions of the same package (per what @matt-phylum said) -- the @X syntax is a hack that Homebrew does to allow multiple versions of the same package to exist in a tap when the ecosystem can't all exist on a single version (e.g. OpenSSL, Python, etc.).

TL;DR yes, there is no way to install a specific minor version, e.g. postgres 16.1. postgres@16 is the full name of a formula, referring specifically to whatever latest version of postgres 16 is packaged by Homebrew.

Link for reference: https://github.com/Homebrew/homebrew-core/blob/master/Formula/p/postgresql%4016.rb

woodruffw avatar Feb 05 '24 13:02 woodruffw

Gentle ping for review+approval here: this is no longer a blocker in Homebrew's attestation work, but I'd like to get it in so that we can consider it for any future attestation changes, if necessary 🙂

woodruffw avatar Mar 04 '24 19:03 woodruffw

Another gentle ping for review here!

woodruffw avatar Apr 03 '24 19:04 woodruffw

I think it's important for this PR to add entries to the test suite. Package names can contain the @ character and this is not handled correctly by maennchen/purl (https://github.com/maennchen/purl/issues/10) or anchore/packageurl-go (does not accept bug reports). Both fail to handle pkg:brew/postgres%4016.

There's also a common misimplementation of the parsing spec which can cause problems here. The spec says "Split the remainder once from the right on '@'. The left side is the remainder. Percent-decode the right side. This is the version." However, some implementations split once from the left on '@'. If somebody writes pkg:brew/postgres@16@16.1 (non-canonical; the test should ensure the correct canonicalization):

  • anchore/packageurl-go, maennchen/purl, sonatype/package-url-java parse it as postgres version 16@16.1 (split from the left instead of the right)
  • giterlizzi/perl-URI-PackageURL parses it as version 16 (somehow discarding the 16.1)
  • package-url/packageurl-js throws an exception (https://github.com/package-url/packageurl-js/issues/57)
{
  "description": "brew names may contain at signs",
  "purl": "pkg:brew/postgres%4016",
  "canonical_purl": "pkg:brew/postgres%4016",
  "type": "brew",
  "namespace": null,
  "name": "postgres@16",
  "version": null,
  "qualifiers": null,
  "subpath": null,
  "is_invalid": false
},
{
  "description": "brew may contain multiple at signs",
  "purl": "pkg:brew/postgres@16@16.1",
  "canonical_purl": "pkg:brew/postgres%4016@16.1",
  "type": "brew",
  "namespace": null,
  "name": "postgres@16",
  "version": "16.1",
  "qualifiers": null,
  "subpath": null,
  "is_invalid": false
}

matt-phylum avatar Jun 17 '24 12:06 matt-phylum
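The right-split rule and the two test cases above, worked through in an added example (my own code, not the spec's reference implementation nor any of the libraries named in the thread): a minimal purl parser that keeps the '@' in a brew formula name, a canonicalizer that re-encodes it as %40, and the left-split misparse for contrast.

```python
from urllib.parse import quote, unquote

# Added example (not the spec's reference code nor any library named in the
# thread): a minimal purl parser that follows the spec rule quoted above,
# splitting the version once from the RIGHT on '@', so that an '@' inside a
# brew formula name such as "postgres@16" survives parsing.
def parse_purl(purl: str) -> dict:
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    remainder = purl[len("pkg:"):].lstrip("/")
    # subpath and qualifiers come off the end first, as the spec orders it,
    # so an '@' in a qualifier value can never be taken for the version
    remainder, _, subpath = remainder.partition("#")
    remainder, _, qualifiers = remainder.partition("?")
    # version: split once from the right; rpartition leaves everything in
    # the last slot when there is no '@' at all
    head, sep, version = remainder.rpartition("@")
    if not sep:
        head, version = version, ""
    ptype, _, rest = head.partition("/")
    if not rest:
        raise ValueError("purl needs both a type and a name")
    segments = rest.split("/")
    return {
        "type": ptype.lower(),
        "namespace": "/".join(unquote(s) for s in segments[:-1]) or None,
        "name": unquote(segments[-1]),      # "postgres%4016" -> "postgres@16"
        "version": unquote(version) or None,
        "qualifiers": qualifiers or None,   # kept raw; not needed for brew
        "subpath": subpath or None,
    }

def canonical_purl(p: dict) -> str:
    # '@' inside the name is re-encoded as %40 so the canonical form has
    # exactly one unencoded '@': the version separator.
    out = "pkg:" + p["type"]
    if p["namespace"]:
        out += "/" + "/".join(quote(s, safe="") for s in p["namespace"].split("/"))
    out += "/" + quote(p["name"], safe="")
    if p["version"]:
        out += "@" + quote(p["version"], safe="")
    return out

def buggy_version(purl: str) -> str:
    # The misimplementation the thread describes: split once from the LEFT.
    # For "pkg:brew/postgres@16@16.1" this yields "16@16.1" instead of "16.1".
    return purl.split("@", 1)[1] if "@" in purl else ""
```

Feeding both posted test purls through parse_purl and canonical_purl reproduces the expected name, version and canonical_purl fields, while buggy_version shows the wrong version the left-splitting libraries report.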

Makes sense, although the ship has since sailed on the main backing feature that I needed this for (Homebrew's build provenance feature, which instead uses Homebrew's own wheel filename format for its subject).

~~As such, I don't have any time allocated for this in the immediate future. I'll try and get back to it when I do have some slack time, but if it's a pressing feature for anyone in the next 1-3 months I have no objection to someone else taking ownership here.~~

Edit: @colindean has graciously done this 🙂

woodruffw avatar Jun 17 '24 14:06 woodruffw

💪 I like this test case setup.

colindean avatar Jun 17 '24 20:06 colindean

Is there an update on this issue? I came here to submit a similar issue and was glad to see this but it's been open for 9 months now. Any ETA on review?

tonylturner avatar Sep 08 '24 01:09 tonylturner

From the perspective of the Homebrew upstream, this has been done and is ready for final review/merge since June. It'd be nice to have a repository owner to shepherd this, although I'm not exactly sure who that'd be (@pombredanne perhaps? :slightly_smiling_face:)

woodruffw avatar Sep 08 '24 01:09 woodruffw

please also remove brew from the list "Other candidate types to define"

Done with f8fd63e; PTAL.

woodruffw avatar Oct 17 '24 16:10 woodruffw

Thank you for your PR @woodruffw. When you have the chance, could you please resolve the conflicts referred to below?

johnmhoran avatar Nov 23 '24 02:11 johnmhoran

This should be good to go again thanks to @colindean -- @johnmhoran @jkowalleck PTAL

woodruffw avatar Dec 17 '24 01:12 woodruffw

@johnmhoran @jkowalleck Is there any chance this can be merged in the next few days?

colindean avatar Dec 21 '24 01:12 colindean

Is there any chance this can be merged in the next few days?

I need to do some detailed research before I can actually approve the PR. Sorry, I will not have time for that before mid January.

jkowalleck avatar Dec 22 '24 19:12 jkowalleck

Thanks for that timeline clarity and for the depth of review. The next great window for this would be in time for Homebrew's annual meeting on February 3.

colindean avatar Dec 22 '24 20:12 colindean

Hello, purl came up in a discussion internal to my employer (not Homebrew) and that reminded me to check in on this. How can I or the Homebrew team facilitate your research?

colindean avatar Feb 18 '25 15:02 colindean

@woodruffw @colindean let's try to get this through.

pombredanne avatar Jun 28 '25 13:06 pombredanne

Since namespaces are gone, all that remains to distinguish package repo sources is repository_url. So there must be a default value for this -- please call it out explicitly. https://github.com/Homebrew/homebrew-core.git?

FYI, this can be either https://github.com/Homebrew/homebrew-core.git (although the consumption is through an API instead of git) or https://github.com/Homebrew/homebrew-cask.git. Is there a way to define that the default is one of multiple values?

SMillerDev avatar Jun 28 '25 14:06 SMillerDev

@woodruffw I am sorry for the pain... but after the merge of PR #514, PURL tests and defs are now defined in a new JSON schema :angel: :innocent: :grin: :

  • See #514

With the new approach... this PR needs to be updated. Sorry for the churn. Thank you for your patience. :heart:

pombredanne avatar Jul 26 '25 15:07 pombredanne

Sorry folks, this is no longer a blocker for anything I'm currently working on (and hasn't been for a while, we routed around it for Homebrew's provenance feature), so I'm probably not going to be able to justify reviving a standards attempt here. I hope someone else is able to drive this work forwards with a new PR; I'm going to close this one to avoid confusion about its activeness.

woodruffw avatar Jul 27 '25 02:07 woodruffw