
Namespace clarification for third-party Debian/Ubuntu Package

Open captn3m0 opened this issue 1 year ago • 3 comments

The deb type says:

> The namespace is the "vendor" name such as "debian" or "ubuntu". It is not case sensitive and must be lowercased.

However, there are scenarios where the vendor is neither debian nor ubuntu, such as when installing a package from a third-party deb repo, such as https://bell-sw.com/pages/repositories/#apt-repository-deb-based-linux-distributions

The packages from such a repository might be functional on both debian/ubuntu, and the "vendor" distinction might not be appropriate.

  1. Can namespace be marked optional in deb type for such use cases? It is unclear right now.
  2. If not, should "debian" be suggested as the default namespace?

captn3m0, Jun 17 '24 04:06

Debian repositories contain an (optional) metadata field "Origin" in the Release file. Coincidentally it contains "Debian" for Debian upstream and "Ubuntu" for Ubuntu.

Other providers are supposed to add their own name there. So this seems like the correct source for the "vendor" PURL qualifier.

t-8ch, Jun 28 '24 10:06

Since it is optional, what happens in case of a missing Origin?

captn3m0, Jul 02 '24 08:07

> what happens in case of a missing Origin.

No idea. Either make it optional or empty.

t-8ch, Jul 02 '24 08:07
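
The Origin-based approach discussed in the comments above, as an added example that is not part of the thread or of purl-spec: it reads the `Origin` field from a plain `Release` file and uses its lowercased value as the `deb` namespace. The sample Release text, package name and version are constructed, and omitting the namespace segment when `Origin` is absent is an assumption (one of the options raised above), not behaviour the spec text quoted here defines.

```python
from urllib.parse import quote

# Constructed sample Release files (not from any real repository).
RELEASE_WITH_ORIGIN = """\
Origin: Example Vendor
Label: Example
Suite: stable
Description: constructed sample
 with a continuation line
SHA256:
 0000 123 main/binary-amd64/Packages
"""
RELEASE_NO_ORIGIN = "Label: Example\nSuite: stable\n"


def release_fields(text):
    """Parse the first deb822 paragraph of a plain Release file (not a
    PGP-armoured InRelease). Field names are matched case-insensitively."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break          # blank line ends the paragraph
            continue
        if line[0] in " \t":   # continuation of the previous field
            if key is not None:
                fields[key] += "\n" + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            fields[key] = value.strip()
    return fields


def deb_namespace(release_text):
    """Lowercased Origin value, or None when the field is missing or empty."""
    origin = release_fields(release_text).get("origin", "").strip()
    return origin.lower() or None


def deb_purl(name, version, release_text):
    """Build pkg:deb/<namespace>/<name>@<version>.
    Assumption: with no Origin the namespace segment is omitted."""
    ns = deb_namespace(release_text)
    parts = [quote(ns, safe="")] if ns else []
    parts.append(quote(name, safe=""))
    return "pkg:deb/" + "/".join(parts) + "@" + quote(version, safe=":")
```

An SBOM generator that records which repository a package was installed from can pass that repository's Release contents here, so packages from a third-party repo are not mislabelled as coming from Debian or Ubuntu.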