
Add specification of release target

Open oej opened this issue 7 months ago • 7 comments

From meeting notes:

- __Classifier__: A reference to architecture and distro type (optional)
    ARM64/RPM - can we steal from PURL? "Qualifiers from PURL"
    CycloneDX has a list of platforms!!! <= Steal it!
    {
        "Architecture": "ARM64",
        "Packagetype": "WinInstall" | "RPM" | "source" <= Package type in PURL??
    }

oej avatar May 04 '25 18:05 oej

A related issue that was pointed out in today's call, there are different concepts of "release".

The current concept of TEA Component Release:

  • does not coincide with the concept of GitHub Release. A TEA Component Release does correspond to an "asset" of a GitHub Release.
  • does not coincide with the concept of Apache Software Foundation release. In this case a TEA Component Release corresponds to each convenience binary package that is derived from the official source release.

In version 1.1 of TEA we might consider adding a concept of TEA Product Release, which will be closer to what most people call "release".

ppkarwasz avatar May 04 '25 19:05 ppkarwasz

Before using the word "release" we had "version". Would that work better?

oej avatar May 05 '25 06:05 oej

Personally I am fine with both release and version, we just need to properly document TEA Component Release (it is currently undocumented).

ppkarwasz avatar May 05 '25 11:05 ppkarwasz

Did you check the tea-collection docs? :-)

oej avatar May 05 '25 11:05 oej

https://github.com/CycloneDX/transparency-exchange-api/pull/126

oej avatar May 05 '25 11:05 oej

As also mentioned in the other thread I would suggest Release -> Deliverable model, where a Deliverable is an actual packaged representation of what is released, i.e. a .zip file.

Regarding Product Release, I would use this term for a bundle that may contain several other Product and/or Component Releases.

This is something that requires larger conversations.

taleodor avatar May 07 '25 13:05 taleodor

I will remove the example of Apache Tomcat 11.0.6 release with a different packaging from #136 until this is resolved:

# Different packaging of Apache Tomcat 11.0.6
# Will have slightly different SBOM
- uuid: a9570065-9fc6-4d35-97b4-4bc67d68dbcd
  version: "11.0.6"
  release_date: 2025-04-01T15:43:00Z
  identifiers:
    - idType: purl
      idValue: pkg:maven/org.apache.maven/[email protected]?classifier=windows-x64&type=zip

ppkarwasz avatar May 07 '25 15:05 ppkarwasz