
The distributionType field in release-distribution needs to be clarified

Open taleodor opened this issue 2 months ago • 1 comment

It's currently set as

        distributionType:
          type: string
          description: Unique identifier for the distribution type.

Where examples include things like "zip", "tar.gz", "windows-x64.exe".

The problem - if we want to frame this as a "unique identifier", this must be an enum. If we want to frame this as a free-form field describing packaging, that should be mentioned in the description and likely the field should be renamed. Right now, this is open to interpretation for publishers, and at the same time it is not clear how to use that for clients - both of which things are not good.

taleodor avatar Oct 16 '25 18:10 taleodor

The wording in the description is probably incorrect: the main purpose of distributionType is to restrict some documents in the TEA Collection to a specific distribution.

For example an executable installer for Windows (x64) will require a different SBOM and might have vulnerabilities that only affect this distribution.

ppkarwasz avatar Nov 05 '25 15:11 ppkarwasz
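The following added example (not code from the issue or from the TEA project) illustrates the two readings of distributionType discussed above: a closed identifier that publishers are validated against, versus a free-form string that a client has to match exactly. The document shape, the enum members and the sample data are constructed assumptions; only the field name comes from the issue.

```python
"""Illustration of the two readings of distributionType. The document shape
below is a constructed, simplified stand-in, NOT the TEA schema; only the
field name distributionType is taken from the issue."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CollectionDocument:
    """Constructed stand-in for a document in a collection."""
    name: str
    distribution_type: str | None  # None = applies to every distribution


# Reading 1: distributionType is a closed identifier (enum). Publishers are
# rejected at validation time if they use a value outside the set, so clients
# can rely on exact matching. The members are an assumption for illustration.
DISTRIBUTION_TYPE_ENUM = frozenset({"zip", "tar.gz", "windows-x64.exe"})


def validate_enum(value: str) -> None:
    """Publisher-side check under the enum reading."""
    if value not in DISTRIBUTION_TYPE_ENUM:
        raise ValueError(f"unknown distributionType {value!r}")


def documents_for(docs, distribution_type: str) -> list[CollectionDocument]:
    """Client-side selection: documents scoped to this distribution plus
    documents that are not scoped to any distribution."""
    return [d for d in docs if d.distribution_type in (None, distribution_type)]


# Reading 2: free-form packaging description. Nothing stops a publisher from
# writing "Windows x64 installer" where a client expects "windows-x64.exe", so
# exact matching silently drops the distribution-specific document.
SAMPLE_DOCS = [  # constructed sample data
    CollectionDocument("release-notes", None),
    CollectionDocument("sbom-windows", "windows-x64.exe"),
    CollectionDocument("sbom-tarball", "tar.gz"),
    CollectionDocument("vex-windows", "Windows x64 installer"),  # free-form spelling
]


def scoped_names(distribution_type: str) -> list[str]:
    return [d.name for d in documents_for(SAMPLE_DOCS, distribution_type)]


def unknown_values(docs) -> list[str]:
    """Values that the enum reading would reject at publish time."""
    return [d.distribution_type for d in docs
            if d.distribution_type is not None
            and d.distribution_type not in DISTRIBUTION_TYPE_ENUM]
```

Under the free-form reading, selecting the Windows distribution returns only "release-notes" and "sbom-windows" and misses "vex-windows"; under the enum reading that value is caught by unknown_values before it is published.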