Brian Fox

Results 13 comments of Brian Fox

We provide information in our tooling that we call "occurrences" which would include a list of the file paths where the component was detected and the binary fingerprint that this...

If nothing else, capturing the various ecosystem version sorting is really key. Then you could at least use purl ids as upper and lower bounds and still evaluate what's in...

I'd agree that version ranges as a mechanism for choosing dependencies is generally bad. (Hence why things like LATEST and RELEASE were deprecated in Maven 3 years ago). However for...

Ranges in Maven are very rarely used. Going way back to the start of Maven 2 it was understood that it was an anti-pattern with limited use cases and that...

Maven takes the stance that you should be locking by default, with tooling to make updates when you want/need to. Other systems take the opposite approach which is why you...

I agree to the relicensing of this repo under the MIT license.

I agree @stevespringett that the general shape of a purl (aka The Spec) is separate from a given type syntax. That said, do we need to consider any inherent versioning...

An otter with a pearl necklace.

> @brianf for occurrences, what types of data do you have? Is it only the paths or is there other data?

Our occurrences are file paths. This way if someone...

> Thanks @brianf. Few questions...
>
> * Is the binary fingerprint reproducible from external tools? If so, can you provide a pointer on where we can find more information?...