
[Publishing] Require all data required to form a PURL

Open · alvsan09 opened this issue 1 year ago · 1 comment

In order to facilitate the analysis of the source code associated with an extension version, it's essential to have proper coordinates to the corresponding source code.

Today, the extension metadata is polluted with some extensions listing invalid URLs, or URLs requiring credentials; see some examples at [2] below.

When the URL is valid, it is also not possible to find the corresponding release associated with the version.

Adopting a well-known standard to associate a VSX version with well-defined coordinates will make vetting of extensions feasible.

This issue proposes to adopt the Package URL specification (see [1]).

This would make it possible to resolve a VSX version's source code and therefore facilitate its vetting and analysis.

References:

[1] PURL spec

[2] Example of invalid URLs for open-vsx published VSXs:

http://tmc-gitlab.trasre.com/liucan.li/vscode-dlt
  llc.vscode-dlt

https://devops.codingcorp.net/p/cloud-studio-next/d/cloud-studio-extensions/git
  cloudstudio.browser-preview-lite
  cloudstudio.workspaces
  cloudstudio.deploykit
  cloudstudio.metawork
  cloudstudio.memory-cue

https://dgit.cs.uni-saarland.de/modest/vscode-plugin
https://git.holllo.cc/Holllo/love
https://git.snoot.club/chee/cheekeyoil
https://gitlab.devstar.cloud/devstar-ide/devcode.git

alvsan09 avatar Jun 10 '24 17:06 alvsan09
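The proposal above (derive a PURL from an extension version's repository coordinates, after rejecting metadata URLs that are unusable) could be realised as follows. This is an added example, not code from the issue or from the Open VSX project. It assumes the registry has the extension's namespace, name, version and manifest repository URL; the mapping (`pkg:github`/`pkg:bitbucket` for those hosts, `pkg:generic` with a `vcs_url` qualifier for any other git host, and the release tag equal to the version string) is an assumption of this example, as are the sample version numbers. The checks are purely syntactic: they catch non-HTTPS schemes, embedded credentials and malformed paths, but cannot tell offline whether a host demands a login.

```python
"""Form and check Package URLs (PURLs) for Open VSX extension versions.

Added example, not Open VSX code. Assumed inputs: the extension's
namespace, name and version plus the repository URL from its manifest.
The type mapping (pkg:github for GitHub, pkg:generic with a vcs_url
qualifier elsewhere) is an assumption about how the proposal could work.
"""
from urllib.parse import quote, unquote, urlsplit


def repo_url_problems(url: str) -> list[str]:
    """Syntactic checks a registry can run before trusting a repository URL.

    Returns an empty list when the URL is usable as a source coordinate.
    This cannot tell whether a host demands a login; that needs a probe.
    """
    problems: list[str] = []
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        return [f"unparseable: {exc}"]
    if parts.scheme != "https":
        problems.append(f"scheme {parts.scheme!r} is not https")
    if parts.username or parts.password:
        problems.append("URL embeds credentials")
    if not parts.hostname or "." not in parts.hostname:
        problems.append("host is missing or not fully qualified")
    if len([seg for seg in parts.path.split("/") if seg]) < 2:
        problems.append("path does not identify owner/repository")
    return problems


def purl_for_extension(namespace: str, name: str, version: str, repo_url: str) -> str:
    """Build a PURL that pins this extension version to a source location."""
    problems = repo_url_problems(repo_url)
    if problems:
        raise ValueError("; ".join(problems))
    parts = urlsplit(repo_url)
    path = parts.path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    segments = path.split("/")
    # GitHub and Bitbucket have their own PURL types; their owner/repo
    # names are case-insensitive, so the spec lowercases them.
    if parts.hostname in ("github.com", "bitbucket.org") and len(segments) == 2:
        purl_type = "github" if parts.hostname == "github.com" else "bitbucket"
        owner, repo = (quote(seg.lower(), safe="") for seg in segments)
        return f"pkg:{purl_type}/{owner}/{repo}@{quote(version, safe='')}"
    # Any other git host: generic type, source pinned through the vcs_url
    # qualifier (git+<url>@<ref>, percent-encoded as a qualifier value).
    # Assumption: the release is tagged with the extension version string.
    vcs_url = f"git+https://{parts.netloc}/{path}@{version}"
    return (
        f"pkg:generic/{quote(namespace, safe='')}/{quote(name, safe='')}"
        f"@{quote(version, safe='')}?vcs_url={quote(vcs_url, safe='/:')}"
    )


def _rsplit_once(text: str, sep: str) -> tuple:
    head, found, tail = text.rpartition(sep)
    return (head, tail) if found else (text, "")


def parse_purl(purl: str) -> dict:
    """Minimal PURL parser following the spec's right-to-left split order."""
    scheme, _, rest = purl.partition(":")
    if scheme.lower() != "pkg":
        raise ValueError("not a PURL")
    rest, subpath = _rsplit_once(rest, "#")
    rest, query = _rsplit_once(rest, "?")
    rest, version = _rsplit_once(rest, "@")
    segments = [seg for seg in rest.split("/") if seg]
    if len(segments) < 2:
        raise ValueError("PURL needs at least a type and a name")
    qualifiers = {}
    for item in filter(None, query.split("&")):
        key, _, value = item.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
        "name": unquote(segments[-1]),
        "version": unquote(version) or None,
        "qualifiers": qualifiers,
        "subpath": unquote(subpath) or None,
    }


def vet(namespace: str, name: str, version: str, repo_url: str):
    """Return (purl, problems); purl is None when the URL cannot be used."""
    problems = repo_url_problems(repo_url)
    if problems:
        return None, problems
    return purl_for_extension(namespace, name, version, repo_url), []


if __name__ == "__main__":
    # Constructed sample: repository URLs taken from the issue, versions
    # and the credential-bearing URL made up for the demonstration.
    samples = [
        ("llc", "vscode-dlt", "0.0.1", "http://tmc-gitlab.trasre.com/liucan.li/vscode-dlt"),
        ("devstar-ide", "devcode", "0.1.0", "https://gitlab.devstar.cloud/devstar-ide/devcode.git"),
        ("octocat", "hello", "1.2.3", "https://OctoCat:token@github.com/OctoCat/Hello-World.git"),
    ]
    for ns, n, v, url in samples:
        purl, problems = vet(ns, n, v, url)
        print(f"{ns}.{n}@{v}: {purl or 'REJECTED: ' + '; '.join(problems)}")
```

Rejecting the URL at publish time is what makes the PURL trustworthy later: a coordinate formed from an `http://` internal host or a URL carrying a token is exactly the kind of metadata the issue lists as polluted.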

> This would make it possible to resolve a VSX version's source code and therefore facilitate its vetting and analysis.

What do you mean? The source code is in the package.

amvanbaren avatar Jun 12 '24 07:06 amvanbaren

After asking for @ouuan's perspective on this issue, I've come to the conclusion that this could lead to a false sense of security.
See 999 crates of Rust on the wall (comparing crates on crates.io against their upstream repositories) for more information.

amvanbaren avatar Jul 09 '24 10:07 amvanbaren