Jeff McAffer

sorry for the delay in responding here. Progress is a real challenge in crawler-like systems. As you say, you never really know what you'll find and whether or not you've...

Agreed on the overall notion of explaining better how tokens are used/needed. I am concerned a bit about maintenance. The GitHub doc covers what permissions are needed for which apis....

Some of the org API calls need admin permissions (or at least did in the past). What is the failure noted in the deadletter entries? Have you tried using a...

Thanks for the detail @pombredanne. There is a differnet There is a bit of a miscommunication here. > the overall protocol to actually get to a package is that implemented...

Thanks @sschuberth . I mostly agree with you and quite like the idea of unifying on purls. There are still some lingering issues. * In our model the `type` is...

The misunderstanding may be explained by something @pombredanne said a few comments ago > The npm type implies two things: > 1. the overall protocol to actually get to a...

The fundamental issue is that there is a difference between the format (aka `type`) of the thing you are getting (the package, git repo, tgz file, ...), the `protocol` you...

It will likely be hard for purl to reconcile package identity semantics across all the ecosystems. It feels even harder if we start mixing additional package metadata like licenses etc....

+1 on having structure. means we only have the "when to run the voting" discussion once (now/here) rather than every year. If we want to address the time gap between...

Interesting tech. How would you see that working? For scenarios like ORT it seems like there are several interactions: * Getting definitions. This enables ORT users to benefit from the...