
Store package version release date

Open TG1999 opened this issue 2 years ago • 2 comments

We should store package version release date which can help us in sorting the versions by release date.

  • [x] Maven
  • [ ] npm
  • [ ] other packages

TG1999, Jun 30 '23 09:06

This would help with https://github.com/nexB/scancode.io/issues/943. There is some code in the https://github.com/nexB/purldb/blob/179-focused-maven-visitor/ branch that can be modified to get the file dates of the packages from Maven. We can make an improver that would look at Maven packages and get their file dates and set them as a release date.

JonoYang, Sep 26 '23 23:09

Some notes as there are multiple dates to consider:

  • when available (such as with a directory listing) we may have the date of the archive file on the distribution web site
  • there are the dates of the files in a package archive. Directories do not have a date AFAIK.
  • there is the release or publishing date from the package metadata if available (inside the package) or at the package repository metadata API (outside of the package)
  • there is a changelog date in a CHANGELOG for a release sometimes
  • there is a possible tag or commit date in the corresponding VCS repo
  • in all cases the various epochs should be ignored as they would be a wrong ... https://en.wikipedia.org/wiki/Epoch and this is a possible issue with the emergence of using epoch dates for reproducible builds
  • also incorrect dates in the future should be ignored
  • when there are mixed dates (say for files inside an archive) the earliest is less interesting in general and the latest is the one we want

pombredanne, Sep 27 '23 10:09
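The date-selection rules from the notes above (skip epoch dates, skip dates in the future, keep the latest of mixed file dates), as an added example that is not part of the issue thread or purldb's code. The function names are hypothetical, and it assumes that "epochs" means the Unix and ZIP/DOS epoch days, that ZIP timestamps are read as UTC, and that only file dates inside the archive are considered.

```python
import io
import tarfile
import zipfile
from datetime import date, datetime, timezone

UTC = timezone.utc
# Assumption: the "epochs" to discard are the Unix epoch and the ZIP/DOS epoch.
EPOCH_DAYS = {date(1970, 1, 1), date(1980, 1, 1)}


def member_dates(data):
    """Yield UTC datetimes of the regular files in a zip or tar archive (bytes)."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                try:  # ZIP times have no zone (read as UTC here) and may be invalid
                    if not info.is_dir():
                        yield datetime(*info.date_time, tzinfo=UTC)
                except ValueError:
                    continue
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf) as tf:
            for info in tf:
                if info.isfile():
                    yield datetime.fromtimestamp(info.mtime, tz=UTC)


def pick_release_date(dates, now=None):
    """Latest date that is neither on an epoch day nor in the future, else None."""
    now = now or datetime.now(UTC)
    usable = [d for d in dates if d.date() not in EPOCH_DAYS and d <= now]
    return max(usable, default=None)


def sample_archives():
    """Constructed samples: (zip_bytes, tar_bytes) mixing real, epoch and future dates."""
    zbuf, tbuf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        for name, dt in [("pom.xml", (2023, 6, 30, 9, 6, 0)), ("A.class", (2023, 6, 1, 0, 0, 0)),
                         ("META-INF/MANIFEST.MF", (1980, 1, 1, 0, 0, 0)), ("B.class", (2099, 1, 1, 0, 0, 0))]:
            zf.writestr(zipfile.ZipInfo(name, date_time=dt), b"x")
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        for name in ("package/index.js", "package/package.json"):
            info = tarfile.TarInfo(name)  # mtime defaults to 0, the Unix epoch
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
    return zbuf.getvalue(), tbuf.getvalue()
```

A `None` result means the archive carried no usable file date (the constructed tar sample, where every member sits on the Unix epoch), so the release date has to come from one of the other sources listed in the notes.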