packageurl-python
Should PyPI Purl Versions have `_` replaced with `-` (like Name)
In this code blob, seems PyPI purls have `_` replaced with `-` in the name field. This is likely to align with the purlspec:
https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#pypi
However, the wording here gives "name" as an example field where this replacement needs to happen.
For pre-release pypi purls like `pkg:pypi/[email protected]_rc_2`, should the version be converted to `4.21.0-rc-2` instead of `4.21.0_rc_2`?
The version should not be normalized the same way a name is normalized IMHO. And things are likely more complex than this. Here is what the "packaging" library returns. This is the standard library to parse and normalize versions. This is not semver BTW.
```python
>>> from packaging import version
>>> version.Version("4.21.0_rc_2")
<Version('4.21.0rc2')>
>>> version.Version("4.21.0-rc-2")
<Version('4.21.0rc2')>
>>> version.Version("4.21.0-rc2")
<Version('4.21.0rc2')>
```
This is based on the https://peps.python.org/pep-0440/ standard, now at https://packaging.python.org/en/latest/specifications/version-specifiers/#version-specifiers. The spec should be updated accordingly IMHO.
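An added example, not code from this thread or from packageurl-python: it shows why the distinction matters when PyPI purls from an SBOM are matched against advisory data, by applying the purl-spec name rule to the name and PEP 440 normalization (via `packaging`) to the version. The helper names, the restriction to the bare `pkg:pypi/<name>@<version>` form, and the package name `example_pkg` are assumptions made for illustration.

```python
from packaging.version import InvalidVersion, Version


def split_pypi_purl(purl):
    """Hypothetical minimal parser: handles only 'pkg:pypi/<name>@<version>'."""
    prefix = "pkg:pypi/"
    if not purl.startswith(prefix) or "@" not in purl:
        raise ValueError(f"unsupported purl: {purl!r}")
    name, version = purl[len(prefix):].split("@", 1)
    return name, version


def canonical_key(purl):
    """Return (name, version) in a form that is safe to compare for equality."""
    name, version = split_pypi_purl(purl)
    # Name: the purl-spec PyPI rule discussed above (lowercase, '_' -> '-').
    name = name.lower().replace("_", "-")
    # Version: PEP 440 normalization, not the name rule.
    try:
        version = str(Version(version))
    except InvalidVersion:
        pass  # not a PEP 440 version: keep the literal and compare exactly
    return name, version


def same_release(purl_a, purl_b):
    """True when both purls identify the same PyPI project and release."""
    return canonical_key(purl_a) == canonical_key(purl_b)


if __name__ == "__main__":
    # Constructed sample purls; the version spellings are the ones from the thread.
    samples = [
        "pkg:pypi/example_pkg@4.21.0_rc_2",
        "pkg:pypi/example-pkg@4.21.0-rc-2",
        "pkg:pypi/Example_Pkg@4.21.0-rc2",
    ]
    for purl in samples:
        print(purl, "->", canonical_key(purl))
```

Comparing the raw strings would treat these three purls as different packages, so a vulnerability match keyed on the literal purl could miss two of them.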