purl-spec
Add support for `snapshot` as a qualifier for deb purls
`snapshots` are a way to refer to a series of packages from a given date. More details can be found at https://snapshot.debian.org/
The idea being that `distro` along with `snapshot` might be useful for reproducibility purposes.
The `snapshot` field should be a string field.
Is `timestamp` (or `snapshot`) specific to `deb`? Or do the semantics translate to other package types?
For reference #57, https://github.com/package-url/purl-spec/pull/57#issuecomment-558872707
IMHO they are specific to `deb` ... and it is often best to start specific as things can always be generalized later
How would a snapshot be different from a regular pool package? Is it possible to have two different .deb for the same version ever published there?
The snapshots sort of serve as a "snapshot" of the distribution at a specific date and time. So if someone were to run apt install given a specific snapshot, they would be able to reliably reproduce with the set of various package versions in the distro at that point in time.
See https://snapshot.debian.org/ and https://github.com/fepitre/debrebuild for more.
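As an added illustration of the proposal in the issue body and the reproducibility use case described in the comment above (example code written for this thread, not part of purl-spec or any project mentioned here): a small purl parser that pulls out a `snapshot` qualifier on a `deb` purl, checks it against the `YYYYMMDDTHHMMSSZ` form that snapshot.debian.org uses for archive points, and turns `distro` plus `snapshot` into an apt source line pinned to that archive. The `snapshot` qualifier itself, the sample purls, the `main` component default and the restriction to the `debian` namespace are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample purls. The `snapshot` qualifier is the proposal from this
# issue, not a qualifier in the published purl spec (assumption).
PINNED = "pkg:deb/debian/curl@7.50.3-1?arch=amd64&distro=stretch&snapshot=20191126T000000Z"
UNPINNED = "pkg:deb/debian/curl@7.50.3-1?arch=amd64&distro=stretch"
MALFORMED = "pkg:deb/debian/curl@7.50.3-1?distro=stretch&snapshot=2019-11-26"

# snapshot.debian.org names archive points as YYYYMMDDTHHMMSSZ, e.g. 20191126T000000Z.
SNAPSHOT_RE = re.compile(r"^\d{8}T\d{6}Z$")
SNAPSHOT_BASE = "https://snapshot.debian.org/archive/debian/"


def parse_purl(purl):
    """Split a purl into type, namespace, name, version and qualifiers.

    Qualifier keys are lower-cased; values are percent-decoded by parse_qsl.
    """
    scheme, sep, rest = purl.partition(":")
    if scheme != "pkg" or not sep:
        raise ValueError("not a purl: %r" % purl)
    rest, _, _subpath = rest.lstrip("/").partition("#")
    rest, _, query = rest.partition("?")
    version = ""
    if "@" in rest:
        rest, _, version = rest.rpartition("@")  # version follows the last '@'
    segments = rest.split("/")
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
        "name": unquote(segments[-1]),
        "version": unquote(version) or None,
        "qualifiers": {k.lower(): v for k, v in parse_qsl(query)},
    }


def snapshot_of(parsed):
    """Return the validated snapshot value, or None when the purl carries none.

    Following the thread, the qualifier is only interpreted for `deb` purls.
    A present but malformed value is an error rather than silently ignored,
    so a build that claims to be pinned cannot fall through to the live pool.
    """
    if parsed["type"] != "deb":
        return None
    value = parsed["qualifiers"].get("snapshot")
    if value is None:
        return None
    if not SNAPSHOT_RE.match(value):
        raise ValueError("malformed snapshot qualifier: %r" % value)
    return value


def apt_source_line(parsed, component="main"):
    """Build an apt sources.list line pinned to the purl's snapshot and distro.

    Returns None if either qualifier is missing (nothing reproducible to pin).
    Only the `debian` namespace is mapped to snapshot.debian.org here (assumption).
    """
    snap = snapshot_of(parsed)
    distro = parsed["qualifiers"].get("distro")
    if snap is None or distro is None:
        return None
    if parsed["namespace"] != "debian":
        raise ValueError("no snapshot archive mapping for namespace %r" % parsed["namespace"])
    # Snapshot Release files are long expired, so apt must be told not to
    # reject them on Valid-Until.
    return "deb [check-valid-until=no] %s%s/ %s %s" % (SNAPSHOT_BASE, snap, distro, component)


if __name__ == "__main__":
    for purl in (PINNED, UNPINNED):
        print(purl, "->", apt_source_line(parse_purl(purl)))
```

The pinned purl yields `deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20191126T000000Z/ stretch main`, which is the archive state an `apt install` would resolve against; the unpinned purl yields nothing, making the missing-snapshot case explicit rather than quietly resolving to whatever is in the pool today.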
I fundamentally disagree that snapshotted/timestamped packages are a concept exclusive to the Debian ecosystem. The semantics clearly carry to other ecosystems, particularly those that have versioned dependencies and build dependencies that will be more sensitive to replaying builds for reproducibility purposes.
That said, it's true that the Debian ecosystem has the best known real-life implementation of the concept and that there isn't much that we can contribute right now from purl to broadening this. (For completeness, when I asked the question above I was thinking specifically about non-Debian prior-art around the datetime format for the value and its semantics, e.g., "at or around" vs. "on or before" vs. "no earlier than")
Related: https://reproducible-builds.org/specs/source-date-epoch/