
Add OmniBOR (previously GitBOM) namespace identifier as a PURL Type

Open jeff-schutt opened this issue 2 years ago • 13 comments

The GitBOM community is working to specify a URI Namespace Identifier for GitBOM Identifiers.

This issue proposes creating a new PURL Type for that GitBOM URI NID once the syntax has been determined in the GitBOM spec.

Aligning to PURL, the currently proposed syntax could be:

pkg:gitoid:${git object type}:${hash type}:${hashvalue}

PURL Type Example for GitBOMs:

pkg:gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c6

jeff-schutt, Mar 01 '22 20:03

The proposed syntax would violate the purl spec.

From looking at it, you're proposing a purl type of gitoid. How do I locate a gitoid?

A purl or package URL is an attempt to standardize existing approaches to reliably identify and locate software packages.

The purl syntax is:

scheme:type/namespace/name@version?qualifiers#subpath

In purl, the namespace is optional, but the name is required. Do gitboms have a name?

stevespringett, Mar 01 '22 22:03

Following up on this topic after our discussion today, @stevespringett. Thanks for the details :)

> In purl, the namespace is optional, but the name is required. Do gitboms have a name?

The GitBOM Artifact Identifier, a hash value commonly referred to as the gitoid, would be placed in the Package URL name field.

The complexity here is in aligning the GitBOM URI Scheme with the Package URL scheme. GitBOM has two Gitoid Identifier Types, gitoid:blob:sha1 and gitoid:blob:sha256. I haven't found a way to keep compliant w/ the GitBOM URI scheme and maintain the complete Gitoid Identifier Type while dropping into the Package URL scheme. Breaking the syntax of the Gitoid Identifier Type by using different delimiters or separating components of the Gitoid Identifier Type seems to be required to be compatible with Package URL.

The options I've come up with are below. Please confirm if each option is or isn't formatted correctly wrt the PURL spec's syntax.

jeff-schutt, Jul 16 '22 01:07

1.

PURL Syntax: scheme:type/namespace/name@version?qualifiers#subpath

  • Part of the Gitoid Identifier Type, the Git Object Type and the GitBOM hash algorithm would be placed in the Package URL type field with a colon (:) in between.
  • The optional Package URL namespace field would be ignored.
  • The GitBOM Artifact Identifier would be placed in the name field.
scheme:type/name
gitoid:{Git Object Type}:{GitBOM hash algorithm}/{GitBOM Artifact ID}
gitoid:blob:sha1/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c6
gitoid:blob:sha256/4d410e22102ec5f057c90cd18ffa0f191e3cd9272957e528ed772a52282e1fbb

jeff-schutt, Jul 16 '22 01:07

If I'm interpreting the purl spec correctly, then I believe that this is an invalid syntax as PURL won't allow a colon (:) as part of the type field.

jeff-schutt, Jul 16 '22 01:07

2.

PURL Syntax: scheme:type/namespace/name@version?qualifiers#subpath

  • Parts of the Gitoid Identifier Type, the Git Object Type, would be placed in the Package URL type field.
  • Part of the Gitoid Identifier Type, the GitBOM hash algorithm, would be placed in the namespace field.
  • The GitBOM Artifact Identifier would be placed in the name field.
scheme:type/namespace/name
gitoid:{Git Object Type}/{GitBOM hash algorithm}/{GitBOM Artifact ID}
gitoid:blob/sha1/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c6
gitoid:blob/sha256/4d410e22102ec5f057c90cd18ffa0f191e3cd9272957e528ed772a52282e1fbb

jeff-schutt, Jul 16 '22 01:07

3.

PURL Syntax: scheme:type/namespace/name@version?qualifiers#subpath

  • Part of the Gitoid Identifier Type, the GitBOM hash algorithm would be placed in the type field.
  • The GitBOM Artifact Identifier would be placed in the name field.
  • Part of the Gitoid Identifier Type, the Git Object Type would be placed in the Package URL qualifiers field.
scheme:type/name?qualifiers
gitoid:{GitBOM hash algorithm}/{GitBOM Artifact ID}?{Git Object Type}
gitoid:sha1/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c6?git-object-type=blob
gitoid:sha256/4d410e22102ec5f057c90cd18ffa0f191e3cd9272957e528ed772a52282e1fbb?git-object-type=blob

jeff-schutt, Jul 16 '22 01:07

How can someone locate the package (gitbom)?

For example: gitoid:commit:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64

How do I know the VCS URL this commit is unique to?

stevespringett, Jul 16 '22 03:07

I think GitBom could be represented in something as simple as:

pkg:gitoid/<git object type>/<hash value>
pkg:gitoid/blob/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64

I honestly don't think hash algorithm is necessary as the spec only supports sha1 and sha256, so a simple length comparison will tell you the algorithm used.

If you wanted to be explicit, the use of qualifiers could be used:

pkg:gitoid/blob/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64?alg=sha1

stevespringett, Jul 16 '22 03:07

It makes sense to treat the object type as a namespace and the hash as the name of the object within that namespace. Since changing the object would change its hash, there is no need for a version, which purl allows.

Given that other algorithms may show up in the future, I would lean towards explicitly including the algorithm. The oci and docker types incorporate it (into the version but it's the same conceptually), so I would have a preference for that over qualifiers. This could be optional if there is a logical default.

This would give us:

pkg:gitoid/blob/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64
pkg:gitoid/blob/sha1%3A261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64

Does this seem reasonable @stevespringett and @jeff-schutt?

iamwillbar, Aug 26 '22 01:08

Yes. Reasonable @iamwillbar

stevespringett, Aug 26 '22 02:08

@iamwillbar I discussed this with the GitBOM community and yes, this is reasonable. We agree with explicitly including the hash algorithm in the scheme, by using “%3A” encoding of the ":" separator:

pkg:gitoid/blob/sha1%3A261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64

jeff-schutt, Oct 12 '22 16:10
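The following is an added example, not code from the purl-spec project or from any participant in this thread. It implements the form agreed above (`pkg:gitoid/<git object type>/<hash algorithm>%3A<hash value>`), treats the algorithm prefix as optional and infers it from the digest length when absent (stevespringett's length-comparison point), and verifies an artifact against its purl by recomputing the gitoid. It assumes, from the OmniBOR/GitBOM definition rather than from anything stated on this page, that a blob's gitoid is the git object hash, i.e. the hash of `"blob <size>\0"` followed by the content, with sha1 or sha256; the sample content is constructed.

```python
# Added example; not code from purl-spec or from anyone in this thread.
# Build, parse and verify purls of the form agreed at the end of the thread:
#     pkg:gitoid/<git object type>/<hash algorithm>%3A<hash value>
# The algorithm prefix is optional; without it, the digest length decides.
# Assumption (OmniBOR/GitBOM definition, not stated on this page): a blob's
# gitoid is the git object id, i.e. hash("blob <size>\0" + content).
import hashlib
from typing import Optional
from urllib.parse import quote, unquote

HASH_LEN = {"sha1": 40, "sha256": 64}        # hex digest lengths of the two algorithms in the thread
LEN_TO_ALG = {n: alg for alg, n in HASH_LEN.items()}
GIT_OBJECT_TYPES = {"blob", "tree", "commit", "tag"}
PREFIX = "pkg:gitoid/"


def gitoid(content: bytes, alg: str = "sha1", object_type: str = "blob") -> str:
    """Hex gitoid of `content`, computed the same way git computes an object id."""
    if alg not in HASH_LEN:
        raise ValueError(f"unsupported hash algorithm: {alg}")
    if object_type not in GIT_OBJECT_TYPES:
        raise ValueError(f"unknown git object type: {object_type}")
    header = f"{object_type} {len(content)}\0".encode()
    return hashlib.new(alg, header + content).hexdigest()


def _check(object_type: str, alg: Optional[str], hash_value: str):
    """Validate the three components; infer or cross-check the algorithm from the digest length."""
    if object_type not in GIT_OBJECT_TYPES:
        raise ValueError(f"unknown git object type: {object_type}")
    hash_value = hash_value.lower()
    if not hash_value or any(c not in "0123456789abcdef" for c in hash_value):
        raise ValueError("hash value is not hexadecimal")
    inferred = LEN_TO_ALG.get(len(hash_value))
    if inferred is None:
        raise ValueError(f"hash length {len(hash_value)} is neither sha1 (40) nor sha256 (64)")
    if alg is None:
        alg = inferred                       # length alone identifies the algorithm
    elif alg != inferred:
        raise ValueError(f"algorithm {alg} does not match a {len(hash_value)}-character digest")
    return object_type, alg, hash_value


def build_purl(object_type: str, hash_value: str, alg: Optional[str] = None) -> str:
    """Render the purl. With `alg` given, the name is '<alg>:<hash>' and ':' is encoded as %3A."""
    object_type, checked_alg, hash_value = _check(object_type, alg, hash_value)
    name = f"{checked_alg}:{hash_value}" if alg is not None else hash_value
    return f"{PREFIX}{object_type}/{quote(name, safe='')}"


def parse_purl(purl: str) -> dict:
    """Split a pkg:gitoid purl into object type, algorithm and hash; qualifiers and subpath are ignored."""
    if not purl.startswith(PREFIX):
        raise ValueError("not a pkg:gitoid purl")
    body = purl[len(PREFIX):].split("?", 1)[0].split("#", 1)[0]
    parts = body.split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError("expected pkg:gitoid/<object type>/<name>")
    object_type, name = parts[0], unquote(parts[1])
    alg, _, hash_value = name.rpartition(":")   # '' when no algorithm prefix is present
    object_type, alg, hash_value = _check(object_type, alg or None, hash_value)
    return {"object_type": object_type, "alg": alg, "hash": hash_value}


def is_valid(purl: str) -> bool:
    try:
        parse_purl(purl)
        return True
    except ValueError:
        return False


def matches(purl: str, content: bytes) -> bool:
    """True when recomputing the gitoid of `content` reproduces the hash named in the purl."""
    p = parse_purl(purl)
    return gitoid(content, p["alg"], p["object_type"]) == p["hash"]


if __name__ == "__main__":
    sample = b"hello\n"                       # constructed sample artifact content
    for alg in HASH_LEN:
        purl = build_purl("blob", gitoid(sample, alg), alg)
        print(purl, matches(purl, sample))
```

Both the explicit (`sha1%3A...`) and the bare form round-trip through `parse_purl`; a purl whose stated algorithm disagrees with the digest length, or whose digest has a length other than 40 or 64, is rejected rather than guessed at, which is the check a consumer wants before trusting an identifier in an SBOM.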