purl-spec propose `bazel` type for Bazel modules

Bazel 6 introduced a new system for managing external dependencies centered around the concept of Bazel modules, which are hosted in a registry. The default registry is the Bazel Central Registry. This system will become the default this year and its predecessor will be turned off next year.

As discussed in https://github.com/bazelbuild/bazel/discussions/23166, we would thus like to register the bazel purl type for Bazel modules, as specified in this PR.

(Approved by the Rules Authors SIG: https://docs.google.com/document/d/1YGCYAGLzTfqSOgRFVsB8hDz-kEoTgTEKKp9Jd07TJ5c/edit#heading=h.9h67icc19g8f)

Aug 01 '24 10:08 fmeum

CC @mzeren-vmw

Aug 06 '24 17:08 fmeum

Any status on the feedback you waited for?

Aug 07 '24 06:08 oej

@oej Yes, this has been approved and is ready for review!

Aug 07 '24 09:08 fmeum

@stevespringett Could you review this?

Aug 21 '24 14:08 fmeum

@pombredanne Not sure who to ask for a review, could you take a look?

Oct 09 '24 14:10 fmeum

@fmeum please rebase to resolve conflicts.

Nov 22 '24 09:11 sschuberth

@sschuberth Done

Nov 22 '24 09:11 fmeum

What's needed to get this merged?

Two approvals are needed since recently. Maybe @pombredanne can also review?

Nov 29 '24 16:11 sschuberth

@sschuberth I think this now has the second approval?

Dec 03 '24 13:12 Yannic

Unfortunately, @Yannic you have read-only permissions, so the approval does not count towards mergability:

Dec 03 '24 13:12 sschuberth

@sschuberth Do you happen to have write permission and could add the second approval yourself?

Dec 03 '24 14:12 fmeum

@sschuberth Do you happen to have write permission and could add the second approval yourself?

@fmeum As mentioned over here I'm currently pausing reviews to this project until some process question are clarified with @pombredanne.

Dec 03 '24 14:12 sschuberth

Unfortunately, @Yannic you have read-only permissions, so the approval does not count towards mergability:

Oh! Sorry, I was under the impression that you already approved. I'm aware that my LGTM doesn't count towards the two required approvals.

@sschuberth do you have a rough estimate on when you expect the process questions to be resolved? A few days? A few weeks? I'm asking mostly to understand when Fabian or me should follow-up here so we don't unnecessarily ping :)

Dec 04 '24 19:12 Yannic

@sschuberth do you have a rough estimate on when you expect the process questions to be resolved? A few days? A few weeks?

I simply have no idea. I've already reached out the respective people, but I'm not getting any answer. But I'll keep on pushing 😉

Dec 05 '24 11:12 sschuberth

@stevespringett @shibumi @johnmhoran @pombredanne Apologies for the multi-ping, but it's hard to tell who would be able to move this forward. Could you add a second review?

Jan 16 '25 08:01 fmeum

@fmeum Hi, I am "only" the packageurl-go maintainer and have not much to say when it comes to purl specification issues. I am afraid you will have to wait for @pombredanne or anyone else of the "steering committee".

Jan 19 '25 19:01 shibumi

Can we add a test case for valid purls that Bazel will reject (e.g., pkg:bazel/Curl@1234) to have coverage for the non-validation case?

Added via b29e1ea420b4e3ffc7f5b331e0fbe8aae2da6cfe

Jan 28 '25 13:01 fmeum

After the merge of PR #514, PURL tests and defs are now defined in new JSON schemas :angel: :innocent: :grin: :

See #514

... therefore with the new approach... this PR would need to be updated.

Do you think you can update this PR to the new format?

Sorry for the churn. :heart:

Jul 26 '25 16:07 pombredanne

@pombredanne PTAL

Jul 29 '25 19:07 fmeum

@jkowalleck Friendly ping, what is needed to get this merged?

Aug 27 '25 15:08 fmeum

@pombredanne Friendly ping

Oct 24 '25 06:10 fmeum

@mjherzog Could you take a look?

Oct 24 '25 06:10 fmeum

purl-spec purl-spec copied to clipboard

propose `bazel` type for Bazel modules

purl-spec
purl-spec copied to clipboard