purl-spec icon indicating copy to clipboard operation
purl-spec copied to clipboard
verified publisher icon package-url

purl for Ubuntu ESM?

Open dodys opened this issue 10 months ago • 2 comments

For Ubuntu releases that are LTS (Long Term Support), after 5 years you have the ESM (Expanded Support Maintenance) period. The repository for ESM is different from the repository for the LTS period, e.g.: https://archive.ubuntu.com/ubuntu/dists/ https://esm.ubuntu.com/infra/ubuntu/dists/ (for main packages) https://esm.ubuntu.com/apps/ubuntu/dists/ (for universe packages)

Currently there are two possibilities, from my point of view, to support ESM in purl:

  1. We specify ESM through the distro parameter, which is what we are temporarily doing until we get to a conclusion here. For example: pkg:deb/ubuntu/[email protected]+dfsg-1ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-18838.json#L23

    And that would mean that only tools that convert purl ids into actual URLs to understand what is the ESM entries there.

  2. We would need to use a different namespace or repository_url instead for ESM. That also means that tools would need to understand this new namespace.

Thoughts? Preferences?

dodys avatar Feb 04 '25 12:02 dodys