
New questions for the FAQ

Open sjn opened this issue 6 months ago • 0 comments

Hei!

I've encountered some communities that I suspect may be not up to speed on what PackageURLs are for, their purpose in the supply chain, and what to expect from this tool.

Would it make sense to expand the FAQ a little with more questions (perhaps in a "user story" format)?

e.g.

  • [ ] I'm an upstream component author, and my users are expecting me to produce a purl for one of my releases so that they may refer to it, but I don't create packages of my own software - I only distribute source tarballs. What should I do?
  • [ ] I'm an upstream component author, and some downstream packagers are asking me for an authoritative download location for getting my source tarball releases. My software is mirrored many places, what should I tell them?
  • [ ] I'm a packager downloading a tarball of a release of a project which I intend to create a package for use in my ecosystem. I'm also expected to associate a package url for this package. What should I do?
  • [ ] I'm an integrator, and have downloaded a package using the tooling provided by my ecosystem. How do I figure out the package url of the package I downloaded and installed?
  • [ ] I'm an integrator, and have downloaded a package using the tooling provided by my ecosystem. I know the package url of this package, but how do I find out where the packager downloaded it from originally? ("How can I find out the pedigree of a package?")
  • [ ] I'm a distributor, running a mirror of other people's open source software in a source distribution form (tarball or zipfile). I don't re-package any of this software, but my downstream users wonder if I have a package url for the software I'm distributing. What should I tell them?
  • [ ] I'm a distributor, running a mirror of other people's open source software in a source distribution form (tarball or zipfile). Do I need to keep track of and provide any metadata (e.g. urls or purls) of where I got each file from, and if yes - how?
  • [ ] I'm a packager, and I've downloaded an open source package from an upstream language ecosystem that I intend to repackage. The original package already has a package url. Do I need to create a new package url to replace it, or should I use the original one, or do something else?
  • [ ] I'm a packager, and my immediate upstream source of packages provides their own package urls. I intend to distribute these packages unmodified through my own ecosystem. Do I need to create a new package url?

(Note: The questions above are also intended for identifying different situations where package urls are the wrong solution, or where they cannot help. They may have to be rewritten a little for clarity 🙂)

sjn avatar Jun 11 '25 17:06 sjn
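One way to turn the source-tarball situations in the list above into concrete purls, as an added example that is not part of this issue or of the purl-spec project's code: it uses the spec's `generic` type with the `download_url` and `checksum` qualifiers to record where a tarball came from, and parses such a purl back into its parts so the download location can be recovered later. The package name, URL and digest are constructed sample values.

```python
"""Build and parse Package URLs (purls) for artifacts that have no ecosystem-specific
type, using the purl-spec 'generic' type with download_url and checksum qualifiers.
All sample values below are constructed for illustration."""
from urllib.parse import quote, unquote


def build_purl(ptype, name, version=None, namespace=None, qualifiers=None, subpath=None):
    """Assemble a purl string following the purl-spec encoding rules."""
    parts = ["pkg:", ptype.lower(), "/"]
    if namespace:
        # Each namespace segment is percent-encoded on its own; '/' stays a separator.
        parts.append("/".join(quote(s, safe="") for s in namespace.strip("/").split("/")) + "/")
    parts.append(quote(name, safe=""))
    if version:
        parts.append("@" + quote(version, safe=""))
    if qualifiers:
        # Keys are lowercase and sorted; ':' and '/' may remain unencoded in values.
        items = sorted((k.lower(), v) for k, v in qualifiers.items() if v)
        parts.append("?" + "&".join(f"{k}={quote(v, safe=':/')}" for k, v in items))
    if subpath:
        parts.append("#" + "/".join(quote(s, safe="") for s in subpath.strip("/").split("/")))
    return "".join(parts)


def parse_purl(purl):
    """Split a purl into its components (the inverse of build_purl)."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: missing 'pkg:' scheme")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    ptype, _, path = rest.partition("/")
    path, sep, version = path.rpartition("@")  # version follows the last '@'
    if not sep:
        path, version = version, ""
    segments = path.split("/")
    qualifiers = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return {"type": ptype.lower(),
            "namespace": "/".join(unquote(s) for s in segments[:-1]) or None,
            "name": unquote(segments[-1]), "version": unquote(version) or None,
            "qualifiers": qualifiers, "subpath": unquote(subpath) or None}


# Constructed sample: an upstream author's tarball release, with its download location and digest
TARBALL_PURL = build_purl("generic", "example-lib", "2.4.1", qualifiers={
    "download_url": "https://example.org/releases/example-lib-2.4.1.tar.gz",
    "checksum": "sha256:" + "ab" * 32})  # placeholder digest, not a real hash
```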