Add VS Code extensions
Closes:
- https://github.com/package-url/purl-spec/issues/287
~~Clashes a little with a different approach at https://github.com/package-url/purl-spec/pull/671 since this will consider the VS Code extension marketplace as the default repository~~
I think we're aligned on this now
~~The type vsx refers to "VS code eXtension" and seems to be used in multiple places. Open to alternatives like vscode. As a note, the file extension for these IDE extension packages is .vsix.~~
After discussion, the PR now proposes the type vscode. The previous suggestion of vsx is ambiguous as it could refer to either VS Code extensions (JS) or to Visual Studio extensions (C#) which are incompatible. (Refer to this comment thread)
Happy to hear & take feedback, thanks!
@jkowalleck Any thoughts on this?
As I raised here: https://github.com/package-url/purl-spec/pull/671#discussion_r2377128615, I'm really interested in how we keep consumers of PURLs safe from things like typosquat attacks. Some context is I work in security and have had a client ask me to review an extension giving just its name ... and it was really hard to answer their question because I did not know which code I was meant to be auditing! (because there are two registries and they can have different code).
To that end I'm against vsx because I'm scared of it being a foot-gun. I think vscode would be a lot safer.
I think we should explore the question of how we handle referencing extensions in these two registries before merging these PRs though. Propose we continue discussion in that other PR (it's got a bit of discussion already)
I have examples in the PR. I think it's easy to distinguish the source by repository_url and this follows the convention used in many other PURL specs.
P.S. I incorporated your changes and credited you in one of the commits included in this PR
P.P.S. I've also been working on software supply chain security for much of the past 5 years
Update: after some great input from community, have opted to close https://github.com/package-url/purl-spec/pull/671 in favour of this proposal ❤️
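The point raised in the thread (two registries, the same extension name, possibly different code, and `repository_url` as the way to tell them apart) can be made concrete with a small purl parser. The block below is an added example, not code from the purl-spec project or from either PR. It follows the generic purl grammar (`pkg:type/namespace/name@version?qualifiers#subpath`) and the spec's decoding rules for qualifiers; the `vscode` type, the publisher-as-namespace layout, the placeholder registry URLs and the publisher/extension names are assumptions and constructed inputs for illustration.

```python
"""Added example: parse package-URLs (purls) and tell apart two VS Code
extensions that share publisher/name/version but resolve against
different registries.

Grammar per purl-spec:  pkg:type/namespace/name@version?qualifiers#subpath
The ``vscode`` type, the publisher-as-namespace layout and the registry
URLs below are assumptions for illustration, not text from the spec PR.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import unquote

# Assumed default registry when no repository_url qualifier is present
# (placeholder URL, constructed for this example).
DEFAULT_REGISTRY = "https://marketplace.example"


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str | None
    name: str
    version: str | None
    qualifiers: tuple  # sorted (key, value) pairs, so the object stays hashable
    subpath: str | None


def parse_purl(purl: str) -> Purl:
    """Split a purl into its components following the purl-spec decoding rules."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")

    # Subpath and qualifiers are peeled off from the right first, so that
    # '@', '/' or ':' inside a qualifier value cannot be mistaken for delimiters.
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")

    # The version is everything after the *last* '@' (spec: split from the right).
    head, sep, tail = rest.rpartition("@")
    version = None
    if sep:
        rest, version = head, unquote(tail)

    # The first path segment is the type; it is case-insensitive and lowercased.
    type_, _, remainder = rest.partition("/")
    if not type_ or not remainder:
        raise ValueError(f"purl needs a type and a name: {purl!r}")

    segments = [unquote(s) for s in remainder.strip("/").split("/") if s]
    name = segments[-1]
    namespace = "/".join(segments[:-1]) or None

    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        if value:  # spec: a qualifier with an empty value is discarded
            qualifiers[key.lower()] = unquote(value)

    clean_subpath = None
    if subpath:
        parts = [unquote(p) for p in subpath.split("/") if p not in ("", ".", "..")]
        clean_subpath = "/".join(parts) or None

    return Purl(type_.lower(), namespace, name, version,
                tuple(sorted(qualifiers.items())), clean_subpath)


def registry_of(p: Purl) -> str:
    """Registry the purl resolves against: repository_url if given, else the default."""
    return dict(p.qualifiers).get("repository_url", DEFAULT_REGISTRY).rstrip("/")


def same_artifact(a: Purl, b: Purl) -> bool:
    """Two purls name the same code only if coordinates *and* registry match."""
    return (a.type, a.namespace, a.name, a.version, registry_of(a)) == \
           (b.type, b.namespace, b.name, b.version, registry_of(b))


if __name__ == "__main__":
    # Constructed inputs: identical publisher/name/version, different registries.
    default_side = parse_purl("pkg:vscode/some-publisher/some-extension@1.2.3")
    other_side = parse_purl(
        "pkg:vscode/some-publisher/some-extension@1.2.3"
        "?repository_url=https%3A%2F%2Fother-registry.example"
    )
    print(registry_of(default_side), "vs", registry_of(other_side))
    print("same code to audit?", same_artifact(default_side, other_side))
```

The takeaway for the auditing scenario in the thread: a purl with no `repository_url` is pinned to the default registry, and the same coordinates with a different `repository_url` identify a different artifact, so a consumer can refuse to treat the two as interchangeable.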
Hi! I don't know why, but I got notified about this issue. Any way I can help?
@amvanbaren The PR was waiting on me to update (which I have now) -- I'm not sure either, but the more eyes the merrier
@pombredanne Looks like we've got all the comments addressed. Are you ready to take a look again?