
Inconsistency in the description of the checksum qualifier.

Open andrewstein opened this issue 5 years ago • 3 comments

According to the spec:

checksum is a qualifier for one or more checksums stored as a comma-separated list. Each item in the value is in form of lowercase_algorithm:hex_encoded_lowercase_value

and an abbreviated example is given as checksum=sha1:ad9503c3e994a4f...

However, also according to the spec:

A [qualifier] value must be a percent-encoded string

And to build a purl string which has qualifiers, one must

create a string by joining the lowercased key, the equal '=' sign and the percent-encoded value to create a qualifier

In a percent-encoded string, the colon character, ':', is encoded as '%3A'. And in fact the reference Java implementation will encode the above as checksum=sha1%3Aad9503c3e994a4f...

andrewstein Feb 11 '20 23:02

Also, as @jdillon has pointed out to me, the documentation sometimes uses "checksum" and sometimes "checksums"...

andrewstein Feb 11 '20 23:02

And @jdillon has further pointed out to me that near the top of the spec we have a docker example with

pkg:docker/gcr.io/customer/dockerimage@sha256:244fd47e07d1004f0aed9c

and lower down we have

pkg:docker/gcr.io/customer/dockerimage@sha256%3A244fd47e07d10

So it would seem that the inconsistency relating to the percent-encoding of ':' is also in the docker version, not just the checksum(s).

andrewstein Feb 11 '20 23:02
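The practical consequence of the two spellings is worth seeing in code. The following is an added example written for this page; it is not code from the issue, from the purl-spec documents or from any reference implementation. It builds a qualifier string the way the quoted build steps describe (percent-encoding the value, so ':' becomes '%3A'), parses purls in either spelling back to their components, and shows that the raw docker example and its '%3A' spelling are different strings but the same purl once the version is percent-decoded. The parser, the `parse_checksums` helper and the sample values (the issue's docker example, a constructed '%3A' spelling of it, and the SHA-1 of the empty string as a checksum value) are all assumptions of this example, not part of the spec text quoted above.

```python
from urllib.parse import quote, unquote

# Constructed sample purls for this example. DOCKER_RAW is the docker example
# quoted in the issue; DOCKER_ENC is a ':' percent-encoded spelling of the
# same purl, written out to the same digest prefix so the two can be compared.
DOCKER_RAW = "pkg:docker/gcr.io/customer/dockerimage@sha256:244fd47e07d1004f0aed9c"
DOCKER_ENC = "pkg:docker/gcr.io/customer/dockerimage@sha256%3A244fd47e07d1004f0aed9c"
# Constructed checksum value: SHA-1 of the empty string, in the spec's
# lowercase_algorithm:hex_encoded_lowercase_value form.
EMPTY_SHA1 = "sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709"


def build_qualifiers(qualifiers):
    """Join qualifiers as the build steps quoted in the issue describe:
    lowercased key, '=', percent-encoded value, sorted by key, '&'-joined.
    Empty values are dropped. safe='' makes quote() encode ':' (and '/')."""
    parts = []
    for key in sorted(qualifiers, key=str.lower):
        value = qualifiers[key]
        if not value:
            continue
        parts.append(f"{key.lower()}={quote(value, safe='')}")
    return "&".join(parts)


def parse_purl(purl):
    """Minimal parser written for this example: strip the scheme, split
    '#subpath', '?qualifiers' and '@version' off the right end in that order,
    then percent-decode every component before returning it."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: missing 'pkg:' scheme")
    rem = purl[len("pkg:"):].lstrip("/")
    subpath = None
    if "#" in rem:
        rem, sub = rem.rsplit("#", 1)
        subpath = unquote(sub)
    qualifiers = {}
    if "?" in rem:
        rem, qs = rem.rsplit("?", 1)
        for pair in qs.split("&"):
            key, _, value = pair.partition("=")
            if value:
                qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rem:
        rem, ver = rem.rsplit("@", 1)
        version = unquote(ver)
    type_, _, path = rem.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not segments:
        raise ValueError("not a purl: missing name")
    return {
        "type": type_.lower(),
        "namespace": "/".join(segments[:-1]) or None,
        "name": segments[-1],
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def parse_checksums(value):
    """Split an already percent-decoded checksum qualifier into
    (algorithm, hex) pairs, rejecting anything that is not
    lowercase algorithm ':' lowercase hex digits."""
    out = []
    for item in value.split(","):
        algo, sep, digest = item.partition(":")
        if not sep or not algo or algo != algo.lower() or not digest:
            raise ValueError(f"malformed checksum item: {item!r}")
        if any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"checksum digest is not lowercase hex: {item!r}")
        out.append((algo, digest))
    return out


def same_purl(a, b):
    """Compare two purls on their decoded components rather than on the raw
    string, so the 'sha256:' and 'sha256%3A' spellings are treated as equal."""
    return parse_purl(a) == parse_purl(b)


if __name__ == "__main__":
    print(build_qualifiers({"checksum": EMPTY_SHA1}))
    print(DOCKER_RAW == DOCKER_ENC, same_purl(DOCKER_RAW, DOCKER_ENC))
    print(parse_checksums(parse_purl("pkg:npm/foo@1.0.0?" + build_qualifiers({"checksum": EMPTY_SHA1}))["qualifiers"]["checksum"]))
```

The caveat for anyone matching purls between an SBOM, a scanner and an advisory feed: a byte-for-byte string comparison treats the two docker spellings above as different packages, while a comparison of decoded components treats them as the same one. Whichever reading of the spec wins, consumers should normalise (decode, then re-encode canonically) before comparing, and should validate the checksum qualifier's algorithm and hex digest after decoding rather than pattern-matching the encoded string.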