purl-spec
A minimal specification for purl, a.k.a. a package "mostly universal" URL; join the discussion at https://gitter.im/package-url/Lobby
Here is what I suggest: 1. add a simple DCO to the repo and document this in a CONTRIBUTING file, requesting sign off by in the good ole and time...
Been using the PURL spec for a while now and have started bumping into issues with valid PURLs not being valid package qualifier names. Currently, for golang, the following description...
Spec says about repository_url: `repository_url is an extra URL for an alternative, non-default package repository or registry.` I know this is kind of nitpicking, but `repository_url` in the examples are...
There are many pull requests that need to be merged and unanswered questions among some of the issues. The security industry is in the process of fully adopting PackageURL with OWASP and...
@stevespringett implemented purl in his dependency-track, which is a package vulnerability tracker. I think this is an awesome use case. https://github.com/search?l=&q=purl+user%3Astevespringett&ref=advsearch&type=Code&utf8=%E2%9C%93 We should have a page or doc of sorts that...
In the current spec the type of a package and the provider of a package are compressed into the `type` element. For example, type = `npm` implies npmjs.com as the...
Howdy folks, been looking over this specification and it's pretty complete, but I have some concerns about the per-type specific component value transformations. Specifically the various bits that are per-type...
As "+" is frequently used within Debian package versions, I'd like to see a clarification (and probably examples/tests for it) whether this needs to be percent-encoded or not. This also...
The spec reads ``` If the qualifiers are not empty and not composed only of key/value pairs where the value is empty: ... * sort this list of qualifier strings...