rhalar

7 comments by rhalar

This would be a good addition, I believe. The first option seems cleaner at first (`source artifact` as a name perhaps?) but note that currently purls are defined per package;...

Hi! I work for ReversingLabs and have been responsible for our OSSF integration. So, to clarify our process; we track multiple sources for malware activity on a number of repositories,...

> I can try creating the PRs myself and discuss OSSF's guidelines. Would you be able to update your database based on that? OSSF entries are additive, so changes you make...

@calebbrown We're preparing a new push to the bucket, and this is blocking us a wee bit. We'd like to withdraw these on our end, which shouldn't be too much...

Could it also be clarified how standard library packages are to be represented? Go has special handling for these, and the 'module' is never explicitly required when using them. But...
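The special handling mentioned above can be seen in the toolchain itself. The following Go program is an added example written for this page, not code from rhalar, ReversingLabs or the purl-spec project: it applies the rule cmd/go uses to recognise standard-library import paths (the first path element has no dot), confirms with `go/build` that such a path resolves inside GOROOT rather than through any module, and renders a purl for a package inside an ordinary module. The `ModulePurl` helper follows the purl-spec `golang` type as assumed here (module path as namespace and name, version after `@`, package path relative to the module root as the `#` subpath); it deliberately does not encode standard-library packages, since how those should look is exactly what the thread leaves open.

```go
package main

import (
	"fmt"
	"go/build"
	"net/url"
	"strings"
)

// IsStandardImportPath reports whether importPath belongs to the standard
// library, using the rule cmd/go applies: the first element of a
// standard-library import path contains no dot, while module paths start
// with a domain-like element such as "github.com". Relative and empty
// paths are never standard.
func IsStandardImportPath(importPath string) bool {
	if importPath == "" || strings.HasPrefix(importPath, ".") {
		return false
	}
	first, _, _ := strings.Cut(importPath, "/")
	return !strings.Contains(first, ".")
}

// ResolvesInGOROOT asks the local toolchain (go/build with FindOnly, so no
// sources are parsed) where importPath lives and reports whether that is
// GOROOT. Only call it for paths IsStandardImportPath accepts: in module
// mode go/build shells out to `go list` for anything else, which may need
// the network.
func ResolvesInGOROOT(importPath string) (bool, error) {
	pkg, err := build.Default.Import(importPath, "", build.FindOnly)
	if err != nil {
		return false, err
	}
	return pkg.Goroot, nil
}

// ModulePurl renders a purl for a package inside a Go module. Assumed
// layout, following the purl-spec "golang" type as read by the author of
// this example: the module path becomes namespace+name, the module version
// goes after "@", and the package path relative to the module root goes in
// the "#" subpath. Standard-library packages are intentionally not handled
// here because they have no module to put in front of "@".
func ModulePurl(modulePath, version, pkgSubpath string) string {
	var b strings.Builder
	b.WriteString("pkg:golang/")
	// percent-encode each segment separately so '/' stays a separator
	segs := strings.Split(modulePath, "/")
	for i, s := range segs {
		segs[i] = url.PathEscape(s)
	}
	b.WriteString(strings.Join(segs, "/"))
	if version != "" {
		b.WriteString("@" + url.PathEscape(version))
	}
	if pkgSubpath != "" {
		subs := strings.Split(strings.Trim(pkgSubpath, "/"), "/")
		for i, s := range subs {
			subs[i] = url.PathEscape(s)
		}
		b.WriteString("#" + strings.Join(subs, "/"))
	}
	return b.String()
}

func main() {
	// constructed sample import paths: two standard-library, one module
	for _, p := range []string{"fmt", "net/http", "github.com/gorilla/mux"} {
		fmt.Printf("%-24s standard=%v\n", p, IsStandardImportPath(p))
	}
	inRoot, err := ResolvesInGOROOT("net/http")
	fmt.Println("net/http in GOROOT:", inRoot, err)
	fmt.Println(ModulePurl("github.com/gorilla/mux", "v1.8.0", ""))
	fmt.Println(ModulePurl("google.golang.org/genproto", "", "googleapis/api/annotations"))
}
```

Run it with `go run` inside any directory with a go.mod; the standard-library lookups never touch the network, which is the practical consequence of there being no module to fetch for `fmt` or `net/http`.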

I'm not sure I follow how it would make it easier for tools? The problem I have with `pkg:golang/[email protected]#cmd` is that `cmd` and `std` aren't packages, but modules.

I believe I get the argument, and I will defer to your judgement as the more knowledgeable about Go concepts and internals. However, I do still feel that it would...