Robert

Results 57 comments of Robert

@tdruez thank you so much for your work. Yes, your proposal for the download URL makes sense to me. Also prioritizing the source archive is an excellent idea, as this...

@tdruez In tests with DejaCode 5.4.0 I see issues with mappings from packages to PurlDB entries, that may be related to the changes made in this ticket. I'm not sure...

I've created a separate issue for this so these can be tracked independently in case the cause is not related

The root cause is in the comparison as the qualifier also has to be removed from PurlDB's PURL. Details are in issue #383

@tdruez It looks like multiple commits have been made in PurlDB for the prerequisites you have mentioned in https://github.com/aboutcode-org/dejacode/issues/307#issuecomment-2916380214. Are these now met so the selection between multiple matching PurlDB...

I noticed that the exact mapping should already be possible. The issue with the Python packages is that after they have been imported from the SBOM, the only hash populated...

The suggested fix unfortunately does not work. The SBOM import leads to the package in DejaCode only having a SHA256 assigned but no download URL. For some reason the PurlDB...

The proper way to solve this would be the following: 1. Patch PurlDB to pull SHA256 as well for PyPI (additionally check if other package managers can pull more hash...

Perhaps not ready for a pull request, but it seems this is working significantly better. Alternatively one could also go just by PURL and filter based on hashes locally. ```...

For context, see also https://github.com/aboutcode-org/dejacode/discussions/289