spdx-spec icon indicating copy to clipboard operation
spdx-spec copied to clipboard
verified publisher icon spdx

Purl for DownloadURL and DocumentNamespace tags

Open nishakm opened this issue 5 years ago • 3 comments

Use cases:

  • For content addressable artifacts like container images and CAS systems like registries, in most cases the download URL is not known or all that is known is the vendor or the vendor's domain name (gcr.io, docker.io, quay.io, etc), a possible namespace and reference.
  • For documents hosted in CAS systems, the specific URL may not be known.

Purl addresses these issues in the following ways:

  • A minimal requirement is to identify the type of package, a name and a version (eg: pkg:container/k8s/cluster-autoscaler@sha256:deadca66a9e)
  • Further identification can be provided by end vendors (eg: pkg:container/k8s/cluster-autoscaler@sha256:deadca66a9e?domain=quay.io)

nishakm avatar May 22 '20 22:05 nishakm

@nishakm - is this something you want considered for 3.0?

kestewart avatar Aug 10 '22 03:08 kestewart

Since this is non-breaking, moving to 3.1 for consideration.

goneall avatar Apr 04 '24 17:04 goneall