In external repo identifiers, add homepage URL and repo URL
SPDX already supports identifying packages using a CPE, some repos, or a package URL (purl), as noted here in Annex F:
https://github.com/spdx/spdx-spec/blob/development/v2.2.1/chapters/external-repository-identifiers.md
However, many packages don't have a CPE and aren't in a repo, so those don't work in many cases.
However, almost all software projects do have a homepage URL, and almost all open source software projects do have a publicly-visible repo (which may be different from the homepage). The CII Best Practices Badge project has had good success using these to identify projects.
I recommend adding a way to identify projects by either (1) homepage URL or (2) repository URL. So I recommend adding:
- homePageUrl : The project home page Uniform Resource Locator (URL). Where possible, use the "https" scheme in preference to the "http" scheme, and prefer a URL that is not tied to a particular locale. This should be a "stable" URL that does not change as new releases are made.
- repoUrl : The project repository Uniform Resource Locator (URL). Where possible, use the "https" scheme in preference to the "http" scheme, and prefer a URL that is not tied to a particular locale. This should be a "stable" URL that does not change as new releases are made. If it is a public git repository, it should be possible to clone this project using "git clone $(repoUrl)".
@kestewart - I'd love to hear your thoughts about this proposal!
On further reflection, sometimes you also want to refer to a specific version. I think a very good way to do this with URLs is to be able to refer to a URL for a specific version that was downloaded/used. So let's add:
- releaseURL : The project release Uniform Resource Locator (URL) that, when retrieved, will download the specific version of the software that was used. Where possible, use the "https" scheme in preference to the "http" scheme, and prefer a URL that is not tied to a particular locale. This should be a stable URL, that is, the URL over time should continue to refer to the specific version as originally used. This releaseURL may refer to a compiled release or a "source code only" release; it should simply refer to whatever was used.
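A small checker for candidate values of the three proposed fields, encoding only the guidance stated in the proposal (prefer https, avoid locale-specific URLs, a repoUrl should be a clone root, a releaseURL should stay pinned to one version). This is an added example and is not part of this issue or of the SPDX specification; the field names are the proposal's, while the locale-segment pattern, the list of forge hosts and the "latest" test are heuristics assumed here.

```python
"""Checks for the proposed homePageUrl / repoUrl / releaseURL fields.

Added example, not from the SPDX spec or this issue. The rules below are the
proposal's guidance; the regex, host list and "latest" test are assumptions.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

FIELDS = ("homePageUrl", "repoUrl", "releaseURL")

# Assumption: a path segment like /en-US/ or /de_DE/ marks a locale-specific URL.
# Kept conservative (language + region) so paths such as /golang/go/ are not flagged.
LOCALE_SEGMENT = re.compile(r"/[a-z]{2}[-_][A-Z]{2}/")

# Assumption: on these hosts the cloneable repository root is /<owner>/<repo>.
FORGE_HOSTS = {"github.com", "gitlab.com", "codeberg.org"}


def check_project_url(url: str, kind: str) -> List[str]:
    """Return a list of warnings for `url` used as the field `kind` (empty if clean)."""
    if kind not in FIELDS:
        raise ValueError(f"unknown field {kind!r}")
    warnings: List[str] = []
    parts = urlparse(url)

    # "Where possible, use the https scheme in preference to the http scheme."
    if parts.scheme == "http":
        warnings.append("uses http; prefer https")
    elif parts.scheme != "https":
        warnings.append(f"scheme {parts.scheme!r} is not https")
    if not parts.netloc:
        warnings.append("missing host")

    # "Prefer a URL that is not tied to a particular locale."
    if LOCALE_SEGMENT.search(parts.path + "/"):
        warnings.append("path looks locale-specific")

    # A repoUrl should work with: git clone $(repoUrl)
    if kind == "repoUrl" and parts.netloc in FORGE_HOSTS:
        segments = [s for s in parts.path.split("/") if s]
        if len(segments) != 2:
            warnings.append("not a repository root; git clone expects <host>/<owner>/<repo>")

    # A releaseURL must keep referring to the exact version that was used.
    if kind == "releaseURL" and "latest" in parts.path.lower():
        warnings.append("'latest' will not keep pointing at the version used")

    return warnings


def check_package(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_project_url over every proposed field present; keys with no warnings are omitted."""
    result: Dict[str, List[str]] = {}
    for kind, url in fields.items():
        found = check_project_url(url, kind)
        if found:
            result[kind] = found
    return result


if __name__ == "__main__":
    # Constructed sample input; spdx-spec is used only because it is named in the issue.
    sample = {
        "homePageUrl": "https://spdx.dev/en-US/",
        "repoUrl": "https://github.com/spdx/spdx-spec/tree/development/v2.2.1",
        "releaseURL": "https://github.com/spdx/spdx-spec/releases/latest",
    }
    for field, msgs in check_package(sample).items():
        print(f"{field}: {'; '.join(msgs)}")
```

Run as a script it reports each proposed field whose value would not satisfy the proposal's guidance; a clean set of URLs yields an empty dict from `check_package`.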
Since this isn't a breaking change, moving to the 3.1 milestone for consideration.