
distro qualifier should be standardized #247

Open
another-rex opened this issue Aug 2, 2023 · 2 comments

@another-rex

There doesn't seem to be a specification for how distro should be formatted apart from in examples (e.g. debian), and for some distros like Alpine there are no examples of the distro qualifier at all, so it's hard to implement a parser for it. (Alpine also does not have a shared package pool across releases, so knowing what Alpine version a package is for is very important.)

Defining a format for the distro qualifier for each ecosystem would be very helpful for implementing tooling that needs to know what distro release a PURL is for.

@prabhu

prabhu commented Sep 4, 2023

+1

The cdxgen team has a custom definition of distro and distro_name, where distro is of the form ID-VERSION_ID to deal with Alpine and other distro-specific issues.

https://github.com/CycloneDX/cdxgen/blob/master/binary.js#L387

@oliverchang
Contributor

@pombredanne

The discussion on ossf/osv-schema#208 reminded me of this issue again :)

Would it make sense to tighten down, for each supported distro, the exact definition of how the distro qualifier is meant to be encoded?

For instance, for Debian in the OSV Schema, we define a Debian distro as the exact release number as it appears in https://debian.pages.debian.net/distro-info-data/debian.csv. e.g. "4.0" as opposed to "4", and "8" as opposed to "8.0".
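
As an added example (not code from this issue, from OSV, or from cdxgen), a small Python helper that pulls the distro qualifier out of a PURL, maps a Debian value onto the exact debian.csv spelling described above ("4.0" not "4", "8" not "8.0"), and splits a cdxgen-style ID-VERSION_ID value. The release table is a constructed subset of debian.csv, and the function names purl_qualifiers, normalize_debian_distro, split_id_version and debian_release_of are hypothetical.

```python
from urllib.parse import unquote

# Constructed subset of the release column of debian.csv (assumption: a real
# tool would load the CSV itself). What matters is the exact spelling the file
# uses: "x.0" for releases up to squeeze, bare integers from wheezy onward.
DEBIAN_RELEASES = {
    "4.0": "etch", "5.0": "lenny", "6.0": "squeeze", "7": "wheezy",
    "8": "jessie", "9": "stretch", "10": "buster", "11": "bullseye",
    "12": "bookworm",
}


def purl_qualifiers(purl: str) -> dict:
    """Return the qualifier key/value pairs of a PURL: the '?key=value&...'
    part before any '#subpath', keys lower-cased, values percent-decoded."""
    body = purl.split("#", 1)[0]
    if "?" not in body:
        return {}
    pairs = {}
    for item in body.split("?", 1)[1].split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs[key.lower()] = unquote(value)
    return pairs


def normalize_debian_distro(distro: str):
    """Map a Debian distro qualifier onto the exact debian.csv spelling the
    OSV Schema uses; None if it names no known release."""
    if distro in DEBIAN_RELEASES:
        return distro
    if distro.endswith(".0") and distro[:-2] in DEBIAN_RELEASES:
        return distro[:-2]          # "8.0" -> "8"
    if distro + ".0" in DEBIAN_RELEASES:
        return distro + ".0"        # "4" -> "4.0"
    return None


def split_id_version(distro: str):
    """Split a cdxgen-style ID-VERSION_ID value ("alpine-3.18") into parts.
    Assumption: the os-release ID itself contains no '-'."""
    osid, sep, version = distro.partition("-")
    return (osid, version) if sep else (osid, None)


def debian_release_of(purl: str):
    """Normalized distro qualifier of a pkg:deb PURL; None if absent/unknown."""
    distro = purl_qualifiers(purl).get("distro")
    return normalize_debian_distro(distro) if distro else None
```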
