ppkarwasz commented on issue #614: URL: https://github.com/apache/tooling-trusted-releases/issues/614#issuecomment-3847098025
The ASF officially only distributes source packages. In package-url/purl-spec#59 some participants expressed the position that source packages should not have a PURL and the [SPDX download location](https://spdx.github.io/spdx-spec/v2.3/package-information/#77-package-download-location-field) should be used instead. I don't have a strong opinion on this matter, but we should probably support both:

- An SPDX “download location” like `git+https://gitbox.apache.org/repos/asf/logging-log4j2.git@rel/2.25.3#log4j-core`
- A PURL to designate the source archive stored by the ASF

We should also consider publishing [Software Heritage Identifiers](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html#persistent-identifiers) for each release, which as of 2025 are an ISO standard ([ISO/IEC 18670:2025](https://www.iso.org/standard/89985.html)).
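The three identifier forms named in the comment, side by side, as an added example that is not part of the thread or of the tooling-trusted-releases project's code. The repository URL, tag and subpath are the ones quoted above; the `example.org` download URL, the archive bytes and the file content are constructed placeholders, the `pkg:generic` type with `download_url`/`checksum` qualifiers is the purl-spec's form for artifacts outside any package ecosystem, and the SPDX regex covers only the VCS form of the download-location field (SPDX also allows a plain URL, `NONE` and `NOASSERTION`, which the parser reports as `None`).

```python
"""Worked comparison of the three identifier forms discussed in the comment.

Added example; not code from the issue thread or from the ASF tooling
project. The repository URL, tag and subpath are the ones quoted in the
comment; the download URL (example.org), the archive bytes and the file
content below are constructed placeholders.
"""
import hashlib
import re
from typing import Optional
from urllib.parse import quote

# SPDX 2.3 PackageDownloadLocation, VCS form:
#   <vcs>+<url>[@<revision>][#<subpath>]
# This regex covers that form only; SPDX also allows a plain URL, NONE
# and NOASSERTION, which parse_spdx_vcs_location reports as None.
_SPDX_VCS_RE = re.compile(
    r"^(?P<vcs>git|hg|svn|bzr)\+(?P<url>[^@#]+)"
    r"(?:@(?P<revision>[^#]+))?(?:#(?P<subpath>.+))?$"
)


def parse_spdx_vcs_location(loc: str) -> Optional[dict]:
    """Split a VCS-style download location into vcs, url, revision, subpath."""
    m = _SPDX_VCS_RE.match(loc)
    return m.groupdict() if m else None


def generic_purl(name: str, version: str, download_url: str, sha256_hex: str) -> str:
    """Build a pkg:generic PURL for a source archive.

    pkg:generic is the purl-spec type for artifacts with no package-manager
    ecosystem; download_url and checksum are the qualifiers its documentation
    uses for that case. Qualifier keys are emitted in sorted order, as PURL
    canonical form requires.
    """
    qualifiers = {
        "download_url": download_url,
        "checksum": f"sha256:{sha256_hex}",
    }
    encoded = "&".join(
        f"{k}={quote(v, safe=':/')}" for k, v in sorted(qualifiers.items())
    )
    return f"pkg:generic/{quote(name, safe='')}@{quote(version, safe='')}?{encoded}"


def swhid_for_content(data: bytes) -> str:
    """SWHID for a content object (swh:1:cnt:<hash>).

    The hash is the Git blob hash: SHA-1 over "blob <len>\\0" + bytes, so it
    can be computed from the file alone and cross-checked with
    `git hash-object`. Directory, revision and release SWHIDs need the
    surrounding Git object graph and are not computed here.
    """
    header = b"blob %d\0" % len(data)
    return "swh:1:cnt:" + hashlib.sha1(header + data).hexdigest()


_SWHID_RE = re.compile(r"^swh:1:(cnt|dir|rev|rel|snp):[0-9a-f]{40}$")


def is_core_swhid(s: str) -> bool:
    """Syntactic check of a core SWHID (no qualifiers)."""
    return _SWHID_RE.match(s) is not None


def demo() -> dict:
    """Run all three on the release coordinates quoted in the comment."""
    spdx = "git+https://gitbox.apache.org/repos/asf/logging-log4j2.git@rel/2.25.3#log4j-core"
    # Constructed placeholders: a fake archive body and an example.org URL.
    archive = b"constructed placeholder for a source archive\n"
    download_url = "https://example.org/apache-log4j-2.25.3-src.tar.gz"
    purl = generic_purl("log4j-core", "2.25.3", download_url,
                        hashlib.sha256(archive).hexdigest())
    return {
        "spdx": parse_spdx_vcs_location(spdx),
        "purl": purl,
        "swhid": swhid_for_content(b"hello world\n"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The content SWHID is the only one of the three that a consumer can recompute from the downloaded bytes alone, which is what makes it useful next to a PURL that merely names the archive: the `checksum` qualifier on the PURL and the `swh:1:cnt:` hash can both be verified offline against the file actually fetched.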
