dave2wave commented on issue #614: URL: https://github.com/apache/tooling-trusted-releases/issues/614#issuecomment-3873848392
> The ASF officially only distributes source packages.

I would put quotes around "officially" and say that truthfully ASF project communities do publish packages to packagers like PyPI and Maven Central. For these we should consider publishing the known PURL. The official source packages that the ASF provides are structured and provided at known URLs, the artifacts are accessed through a CDN which can handle whether the artifact has been archived. The signature and checksum are in a certain location and you must know if these are current or archived. Providing a link to anything other than this source archive is not "official". These SPDX URLs are wrong whether to gitbox or GitHub.

> We should also consider publishing [Software Heritage Identifiers](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html#persistent-identifiers) for each release, which as of 2025 are an ISO standard ([ISO/IEC 18670:2025](https://www.iso.org/standard/89985.html)).

This looks incredibly opaque, I would prefer to eschew obfuscation.
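The comment above touches two things a consumer of release metadata actually has to do: derive the PURL for a package that a project community published to PyPI or Maven Central, and check a downloaded source archive against the checksum sidecar that sits beside it. The following is an added, constructed example written for this thread; it is not code from the issue, from dave2wave, or from the tooling-trusted-releases project. It assumes the two sidecar layouts commonly seen in `.sha512` files (the `sha512sum` style `<hex>  <filename>` and the `gpg --print-md` style `<filename>: <hex groups>`), and the PURL normalisation rules for the `pypi` and `maven` types; the archive name, bytes and package coordinates are sample values.

```python
import hashlib
import hmac
import re
from urllib.parse import quote

# Constructed sample input (not a real ASF artifact): a stand-in archive and its name.
SAMPLE_ARCHIVE_NAME = "apache-example-1.2.3-src.tar.gz"
SAMPLE_ARCHIVE_BYTES = b"not a real tarball, constructed for this example\n"


def _enc(component: str) -> str:
    """Percent-encode one purl component so '/', ':' and '@' cannot be misread as separators."""
    return quote(component, safe="")


def purl_pypi(name: str, version: str) -> str:
    """pkg:pypi purl; the purl spec lowercases the name and maps '_' to '-'."""
    return f"pkg:pypi/{_enc(name.lower().replace('_', '-'))}@{_enc(version)}"


def purl_maven(group_id: str, artifact_id: str, version: str) -> str:
    """pkg:maven purl; groupId is the namespace, artifactId is the name."""
    return f"pkg:maven/{_enc(group_id)}/{_enc(artifact_id)}@{_enc(version)}"


def parse_sha512_sidecar(text: str) -> dict:
    """Map filename -> lowercase hex digest from either sidecar style.

    Whitespace is collapsed first because the gpg --print-md style wraps the
    digest groups across several lines.
    """
    compact = " ".join(text.split())
    results = {}
    # Style A: "<128 hex>  [*]<filename>" as written by sha512sum.
    for m in re.finditer(r"\b([0-9a-fA-F]{128})\s+\*?(\S+)", compact):
        results[m.group(2)] = m.group(1).lower()
    # Style B: "<filename>: <16 groups of 8 hex>" as written by gpg --print-md SHA512.
    for m in re.finditer(r"(\S+):\s*((?:[0-9A-Fa-f]{8}\s*){16})", compact):
        results[m.group(1)] = re.sub(r"\s+", "", m.group(2)).lower()
    return results


def verify_archive(archive_bytes: bytes, archive_name: str, sidecar_text: str) -> bool:
    """True only if the sidecar names this archive and the digest matches."""
    expected = parse_sha512_sidecar(sidecar_text).get(archive_name)
    if expected is None:
        return False
    actual = hashlib.sha512(archive_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


def sample_sidecars() -> tuple:
    """Build both sidecar styles for the constructed sample archive."""
    digest = hashlib.sha512(SAMPLE_ARCHIVE_BYTES).hexdigest()
    style_a = f"{digest}  {SAMPLE_ARCHIVE_NAME}\n"
    groups = [digest[i:i + 8].upper() for i in range(0, 128, 8)]
    indent = " " * (len(SAMPLE_ARCHIVE_NAME) + 2)
    style_b = (f"{SAMPLE_ARCHIVE_NAME}: " + " ".join(groups[:8]) + "\n"
               + indent + " ".join(groups[8:]) + "\n")
    return style_a, style_b


if __name__ == "__main__":
    a, b = sample_sidecars()
    print(purl_pypi("Apache_Airflow", "2.9.0"))
    print(purl_maven("org.apache.commons", "commons-lang3", "3.14.0"))
    print("sha512sum style:", verify_archive(SAMPLE_ARCHIVE_BYTES, SAMPLE_ARCHIVE_NAME, a))
    print("gpg --print-md style:", verify_archive(SAMPLE_ARCHIVE_BYTES, SAMPLE_ARCHIVE_NAME, b))
```

The checksum check deliberately fails closed when the sidecar does not mention the exact filename, which is the case the comment warns about: a `.sha512` fetched from the wrong location (current vs. archived, or a mirror rather than the canonical path) may describe a different artifact than the one in hand. The checksum is a download-integrity check only; release authenticity still comes from the detached signature and the project KEYS file.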
