mjherzog commented on issue #614: URL: https://github.com/apache/tooling-trusted-releases/issues/614#issuecomment-3874271217
@dave2wave Using the batik example, the best PURL approach would be to keep the PURL type of maven, pypi or similar (for software distributed via a package manager) and use qualifiers (key-value pairs) to document the source download location and checksums. These are already commonly used as qualifiers across PURL types. You can also propose new qualifiers for the maven PURL type or other PURL types. For C/C++ FOSS we are working on a PURL prototype with a registry that would provide the essential identity information for these projects. The generic PURL type is there as a backstop. The SCM/VCS PURL types should be better structured soon to provide a clearer picture of that option. The packageurl-python project is a leading PURL implementation but the code you referenced is not definitive. We would welcome your participation in one of the PURL meetings - see https://www.packageurl.org/docs/participate/participate-meetings to discuss the range of ASF use cases or we can use other forums.
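Added example (not part of the comment above and not code from packageurl-python or the ASF tooling): a standard-library sketch of reading the download location and checksums from PURL qualifiers and checking an artifact against them. It assumes the `download_url` and `checksum` qualifier keys from the PURL specification; the coordinates, URL, artifact bytes and the accepted-algorithm policy are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

ACCEPTED = ("sha512", "sha256")  # assumption: local policy, strongest first

def parse_qualifiers(purl: str) -> dict:
    """Return a PURL's qualifiers as {key: percent-decoded value}."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a PURL")
    remainder = purl.rsplit("#", 1)[0]           # drop optional subpath
    if "?" not in remainder:
        return {}
    qualifiers = {}
    for pair in remainder.rsplit("?", 1)[1].split("&"):
        key, sep, value = pair.partition("=")
        if sep and value:                        # empty values are dropped
            qualifiers[key.lower()] = unquote(value)
    return qualifiers

def parse_checksums(value: str) -> dict:
    """Split 'algo:hex,algo:hex' into {algo: hex}."""
    checksums = {}
    for item in filter(None, value.split(",")):
        algo, sep, digest = item.partition(":")
        if not sep or not digest:
            raise ValueError(f"malformed checksum item: {item!r}")
        checksums[algo.lower()] = digest.lower()
    return checksums

def verify_artifact(purl: str, data: bytes) -> bool:
    """Check data against the strongest accepted checksum in the PURL."""
    checksums = parse_checksums(parse_qualifiers(purl).get("checksum", ""))
    for algo in ACCEPTED:
        if algo in checksums:
            actual = hashlib.new(algo, data).hexdigest()
            return hmac.compare_digest(actual.encode(), checksums[algo].encode())
    raise ValueError("PURL carries no checksum from the accepted set")

# Constructed sample: hypothetical coordinates, URL and artifact bytes.
ARTIFACT = b"constructed source archive bytes"
URL = "https://downloads.example.org/demo-lib-1.0.0-src.zip"
PURL = ("pkg:maven/org.example/demo-lib@1.0.0"
        "?checksum=sha1:" + hashlib.sha1(ARTIFACT).hexdigest()
        + ",sha256:" + hashlib.sha256(ARTIFACT).hexdigest()
        + "&download_url=" + quote(URL, safe=""))

if __name__ == "__main__":
    print(parse_qualifiers(PURL)["download_url"], verify_artifact(PURL, ARTIFACT))
```

A PURL that carries only a SHA-1 checksum is rejected with `ValueError` rather than treated as verified, so a weak digest cannot silently stand in for a strong one.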
