dave2wave commented on issue #614: URL: https://github.com/apache/tooling-trusted-releases/issues/614#issuecomment-3917474754
> Each Component Release has a collection of [attachments](https://github.com/CycloneDX/transparency-exchange-api/blob/main/tea-collection/tea-collection.md#tea-artifact-object) (TEA Artifacts: SBOMs, VEXes, etc.), so additional metadata could be added that way. So we could use OTHER or request a new type of METADATA. Back to this: ``` pkg:tea/apache.org/[email protected] ``` To me using a UUID for a name is pure obfuscation. It means I have to search by UUID. Explain to me what that UUID would be referring along with the version string. Is it this a TEA Component or a TEA Component Release? It's feeling like there is a slippery slope to becoming a TEA Server, and while we may be willing to serve TEA, we won't commit to a full TEA server. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
