ppkarwasz commented on issue #614: URL: https://github.com/apache/tooling-trusted-releases/issues/614#issuecomment-3932099382
> Let's not forget the most important two PURLs: the ASF release as a whole

As @raboof says, an ASF release is rather a set of packages than a single package. There is a TEA object for that: the [TEA Product Release](https://github.com/CycloneDX/transparency-exchange-api/blob/main/tea-product/tea-product-release.md).

> > and the "official" asf open source release.
>
> Similarly, I don't think we need a separate Purl for a 'source release'.

I have mixed feelings about this: for C/C++ projects we need a PURL to put in the CVEs and a PURL for the “source release” seems a natural candidate. However, some C/C++ projects are modular (like Httpd), so it might make sense to have a PURL for each of its modules.
