Hi,
Before we get too settled on the format to use for the external
identifiers, it seemed appropriate to get feedback from members of the
repositories we'd be cross referencing. :-)
Stefano was kind enough to look at our draft for Package External
Identifiers, and had the following feedback that he agreed could be shared
with the team. I've responded in the text with some follow up
comments, and questions.
Stefano Zacchiroli wrote:
> The main problem I see with the Debian
> example is that it doesn't clarify whether it's a source or a binary
> package (although the specific example suggests it's the latter). You
> really want to be clear about that and, possibly, support both cases.
>
> In the case of binary packages specifying an architecture would be
> needed as, I guess, the trailing "/all" in the example suggests. In the
> case of source packages it will not be, but you need to make it explicit
> that you're talking about a source package.
Good points, will discuss
>
> You probably also want to define a precise concrete syntax for those
> identifiers, and ensure that all "weird" characters that might appear in
> Debian package versions are supported. Stuff like "~", "+", ":" come to
> mind.
Is there a BNF grammar for recognizing valid package identifiers in Debian
(i.e. with all the permitted weird characters)?
>
> There is also the question of what does "debian" mean in this context.
> "debian" has several different archives, e.g.: the main archive, debian
> security, debian backports, and now debian lts. The project does
> guarantee that <package name, version> is a unique identifier across
> all those archives. So it might be fine for you *not* to specify which
> archive you're referring to; but you should be aware that you depend on
> that guarantee from the Debian Project. And, not having the archive
> information will make it difficult to automate activities such as
> retrieving the package. If these limitations are fine for your needs,
> it's good enough not to specify the archive. If not, you'll probably
> need to specify it.
Since helping out with automation is a key goal, yes, we probably should
look at being explicit about the archive the <package name, version> is
associated with. Will discuss with others.
The SPDX tech team should probably do this exercise with the other external
repositories we're trying to represent as well, so we minimize the chance
of making bad assumptions.
The above is fodder for today's SPDX tech call discussion.
Kate
_______________________________________________
Spdx-tech mailing list
https://lists.spdx.org/mailman/listinfo/spdx-tech
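As an added example, not part of this thread or of the SPDX draft, here is a small Python validator for the points raised above: Debian package-name and version syntax including "~", "+" and ":", the source/binary distinction with an architecture required only for binaries, and an optional archive. The identifier layout (a plain tuple) is my own assumption for illustration; the character rules follow the Debian Policy grammar as dpkg's version parser applies it.

```python
import re
# Character classes from Debian Policy sections 5.6.1 (package names) and
# 5.6.12 (versions): a version is [epoch:]upstream_version[-debian_revision];
# upstream_version may use alphanumerics and . + - ~ (':' only with an
# epoch, '-' only with a revision), debian_revision alphanumerics and . + ~.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")  # >= 2 chars, lowercase
EPOCH_RE = re.compile(r"^[0-9]+$")
UPSTREAM_RE = re.compile(r"^[A-Za-z0-9.+~:-]+$")
REVISION_RE = re.compile(r"^[A-Za-z0-9.+~]+$")
ARCH_RE = re.compile(r"^[a-z0-9-]+$")  # dpkg architecture string, e.g. amd64, all

def parse_version(version):
    """Split a Debian version into (epoch, upstream, revision) the way dpkg
    does: epoch ends at the first ':', revision starts at the last '-'.
    Returns None when the string violates Policy section 5.6.12."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        if not EPOCH_RE.match(head):
            return None
        epoch = int(head)
    # Any ':' still left in `version` is legal only because an epoch was present.
    revision = None
    if "-" in version:
        version, revision = version.rsplit("-", 1)
        if not REVISION_RE.match(revision):
            return None  # also rejects the empty revision of a trailing '-'
    # Policy says upstream_version "should" start with a digit; dpkg only
    # warns about that, so it is deliberately not enforced here.
    if not UPSTREAM_RE.match(version):
        return None
    return epoch, version, revision

def debian_identifier(kind, name, version, arch=None, archive=None):
    """Validate the parts of a Debian package reference and return them as a
    tuple (assumed layout, not the SPDX draft's), or raise ValueError.
    Binary packages must carry an architecture, source packages must not;
    `archive` (e.g. "security", "backports") is optional, as the thread discusses."""
    if kind not in ("source", "binary"):
        raise ValueError("kind must be 'source' or 'binary'")
    if not PACKAGE_NAME_RE.match(name):
        raise ValueError("invalid package name: %r" % name)
    if parse_version(version) is None:
        raise ValueError("invalid Debian version: %r" % version)
    if kind == "binary" and (arch is None or not ARCH_RE.match(arch)):
        raise ValueError("binary package needs a valid architecture")
    if kind == "source" and arch is not None:
        raise ValueError("source packages have no architecture")
    return (archive, kind, name, version, arch)
```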