I think we have talked about this at previous docfests and from what I dug up from our notes, PackageDownloadLocation should be used for direct download location only and used complementary to ExternalRef. ExternalRef should be used as normalization/correlation for packages with purl being the preferred reference. This is supported by the spec <https://spdx.github.io/spdx-spec/external-repository-identifiers/#f35-purl> which has purl used as an external reference like so:

    "externalRefs" : [ {
      "referenceCategory" : "PACKAGE_MANAGER",
      "referenceLocator" : "<purl locator>",
      "referenceType" : "purl"
    } ]

This would also be a great topic to discuss further at the upcoming SPDX Implementers call 😉

-Rose

From: [email protected] <[email protected]> on behalf of Brandon Lum via lists.spdx.org <[email protected]>
Date: Friday, April 29, 2022 at 12:07 PM
To: SPDX Technical Mailing List <[email protected]>
Subject: [spdx-tech] Question about encoding purl (Package URL)

Hi,

I have a quick question on where something like a package url (purl) <https://github.com/package-url/purl-spec> should be encoded in the SPDX package definition. Would it be as part of the PackageDownloadLocation field? The reason for asking is around using purls as look-up keys to retrieve auxiliary information.

View/Reply Online (#4479): https://lists.spdx.org/g/Spdx-tech/message/4479
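
Added example, not part of the thread and not SPDX project code: it builds the purl look-up key the question asks about from externalRefs, as the reply recommends, and never falls back to the download location. The SPDX document is constructed sample data, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed SPDX 2.x JSON fragment (sample data, not from the thread).
SAMPLE_SPDX = json.loads("""
{
  "packages": [
    {"SPDXID": "SPDXRef-Package-requests", "name": "requests",
     "downloadLocation": "https://example.com/requests-2.27.1.tar.gz",
     "externalRefs": [
       {"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
        "referenceLocator": "pkg:pypi/requests@2.27.1"},
       {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
        "referenceLocator": "cpe:2.3:a:python:requests:2.27.1:*:*:*:*:*:*:*"}]},
    {"SPDXID": "SPDXRef-Package-vendored", "name": "vendored-lib",
     "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-Package-requests-copy", "name": "requests",
     "downloadLocation": "NOASSERTION",
     "externalRefs": [
       {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
        "referenceLocator": "pkg:pypi/requests@2.27.1"}]}
  ]
}
""")

def package_purls(package):
    """Return the purl locators declared in one package's externalRefs."""
    purls = []
    for ref in package.get("externalRefs", []):
        # Tolerate a hyphenated category (assumption about other producers;
        # the thread itself shows the underscore form).
        category = ref.get("referenceCategory", "").replace("-", "_")
        if category == "PACKAGE_MANAGER" and ref.get("referenceType") == "purl":
            purls.append(ref["referenceLocator"])
    return purls

def index_by_purl(doc):
    """Map purl -> SPDXIDs, and list packages that carry no purl at all."""
    index, unkeyed = defaultdict(list), []
    for pkg in doc.get("packages", []):
        purls = package_purls(pkg)
        if not purls:
            unkeyed.append(pkg["SPDXID"])  # downloadLocation is not used as a key
        for purl in purls:
            index[purl].append(pkg["SPDXID"])
    return dict(index), unkeyed

if __name__ == "__main__":
    print(index_by_purl(SAMPLE_SPDX))
```

Packages returned in the second list have no purl and cannot be correlated with auxiliary data by this key, which is worth surfacing rather than silently skipping.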
