Rose,
I believe the existing SPDX spec also supports your statement: "should be used for direct download location only"
https://github.com/spdx/spdx-spec/blob/development/v2.3/chapters/package-information.md#77-package-download-location-field-

"This section identifies the download Uniform Resource Locator (URL), or a specific location within a version control system (VCS) for the package at the time that the SPDX document was created."

Supported VCS identifiers are shown in Table 19; purl is not listed.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
https://reliableenergyanalytics.com/products
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Rose Judge
Sent: Friday, April 29, 2022 3:50 PM
To: [email protected]; [email protected]
Subject: Re: [spdx-tech] Question about encoding purl (Package URL)

I think we have talked about this at previous docfests and from what I dug up from our notes, PackageDownloadLocation should be used for direct download location only and used complementary to ExternalRef. ExternalRef should be used as normalization/correlation for packages with purl being the preferred reference.

This is supported by the spec <https://spdx.github.io/spdx-spec/external-repository-identifiers/#f35-purl> which has purl used as an external reference like so:

    "externalRefs" : [ {
        "referenceCategory" : "PACKAGE_MANAGER",
        "referenceLocator" : "<purl locator>",
        "referenceType" : "purl"
    } ]

This would also be a great topic to discuss further at the upcoming SPDX Implementers call 😉

-Rose

From: [email protected] <[email protected]> on behalf of Brandon Lum via lists.spdx.org <[email protected]>
Date: Friday, April 29, 2022 at 12:07 PM
To: SPDX Technical Mailing List <[email protected]>
Subject: [spdx-tech] Question about encoding purl (Package URL)

Hi,

I have a quick question on where something like a package url (purl) <https://github.com/package-url/purl-spec> should be encoded in the SPDX package definition. Would it be as part of the PackageDownloadLocation field? The reason for asking is around using purls as look-up keys to retrieve auxiliary information.

View/Reply Online (#4480): https://lists.spdx.org/g/Spdx-tech/message/4480
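The convention the thread settles on (purl in externalRefs with referenceCategory PACKAGE_MANAGER, PackageDownloadLocation kept for a direct URL or VCS location) is easy to check mechanically. The script below is an added example, not code from the SPDX project or from anyone on the thread; the SPDX document it parses is a constructed sample, and the package names, versions and URLs in it are made up.

```python
import json

# Constructed SPDX 2.3 JSON sample (not from the thread). The first package
# records its purl the way Rose describes; the second wrongly puts a purl in
# downloadLocation, where the spec expects a download URL or VCS location.
SPDX_DOC = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-requests",
      "name": "requests",
      "versionInfo": "2.27.1",
      "downloadLocation": "https://example.com/dist/requests-2.27.1.tar.gz",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:pypi/requests@2.27.1"
        }
      ]
    },
    {
      "SPDXID": "SPDXRef-Package-lodash",
      "name": "lodash",
      "versionInfo": "4.17.21",
      "downloadLocation": "pkg:npm/lodash@4.17.21"
    }
  ]
}
""")


def purl_refs(package):
    """Return the purl locators recorded in a package's externalRefs."""
    return [
        ref["referenceLocator"]
        for ref in package.get("externalRefs", [])
        if ref.get("referenceCategory") == "PACKAGE_MANAGER"
        and ref.get("referenceType") == "purl"
    ]


def misplaced_purls(doc):
    """SPDXIDs whose downloadLocation carries a purl instead of a direct location."""
    return [p["SPDXID"] for p in doc["packages"]
            if p.get("downloadLocation", "").startswith("pkg:")]


def purl_index(doc):
    """Map each purl to its package SPDXID: the look-up key Brandon asks about."""
    return {purl: p["SPDXID"] for p in doc["packages"] for purl in purl_refs(p)}
```

Running purl_index over a real SBOM gives the lookup table for auxiliary data, and a non-empty misplaced_purls result is the signal that a producer has conflated the two fields.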
