Thanks Rose and Dick! (Yeah, I was chatting with Gary and he pointed me to the same Appendix F!) Thanks - this helps!
On Fri, Apr 29, 2022 at 3:58 PM Dick Brooks <[email protected]> wrote:

> Rose,
>
> I believe the existing SPDX spec also supports your statement: "should be used for direct download location only"
>
> https://github.com/spdx/spdx-spec/blob/development/v2.3/chapters/package-information.md#77-package-download-location-field-
>
> "This section identifies the download Uniform Resource Locator (URL), or a specific location within a version control system (VCS) for the package at the time that the SPDX document was created."
>
> Supported VCS identifiers are shown in Table 19; purl is not listed.
>
> Thanks,
>
> Dick Brooks
>
> Active Member of the CISA Critical Manufacturing Sector,
> Sector Coordinating Council – A Public-Private Partnership
>
> Never trust software, always verify and report! ™
> <https://reliableenergyanalytics.com/products>
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> From: [email protected] <[email protected]> On Behalf Of Rose Judge
> Sent: Friday, April 29, 2022 3:50 PM
> To: [email protected]; [email protected]
> Subject: Re: [spdx-tech] Question about encoding purl (Package URL)
>
> I think we have talked about this at previous docfests and from what I dug up from our notes, PackageDownloadLocation should be used for direct download location only and used complementary to ExternalRef. ExternalRef should be used as normalization/correlation for packages, with purl being the preferred reference.
>
> This is supported by the spec <https://spdx.github.io/spdx-spec/external-repository-identifiers/#f35-purl>, which has purl used as an external reference like so:
>
>     "externalRefs" : [ {
>       "referenceCategory" : "PACKAGE_MANAGER",
>       "referenceLocator" : "<purl locator>",
>       "referenceType" : "purl"
>     } ]
>
> This would also be a great topic to discuss further at the upcoming SPDX Implementers call 😉
>
> -Rose
>
> From: [email protected] <[email protected]> on behalf of Brandon Lum via lists.spdx.org <[email protected]>
> Date: Friday, April 29, 2022 at 12:07 PM
> To: SPDX Technical Mailing List <[email protected]>
> Subject: [spdx-tech] Question about encoding purl (Package URL)
>
> Hi, I have a quick question on where something like a package url (purl) <https://github.com/package-url/purl-spec> should be encoded in the SPDX package definition. Would it be as part of the PackageDownloadLocation field?
>
> The reason for asking is around using purls as look-up keys to retrieve auxiliary information.

View/Reply Online (#4481): https://lists.spdx.org/g/Spdx-tech/message/4481
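A worked example of the convention Rose describes, added here as an illustration and not part of the thread or of the SPDX project's own code: purls live in `externalRefs` with `referenceCategory` `PACKAGE_MANAGER` and `referenceType` `purl` (the shape quoted from the spec above), while `downloadLocation` keeps the actual URL or VCS location. The script parses an SPDX 2.3 JSON document, builds a purl-to-SPDXID index so purls can serve as look-up keys (Brandon's use case), and flags packages that carry a purl in `downloadLocation` instead, since purl is not among the download-location forms the spec lists. The SBOM document, its package names, versions and URLs are constructed for this example; the `cpe23Type`/`SECURITY` reference is included only to show that non-purl references are filtered out.

```python
"""Extract purls from an SPDX 2.x JSON document for use as look-up keys.

Added example, not code from the mailing-list thread or the SPDX project.
The SBOM below is constructed inline; only the externalRefs shape
(PACKAGE_MANAGER / purl) follows the SPDX spec quoted in the thread.
"""
import json

# Constructed sample SPDX 2.3 JSON document (not a real SBOM).
SAMPLE_SPDX_JSON = r'''
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-sbom",
  "packages": [
    {
      "name": "requests",
      "SPDXID": "SPDXRef-Package-requests",
      "versionInfo": "2.27.1",
      "downloadLocation": "https://example.com/dist/requests-2.27.1.tar.gz",
      "externalRefs": [
        {"referenceCategory": "PACKAGE_MANAGER",
         "referenceType": "purl",
         "referenceLocator": "pkg:pypi/requests@2.27.1"}
      ]
    },
    {
      "name": "lodash",
      "SPDXID": "SPDXRef-Package-lodash",
      "versionInfo": "4.17.21",
      "downloadLocation": "git+https://github.com/lodash/lodash.git@4.17.21",
      "externalRefs": [
        {"referenceCategory": "PACKAGE_MANAGER",
         "referenceType": "purl",
         "referenceLocator": "pkg:npm/lodash@4.17.21"},
        {"referenceCategory": "SECURITY",
         "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:lodash:lodash:4.17.21:*:*:*:*:*:*:*"}
      ]
    },
    {
      "name": "misplaced",
      "SPDXID": "SPDXRef-Package-misplaced",
      "downloadLocation": "pkg:maven/org.example/misplaced@1.0.0"
    }
  ]
}
'''


def is_purl(value):
    """Cheap structural check: 'pkg:<type>/<namespace/name...>' with both parts non-empty.
    This is not a full purl-spec parser, just enough to tell a purl from a URL."""
    if not isinstance(value, str) or not value.startswith("pkg:"):
        return False
    purl_type, _, remainder = value[len("pkg:"):].partition("/")
    return bool(purl_type) and bool(remainder)


def purl_refs(package):
    """Purls declared the spec way: externalRefs of category PACKAGE_MANAGER, type purl."""
    return [
        ref["referenceLocator"]
        for ref in package.get("externalRefs", [])
        if ref.get("referenceCategory") == "PACKAGE_MANAGER"
        and ref.get("referenceType") == "purl"
        and is_purl(ref.get("referenceLocator"))
    ]


def build_purl_index(doc):
    """Map purl -> package SPDXID so a purl can be used as a look-up key."""
    index = {}
    for pkg in doc.get("packages", []):
        for purl in purl_refs(pkg):
            index[purl] = pkg["SPDXID"]
    return index


def misplaced_purls(doc):
    """SPDXIDs of packages whose downloadLocation holds a purl rather than a
    download URL or VCS location; such purls never reach the look-up index."""
    return [
        pkg["SPDXID"]
        for pkg in doc.get("packages", [])
        if is_purl(pkg.get("downloadLocation"))
    ]


def load(json_text=SAMPLE_SPDX_JSON):
    """Parse an SPDX JSON document (defaults to the constructed sample)."""
    return json.loads(json_text)


if __name__ == "__main__":
    sbom = load()
    for purl, spdxid in sorted(build_purl_index(sbom).items()):
        print(f"{purl} -> {spdxid}")
    for spdxid in misplaced_purls(sbom):
        print(f"warning: {spdxid} carries a purl in downloadLocation, not in externalRefs")
```

Running it on the sample yields two index entries (the pypi and npm purls) and one warning for `SPDXRef-Package-misplaced`; the CPE reference is ignored because the index is keyed on purl only. Point `load()` at a real SPDX JSON file to index an actual SBOM.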
