[Proposal] Adopt the "purl" package URL spec to identify software packages about grafeas HOT 24 OPEN

Thanks @pombredanne I'll review and leave comments early next week.
I don't think this changes the much for Grafeas - would just require the API implementation to handle and validate the revised formats.

from grafeas.

The container image referencing in the purl spec looks good to me

from grafeas.

I don't intend to derail purl adoption. I think I've articulated my hesitation, which seems to be a general problem and not exclusive to purl. package-url/purl-spec#29

from grafeas.

So I'm now learning the extent of the work that has gone into SWID ISO 19770-2, despite the pay-wall barrier. I'm very glad that purl-spec is more open, but we might should consider that many deployments may have requirements to use SWID over purl.
Purl-spec has a FAQ about this, https://github.com/package-url/purl-spec/wiki/FAQ#why-not-using-the-iso-19770-2-spec-for-swid-tags-instead-of-a-purl which I don't disagree with. Red Hat has participated in the SWID review, and is also a part urging/pressuring Tagvault to open the SWID spec up more.

from grafeas.

@R2wenD2 here we go as promised!

from grafeas.

Thanks!

I don't think this changes the much for Grafeas - would just require the API implementation to handle and validate the revised formats.

Indeed, and that's part of the intent.

FWIW there is a mention of a Go implementation in progress on the PR at package-url/purl-spec#1 (comment)

from grafeas.

Maven has a few more coordinates that can come into play in some instances: packaging and classifier. The typical ordering looks like this:
groupId:artifactId:(optional)packaging:(optional)classifier:version

While GAV may be sufficient for many cases, there will be times where some attestation needs to apply to one classifier and not another, or one package and not another. We should expand the spec to allow the optional inclusion of these extra fields.

ref: https://maven.apache.org/pom.html#Maven_Coordinates

from grafeas.

@brianf yes Maven has these and these are not the norm as you pointed out quite rightly. The current Grafeas README does not handle these at all. They also in most case derive from the same source, hence for these they would be treated as optional qualifiers in https://github.com/package-url/purl-spec/tree/a21a9ecbab171fe06d1ac88843bc3721a42dbed0 and they would come as "query string" aka. purl qualifiers with this proposal:

maven for Maven JARs and related artifacts
- The default repository is maven.org
- The group id is the namespace and the artifact id is the name
- Known qualifiers keys are: classifier and packaging as defined in the POM documentation
- Examples:
`maven:org.apache.xmlgraphics/[email protected]`
`maven:org.apache.xmlgraphics/[email protected]?packaging=sources`

from grafeas.

@brianf It would be awesome if you want to chime in on the purl spec btw. The initial and a tad messy PR is there package-url/purl-spec#1 and received comments from dpkg, nuget, spak, npm and several important package format maintainers and many others. Going forward a ticket is better.
Having a JVM implementation is also needed!

from grafeas.

Is the intent of the purl spec to replace the one in the README? If not, how do they correlate?

from grafeas.

@brianf that's the intent of this ticket to propose a replacement for the one of the README alright

from grafeas.

The purl spec extends a bit beyond Grafeas as it also caters to other tools, DB and APIs such as libraries.io, victims, openshift analytics, aboutcode.org projects and a few more.

from grafeas.

@lizrice Thank you for the valuable feedback!

from grafeas.

I think everyone is happy with this proposal, we'll just need to add the verification to the reference implementation and documentation.

from grafeas.

woof this purl conversation has gone wild while I was out! So to be clear, https://github.com/package-url/purl-spec is a recent discussion and not a widely agreed-upon and implemented spec, right?
I can follow the table, just want to make sure that it's a wider conversation.

from grafeas.

from grafeas.

@vbatts Do you have reservations about purl? If so I'd love to hear them. We want some kind of standard format for grafeas, so I basically +1 everything that @brianf said above.

from grafeas.

from grafeas.

❤️

from grafeas.

No problem. I think its still something we want to do. At this point, I expect that purl adoption means updating docs as well as the API implementation to parse for it.

from grafeas.

Next steps here:

1. Update docs
2. Incorporate the purl checks into our reference implementation!

from grafeas.

@vbatts Just back from FOSDEM where I presented this https://fosdem.org/2018/schedule/event/purl/ (video and deck are there)
There was a clear preference from most everyone there to use a single scheme prefix eg. pkg:npm:[email protected] such that this can be easily registered as an official RFC and many other good reasons so in this context we could have something like:
pkg:swid:<whatever is a swid> OR have a proper SWID URI or URL separately alright.
I wished SWID would not have been these walled garden centralized scheme, but that's not my battle to fight ;) Let's make a ticket on the purl side to have this included alright

from grafeas.

I would like to attract your attention to this purl ticket package-url/purl-spec#9
... which eventually would mean that all purl would share a common pkg: URL prefix for many good reasons including invaluable feedback from @annevk and @mnot

Some impact here: this would mean that existing grafeas resource URIs would not be quasi-purlesque as-is because of this added prefix BUT it also means more flexibility to use other identification strings such as swid, cpe, etc in the same spot. Food for thoughts!

from grafeas.

@pombredanne there is further conversation going regarding SWID. I am thinking that the prefixing may help. Further this FAQ really ought to be updated from "avoid this"-like language. As one [private] conversation included:

I can understand the sentiment, but it is wrong in many respects. First, the
ISO specification is not for proprietary software. How can anyone come to
that conclusion. The C programming language is governed by ISO/IEC 9899:2011.
Does that mean that gcc is a proprietary compiler? I think not.

Having this distinguished prefixes, it'll let SWID do what it's intended for of specifying files (not just whole software packages, regardless of proprietary or FOSS), and purl can map collections/packages of software.

Make sense?

from grafeas.