Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

In my opinion, there are some problems with this, such as:

- The cryptographic hash is not included. (They do mention security, a hash and/or public keys would be helpful for security. It would also be helpful for identification if names are reused for unrelated reasons.)

- There is not a distinction between interfaces and implementations (which in some cases you might care about, although not always).

- They do not mention examples of what qualifiers are possible for some package types.



Can you tell a bit more? What is this? The OP article?


u/zzo38computer wants:

- an optional(?) hash parameter

- a way to say you depend on a thing for which there are multiple implementations and not specify which implementation


For "generic" interface-based dependencies, that's tougher.

This is a problem with a few ecosystems. OTH rpms, debs and Java OSGI... and may be a few more. We need to survey these to find if we can solve that and if this is a PURL problem at all.

Can I rope you in and interest you in filing an issue in the spec so we can move the discussion there? :P This would be great.

https://github.com/package-url/purl-spec/issues/


Well, for one thing a dependence on an interface could not have a hash to bind the provider(s), but one could have a dependence on an interface and also associated dependencies on one-of-N providers of the interface, then the latter could have hashes.

Basically you need a way to indicate "this package is an interface and requires providers of it" and also you need a way to indicate which packages are the associated providers (either as attributes of the interface PURLs, as attributes of the provider PURLs, or both).


We have a standard checksum "qualifier" at https://github.com/package-url/purl-spec/blob/main/PURL-SPEC... ... that would be the "hash" ... would this work?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: