Add github-release package type #418
Open
bdehamer wants to merge 7 commits into package-url:main from bdehamer:bdehamer/github-release
Commits (7):
e08430b add github-release purl type (bdehamer)
928160d add file_name qualifier for github-release (bdehamer)
82cd85f add checksum qualifier to github-release type (bdehamer)
4975be7 add test case for github-release type (bdehamer)
63eaca9 fixed checksum qualifier example for `github-release` (jkowalleck)
f29f9d7 fix encoding for `github-releases` tests (jkowalleck)
60e42be Update PURL-TYPES.rst (jkowalleck)
@@ -297,6 +297,29 @@ github | |
| pkg:github/package-url/purl-spec@244fd47e07d1004 | ||
| pkg:github/package-url/purl-spec@244fd47e07d1004#everybody/loves/dogs | ||
|
|
||
| github-release | ||
| -------------- | ||
| ``github-release`` for GitHub releases: | ||
|
|
||
| - ``namespace``: The GitHub user or organization. It is not case sensitive and | ||
| must be lowercased. | ||
| - ``name``: The GitHub repository name. It is not case sensitive and must be | ||
| lowercased. | ||
| - ``version``: The release version. It is required and is case sensitive. | ||
| - Qualifier ``repository_url``: GitHub server hosting the release (optional). | ||
| Useful in case a private server is used. If omitted, ``https://github.com`` | ||
| is assumed as the default. | ||
| - Qualifier ``file_name``: Selects a named (case sensitive) asset contained | ||
| within the release (optional). | ||
| - Qualifier ``checksum``: Checksum for the release asset (optional). Must be | ||
| in the form of `lowercase_algorithm:hex_encoded_lowercase_value`. | ||
|
|
||
| - Examples:: | ||
|
|
||
| pkg:github-release/cli/[email protected] | ||
| pkg:github-release/foo/[email protected]?repository_url=https:%2F%2Ffoobar.ghe.com | ||
| pkg:github-release/foo/[email protected]?file_name=bin-linux.tgz&checksum=sha256:deadbeef | ||
|
|
||
| golang | ||
| ------ | ||
| ``golang`` for Go packages: | ||
|
|
||
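Review bot: the `checksum` qualifier (`- Qualifier ``checksum``: Checksum for the release asset (optional).`) is defined per asset, yet `file_name` is also optional, so a purl that carries `checksum` without `file_name` has no single asset to check against; either state that `checksum` requires `file_name`, or say what it covers when a release has several assets. Two smaller points in the same hunk: the format in `in the form of `lowercase_algorithm:hex_encoded_lowercase_value`.` uses single backticks, which reStructuredText renders as interpreted text rather than a literal, while every other identifier in the section uses double backticks; and the third example (`?file_name=bin-linux.tgz&checksum=sha256:deadbeef`) shows an 8-character sha256 value, far shorter than a real SHA-256 digest, which invites readers to treat truncated digests as acceptable; a full-length value like the one in the test case avoids that.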
@@ -706,5 +706,17 @@ | |
| "qualifiers": null, | ||
| "subpath": null, | ||
| "is_invalid": true | ||
| }, | ||
| { | ||
| "description": "github-release valid name", | ||
| "purl": "pkg:GitHub-Release/foo/[email protected]?repository_url=https://acme.ghe.com&file_name=bin-linux.tgz&checksum=sha256:ff537afd5996cb67a319d6b0d3e65a330480068398a90bd81ea823a0566512c8", | ||
| "canonical_purl": "pkg:github-release/foo/[email protected]?repository_url=https:%2F%2Facme.ghe.com&file_name=bin-linux.tgz&checksum=sha256:ff537afd5996cb67a319d6b0d3e65a330480068398a90bd81ea823a0566512c8", | ||
| "type": "github-release", | ||
| "namespace": "foo", | ||
| "name": "bar", | ||
| "version": "v1.0.1", | ||
| "qualifiers": {"repository_url": "https://acme.ghe.com", "file_name": "bin-linux.tgz", "checksum": "sha256:ff537afd5996cb67a319d6b0d3e65a330480068398a90bd81ea823a0566512c8" }, | ||
| "subpath": null, | ||
| "is_invalid": false | ||
| } | ||
| ] | ||
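Review bot: the expected `canonical_purl` keeps the qualifiers in input order (`repository_url`, `file_name`, `checksum`), but purl canonical form sorts qualifiers by key, so a spec-conformant implementation would emit `?checksum=...&file_name=...&repository_url=...` and fail this case; the expected string should be re-ordered. The entry also covers only the valid path (mixed-case type folded to `github-release`, unencoded `repository_url` percent-encoded on output); a companion `"is_invalid": true` case with a malformed `checksum` value (uppercase hex, or no algorithm prefix) would pin down the format the spec text mandates.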
Is there anything that could not be accomplished with the `github` type and a `file_name` qualifier?
Concrete example of why this is different from the github type:
`pkg:github-release/keepassxc/[email protected]?file_name=KeePassXC-2.7.10-arm64.dmg` from https://github.com/keepassxreboot/keepassxc/releases/tag/2.7.10. The file is not part of the Git repository so it cannot be referenced using `pkg:github`. You'd need to represent it with a `pkg:generic`. I'm not sure what `pkg:github-release` gives beyond `pkg:generic`. GitHub Releases is a place where you could be downloading a package from but isn't a package management system. There's no implied meaning about version numbers or the content or format of the file or dependencies between releases.
So now that a released file is immutable, why would this not be fine to point to an exact file in a release? And a release is always attached to a git tag so what about this?
`pkg:github/keepassxreboot/[email protected]?file_name=KeePassXC-2.7.10-arm64.dmg` that would resolve to this https://github.com/keepassxreboot/keepassxc/releases/download/2.7.10/KeePassXC-2.7.10-arm64.dmg ? And https://github.com/keepassxreboot/keepassxc/releases/download/2.7.10/KeePassXC-2.7.10-Win64.msi to
`pkg:github/keepassxreboot/[email protected]?file_name=KeePassXC-2.7.10-Win64.msi` (Note that works even if releases would be mutable, these are two different things)
It seems weird to me for `pkg:github/keepassxreboot/[email protected]` to refer to a tag in a Git repository and `pkg:github/keepassxreboot/[email protected]?file_name=KeePassXC-2.7.10-arm64.dmg` to refer to an arbitrary file that exists alongside that Git repository. I guess it's kind of similar to `pkg:pypi` where the package is made of multiple files that are not necessarily related, except that for `pkg:github` the `file_name` qualifier would change the mechanism for retrieving the package.