Define namespace for new "scid" PURL type #834
Description
Background
With all deference to the the original idea from @stevespringett and commentary from the community in:
I have created this separate issue in response to community suggestions that we focus on the namespace question on its own. The rationale is that:
- namespace is the gating item for definition of a new 'scid' PURL type
- We may need to include name in this discussion, but it is not clear why name would be different than for other PURL types
- There is nothing special about version for a 'scid' PURL type
- Examples of how to use qualifiers in the 'scid' context may be helpful, but qualifiers are always available
- There is nothing special about subpath for a 'scid' PURL type
For convenience I have copied the outline of the original 'scid' proposal with 2 changes:
- Changed 'vendor' to 'supplier'. If we want one new PURL type to cover both proprietary and open source software we need a more neutral term than 'vendor'; 'publisher' is another option.
- Simplified the qualifiers to a placeholder in the PURL string and the table.
Proposed 'scid' PURL type syntax
pkg:scid/<domain>/<publisher>/<component>@<version>?<qualifiers>#<subpath>
Field Breakdown
| Field | PURL Component | Required | Description |
|---|---|---|---|
domain |
namespace | Yes | Internet domain name of the entity making the claim (e.g., publisher, distributor). |
supplier |
namespace | Yes | Human-readable name of the software creator, distributor or supplier (e.g., Microsoft, Acme Corp, or FOSS project). |
component |
name | Yes | Name of the actual software product, project, or application. |
version |
version | Optional | Version string identifying the specific release, tag, or snapshot of the product. |
| qualifiers | Optional | One or more relevant attributes of a PURL stated as a key-value pair. | |
| subpath | Optional | The subpath optionally identifies a specific module, subcomponent, or file within a software package. |
I have not copied over the Why Both Domain and Vendor Are Required section from #516 here, but you should read that section carefully if you have not done so already.
Scope
The scope of this issue is to define the structure for the namespace component for a new 'scid' PURL type so that it can identify a software package/component in combination with the name component. Some assumptions/considerations:
- namespace will be a required PURL component for the 'scid' type
- namespace may have more segments than
domainandsupplier. Suggestions include a segment to specify a sub-organization of 'supplier', a product line or some other<supplier-specific-namespace>.
The scope of this issue does not include:
- Specifying a URL or other locator for the software - that will be discussed separately.
- A requirement to "register" a 'scid' namespace in order for it to be valid. Conformance with the spec ('base'
test_group) will only require that the 'scid' PURL namespace syntax is correct. Tools may choose to validate a 'scid' namespace value against a registry and document this in 'advanced'test_grouptest cases.
NB: I have done my best to include relevant points from the discussion in issue #516 but I have probably missed some.