@theory Yes.

I think the most promising standard for referring to out-of-ecosystem dependencies is with #PackageURL

If all goes well (crossing fingers) I'm hoping we'll have some support for this in the #CPAN toolchain not too long after PTS in April.

https://github.com/package-url/purl-spec (plus the version-range-spec branch, when it's done)

With this, we'll be able to specify dependencies in a cpanfile like this:

requires "pkg:deb/ubuntu/libfoobar-dev" => "vers:deb/>=1.0";

#TiltingAtWindmills 😅

GitHub - package-url/purl-spec: A minimal specification for purl aka. a package "mostly universal" URL, join the discussion at https://gitter.im/package-url/Lobby


Ecma TC54 will be working towards standardizing Package URL, specifically purl, vers, and purl types. TC54 will be working out the details over the next few weeks. We invite everyone to learn more about TC54 and contribute to the advancement of Package URL.

Additionally, a #purl channel is now available on the CycloneDX Slack workspace, where nearly 2K people are discussing SBOM and related technologies. Slack information and an invite are located on the TC54 website.

https://tc54.org/

#PackageURL #SBOM #OWASP #CycloneDX

Ecma TC54 | Software and System Transparency

Ecma Technical Committee 54 is chartered to standardize the OWASP CycloneDX Bill of Materials specification, standards and algorithms that advance transparency and identity, and the sharing of transparency information across the supply chain.

Can cURL pURL? 

Should it?

#cURL #PackageURL #pURL