pombreda | 8 months ago

For "generic" interface-based dependencies, that's tougher.

This is a problem with a few ecosystems. OTH rpms, debs and Java OSGi... and maybe a few more. We need to survey these to find if we can solve that and if this is a PURL problem at all.

Can I rope you in and interest you in filing an issue in the spec so we can move the discussion there? :P This would be great.

https://github.com/package-url/purl-spec/issues/

cryptonector | 8 months ago

Well, for one thing a dependence on an interface could not have a hash to bind the provider(s), but one could have a dependence on an interface and also associated dependencies on one-of-N providers of the interface, then the latter could have hashes.

Basically you need a way to indicate "this package is an interface and requires providers of it" and also you need a way to indicate which packages are the associated providers (either as attributes of the interface PURLs, as attributes of the provider PURLs, or both).