|
| 1 | +# Agenda for the PURL community meeting on 2025-07-09 |
| 2 | + |
| 3 | +- **Host**: Remote |
| 4 | +- **Dates and times**: |
| 5 | + - 16:00 to 17:00 UTC |
| 6 | + - 18:00 to 19:00 CEST (Europe/Brussels) |
| 7 | + - 12:00 to 13:00 EDT (America/New_York) |
| 8 | + - 09:00 to 10:00 PDT (America/Los Angeles) |
| 9 | + - 01:00 to 02:00 JST (Tokyo, Japan) |
| 10 | + |
| 11 | +- **Attendee information**: |
| 12 | + - https://meet.google.com/ryq-aimn-ghd |
| 13 | + |
| 14 | +## Agenda items |
| 15 | +- Opening of the meeting and welcome |
| 16 | +- Meetings will follow the Ecma TC54 Code of Conduct https://github.com/Ecma-TC54/tg2/blob/main/CODE_OF_CONDUCT.md |
| 17 | +- GitHub project board – https://github.com/orgs/package-url/projects/1/views/1 |
| 18 | +- Open issues/PRs – https://docs.google.com/spreadsheets/d/1RKw0XB-xAPsZ09Uzj1W4ycYIvS1BVOyD/ |
| 19 | + |
| 20 | +## Attendees |
| 21 | +- Philippe Ombredanne, creator of PURL, Lead maintainer of AboutCode, TC54-TG2 convener |
| 22 | +- Jon Moroney |
| 23 | +- Immanuel Kunz |
| 24 | +- Tom Alrich |
| 25 | +- Matt Rutkowski, IBM |
| 26 | +- Michael Herzog, AboutCode |
| 27 | +- John Horan, AboutCode |
| 28 | + |
| 29 | +## Notes |
| 30 | +- Meeting minutes are being kept and will be published, and the meeting will be recorded with Google Meet video and Gemini "note-taking". |
| 31 | +- Our code of conduct (link in agenda above) applies to this meeting. |
| 32 | +- Introductions. |
| 33 | +- Additional agenda items: |
| 34 | + - Michael: PURL types update; a number of organizational topics to discuss if time permits, e.g., repo structuring, should VERS be separated from PURL (e.g., separate meetings, since they'll be on different schedules) |
| 35 | + - John: nothing atm |
| 36 | + - Jon: Can he help with any asynchronous work? |
| 37 | + - Immanuel: 3 open PRs (1 already has an approval) |
| 38 | + - Tom: CVE.org |
| 39 | + - Philippe: PURL type schemas, Thomas Schmidt discussion re JSON Schema etc. |
| 40 | + - Matt: there are 2 developers working on the website, internships end in 2 weeks but would like to keep working on this; they'll join call on 23rd to present their work (John H. will add to agenda for July 23rd meeting) |
| 41 | +- Summary |
| 42 | + - Michael Herzog discussed plans for reorganizing the purl-spec repo post-v0.90 release, including the potential separation of VERS into its own repo, which Jon Moroney supported for technical reasons, while Philippe Ombredanne preferred a single repository but acknowledged the benefits. |
| 43 | + - Philippe provided an update on the PURL type JSON Schema, including his draft PR, and discussed JSON Schema versions as well. Philippe plans to stay on JSON Schema draft 7 for now, despite recommendations to switch to the 2020 version, while Matt Rutkowski raised concerns about tooling support. |
| 44 | + - Matt emphasized the importance of normalization rules for PURL types to automate testing, but this does not seem to be practical for v1.0 with the Sept 1 deadline to submit the proposed PURL Standard to Ecma. |
| 45 | + - Philippe outlined the PURL type definition structure and proposed a new schema for PURL tests, while Immanuel Kunz noted his three open PRs. Tom Alrich reported that the CVE Quality Working Group is incorporating PURL into their schema, and Tom, Jon and others discussed CPE and proprietary software identifiers. |
| 46 | + - Michael proposed reorganizing the purl-spec repository and addressed the need to clarify the licensing for the PURL specification, and Philippe emphasized the need for community approval for any license change. |
| 47 | +- **Meeting Agenda and Volunteers** Michael Herzog introduced organizational topics for the repo after the v0.90 release, including potentially separating and scheduling different meetings for VERS due to their distinct standards and timelines (00:00:00). Jon Moroney volunteered for asynchronous work to help move things along (00:01:07). Matt Rutkowski announced that their two interns working on the website plan to present their progress at the next meeting on the 23rd (00:04:46). |
| 48 | +- **PURL Type Schemas Update** Philippe Ombredanne provided an update on PURL types, sharing a draft PR with three schemas. One schema is for a list of PURL types, serving as an index that could be generated when new types are added (00:05:42). |
| 49 | +- **JSON Schema Version Discussion** Philippe Ombredanne noted that the current draft uses an older JSON schema (draft 7) but, based on discussions with Thomas Schmidt, recommends switching to the 2020 version (six years old) for its expressiveness and widespread tool support (00:08:34). Matt Rutkowski expressed concerns about tooling support for versions beyond draft 7 in the open-source community, particularly for Go and JavaScript-based tools used for the website generator (00:11:45). Jon Moroney suggested identifying which languages and tooling ecosystems are critical to forge a path forward, agreeing that moving to a newer schema is a reasonable goal (00:13:01). Philippe Ombredanne stated their intent to stay on draft 7 for now, but noted that switching to a newer version would simplify things (00:14:59). |
| 50 | +- **Normalization Rules for PURL Types** Matt Rutkowski emphasized the importance of built-in normalization capabilities to enable consistent comparison of objects in a Bill of Materials at different points in time and suggested adding an identifier or a defined key for unambiguous normalization [this point applies more to an SBOM object than a PURL definition] (00:17:45). Philippe Ombredanne acknowledged the need to rework the normalization section in the schema, as some rules are difficult to formalize, citing the "PyPI" example where underscores replace dashes (00:19:51). Jon Moroney agreed with Matt Rutkowski on defining clear normalization rules, suggesting that such rules would be PURL type-dependent and could be defined on a per-type basis in the spec (00:26:02). |
| 51 | +- **Over-Specification and Timelines** Michael Herzog raised a concern about over-specifying in the current phase of the PURL project, emphasizing that it will be much harder to undo things once something is proposed for the standard (00:25:17). Philippe Ombredanne agreed on the need to avoid going into deep rabbit holes with overly formal definitions that might be regretted later, especially given the September 1st timeline (00:32:05). |
| 52 | +- **PURL Type Definition Structure** Philippe Ombredanne outlined the structure of the PURL type definition, which includes fields for a specific package type (e.g., npm), a name, a description, and a list of reference URLs (00:30:49). The definition also specifies requirements for components like namespace, name, and version, allowing for formal definitions with regular expressions while trying to avoid over-complication (00:32:05). |
| 53 | +- **PURL Examples and Test Suite Schema** Philippe Ombredanne showed that PURL examples are currently defined as an array of strings. Matt Rutkowski questioned if they could be self-validating against the PURL type itself, suggesting an "array of PURL types" (00:35:25). Philippe Ombredanne acknowledged that a self-validating PURL type schema is a goal but unlikely to be achieved by the September 1st deadline. Philippe Ombredanne introduced a new schema for PURL tests, drawing inspiration from CSAF, which defines parsing tests with input (a string) and expected output (components), allowing for formal validation of canonical PURLs (00:36:31). |
| 54 | +- **Test Suite Targets** Philippe Ombredanne proposed the notion of "targets" for tests, separating essential tests for core specification conformance from tests for "funky" or recovery-parsing PURLs. This separation would help implementers distinguish between conforming to the base spec and supporting recovery capabilities, avoiding current ambiguities (00:40:25). Matt Rutkowski observed that PURL seems to be a right-sized specification for exploring this testing ecosystem, which Cyclone could benefit from (00:42:01). |
| 55 | +- **Immanuel's Pull Requests** Immanuel Kunz mentioned having three open PRs in PURL, with one already approved and the other two having ongoing conversations (00:01:07). Philippe Ombredanne confirmed that the non-controversial PRs could be merged, while the others just need a bit more review (00:44:58). |
| 56 | +- **CVE Quality Working Group and Software Identifiers** Tom Alrich reported that the CVE Quality Working Group (QWG) is moving quickly to incorporate PURL into their schema, with a preliminary meeting with the board scheduled (00:46:03). Jon Moroney elaborated that this is part of a larger RFD (Request for Discussions) process, a new decision-making framework (00:47:23). Two identifiers, Omnibor and PURL, are being proposed, with the idea of vendoring a tagged version of PURL once 0.90 is in place (00:48:45). |
| 57 | +- **CPE and Proprietary Software** Tom Alrich mentioned that NIST has indicated they will not continue to fix CPE (Common Platform Enumeration), which has been trying to be too many things. Jon Moroney suggested that CPE's future might primarily be for proprietary software, where vendors can register namespaces, as PURL and Omnibor do not handle proprietary software well due to the lack of visibility for naming (00:51:04). Tom Alrich referenced a proposal from the SBOM Forum for a SWID-based software tag created by suppliers for proprietary software, which would serve as the source of truth for PURL (00:52:12). Jon Moroney argued that without a managed registry for such identifiers, they become arbitrary strings that are difficult to validate and lead to namespace conflicts (00:53:19) (00:57:41). |
| 58 | +- **Registry for Proprietary Software Identifiers** Michael Herzog highlighted that the concept of supplier registries and master lists for physical goods (like in hardware manufacturing) provides a concreteness that is lacking in software, making it difficult to achieve the same level of certainty (00:55:26). Jon Moroney emphasized that without a registered component and a way to look it up, security researchers inspecting proprietary software might invent names, leading to namespace conflicts that are impossible to unwind (00:56:51). |
| 59 | +- **Product Unique Identification and European Cyber Resilience Act** Philippe Ombredanne introduced the European Cyber Resilience Act, noting that it mandates unique identification for products placed on the market. This regulation will require commercial vendors to provide a unique name for their products, necessitating a public registry or a discoverable system for these unique identifiers (00:59:15). Jon Moroney acknowledged the potential for multiple vendor-specific solutions but agreed that as long as definitions are clear, the system should function effectively (01:00:34). |
| 60 | +- **Repository Structure Reorganization** Michael Herzog proposed a significant reorganization of the PURL spec repository to prepare for version 0.90, including switching to markdown and creating separate files for different sections of the standard (01:01:37). This new structure aims to improve manageability and align with how other standards, like ECMA, SPDX, and Cyclone DX, organize their documentation (01:02:56) (01:04:50). Jon Moroney supported this initiative and suggested creating individual files for each PURL type within a dedicated directory (01:05:43). |
| 61 | +- **License Discussion** Michael Herzog highlighted the need to address the licensing for the PURL specification, noting confusion regarding the use of BSD3 clause in the ECMA part and MIT for other components (01:07:17). He suggested that MIT might be problematic for specifications due to its lack of patent language, favoring Apache or Community Specification License for better patent protection. Philippe Ombredanne emphasized the importance of community approval for any license change and reiterated the need for a license that offers robust patent protection, despite the low perceived risk of patent assertion (01:08:10). |
| 62 | +- **Separation of VERS Repository** Michael Herzog raised the idea of splitting the 'vers' component into a separate repository, a proposal supported by Jon Moroney for technical reasons, allowing independent iteration and better product management (01:10:02) (01:11:51). Philippe Ombredanne, while preferring a single repository, acknowledged the technical benefits of separation, including facilitating independent development and testing of PURL and Vers specifications (01:10:59) (01:16:26). The team agreed to continue discussion and aim for a decision by the next TG2 meeting, with a focus on increasing Vers implementations and formalizing tests (01:11:51). |
| 63 | +- The meeting was adjourned. |
0 commit comments