question (non-blocking): When thinking about the examples below, I think you should clarify how purl spec should handle version-in-formula formulae.

As in, if I want PostgreSQL 12.17 (current release as of this posting), should the purl be

pkg:brew/postgresql@12@12.17

or

pkg:brew/postgresql@12.17

and let whatever's reading the purl — Homebrew, ostensibly — figure out how that version maps to our major-version formulae?

I speculate only the latter is a valid purl, a safe assumption because I don't think it's a good idea to allow two @ in the purl.

Thanks for calling this out -- my read of the purl spec is that the name and other components are always URL-escaped, e.g. pkg:brew/postgresql@12@12.17 would actually be encoded as pkg:brew/postgresql%4012@12.17 in a "wire format" context. So the purl should always unambiguously map to a package, without the end client having to do additional disambiguation work.

This is a readability sacrifice, but my (potentially wrong) understanding is that purls are mostly meant to show up only in machine-readable contexts anyways.

Sigh, it's not pretty, but if that's the way it needs to be, so be it. If that's the case, I'd recommend adding an example with that…

Done! Looks like the other examples for other ecosystem purls also contain URL-escaping examples, so we're in-line here 🙂

pkg:brew/postgresql@12@12.17 is incorrect. The instructions for parsing a PURL (which not all implementations follow) say to split on @ from the right, so it should parse as you expect for Homebrew, but the spec says that @ must always be escaped when it's not being used as the delimiter before the version number. It'd definitely be good to have an example and maybe even call this out since it's common for people to install packages with names like this.

giterlizzi/perl-URI-PackageURL has name "postgresql" version "12" (and discards the "12.17")

maenchen/purl, sonatype/package-url-java have name "postgresql" version "12@12.17"

package-url/packageurl-js throws an error (I thought I saw a fix for this, but maybe the PR hasn't merged)

Yep, I added @colindean's example below. Adding an explicit callout also makes sense to me; I'll add some language for that.

question (non-blocking): Should there be another parameter to name the tap? We use the named tap at work, e.g.

brew tap myco/brewhouse git@git.myco.com:brew/house.git

and the formula, uh, myco-ctl could have a purl

pkg:brew/myco/brewhouse/myco-ctl?tap_url=git@git.myco.com:brew/house.git

and brew would know how to name the tap if it needed to be tapped, or perhaps

pkg:brew/myco/brewhouse/myco-ctl?tap_url=git@git.myco.com:brew/house.git&tap_name=myco/brewhouse

or more simply

pkg:brew/myco-ctl?tap_url=git@git.myco.com:brew/house.git&tap_name=myco/brewhouse

My 0.02c would be for your first form:

pkg:brew/myco/brewhouse/myco-ctl?tap_url=git@git.myco.com:brew/house.git

I think that's unambiguous: the github.com/{org}/homebrew-{tap} logic only applies when a tap_url isn't present, so I think this is the shortest form that conveys all needed information. But maybe I've overlooked something?

Sigh, it's not pretty, but if that's the way it needs to be, so be it. If that's the case, I'd recommend adding an example with that…