RFC: Join ECMA tc54 for PURL standardization #295

Open
pombredanne opened this issue Mar 8, 2024 · 4 comments

@pombredanne
Member

pombredanne commented Mar 8, 2024

The ECMA https://tc54.org/ is inviting this spec to become standardized there.
I like this overall and I feel this is a good thing.
This issue is to discuss this and ensure that we have a consensus to move forward with this, and also to determine what this would mean going forward for the core spec, the types and the implementations.

I would like to collect your comments about this!

@stevespringett
Member

I also believe this will be a good thing for purl and the community. Full disclosure, I chair Ecma TC54.

  • Ecma is an international standards organization.
  • Every Ecma standard is available free without charge.
  • Ecma has liaison agreements with other standards bodies
  • Ecma has a history of having a community model incorporating open source contributions, Ecma task groups, and Ecma Technical Committees. Examples of these models include TC39 (JavaScript) and TC54 (Software and System Transparency/CycloneDX).
    • In the case of TC54, OWASP and Ecma worked together to come up with a working model that is driven primarily by the community. See https://tc54.org/contribute/ and https://cyclonedx.org/about/standardization-process/
    • This allows CycloneDX to continue to innovate quickly while simultaneously having active involvement from TC54 resulting in high-quality specifications and the proper governance necessary to meet requirements of an international standard.
    • Package URL could benefit from the same approach.
  • If acceptable by the community, a Task Group (TG) will be formed under TC54 that will be dedicated to Package URL.
  • The TG would work to prepare the purl specification (currently 1.0) and vers (currently in draft) for standardization consideration.
  • purl types will need some discussion. One possible approach that has been discussed is a registry of purl types - possibly governed by the TG.

I fully support bringing Package URL into Ecma TC54 as I believe the purl community and the thousands of applications that use purl today, will benefit.

@prabhu

prabhu commented Mar 21, 2024

purl +1
vers not sure. Also, vers can be another independent standard since the versioning scheme could be different from package types

Also, we need to secure engineering time to make the purl reference implementations compliant and consistent. For instance, the go implementation has some workarounds and patches not present in JS and Python.

@pombredanne
Member Author

ok, with no objections and only positive +1, let's start the process!

@stevespringett
Member

That's fantastic @pombredanne. I'll follow up with you on the next steps to establish a task group within TC54 and we'll get this thing rolling.
