Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal: github-release type #299

Open
steiza opened this issue Apr 1, 2024 · 1 comment
Open

Proposal: github-release type #299

steiza opened this issue Apr 1, 2024 · 1 comment

Comments

@steiza
Copy link

steiza commented Apr 1, 2024

This issue is to suggest a github-release purl type, discuss the motivation, and list some possible alternatives.

Motivation

At GitHub we're working on some improvements to GitHub Releases including the ability to make a release immutable (after which you couldn't add, change, or remove any of the assets on the release).

The immutability would be externally auditable by publishing an in-toto release attestation, which includes a purl. As an aside, the in-toto release attestation is a formalization of the npm publish attestation, which has been out for over a year and is working well for over 10,000 different npm packages.

npm publish attestations use the npm purl type, but GitHub Releases doesn't have a purl type.

Proposal

Add a purl type github-release. For example, https://github.com/advanced-security/gh-sbom/releases/tag/v0.0.10 would look like:

pkg:github-release/advanced-security/gh-sbom@v0.0.10

To be explicit, here's a short definition for each of those purl fields:

  • type: github-release
  • namespace: GitHub "owner" (e.g. a user or an organization)
  • name: repository name
  • version: the version string of the GitHub Release

There is some weirdness here to call out:

  • In the purl spec the version is optional, but a github-release without a version doesn't make much sense.
  • Today GitHub Releases are tied to a git tag, but we're thinking of ways to decouple GitHub Releases from git tags, because git tags are mutable.

Alternative 1: use existing github purl type

The problem with this is that the purl version is ambiguous. Today the purl spec says the version can refer to a commit hash or a git tag. We'd like it to refer to the release version string, but there's no requirement that the git tag and the release version string match (also the git tag is mutable). For example:

pkg:github/advanced-security/gh-sbom@v0.0.10

Could refer to https://github.com/advanced-security/gh-sbom/tree/v0.0.10, which is mutable, or (if we don't have a separate github-release type) https://github.com/advanced-security/gh-sbom/releases/tag/v0.0.10, which could be made immutable.

Alternative 2: use generic purl type

The problem with this approach is that it's very easy to have purl name collisions. Maybe this would look something like:

pkg:generic/gh-sbom@v0.0.10?download_url=https://github.com/advanced-security/gh-sbom/releases/tag/v0.0.10

Any other package named gh-sbom (a fork, or an unrelated project) would end up with a similar-looking purl.

Conclusion

Feedback welcome! If folks think this sounds good, I can write up a more formal pull request.
@jhutchings1
Copy link
Contributor

I'm a fan of the proposal to use a new type here as you propose, @steiza.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@steiza @jhutchings1