Paul Horton
@madpah

Hey @pombredanne - re PEP-561 typing (and beyond the official Rationale), we had a few downstream folk request us type the CycloneDX Python Lib as they had tools like mypy in their CI processes and it caused extra work (headaches) for them to deal with un-typed dependencies.

tldr: Hygiene I guess?

Re: help @pombredanne - is this the best place to talk specifically about the Python library?
Philippe Ombredanne
@pombredanne
@madpah sure thing
@madpah I feel that typed Python is another language at times and not my Python :P
but I can live with it as long as we are still supporting Python 3.6+ for now
so please go for it :+1:
Paul Horton
@madpah
Sure @pombredanne - will look at a PR then for typing à la PEP-561
What CI is actually used for package-url Python @pombredanne ? It’s not clear from the repo?
Philippe Ombredanne
@pombredanne
@madpah I am ashamed
The CI seems to be gone entirely :)
Paul Horton
@madpah
Oh dear. Any objection to me getting GitHub Actions or Circle CI up and running for it?
Philippe Ombredanne
@pombredanne
I will merge in a skeleton I use elsewhere with a decent CI setup and enable Azure + Appveyor at least
Paul Horton
@madpah
Sure - whatever you prefer.
Philippe Ombredanne
@pombredanne

Oh dear. Any objection to me getting GitHub Actions or Circle CI up and running for it?

@madpah perfect too

@madpah please go for it :)
Paul Horton
@madpah
Will do @pombredanne
Might need to get some permissions on the main https://github.com/package-url/packageurl-python repo @pombredanne
Philippe Ombredanne
@pombredanne
@madpah unrelated I think you found some use for https://github.com/nexB/pip-requirements-parser in some CycloneDX lib of yours and this is awesome
Paul Horton
@madpah
We did @pombredanne !
Philippe Ombredanne
@pombredanne
@madpah Let me give you some access as you need. I guess you can be trusted as a committer?
@madpah done :)
Jeffry Hesse
@DarthHater
Dang Paul got commit rights before me?!?!
DarthHater @DarthHater shakes fist at air
Paul Horton
@madpah
lol @DarthHater
Paul Horton
@madpah
@pombredanne PR for enabling GitHub Actions is with you for review (merging is blocked for me until 1 approver :-))
Tory Clasen
@tclasen

Anyone know why the python package isn't letting me get a url from a purl?

import typer
from packageurl import PackageURL
from packageurl.contrib import purl2url

app = typer.Typer()

@app.command()
def get(purl: str):
    parsed = PackageURL.from_string(purl)
    typer.echo(f"Grabbing {parsed}")
    # typer.echo takes the output stream as its second positional argument,
    # so the URL has to go into the message string itself
    typer.echo(f"A {purl2url.get_url(purl)}")
    typer.echo(f"B {purl2url.get_url(parsed.to_string())}")
    typer.echo(f"C {purl2url.get_url(str(parsed))}")
    typer.echo(f"D {purl2url.get_url(parsed.to_string())}")

For this I've tried the two following PURLs:

And for both of them I successfully parse and can print the purl, but the A, B, C, D echos after that are all empty (but don't crash).

Philippe Ombredanne
@pombredanne
It should be reasonably straightforward using tidbits of code from https://github.com/nexB/fetchcode/blob/master/src/fetchcode/package.py and the expansive set in https://github.com/nexB/scancode-toolkit/tree/develop/src/packagedcode
@tclasen can I interest you in contributing these?
@TG1999 ^ ping
@tclasen please start with an issue
Tushar Goel
@TG1999
@pombredanne ack
Jeffry Hesse
@DarthHater
@pombredanne any chance you are gonna check this out soonish? package-url/packageurl-go#32 (coworker is demoing something that relies on it right now, hence asking)
Tushar Goel
@TG1999
package-url/packageurl-python#86 @pombredanne @tclasen addressed the above chat in the issue
Philippe Ombredanne
@pombredanne
@DarthHater reviewed and approved. Will merge shortly! :bow:
Jeffry Hesse
@DarthHater
AWESOME!!!
Thanks dude!
Philippe Ombredanne
@pombredanne
done
ChronosMOT
@ChronosMOT
Hi, I would like to contribute, but am unsure how to go about it. I've seen an issue where a contributing.md was discussed, but never got realized.
What is the preferred way to contribute? Should I open an issue to discuss my ideas, discuss them here or start writing the specifications I think are needed and then discuss in the PR?
Specifically I'm looking into creating an SBOM for a Windows 10 System and would like to add a type for Store Apps. The data you can get on those is very uniform and it should be easy to create a specification for those.
Philippe Ombredanne
@pombredanne
@ChronosMOT Hey :) for this the best is to start with a PR adding a type. That's the simplest and this is usually fairly straightforward .... BTW is there a way to directly download Store Apps? just curious?
ChronosMOT
@ChronosMOT
Hi @pombredanne . Ok, then I'll do that.
Apparently there is https://lazyadmin.nl/it/install-microsoft-store-apps-without-store/ ^^
Philippe Ombredanne
@pombredanne
great :+1: that's best
I assume that there is likely some recipe to automatically derive these
ChronosMOT
@ChronosMOT
Well... After a quick try it seems that there is a website that lists the download-link for the app-package for each product on the store. There isn't really a good way to get to that download-link...
So you can download the apps without using the store, but it gets a bit involved ^^"
Philippe Ombredanne
@pombredanne
if there is a will, there is a way! :)
Jason Kulatunga
@AnalogJ

I'm attempting to create an open-source universal downloader of sorts, based on PURLs. I've done this before in another life, and it was a PITA to come up with all the different URIs for the various artifact providers; the package-url spec seems very similar to what we ended up creating in house, and I'd love to build on top of it.

Couple of questions:

  • is there already a known tool that will download artifacts given a PURL? (preferably a standalone binary written in Go?)
  • my first use-case is to download a github release asset (scrutiny-collector-metrics-windows-4.0-amd64.exe attached to this release https://github.com/AnalogJ/scrutiny/releases/tag/v0.4.8), is there an existing PURL format for something like that?
  • if not, which of the following would make the most sense?
    • pkg:github/AnalogJ/scrutiny@v0.4.8?file_name=scrutiny-collector-metrics-windows-4.0-amd64.exe&type=release_asset
    • pkg:github/AnalogJ/scrutiny@v0.4.8?type=release_asset#scrutiny-collector-metrics-windows-4.0-amd64.exe
Philippe Ombredanne
@pombredanne

@AnalogJ Hey :) looks great!

is there already a known tool that will download artifacts given a PURL? (preferably a standalone binary written in Go?)

That's a goal of https://github.com/nexB/fetchcode/ (in Python)

my first use-case is to download a github release asset (scrutiny-collector-metrics-windows-4.0-amd64.exe attached to this release https://github.com/AnalogJ/scrutiny/releases/tag/v0.4.8), is there an existing PURL format for something like that?

Not really, but we can invent one.

if not, which of the following would make the most sense?

IMHO, the first one would be the closest. A default one would be:
pkg:github/AnalogJ/scrutiny@v0.4.8?download_url=https://github.com/AnalogJ/scrutiny/releases/download/v0.4.8/scrutiny-collector-metrics-windows-4.0-amd64.exe ....

We could spec and update the spec for release assets:
could be something such as:

pkg:github/AnalogJ/scrutiny@v0.4.8?release_asset=scrutiny-collector-metrics-windows-4.0-amd64.exe
(and obvious) since here a specific property of GH release assets is that a name is unique within a release, so we could leverage this and have something compact and unambiguous

@AnalogJ is this for https://github.com/PackagrIO/fetchr ? :P
@AnalogJ you may be interested in package-url/purl-spec#139 which is to be merged anytime and https://github.com/nexB/univers which is in Python, not Go... but a Go vers would be awesome

Jason Kulatunga
@AnalogJ

Awesome, thanks for the help @pombredanne !
Yeah, fetchr will be a go library & cli for downloading artifacts using purl urls.

in my past life, we did run into an issue with our universal downloader that I haven't seen discussed in the purl issues/repo -- immutable vs mutable references.

with a docker image it's pretty easy to see that alpine:latest is not guaranteed to be immutable (vs alpine@sha256:12345abcdef), however referencing the image by digest is not always possible in the destination -- ie a helm chart references the image as alpine:v1.2.3

this also applies to git repos (where tags are mutable) and other artifact types.

We solved this by adding the ability to query and embed immutable refs in our "purl-like" identifiers.

something similar to:

pkg:docker/smartentry/debian@dc437cc87d10?immutable_ref=sha256@abc12345

Philippe Ombredanne
@pombredanne
@AnalogJ this makes sense... I think we may have specified something for checksums... https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs ... could this be of help?
maybe this?
pkg:docker/alpine@v1.2.3?checksums=sha256:dc437cc87d10
Philippe Ombredanne
@pombredanne