Clarify distro qualifier per purl type?

[gernot-h]

The spec only briefly mentions distro as an example for a qualifier, but doesn't provide exact format.

In the purl types document, it's mentioned in several sections, but also not really narrowing down the format. This leads to some ambiguities already in the spec, I think:

• bitnami uses distro=debian-12 in the examples, while deb uses the codename, ie. distro=jessie. This might make sense as bitnami has a broader scope, but it's still confusing due to unclear scope if you just search for distro examples.
• apk mentions that the package repo shall be implied from distro or repository_url qualifier, but the examples use neither of both, so I'm unsure whether I should use only the branch name (alpine-3.20), which would be enough to know the repo, or the full release version (alpine-3.20.3) which is what e.g. Syft seems to use.

So my question is, should we have a general recommended format for this qualifier or better try to specify it only in the according sections? I personally think having a general format might be impossible, probably we could only state whether it should contain the namespace or type part or not. I could start by making a suggestion for deb and apk types, if we agree on that approach.

Or is the expectation that parsers should be flexible enough to accept different formats? I think this would be hard to reach, thinking of Debian, it could at least be "codename", "debian-codename", "debian-major", "debian-major.minor" etc.

[gernot-h]

Note that for many distributions using this qualifier is crucial as package release versions are per distro release, so pkg:apk/alpine/openssl@3.3.0-r3 is ambiguous as it refers to a different package (with different sources), depending if you use Alpine 3.20 or 3.21.

[RingoDev]

Is it important that there is a universal understanding of qualifiers?

In my (limited) understanding, qualifiers need to be interpreted in the scope of the type anyways, and could have a different meaning / schema in another type. E.g. distro could have different value schemas depending on if it is used in the context of a bitnami or a deb PURL type.
So I wouldn't see a blocker to define it for the types where you feel capable in the way that is necessary / useful to remove ambiguity

Because what is currently clearly confusing is that e.g. the deb type does not list distro as a known qualifier, but uses it in it's documented examples.

[pombredanne]

@JonoYang ping

[pombredanne]

• From distro qualifier should be standardized  #247 (comment)
• by @another-rex

distro qualifier should be standardized

There doesn't seem to be a specification for how distro should be formatted apart from in examples (e.g. debian), or for some distros like Alpine there are no examples of the distro qualifier, so it's hard to implement a parser for it. (Alpine also does not have a shared package pool across releases, so knowing what alpine version a package is for is very important).

Defining a format for distro qualifier for each ecosystem would be very helpful for implementing tooling that need to know what distro release a PURL is for.

[pombredanne]

• From distro qualifier should be standardized  #247 (comment)
• by @prabhu

+1

cdxgen team has a custom definition of distro and distro_name, where distro is of the form ID-VERSION_ID to deal with alpine and other distro-specific issues.

https://github.com/CycloneDX/cdxgen/blob/master/binary.js#L387

[pombredanne]

• From distro qualifier should be standardized  #247 (comment)
• by @oliverchang

The discussion on ossf/osv-schema#208 reminded me of this issue again :)

Would it make sense to tighten down (for each supported distro), the exact definition of how the distro qualifier is meant to be encoded?

For instance, for Debian in the OSV Schema, we define a Debian distro as the exact release number as it appears in https://debian.pages.debian.net/distro-info-data/debian.csv. e.g. "4.0" as opposed to "4", and "8" as opposed to "8.0".

[gernot-h]

My personal opinion here would be to use strings like debian-12 and alpine-3.20, so basically repeating the namespace plus the actual distribution release - this is what I would expect from a qualifier named distro. For OpenSUSE, I think it should be opensuse-leap-15.5.

I see no point in adding the minor version like alpine-3.20.1 or debian-12.1 because for all distributions I'm aware of, this minor version is incremented independent from package releases and has no influence on the actual package. So I'd consider the minor version to be only confusing as pkg:deb/debian/bash@5.2.15-2&distro=debian-12.5 and pkg:deb/debian/bash@5.2.15-2?distro=debian-12.11 refer to the exact identical package.

[pombredanne]

See also:

• Documentation around using PURLs as unique identifiers #242
• APK PURLs need to have more qualifiers to be identified #570
• Contradicting namespace case requirement for apk #219