Date: Wed, 26 Mar 2025 20:09:31 -0400
From: Lucas Holt
To: freebsd-hackers@freebsd.org
Subject: PURL URIs and SBOM
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
Message-ID: <9b3e88a6-3502-4b5e-ad5d-fddbf763b5c4@foolishgames.com>

I know there's a project to work on SBOMs for the FreeBSD project, and perhaps things are far ahead there. I recently started working on submitting a patch to a smaller SBOM generator to support FreeBSD with the plan to eventually add MidnightBSD also.

I ran into a snag when generating them. There is a lot of validation on SBOM tools and the PURL spec also has validation. So they need to be submitted. This brought up the need for a standard PURL pattern for BSDs. I'm not sure if it makes sense to be based on being a BSD or what primary package manager we all use.

I submitted a PR for a MidnightBSD PURL value and someone had mentioned the idea of doing something like

pkg:bsd/freebsd/pkgname@version?arch=i386&distro=freebsd/14.2

or something similar.

I was thinking of doing something based on the package manager though like

pkg:mport/midnightbsd/pkgname@version?arch=amd64&osrel=3.2

(these are generated by mport purl already) but then it gets weird for FreeBSD

pkg:pkg/freebsd/pkgname@version?arch=amd64&osrel=14.2

...

The PR is at https://github.com/package-url/purl-spec/issues/431

I'd appreciate input on this.

Thanks,

-- 
Lucas Holt
Luke@FoolishGames.com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)
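
Added example, not part of the original message and not code from mport or purl-spec: a small parser that decomposes the three PURL layouts mentioned above and lists the fields an SBOM tool would have to match on. The version 1.2.3, the function names and the simplified character rules are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Simplified character rules for this sketch (assumption; purl-spec is normative).
TYPE_RE = re.compile(r"[a-z][a-z0-9.-]*")
KEY_RE = re.compile(r"[a-z][a-z0-9._-]*")

# Constructed samples: the three layouts from the message, with a made-up version.
CANDIDATES = [
    "pkg:bsd/freebsd/pkgname@1.2.3?arch=i386&distro=freebsd/14.2",
    "pkg:mport/midnightbsd/pkgname@1.2.3?arch=amd64&osrel=3.2",
    "pkg:pkg/freebsd/pkgname@1.2.3?arch=amd64&osrel=14.2",
]

def _rsplit(text, sep):
    """Split on the last occurrence of sep; the tail is '' when sep is absent."""
    head, found, tail = text.rpartition(sep)
    return (head, tail) if found else (text, "")

def parse_purl(purl):
    """Decompose a purl, splitting in the right-to-left order purl-spec describes."""
    rest, subpath = _rsplit(purl, "#")
    rest, query = _rsplit(rest, "?")  # qualifiers come off first, so '/' in a value is safe
    scheme, sep, rest = rest.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError("scheme must be 'pkg'")
    ptype, sep, rest = rest.strip("/").partition("/")
    ptype = ptype.lower()
    if not sep or not TYPE_RE.fullmatch(ptype):
        raise ValueError(f"invalid type {ptype!r}")
    rest, version = _rsplit(rest, "@")
    namespace, _, name = rest.rpartition("/")
    if not name:
        raise ValueError("name is required")
    qualifiers = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        key = key.lower()
        if not KEY_RE.fullmatch(key) or key in qualifiers:
            raise ValueError(f"invalid or duplicate qualifier key {key!r}")
        if value:  # qualifiers with an empty value are dropped
            qualifiers[key] = unquote(value)
    return {"type": ptype, "namespace": unquote(namespace), "name": unquote(name),
            "version": unquote(version), "qualifiers": qualifiers, "subpath": subpath}

def ecosystem_keys(purls):
    """Return (type, namespace, sorted qualifier keys) for each purl."""
    parsed = [parse_purl(p) for p in purls]
    return [(p["type"], p["namespace"], tuple(sorted(p["qualifiers"]))) for p in parsed]
```

Calling ecosystem_keys(CANDIDATES) shows that the same package gets a different type and a different OS-release qualifier key under each layout, so the layouts cannot be correlated by string comparison alone.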