-
Notifications
You must be signed in to change notification settings - Fork 161
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add PHP PEAR/PECL type #300
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@LaurentGoderre Thanks! Can you elaborate a bit on PECL?
Is there some extra information that would need to go in this Package URL definition?
Is there some API, spec documentation of similar that you can reference (at least in comments here)?
Also, could it be that PECL is just an alternate channel/repository for PEAR?
And can you add tests to the JSON test-suite-data.json test data file?
|
||
- The default repository is ``https://pecl.php.net/``. | ||
- The ``namespace`` is empty. | ||
- The ``name`` is not case sensitive |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the standard case? is this normalized to lower case? Is there a spec/doc for this?
For instance, https://pecl.php.net/package/ApacheAccessor points to a proper page, and so is https://pecl.php.net/package/apacheaccessor but this is not true for https://pecl.php.net/rest/p/apacheaccessor/info.xml which is OK, but https://pecl.php.net/rest/p/ApacheAccessor/info.xml is not. So it seems that the name IS case insensitive BUT normalized to lowercase or something else.... if you could research this, it would be great.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pombredanne wouldn't the behavior of the CLI take prescende over how their site is configured? In the CLI, the case doesn't matter. From the site though it doesn't seem like it's normalized to lowercase
PECL and PEAR are different. PEAR is closer to composer as it is PHP code vs PECL which is native extensions to PHP. |
Added some tests but the docs doesn't specify how to run the tests |
The PECL page says that PECL is PEAR:
|
You can't use interchangeably
|
Not being able to install them the same way doesn't mean they aren't the same system. They use the same protocol with different repository_urls (channels).
You can install pecl packages using pear.
But going the other direction doesn't work?
Having incompatible packages doesn't necessarily mean they are different package types. If To use the same package type, if you had a list of pecl extensions you could write them as |
@matt-phylum in my opinion, what is being installed (native extensions vs PHP code) is different enough to warrant distinct Purls |
@matt-phylum @pombredanne After some consideration, I updated the PR to have Here is the PR for the modified implementation in Syft: anchore/syft#2775 |
@pombredanne can you take another look at this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current draft looks good to me. 👍
- "pear" is the package manager used to fetch pear- and pecl-php-extensions/-applications, each from their respective repository.
- having the repository as the "namespace" sense, since it functions as such.
The actual php-extensions/-applications do not have a namespace on tier own, and even if they had, we could still bring that in likepkg:/pear/pecl.php.net/Me/[email protected]
andpkg:/pear/pecl.php.net/You/[email protected]
.
as domain names are lowercase per RFC, I would add this to the spec.
A thing I see missing is: how to handle static packages?
which qualifiers should be used to indicate the location, and which channel should be named to indicate this?
pear
CLI uses channel __uri
to do so.
Possible solution: in case a static URL was used, use PURL's well-known qualifier download_url
, and namespace/channel __uri
a feasible alternative to the currnet draft could be:
- do not use PEAR channels as namespaces.
- PEAR channels are indicated as PURL qualifier
channel
, default ispear.php.net
. - in case a static url was used, use PURL's well-known qualifier
download_url
, and omitchannel
qualifier
i would prefer the current draft over the shown alternative.
If the namespace of the PURL contains information for channel discovery, how does it interact with repository_url qualifier? Does repository_url override the base URL that would normally be determined through channel discovery? |
@matt-phylum I am not sure.... |
@cweiske do you think you can review as a PEAR contributor? |
Add Purl type for PHP PECL package type