
check in purl code #1

Merged, 13 commits, Apr 7, 2023

Conversation

matt-phylum (Collaborator)

This is the initial version of the PURL library.

It could use a better name. phylum-purl is probably not good. purl is available. I couldn't think of anything bird themed.

The repository is private for now but the intention is that the code will become public and the library be available on crates.io.

@Allan-Clements Allan-Clements left a comment

Looks really really good, this is gonna be awesome to have in our toolbox 🥳 .

Looking forward to swapping out the Java Purl library inside JG and, with the JNI crate, using this instead (with a simplifying shim layer, since all we'll want to do is pass in a string and defensively canonicalize it).

Files with review comments:

- LICENSE
- .github/workflows/main.yml
- purl/README.md
- purl/src/package_type.rs (two threads)
- purl/src/parse.rs (one resolved, one outdated)
- purl/src/qualifiers.rs (two outdated threads)
- xtask/src/generate_tests/test-suite-data.json

@Allan-Clements

Also, it looks like the repo settings may still need to be done. Requiring approval before merges is the big one for compliance requirements; unfortunately the template repo couldn't automate those. https://github.com/phylum-dev/repo-template/blob/75643e4a1e7a1aef1c066c6a961e2f2f3b562ae2/README.md

@matt-phylum (Collaborator, Author)

> Also it looks like the Repo settings may need to be done still? Requiring approval before merges is the big one for compliance requirements, unfortunately the template repo couldn't automate those. https://github.com/phylum-dev/repo-template/blob/75643e4a1e7a1aef1c066c6a961e2f2f3b562ae2/README.md

I don't have access to the reference branch protection rules.

@Allan-Clements commented Apr 4, 2023

Ah did you already turn over ownership of the repo? @eeclfrei can you help then?

@eeclfrei commented Apr 4, 2023

> Ah did you already turn over ownership of the repo? @eeclfrei can you help then?

Ok, I updated settings to be in line with our other repos. Let me know if you run into any issues.

@Allan-Clements Allan-Clements left a comment

LGTM this is awesome work @matt-phylum 👏 . Learned a lot of Rustisms from this PR alone 😅

@louislang (Collaborator)

> Learned a lot of Rustisms from this PR alone 😅

Read Rustisms as Russian at first and wondered what was going on in this PR 😂

@ein-tier ein-tier left a comment

very cool!

@matt-phylum matt-phylum merged commit 948cc15 into main Apr 7, 2023
@matt-phylum matt-phylum deleted the matt/initial branch April 7, 2023 13:18
@Allan-Clements

@matt-phylum Some other known qualifiers we may want to incorporate too that struck me this morning:

  • platform for gem

It isn't in the purl spec but there might be an undocumented need for a possible platform qualifier for pypi too?
https://peps.python.org/pep-0425/
Example package: https://pypi.org/project/pandas/#files

This issue tried to call them tag but the PR kind of fizzled

@Allan-Clements

Some investigation for how pypi intends retrieval here may be warranted on second thought.

https://pypi.org/pypi/pandas/json

Pulling out one listing:

```json
{
  "comment_text": "",
  "digests": {
    "blake2b_256": "6e4050e0bcdd46c7a9aa4ccbc4ff0b5d58829eda155270f1aa90ae7fa955caf8",
    "md5": "c80b12e4d0f0b4f1ed758581b1ce06db",
    "sha256": "2b0907d656c91b9cbf87fc585e842ac7820bf218d2f0917b5e6fbd7c655b0f3e"
  },
  "downloads": -1,
  "filename": "pandas-1.4.0rc0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
  "has_sig": false,
  "md5_digest": "c80b12e4d0f0b4f1ed758581b1ce06db",
  "packagetype": "bdist_wheel",
  "python_version": "cp310",
  "requires_python": ">=3.8",
  "size": 11680678,
  "upload_time": "2022-01-06T11:02:03",
  "upload_time_iso_8601": "2022-01-06T11:02:03.470895Z",
  "url": "https://files.pythonhosted.org/packages/6e/40/50e0bcdd46c7a9aa4ccbc4ff0b5d58829eda155270f1aa90ae7fa955caf8/pandas-1.4.0rc0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
  "yanked": false,
  "yanked_reason": null
}
```

Maybe the best we can do python coordinate wise is name & version since I'm guessing the various build tools select off of their execution time context?

packagetype adds some dimensionality to a coordinate, but it still doesn't uniquely identify one. I guess we could succumb to using file_name in the purl for Python packages in our data catalog 🤔.

Admittedly purl collision is unlikely since we require checksum but it'd help intuit which of the various pandas publications you wanted to focus on in ad-hoc queries.

Either way, food for thought for platform for gem at least.
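Worked example added here (not code from the phylum purl crate or this PR): std-only Rust that splits a PEP 427/425 wheel filename like the one in the listing above into its tags and builds the pypi purl with and without the `file_name` qualifier the comment floats, showing that two wheels of the same release share one bare `name@version` coordinate. The `file_name` key is the comment's suggestion rather than a purl-spec qualifier, and the struct and function names are assumptions.

```rust
// Added example, not the purl crate's API. Parses a wheel filename per PEP 427
// and derives pypi purls to illustrate the name@version collision discussed above.
#[derive(Debug)]
pub struct WheelTags {
    pub distribution: String,
    pub version: String,
    pub build: Option<String>,
    pub python: String,
    pub abi: String,
    pub platform: String,
}

/// Wheel filenames are `{dist}-{ver}(-{build})?-{python}-{abi}-{platform}.whl` (PEP 427).
/// `dist` and `ver` have `-` normalised to `_`, so splitting on `-` is safe.
pub fn parse_wheel_filename(name: &str) -> Option<WheelTags> {
    let stem = name.strip_suffix(".whl")?;
    let parts: Vec<&str> = stem.split('-').collect();
    let (build, tags) = match parts.len() {
        5 => (None, &parts[2..]),
        6 => (Some(parts[2].to_string()), &parts[3..]),
        _ => return None, // any other shape (sdist, malformed) is not a wheel name
    };
    Some(WheelTags {
        distribution: parts[0].to_string(),
        version: parts[1].to_string(),
        build,
        python: tags[0].to_string(),
        abi: tags[1].to_string(),
        platform: tags[2].to_string(),
    })
}

/// Percent-encode a qualifier value: keep unreserved characters, encode everything else.
fn encode(v: &str) -> String {
    v.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

/// Bare coordinate: purl lowercases pypi names and normalises `_` to `-`.
pub fn pypi_purl(tags: &WheelTags) -> String {
    let name = tags.distribution.to_lowercase().replace('_', "-");
    format!("pkg:pypi/{}@{}", name, tags.version)
}

/// Same coordinate plus the hypothetical `file_name` qualifier, which does pin one artifact.
pub fn pypi_purl_with_file(filename: &str) -> Option<String> {
    let tags = parse_wheel_filename(filename)?;
    Some(format!("{}?file_name={}", pypi_purl(&tags), encode(filename)))
}
```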

5 participants