
Use redhat as namespace for redhat rpms #2914

Merged: 1 commit, Jun 3, 2024

Conversation

ralphbean (Contributor):

The namespace value of redhat signifies this as an RPM package produced and distributed by Red Hat.

Using "rhel" in the namespace is not correct.

Signed-off-by: Ralph Bean <rbean@redhat.com>
kzantow (Contributor) commented May 30, 2024:

Hi @ralphbean -- thanks for the contribution. Do you have some supporting information why "Using "rhel" in the namespace is not correct."? The RPM PURL spec types don't mention either, unfortunately.

ralphbean (Contributor, Author):

Hi! Thanks for the welcome. :)

I do not have a supporting reference - a colleague of mine intends to publish something that will support the case. But, in lieu of that, there are at least two ideas at play:

  • First, at Red Hat, we publish rpms for more than just RHEL. If you find an rpm on a Red Hat system, it may not be a RHEL rpm. It might be a Red Hat OpenStack rpm, or one from one of a bunch of other product lines.
  • Second, the package identifier in the purl should be globally unique in the namespace. At Red Hat, we make sure that rpm identifiers are globally unique across all products - our build system ensures it. An individual rpm you find (whether it is a RHEL rpm or an OpenStack rpm) can be understood to be unique across a broad "redhat" namespace.

wagoodman (Contributor) left a comment:

@ralphbean I agree with your point, from the pURL type reference for rpm:

The namespace is the vendor such as Fedora or OpenSUSE.

...thus here the vendor is RedHat (and rhel is referencing a product, "enterprise linux"). There are probably other changes to the distro-to-namespace translations; we can leave that for a future enhancement.
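The vendor-as-namespace rule quoted above, together with the uniqueness argument in the earlier reply (a purl name only has to be unique within its namespace, which Red Hat's build system guarantees across all products), applied in code. This is an added example, not code from syft or the purl spec. The RPM type, namespaceForDistro and purlForRPM are hypothetical names, the sample packages are constructed, and the only distro-to-namespace translation it performs is the one this PR makes (rhel to redhat); every other ID passes through unchanged, since other translations were explicitly left for later.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RPM holds the fields of one installed package as rpm -q reports them
// (NAME, EPOCH, VERSION, RELEASE, ARCH). Hypothetical type for this example.
type RPM struct {
	Name    string
	Epoch   string // "" or "(none)" when the package carries no epoch
	Version string
	Release string
	Arch    string
}

// namespaceForDistro maps the ID field of /etc/os-release to a purl
// namespace. The purl rpm type defines the namespace as the vendor, so the
// RHEL product ID becomes the vendor "redhat", as this PR does. Other IDs
// pass through lowercased; translations for other vendors are out of scope.
func namespaceForDistro(id string) string {
	id = strings.ToLower(strings.TrimSpace(id))
	if id == "rhel" {
		return "redhat"
	}
	return id
}

// purlForRPM renders pkg:rpm/<namespace>/<name>@<version>-<release> with the
// arch, distro and (if present) epoch qualifiers the purl rpm type uses.
// Qualifiers are emitted sorted by key, which is what the purl spec requires
// for a canonical string.
func purlForRPM(distroID, distroVersion string, p RPM) string {
	var b strings.Builder
	b.WriteString("pkg:rpm/")
	b.WriteString(url.PathEscape(namespaceForDistro(distroID)))
	b.WriteString("/")
	b.WriteString(url.PathEscape(p.Name))
	b.WriteString("@")
	b.WriteString(url.PathEscape(p.Version + "-" + p.Release))

	q := url.Values{}
	if p.Arch != "" {
		q.Set("arch", p.Arch)
	}
	if p.Epoch != "" && p.Epoch != "(none)" {
		q.Set("epoch", p.Epoch)
	}
	if distroVersion != "" {
		// The distro qualifier keeps the product (rhel-9.3); only the
		// namespace collapses to the vendor.
		q.Set("distro", strings.ToLower(distroID)+"-"+distroVersion)
	}
	if len(q) > 0 {
		b.WriteString("?")
		b.WriteString(q.Encode()) // url.Values.Encode sorts by key
	}
	return b.String()
}

func main() {
	// Constructed sample packages, not captured from a real host.
	pkgs := []RPM{
		{Name: "curl", Epoch: "(none)", Version: "7.76.1", Release: "26.el9", Arch: "x86_64"},
		{Name: "bash", Epoch: "1", Version: "5.1.8", Release: "6.el9", Arch: "x86_64"},
	}
	for _, p := range pkgs {
		fmt.Println(purlForRPM("rhel", "9.3", p))
	}
	fmt.Println(purlForRPM("fedora", "40", RPM{Name: "curl", Version: "8.6.0", Release: "8.fc40", Arch: "aarch64"}))
}
```

Running it prints pkg:rpm/redhat/curl@7.76.1-26.el9?arch=x86_64&distro=rhel-9.3 for the first package: the namespace is the vendor, while the product and version survive in the distro qualifier, so nothing is lost by dropping rhel from the namespace. The epoch is carried as a qualifier rather than folded into the version, which matters when two purls are compared for identity.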

@wagoodman wagoodman added the bug Something isn't working label Jun 3, 2024
@wagoodman wagoodman merged commit 8a7f08e into anchore:main Jun 3, 2024
11 checks passed
ralphbean (Contributor, Author):

Thanks so much @wagoodman!

ralphbean (Contributor, Author):

Adding this retroactively to the conversation: https://github.com/RedHatProductSecurity/security-data-guidelines/blob/main/docs/purl.md :)
