Specify registry & organisation name for container images about purl-spec HOT 8 CLOSED

The preferred way to specify alternate host that are not the default one for a given package type is to use the repository_url qualifier. You can use whatever you want in the namespace and it may be host-like looking, but that would not make it a host from a URL point of view .

So with your examples above, say you have a GH repo on a custom GHE host, this could come out this way:
pkg:github/me/myrepo@12435abc?repository_url=https://github.company.com/

The same would apply to the Docker images cases, and though some folks may like to also state a registry as part of the namespace I find it inconsistent at best

from purl-spec.

@lizrice Thank you! Any pointer in the code? there are ~ 400K lines of goodness there so it would be mightily helpful if you have one!

from purl-spec.

Also in your experience, how common is it to source images or base images from the non-default public docker.io/docker hub registry? I am all for making thing mandatory, but as much as much possible the theme here is that the common default case should be simple and other case should be possible. I would like to avoid making the less common case the default.

from purl-spec.

I happened to notice it in the example in the distribution section of the containerd README.

containerd has a Resolver which expects " a scheme-less URI representing the remote. Structurally, it has a host and path." There's some more description here.

I don't have numbers, but it's very common for people to use non-Docker Hub registries, especially for private images (though of course there are plenty of people with private images on Docker Hub too). Google, AWS, Azure and Red Hat all have their own registries, and there are third party ones like Quay.io too. The original, public versions of a base image would very often be obtained from Docker Hub in the first place, but a lot of enterprises then store a copy in their own private registry (or their cloud provider's registry) for security reasons, and/or to improve the speed at which images can be pulled from the registry.

I don't think it's absolutely essential, but having seen this was the direction that containerd has taken I figured it's worth suggesting making the registry explicit (and then the user/org name needs to be explicit too).

from purl-spec.

So the spec as it is supports both alright. Either with or without a namespace that would point to the registry in this case. I would like to keep in general the default case simple e.g. no registry, but that's just my taste and it does not prohibit to use one always. With the caveat that if you always use one instead for instance of using a repositoru_url qualifier you will not have the same images from different reegistries sorted side-by-side which is a nice but not essential property.

from purl-spec.

FYI, I presented this at FOSDEM: https://fosdem.org/2018/schedule/event/purl/

from purl-spec.

Chiming in late but non-default docker registries are very common. With the new spec, is the following still accepted?

pkg:docker/docker.io/library/redis@sha256:abc...

and if so then is namespace = docker.io/library and name = redis?

from purl-spec.

Re-reading the spec I see relevant parts in the readme.

First, namespace can contain slashes:

The optional namespace contains zero or more segments, separated by slash '/'

And non-encoded too:

the '/' used as type/namespace/name and subpath segments separator does not need to and must NOT be percent-encoded. It is unambiguous unencoded everywhere

And theses two similar sections on namespace vs host:

A purl must NOT contain a URL Authority i.e. there is no support for username, password, host and port components. A namespace segment may sometimes look like a host but its interpretation is specific to a type.

A URL host or Authority must NOT be used as a namespace. Use instead a repository_url qualifier. Note however that for some types, the namespace may look like a host.

I'm interested in whether there would be different approaches for (a) docker images like quay.io/a/b vs (b) customer git hosts like https://github.company.com/a/b. In practice both are specifying the host, but I'm wondering if the docker example would be classified as "namespace" while the github enterprise one is "host".

from purl-spec.