@raboof thanks for the detailed feedback!
Yes, but AFAIU that’s mainly because Debian doesn’t provide a common “hash of all dependencies” in the same way as Nix does. For an example where there is such a hash, see OCI images (The version is the sha256:hex_encoded_lowercase_digest of the artifact and is required to uniquely identify the artifact.
) and Docker images (The version should be the image id sha256 or a tag. Since tags can be moved, a sha256 image id is preferred.
).
I think including the derivation hash makes the version
field overly specific: for instance, if I want to express, “hello 2.12.1 is vulnerable to CVE-2024-foo”, how would I do that? Enumerating all derivation hashes of hello 2.12.1 is unfeasible.
Maybe something like *-2.12.1
would work? And then, for cases when only a small list of particular derivations is affected (e.g. a dependency update/patch quickly solved the issue without a version update), you have the ability to list those precisely.
For those cases where it’s useful, though I can’t think of any, you could still get it from the attribute.
Indeed, I agree it won’t often be useful for vulnerability scanning, but it is useful in the general context of purl, in that it identifies the package more precisely and uniquely.
I’ve spent some time deliberating on where exactly to split the full flakeRef. I think it makes more sense to keep the reference to the flake it as a single field, because the flake-ref syntax is quite complex and has various URI “parts” depending on the “scheme”. Inheriting this complexity into purl can lead to the need for updates of the schema in the future, which I think we should avoid if possible. However, I’ve come to the conclusion that it’s better to split off the attrPath from the flakeRef to keep compatibility with channelUrl
and lack of any source.
I think this should be something which nix
accepts as a --file
argument or part of NIX_PATH
. AFAIR there’s no documentation on that, and it only accepts local files and http(s)
URLs pointing to tar.gz
files, but I might be wrong here.
I was considering the same, but I think it makes sense to keep the output here and also as outputName
, since it’s not clear how to derive one from another and vice versa (consider a flake which re-exports zlib.dev
as outputs.myPackageScheme.zlib-dev
, overriding dev
to be something else; then, just appending outputName
to the attrPath would possibly break things, and it’s impossible to infer outputName
from the path). Ditto for system
: the flake output schema is not strict, there can easily be a custom output schema which doesn’t use ${system}
in the attrPath at all.