In external repo identifiers, add homepage URL and repo URL

[david-a-wheeler]

SPDX already supports identifying packages using a CPE, some repos, or a package URL (purl), as noted here in Annex F:

https://github.com/spdx/spdx-spec/blob/development/v2.2.1/chapters/external-repository-identifiers.md

However, many packages don't have a CPE and aren't in a repo, so those don't work in many cases.

However, almost all software projects do have a homepage URL, and almost all open source software projects do have a publicly-visible repo (which may be different from the homepage). The CII Best Practices Badge project has had good success using these to identify projects.

I recommend adding a way to identify projects by either (1) homepage URL or (2) repository URL. So I recommend adding:

• homePageUrl : The project home page Uniform Resource Locator (URL). Where possible, use the "https" scheme in preference to the "http" scheme, and prefer a URL that is not tied to a particular locale. This should be a "stable" URL that does not change as new releases are made.

• repoUrl : The project repository Uniform Resource Locator (URL). Where possible, use the "https" scheme in preference to the "http" scheme, and prefer a URL that is not tied to a particular locale. This should be a "stable" URL that does not change as new releases are made. If it is a public git repository, it should be possible to clone this project using "git clone $(repoURL)".

[david-a-wheeler]

@kestewart - I'd love to hear your thoughts about this proposal!

[david-a-wheeler]

On further reflection, sometimes you also want to refer to a specific version. I think a very good way to do this with URLs is to be able to refer to a URL for a specific version that was downloaded/used. So let's add:

• releaseURL : The project release Uniform Resource Locator (URL) that, when retrieved, will download the specific version of the software that was used. Where possible, use the "https" scheme in preference to the "http" scheme, and prefer a URL that is not tied to a particular locale. This should be a stable URL, that is, the URL over time should continue to refer to the specific version as originally used. This releaseURL may refer to a compiled release or a "source code only" release; it should simply refer to whatever what used.

[goneall]

Since this isn't a breaking change, moving to the 3.1 milestone for consideration

[bact]

For the proposed homePageUrl, in 3.0 we have Software/homePage.

For repoUrl, we may like to see how other schemas proposed as well:

• Citation File Format:
  • Apart from a generic repository, it also have repository-artifact (for binary/build artifact) and repository-code for code, in case they are different
• DCAT
  • Has landingPage, homepage, downloadURL
• CodeMeta
  • Has codeRepository, downloadUrl, and installUrl. It also use schema:SoftwareSourceCode. See their descriptions.
  • CodeMeta also provides a crosswalk of similar properties from other software package metadata standards, like

[bact]

Would it be possible to add these as entries in ExternalRefType? (or ExternalIdentifierType)

Currently we have entries like:

- altDownloadLocation: A reference to an alternative download location.
- altWebPage: A reference to an alternative web page.
- issueTracker: A reference to the issue tracker for a package.
- releaseNotes: A reference to the release notes for a package.
- releaseHistory: A reference to a published list of releases for a package.

These two could be added:

- codeRepository: ...
- releaseURL: ...