Skip to content

add opam package url specification #763

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mjherzog merged 6 commits into from
Jan 21, 2026
Merged

add opam package url specification #763

mjherzog merged 6 commits into from
Jan 21, 2026

Conversation

@hannesm
Copy link
Contributor

@hannesm hannesm commented Dec 4, 2025

addresses #762, superseeds #320

//cc @pombredanne @LaurentGoderre @kit-ty-kate

@hannesm @LaurentGoderre @kit-ty-kate
add opam package url specification
a68516b 
Co-Authored-By: Laurent Goderre <laurent.goderre@docker.com>
Co-Authored-By: Kate <kit-ty-kate@exn.st>
@hannesm
Copy link
Contributor Author

hannesm commented Dec 4, 2025

Please let me know what you think, and if you need more things (in tests or specification).

@pombredanne pombredanne mentioned this pull request Dec 8, 2025
Closed
@hannesm hannesm mentioned this pull request Dec 10, 2025
Closed
@hannesm hannesm mentioned this pull request Dec 16, 2025
Merged
another-rex pushed a commit to ossf/osv-schema that referenced this pull request Dec 22, 2025
@hannesm
Add the OPAM / OCaml ecosystem (#473)
1de720a 
Dear everyone,

we at OCaml have a security team (https://ocaml.org/security), and plan
to publish (historical and new) advisories in osv schema.

In order to achieve that, we want to contribute here a new ecosystem and
database-specific prefix. We will host our advisories at
https://github.com/ocaml/security-advisories.

In OCaml, we have one package manager -- named opam -- which hosts their
package database at https://github.com/ocaml/opam-repository. The OCaml
compiler is as well an opam package. This is why I chose to name the
ecosystem "opam" (also done in purl
package-url/purl-spec#763). As database we'd use
OSEC.

Let me know what you think about this.

Signed-off-by: Hannes Mehnert <hannes@mehnert.org>
@hannesm hannesm mentioned this pull request Jan 1, 2026
Open
pombredanne
pombredanne previously requested changes Jan 7, 2026
View reviewed changes
Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! See my two nits about tests. Otherwise this is good to go!

@hannesm
Copy link
Contributor Author

hannesm commented Jan 12, 2026

Thanks @pombredanne for your review, I removed the test cases. Anything else I can do to move this forward?

@johnmhoran
Copy link
Member

johnmhoran commented Jan 14, 2026

Hi @hannesm . I see that one of your tests, "description": "name and version are always required", purports to require a version in the proposed opam PURL. However, this is inconsistent with the 1st Edition of the PURL specification, which provides that the version component is optional.

@hannesm
Copy link
Contributor Author

hannesm commented Jan 14, 2026
edited
Loading

Hi @johnmhoran, I hope 67ecae6 addresses your comment. If you were speaking about another test, please let me know the line numbers and we can adjust it. The specification itself (types/opam-definition.json) is clear that version is optional.

EDIT: there's as well a test which checks that a name-only opam package is fine.

@johnmhoran
Copy link
Member

johnmhoran commented Jan 14, 2026

Thanks @hannesm -- LGTM!

@hannesm
Copy link
Contributor Author

hannesm commented Jan 19, 2026

Great to hear. Is ther anything I can do to push this forward?

mjherzog
mjherzog approved these changes Jan 21, 2026
View reviewed changes
Copy link
Member

@mjherzog mjherzog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks ready to go.

@mjherzog
Copy link
Member

mjherzog commented Jan 21, 2026

@hannesm
We currently display Registered PURL Types in a card-grid at: https://package-url.github.io/www.packageurl.org/docs/purl/purl-spec-purl-types#registered-purl-types where the card links to PURL Type definition markdown file at: purl-spec/types-doc/

We found the OCaml logo at: https://ocaml.org/logo with the following guidance:
"Websites related to the OCaml language or that use it are encouraged to incorporate the OCaml logo somewhere in their page to indicate their support for OCaml development."
"The logo should be linked to the OCaml website, ocaml.org."

In this use case the link from the card will be to the PURL type definition which refers to: https://opam.ocaml.org, but not directlyl to https://ocaml.org. Please confirm that it is OK to use the logo for the PURL Types card-grid (we can omit a logo as needed).

@mjherzog mjherzog merged commit aaede64 into package-url:main Jan 21, 2026
@hannesm
Copy link
Contributor Author

hannesm commented Jan 22, 2026

@hannesm We currently display Registered PURL Types in a card-grid at: https://package-url.github.io/www.packageurl.org/docs/purl/purl-spec-purl-types#registered-purl-types where the card links to PURL Type definition markdown file at: purl-spec/types-doc/

We found the OCaml logo at: https://ocaml.org/logo with the following guidance: "Websites related to the OCaml language or that use it are encouraged to incorporate the OCaml logo somewhere in their page to indicate their support for OCaml development." "The logo should be linked to the OCaml website, ocaml.org."

The logo itself is hosted at https://github.com/ocaml/ocaml-logo, with an "UNLICENSED" license, which does not contain any requirements about the link the logo should point to.

In this use case the link from the card will be to the PURL type definition which refers to: https://opam.ocaml.org, but not directlyl to https://ocaml.org. Please confirm that it is OK to use the logo for the PURL Types card-grid (we can omit a logo as needed).

This is fine as far as I understand. Please note: (a) I'm not a lawyer (b) I'm not the designer of the logo and (c) I don't know who is the copyright holder of the logo (so, I don't quite know whom to ask).

If the answer above is not sufficient for you to use the logo, please tell me. I'm happy to ask on the caml-list (the development mailing list for OCaml) about your question and hope there'd be someone knowing more details.

@hannesm hannesm deleted the ocaml branch January 22, 2026 10:34
This was referenced Jan 24, 2026
Open
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mjherzog mjherzog mjherzog approved these changes

@johnmhoran johnmhoran johnmhoran approved these changes

@pombredanne pombredanne pombredanne left review comments

+1 more reviewer

@LaurentGoderre LaurentGoderre LaurentGoderre approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Proposed new type type: opam Proposed new type

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@hannesm @johnmhoran @mjherzog @pombredanne @LaurentGoderre @jkowalleck