Updated CPAN type spec

[giterlizzi]

This PR is for the new version of the purl-type CPAN specification and includes new updated tests.

giterlizzi/perl-URI-PackageURL#8

In brief, this PR confirms the rules for generating a PURL string for CPAN.

Previously it was possible to create PURL strings in two ways:

• author (namespace) and distribution (name)
• module (name component).

Using only the module could create ambiguity, because in CPAN a distribution can have several authors (and co-authors) over time and does not allow precise identification of the artifact.

It was clarified that the author of the "distribution" is mandatory, allowing an artifact and its URL to be identified along with its version.

$ purl-tool pkg:cpan/GDT/[email protected] --download-url
https://www.cpan.org/authors/id/G/GD/GDT/URI-PackageURL-2.22.tar.gz

[sjn]

Looks good! Just a few tweaks, and one question.

Would it make sense to add some failing tests?

e.g. the previous format with Module::Names, and perhaps a couple more uses, with a short description on why it is invalid?

[pombredanne]

@giterlizzi Thanks. We need to make sure we are all clear first wrt. the encoding in the core spec and that is getting close to merge ready in #398

[giterlizzi]

the PR now includes these new tests for the new CPAN specification:

• valid CPAN purl
• CPAN distribution in BackPAN repository
• invalid CPAN distribution name as module name

[sjn]

Looks good to me, with a few final optional suggestions.

[sjn]

Would it be sensible to add a few more tests for corner cases?

• Distribution name with lowercase characters
• Distribution name which contains ::

[sjn]

Looks otherwise good! :-)

[sjn]

Not sure, but would it make sense to still point out that…

A distribution name MUST NOT contain the string ::.

…as earlier? I get it that it's strictly speaking not necessary, but as a hint for new users to understand the difference between a module name and a distribution name, I think it can be helpful.

(I have no strong opinions on this idea, and leave it to you to decide if this goes in or not)

[giterlizzi]

I agree, adding this sentence (A distribution name MUST NOT contain the string ::) reinforces the concept that only the distribution MUST be used.

[giterlizzi]

"name" component description updated

[pombredanne]

Looking good, and this is a big change... could it make sense to also add a FAQ entry and give hints to implementers what they can do when parsing older :: PURLs?

[pombredanne]

After the merge of PR #514, PURL types are now defined in JSON: 😇 😁

• See Refine Purl type schema #514

With the new approach... this PR needs to be updated. Could you look into this? Thanks for your understanding!

[giterlizzi]

@sjn @pombredanne Hi, i have updated the CPAN type spec and tests.

[giterlizzi]

Looking good, and this is a big change... could it make sense to also add a FAQ entry and give hints to implementers what they can do when parsing older :: PURLs?

If @sjn agrees, I will add the "notes" field with this sentence:

The previous CPAN PURL type specification allowed module names (e.g. URI::PackageURL) to be used as PURL "names" while also omitting the PURL "namespace". The parser MUST emit an error when a module is specified as a PURL "name" or detect "::" characters.

[pombredanne]

@giterlizzi this looks all good to me... is there more that you need to add to this?