From 91b6f297fff2c83044170e21593850a864788f2e Mon Sep 17 00:00:00 2001
From: Forest Eckhardt
Date: Tue, 26 Sep 2023 15:26:15 -0400
Subject: [PATCH 1/6] RFC: Standardize Paketo Dependency Metadata Format
---
 ...000-standard-dependency-metadata-format.md | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 text/0000-standard-dependency-metadata-format.md
diff --git a/text/0000-standard-dependency-metadata-format.md b/text/0000-standard-dependency-metadata-format.md
new file mode 100644
index 00000000..16da928c
--- /dev/null
+++ b/text/0000-standard-dependency-metadata-format.md
@@ -0,0 +1,48 @@
+# Standardized Paketo Dependency Metadata Format
+
+## Summary
+
+This proposal suggests that the Paketo project should converge on a single dependency metadata format.
+
+## Motivation
+
+There are several projects, such as the introduction of ARM or the removal of stacks, that are being discussed that would force Paketo to update the metadata for dependencies. It seems prudent that if we are going to have to do a large update to dependency metadata that it might also be a good time for us to converge as a project on the dependency metadata format that we should be using going forward.
+
+This could also be a good first step in converging on shared tooling. By having a shared dependency metadata format we would have a good common convergence point to begin building universal tooling for the Paketo project.
+
+## Implementation
+
+The following in the proposed metadata format:
+
+```toml
+[[metadata.dependencies]]
+arch = ""
+checksum = ""
+id = ""
+os = ""
+uri = ""
+version = "dependency version"
+
+cpes = [ "" ] #optional
+name = "" #optional
+purl = "" #optional
+strip-components = #optional
+
+ [[metadata.dependencies.distros]] #optional
+ name = ""
+ version = "" #optional
+
+ [[metadata.dependencies.licenses]] #optional
+ type = ""
+ uri = "" #optional
+```
+
+**Note:** Both the `distros` and `licenses` fields are optional, however if they are given then the non-optional components of them must be set.
+
+## Prior Art
+- The layout of distributions is pulled from the [Buildpacks Spec](https://github.com/buildpacks/spec/blob/main/buildpack.md#buildpacktoml-toml).
+
+## Unresolved Questions / Bikeshedding
+- Should we make a new tooling repository as part of this initial RFC or should that wait for implementation?
+- Should this include a buffer for stacks or should the stack removal be the forcing function that forces this conversion?
+- Does this require the creatation of our own Paketo Spec or some other API style document or is this RFC sufficent?
From e03213b8a30266a35ee74bd0cdf9a4f2e442f77e Mon Sep 17 00:00:00 2001
From: Forest Eckhardt
Date: Wed, 4 Oct 2023 10:37:33 -0400
Subject: [PATCH 2/6] Apply suggestions from code review
Co-authored-by: Ralf Pannemans
---
 text/0000-standard-dependency-metadata-format.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/text/0000-standard-dependency-metadata-format.md b/text/0000-standard-dependency-metadata-format.md
index 16da928c..345669ec 100644
--- a/text/0000-standard-dependency-metadata-format.md
+++ b/text/0000-standard-dependency-metadata-format.md
@@ -12,7 +12,7 @@ This could also be a good first step in converging on shared tooling. By having
 ## Implementation
-The following in the proposed metadata format:
+The following is the proposed metadata format:
 ```toml
 [[metadata.dependencies]]
@@ -45,4 +45,4 @@ strip-components = #opt
 ## Unresolved Questions / Bikeshedding
 - Should we make a new tooling repository as part of this initial RFC or should that wait for implementation?
 - Should this include a buffer for stacks or should the stack removal be the forcing function that forces this conversion?
-- Does this require the creatation of our own Paketo Spec or some other API style document or is this RFC sufficent?
+- Does this require the creation of our own Paketo Spec or some other API style document or is this RFC sufficient?
From c5fa1277d1b0e3a34eee79e5b24639f7f89d72fa Mon Sep 17 00:00:00 2001
From: Forest Eckhardt
Date: Wed, 4 Oct 2023 15:02:08 +0000
Subject: [PATCH 3/6] Adds some fields and moves some to being optional
---
 ...000-standard-dependency-metadata-format.md | 37 ++++++++++++++-----
 1 file changed, 28 insertions(+), 9 deletions(-)
diff --git a/text/0000-standard-dependency-metadata-format.md b/text/0000-standard-dependency-metadata-format.md
index 345669ec..bc10db3d 100644
--- a/text/0000-standard-dependency-metadata-format.md
+++ b/text/0000-standard-dependency-metadata-format.md
@@ -2,13 +2,21 @@
 ## Summary
-This proposal suggests that the Paketo project should converge on a single dependency metadata format.
+This proposal suggests that the Paketo project should converge on a single
+dependency metadata format.
 ## Motivation
-There are several projects, such as the introduction of ARM or the removal of stacks, that are being discussed that would force Paketo to update the metadata for dependencies. It seems prudent that if we are going to have to do a large update to dependency metadata that it might also be a good time for us to converge as a project on the dependency metadata format that we should be using going forward.
+There are several projects, such as the introduction of ARM or the removal of
+stacks, that are being discussed that would force Paketo to update the metadata
+for dependencies. It seems prudent that if we are going to have to do a large
+update to dependency metadata that it might also be a good time for us to
+converge as a project on the dependency metadata format that we should be using
+going forward.
-This could also be a good first step in converging on shared tooling. By having a shared dependency metadata format we would have a good common convergence point to begin building universal tooling for the Paketo project.
+This could also be a good first step in converging on shared tooling. By having
+a shared dependency metadata format we would have a good common convergence
+point to begin building universal tooling for the Paketo project.
 ## Implementation
@@ -16,16 +24,19 @@ The following is the proposed metadata format:
 ```toml
 [[metadata.dependencies]]
-arch = ""
 checksum = ""
 id = ""
-os = ""
 uri = ""
 version = "dependency version"
+arch = "" #optional
 cpes = [ "" ] #optional
+eol-date = "" #optional
 name = "" #optional
+os = "" #optional
 purl = "" #optional
+source = "" #optional
+source-checksum = "" #optional
 strip-components = #optional
 [[metadata.dependencies.distros]] #optional
@@ -37,12 +48,20 @@ strip-components = #opt
 uri = "" #optional
 ```
-**Note:** Both the `distros` and `licenses` fields are optional, however if they are given then the non-optional components of them must be set.
+**Note:** Both the `distros` and `licenses` fields are optional, however if
+they are given then the non-optional components of them must be set.
+
+**Note:** If `os` or `arch` are not given it should be assumed that the
+dependency is OS or Architecture agnostic and is compatible to run on any given
+OS or Architecture.
 ## Prior Art
 - The layout of distributions is pulled from the [Buildpacks Spec](https://github.com/buildpacks/spec/blob/main/buildpack.md#buildpacktoml-toml).
 ## Unresolved Questions / Bikeshedding
-- Should we make a new tooling repository as part of this initial RFC or should that wait for implementation?
-- Should this include a buffer for stacks or should the stack removal be the forcing function that forces this conversion?
-- Does this require the creation of our own Paketo Spec or some other API style document or is this RFC sufficient?
+- Should we make a new tooling repository as part of this initial RFC or should
+ that wait for implementation?
+- Should this include a buffer for stacks or should the stack removal be the
+ forcing function that forces this conversion?
+- Does this require the creation of our own Paketo Spec or some other API style
+ document or is this RFC sufficient?
From 09ff944c8f97df91eef0aca43d5b431e436ef8d7 Mon Sep 17 00:00:00 2001
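Review bot: `source` and `source-checksum` are added as independently optional keys in the first hunk of PATCH 3/6 (`@@ -16,16 +24,19 @@`), so a conforming entry can name a source archive with no digest to verify it against. The RFC already has a rule of this shape for `distros` and `licenses`; a parallel note would close the gap: `**Note:** If source is given then source-checksum must also be set.` The example values are empty in this view, so it is not visible whether the digest algorithm for `checksum` and `source-checksum` is specified; if it is not, stating it would let shared tooling verify every download the same way. The TOML example continues past the end of this hunk.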
From: Forest Eckhardt
Date: Wed, 18 Oct 2023 15:37:22 -0400
Subject: [PATCH 4/6] Make purls field accept multiple purls
---
 text/0000-standard-dependency-metadata-format.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/text/0000-standard-dependency-metadata-format.md b/text/0000-standard-dependency-metadata-format.md
index bc10db3d..203f9ccc 100644
--- a/text/0000-standard-dependency-metadata-format.md
+++ b/text/0000-standard-dependency-metadata-format.md
@@ -34,7 +34,7 @@ cpes = [ "" ] #optional
 eol-date = "" #optional
 name = "" #optional
 os = "" #optional
-purl = "" #optional
+purls = [ "" ] #optional
 source = "" #optional
 source-checksum = "" #optional
 strip-components = #optional
From ce674de8f9582b11125b8e23ce184470483a8406 Mon Sep 17 00:00:00 2001
From: Forest Eckhardt
Date: Wed, 13 Dec 2023 14:20:04 -0500
Subject: [PATCH 5/6] Remove unresolved question section
---
 text/0000-standard-dependency-metadata-format.md | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/text/0000-standard-dependency-metadata-format.md b/text/0000-standard-dependency-metadata-format.md
index 203f9ccc..9bedab1f 100644
--- a/text/0000-standard-dependency-metadata-format.md
+++ b/text/0000-standard-dependency-metadata-format.md
@@ -57,11 +57,3 @@ OS or Architecture.
 ## Prior Art
 - The layout of distributions is pulled from the [Buildpacks Spec](https://github.com/buildpacks/spec/blob/main/buildpack.md#buildpacktoml-toml).
-
-## Unresolved Questions / Bikeshedding
-- Should we make a new tooling repository as part of this initial RFC or should
- that wait for implementation?
-- Should this include a buffer for stacks or should the stack removal be the
- forcing function that forces this conversion?
-- Does this require the creation of our own Paketo Spec or some other API style
- document or is this RFC sufficient?
From 522c8eeb8f79425c66f2260643f294af3eb84122 Mon Sep 17 00:00:00 2001
From: Forest Eckhardt
Date: Wed, 17 Jan 2024 11:27:08 -0500
Subject: [PATCH 6/6] Rename 0000-standard-dependency-metadata-format.md to 0059-standard-dependency-metadata-format.md
---
 ...data-format.md => 0059-standard-dependency-metadata-format.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename text/{0000-standard-dependency-metadata-format.md => 0059-standard-dependency-metadata-format.md} (100%)
diff --git a/text/0000-standard-dependency-metadata-format.md b/text/0059-standard-dependency-metadata-format.md
similarity index 100%
rename from text/0000-standard-dependency-metadata-format.md
rename to text/0059-standard-dependency-metadata-format.md