RFC: Standardize Paketo Dependency Metadata Format #297

Merged
merged 6 commits into from
Jan 17, 2024
59 changes: 59 additions & 0 deletions text/0059-standard-dependency-metadata-format.md
@@ -0,0 +1,59 @@
# Standardized Paketo Dependency Metadata Format

## Summary

This proposal suggests that the Paketo project should converge on a single
dependency metadata format.

## Motivation

There are several projects, such as the introduction of ARM or the removal of
stacks, that are being discussed that would force Paketo to update the metadata
for dependencies. It seems prudent that if we are going to have to do a large
update to dependency metadata that it might also be a good time for us to
converge as a project on the dependency metadata format that we should be using
going forward.

This could also be a good first step in converging on shared tooling. By having
a shared dependency metadata format we would have a good common convergence
point to begin building universal tooling for the Paketo project.

## Implementation

The following is the proposed metadata format:

```toml
[[metadata.dependencies]]
checksum = "<dependency algo:checksum>"
id = "<dependency ID>"
uri = "<dependency URI>"
version = "dependency version"

arch = "<dependency compatible architecture>" #optional
cpes = [ "<dependency cpe>" ] #optional
eol-date = "<dependency eol>" #optional
name = "<dependency name>" #optional
os = "<dependency compatible OS>" #optional
purls = [ "<dependency purl>" ] #optional
source = "<dependency source URI>" #optional
source-checksum = "<dependency source algo:checksum>" #optional
strip-components = <number of directories to strip off dependency artifact> #optional

[[metadata.dependencies.distros]] #optional
name = "<compatible OS distribution name>"
version = "<compatible OS distribution version>" #optional

[[metadata.dependencies.licenses]] #optional
type = "<license of dependency>"
uri = "<URI for information of license>" #optional
```

**Note:** Both the `distros` and `licenses` fields are optional, however if
they are given then the non-optional components of them must be set.

**Note:** If `os` or `arch` are not given it should be assumed that the
dependency is OS or Architecture agnostic and is compatible to run on any given
OS or Architecture.

## Prior Art
- The layout of distributions is pulled from the [Buildpacks Spec](https://github.com/buildpacks/spec/blob/main/buildpack.md#buildpacktoml-toml).
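Review bot: The `version` placeholder in the required block reads `"dependency version"` without the angle brackets every other placeholder uses; make it `"<dependency version>"` so it is not mistaken for a literal value. Two things the format leaves unspecified that tooling will need pinned down: which algorithms are acceptable in the `algo:checksum` value of `checksum` and `source-checksum` (naming a required algorithm such as sha256 lets consumers reject weak or unknown ones instead of guessing), and the date format of `eol-date` (ISO 8601 would avoid ambiguity). Since `checksum` is mandatory, the Implementation text could also state plainly that consumers must verify it against the artifact fetched from `uri` before unpacking, and that when `source` is given `source-checksum` should be required alongside it rather than optional, so the source tarball gets the same verification as the binary.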