I chatted with Philippe Ombredanne about Package URLs, or PURLs. He created them, so he knows a thing or two.
We do complain about CPE quite a bit :)
But it's a really hard problem. It feels like a package identifier should be easy, but it's way harder than you think it is. There's nobody better than Philippe to drop some knowledge.
opensourcesecurity.io/2025/202…
Package URLs with Philippe Ombredanne
I’m joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages.
Josh Bressers (Open Source Security)
daniel:// stenberg://
in reply to Josh Bressers
Josh Bressers
in reply to daniel:// stenberg://
@bagder for sure. There are still plenty of gaps, but I do think it’s all solvable
And all the alternatives I’ve seen are much worse :)