Items tagged with: PURL


I chatted with Philippe Ombredanne about Package URLs, or PURLs. He created them, so he knows a thing or two.

We do complain about CPE quite a bit :)

But it's a really hard problem. It feels like a package identifier should be easy, but it's way harder than you think it is. There's nobody better than Philippe to drop some knowledge.

opensourcesecurity.io/2025/202…

#PURL
#CVE
#SBOM


Re: «deficiencies of "package URLs" (#purl) and how they still don't actually work to identify all and every project»

PackageURLs aren't really suitable for identifying _projects_ (a hard task when taking into account how names change depending on context, history and more).

They _are_ suitable for identifying _packages_ – and if you're not in the business of producing, distributing, curating, consuming, verifying or referring to packages, then yes, purls will be of limited use! 😃

#purl