App Stores

[tonylturner]

Are there plans to support App Stores such as Microsoft or Apple as PURL types?

One of the things I've been exploring is the work by https://github.com/ossf/wg-securing-software-repos and doing some independent evaluation of software delivery channels and it would be great to use PURL to normalize comparative references including app stores.

[stevespringett]

No reason why we can't. We would need the specific details necessary to specify a purl type, which today we do not have those details.

[tonylturner]

Thanks Steve, I'll work on pulling some details together.

[tonylturner]

Example PURL for Apple App Store

pkg:appstore-apple/<namespace>/<name>@<version>
pkg:appstore-apple/apple/[email protected]
pkg:appstore-apple/[email protected]?os=macos&arch=x86_64

• appstore-apple: The type indicating it's Apple app store
• apple: An optional namespace, if not provided the assumption is this is Apple software, otherwise the software publisher would ideally be listed.
• name: The unique identifier for the app (e.g., com.example.myapp)
• version: The version of the application (optional)
• os=ios, ipados, macos, tvos, watchos (optional)
• arch=arm64, x86_64, universal (optional)

Note: There is not a single "Apple App Store" so it may warrant separate PURL types.

• appstore-apple-ios
• appstore-apple-ipados
• appstore-apple-macos
• appstore-apple-tvos
• appstore-apple-watchos

[tonylturner]

Additionally, if we want to support many appstores, my thought was to name the type with appstore- as a prefix to logically group appstores. It's not required from my standpoint, but just made sense to me.

[bureado]

Related: #255 (comment)

[pombredanne]

@tonylturner This makes all sense. I am not sure we need the appstore prefix though, but this is minor and to refine in a PR review. Ideally I would like to find the most obvious type that could be inferred from scanning actual code