[Buildroot] [PATCH 1/7] package/pkg-generic.mk: add PURL package variable

Thomas Perale thomas.perale at mind.be
Tue Apr 15 19:55:34 UTC 2025


PURL stands for 'package URL', it's a specification that standardize
how packages are identified and located.

PURL is used to reference the same package across different package
manager, tracking tools, API and databases.

A purl is a URL composed of seven components:

  scheme:type/namespace/name@version?qualifiers#subpath

  - scheme: always 'pkg' (required)
  - type: package manager used to install the package, download origin,
      type of package (required)
  - namespace: name prefix, type specific additional information, it can be
      the package author or scope (optional)
  - name: package name (required)
  - version: package version (optional)
  - qualifiers: extra information, could be OS or architecture (optional)
  - subpath: extra subpath relative to package root (optional)

A PURL for the purl-spec repository looks like this:

  pkg:github/package-url/purl-spec@346589846130317464b677bc4eab30bf5040183a

It contains information like the provenance (github), organization
(package-url), name (purl-spec) and version (34658984...).

This patch only introduces a subset of components but can be extended in
the future.

Similarly to the CPE variables, this patch introduces a set of PURL variable:
  - <pkg>_PURL_VALID: Whether the PURL generated for the given <pkg> is
    valid. If set to 'yes' the `<pkg>_PURL` will be defined.
    Similarly to the `<pkg>_CPE_ID_VALID` variable, this will be
    set to 'yes' if one of the following variable is defined.
  - <pkg>_PURL_TYPE: The package type or origin (default to 'generic').
  - <pkg>_PURL_NAMESPACE: The package namespace (optional).
  - <pkg>_PURL_NAME: The package name (default to `<pkg>_RAWNAME`).

If one of those variables is defined the `<pkg>_PURL` variable will be
generated as follows:

  <pkg>_PURL = pkg:$$(<pkg>_PURL_NAMESPACE)/$$(<pkg>_PURL_TYPE)/$$(<pkg>_PURL_NAME)@$$(<pkg>_VERSION)

For more information, see https://github.com/package-url/purl-spec

Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
 package/pkg-generic.mk | 53 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index f22b6e981a..1e68f48f7c 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -745,6 +745,59 @@ ifeq ($$($(2)_CPE_ID_VALID),YES)
  $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_PRODUCT):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_UPDATE):*:*:*:*:*:*
 endif # ifeq ($$($(2)_CPE_ID_VALID),YES)
 
+# If any of the <pkg>_PURL_* variables are set, we assume the PURL
+# information is valid for this package.
+ifneq ($$($(2)_PURL_TYPE)$$($(2)_PURL_NAME)$$($(2)_PURL_NAMESPACE),)
+$(2)_PURL_VALID = YES
+endif
+
+# When we're a host package, make sure to use the variables of the
+# corresponding target package, if any.
+ifneq ($$($(3)_PURL_TYPE)$$($(3)_PURL_NAME)$$($(3)_PURL_NAMESPACE),)
+$(2)_PURL_VALID = YES
+endif
+
+# If the PURL is valid for the target package so it is for the host
+# package
+ifndef $(2)_PURL_VALID
+ ifdef $(3)_PURL_VALID
+   $(2)_PURL_VALID = $$($(3)_PURL_VALID)
+ endif
+endif
+
+ifeq ($$($(2)_PURL_VALID),YES)
+  # The package PURL type or provider.
+  # ex. pypi, npm, gem, ...
+  ifndef $(2)_PURL_TYPE
+   ifdef $(3)_PURL_TYPE
+    $(2)_PURL_TYPE = $$($(3)_PURL_TYPE)
+   else
+    $(2)_PURL_TYPE = generic
+   endif
+  endif
+
+  # The package PURL optional namespace
+  ifndef $(2)_PURL_NAMESPACE
+   ifdef $(3)_PURL_NAMESPACE
+    $(2)_PURL_NAMESPACE = $$($(3)_PURL_NAMESPACE)
+   endif
+  endif
+
+  # The package PURL name
+  # default to $(2)_RAWNAME
+  ifndef $(2)_PURL_NAME
+   ifdef $(3)_PURL_NAME
+    $(2)_PURL_NAME = $$($(3)_PURL_NAME)
+   else
+    $(2)_PURL_NAME = $$($(2)_RAWNAME)
+   endif
+  endif
+
+  # A PURL is created based on the $(2)_PURL_* variable values.
+  # see https://github.com/package-url/purl-spec
+  $(2)_PURL = pkg:$$($(2)_PURL_TYPE)/$$(if $$($(2)_PURL_NAMESPACE),$$($(2)_PURL_NAMESPACE)/)$$($(2)_PURL_NAME)$$(if $$($(2)_VERSION),@$$($(2)_VERSION))
+endif # ifeq ($$($(2)_PURL_VALID),YES)
+
 # When a target package is a toolchain dependency set this variable to
 # 'NO' so the 'toolchain' dependency is not added to prevent a circular
 # dependency.
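Review bot: The final `$(2)_PURL` assignment takes the version straight from `$(2)_VERSION`, while the CPE line just above the hunk goes through an overridable `$(2)_CPE_ID_VERSION`; a package whose Buildroot version string differs from the upstream one then has no way to correct its PURL, and an SBOM or vulnerability-matching tool keyed on the PURL would presumably miss or mismatch it. A `$(2)_PURL_VERSION` defaulting to `$(2)_VERSION`, resolved the same way as `_PURL_NAME`, would close that gap. Separately, the commit message's template lists namespace before type, whereas the assignment emits type first (the order given in the description's component list), and the message says 'yes' where the code tests `YES`. The enclosing package macro starts and ends outside the hunk.

```make
  # The package PURL version
  # default to $(2)_VERSION
  ifndef $(2)_PURL_VERSION
   ifdef $(3)_PURL_VERSION
    $(2)_PURL_VERSION = $$($(3)_PURL_VERSION)
   else
    $(2)_PURL_VERSION = $$($(2)_VERSION)
   endif
  endif

  # … unchanged: PURL_TYPE, PURL_NAMESPACE and PURL_NAME defaults …
  $(2)_PURL = pkg:$$($(2)_PURL_TYPE)/$$(if $$($(2)_PURL_NAMESPACE),$$($(2)_PURL_NAMESPACE)/)$$($(2)_PURL_NAME)$$(if $$($(2)_PURL_VERSION),@$$($(2)_PURL_VERSION))
```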
-- 
2.49.0


