[swift] Naming problem

[prabhu]

As per the spec, repository name must be used as the name.

The name is the repository name.

Take lottie-ios. As per its Package.swift, the package name is Lottie.

The spec is forcing us to use an incorrect name. It's breaking repositories that are monorepos and multi-modules, hosting multiple swift packages :(

[prabhu]

More examples:

1. Correct name: AirbnbSwift. purl name: swift
   https://github.com/airbnb/swift/blob/master/Package.swift#L5

2. Multi-module swift example:

This repo must get 3 separate purls based on the Package.swift entries. Instead the spec forces a single purl.

https://github.com/elmetal/multi-module-testing-swift/blob/fe9d96e7a04ed390101e7b92cebc26cfe15f1141/Package.swift#L7
https://github.com/elmetal/multi-module-testing-swift/blob/main/Sources/MyLib/Package.swift#L7
https://github.com/elmetal/multi-module-testing-swift/blob/main/Sources/MyLib2/Package.swift#L7

[matt-phylum]

How would you find the code if the name wasn't the name of the repository? Monorepos sounds like a job for subpaths.

[prabhu]

Purl spec need not worry about linking the purl string to a source repo or distribution url. We have SBOM specifications, like externalReferences in CycloneDX for that purpose.

Use of subpath is not correct, since the purl must be based on name and version and must not worry about where the package source code was present in the VCS. For example, in java pom.xml or build.gradle files could be anywhere in the vcs, but the generated purl doesn't change based on the vcs structure.

[matt-phylum]

If there's no link between the PURL and the source repo or distribution URL, what is the point of the PURL? What package does it represent? There's no way to know whether your "Lottie" and my "Lottie" are the same.

Java does not use VCS URLs. Packages are published to a registry, and the pom.xml or build.gradle files are always at a well known location which can be trivially determined based on the PURL.