csaf.sbom vs csaf-sbom #92

Open
tschmidtb51 opened this issue Oct 31, 2024 · 9 comments

@tschmidtb51

I saw that the packages mention io.github.csaf.sbom.*. However, if I remember correctly, we only own the namespace io.github.csaf-sbom.* as https://github.com/csaf was already taken.

What am I missing?

@oxisto
Contributor

oxisto commented Oct 31, 2024

The Java package name is pretty much independent from the maven namespace. The issue is that io.github.csaf-sbom is an irregular Java package name, as there are no dashes. The only valid package name would be io.github.csafSbom, which in my opinion looks extremely weird.

We would however be free to just use io.csaf.sbom as a Java package name and use io.github.csaf-sbom purely as the maven namespace. It's not that uncommon that they do not match 100 %.

@milux
Collaborator

milux commented Nov 7, 2024

Agreed. And it's very uncommon to have uppercase in package names, so csafSbom doesn't look like an ideal solution.
Underscores are allowed; however, they are discouraged by most linters, and in my opinion io.github.csaf_sbom looks by no means better than just replacing the dash with a dot. That's also what most libs do.
The only thing I would deem an "acceptable solution" would be to write it io.github.csafsbom.

@oxisto
Contributor

oxisto commented Nov 12, 2024

@tschmidtb51 Can we close this? Should we think about io.csaf.sbom as package name?

@tschmidtb51
Author

> The only thing I would deem an "acceptable solution" would be to write it io.github.csafsbom.

I guess we can't use that as it is not under our control (as it belongs to github.com/csafsbom).

> Should we think about io.csaf.sbom as package name?

What would be needed to make that happen?

@oxisto
Contributor

oxisto commented Nov 14, 2024

> > The only thing I would deem an "acceptable solution" would be to write it io.github.csafsbom.
>
> I guess we can't use that as it is not under our control (as it belongs to github.com/csafsbom).
>
> > Should we think about io.csaf.sbom as package name?
>
> What would be needed to make that happen?

We just need to rename the packages, nothing more.

@tschmidtb51
Author

In this case, please go ahead. Also make sure that it uses the corresponding namespace in Maven Central.

Flagging @santosomar for attention

@milux
Collaborator

milux commented Nov 15, 2024

> > The only thing I would deem an "acceptable solution" would be to write it io.github.csafsbom.
>
> I guess we can't use that as it is not under our control (as it belongs to github.com/csafsbom).

Package names do not have to match the Maven Namespace. These are two different things with different naming rules and conventions. It is perfectly common to have subtle differences between them.
Judging from the previous posts we should maybe keep things as they are unless there is a solid reason for once again messing with the file paths in the repo? (As these are indeed directly related to the Java package names...)

@oxisto
Contributor

oxisto commented Nov 15, 2024

Just to add, the only thing that has to match is the location of the GitHub repo (https://github.com/csaf-sbom) and the maven namespace (io.github.csaf-sbom or com.github.csaf-sbom).

@tschmidtb51
Author

Sorry - now, I'm completely lost. Let's discuss it in our next meeting.
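
The distinction the comments above keep circling, as an added example that is not part of the thread or the project's code: each candidate name is checked once as a Java package name (syntax only) and once as a Maven namespace (the GitHub organisation it would have to match, per the io.github./com.github. rule stated in the thread). The class and method names are hypothetical.

```java
import javax.lang.model.SourceVersion;
import java.util.List;
import java.util.Optional;

public class NamespaceCheck {
    // GitHub organisation the project controls, per the thread (https://github.com/csaf-sbom).
    static final String OWNED_ORG = "csaf-sbom";

    /** A Java package name only has to be a syntactically valid qualified name. */
    static boolean isValidPackage(String name) {
        return SourceVersion.isName(name);
    }

    /** Thread's rule: an io.github.<org> or com.github.<org> namespace must match the GitHub org. */
    static Optional<String> impliedGitHubOrg(String namespace) {
        for (String prefix : List.of("io.github.", "com.github.")) {
            if (namespace.startsWith(prefix)) {
                String rest = namespace.substring(prefix.length());
                int dot = rest.indexOf('.');
                // Only the first segment after the prefix names the organisation.
                return Optional.of(dot < 0 ? rest : rest.substring(0, dot));
            }
        }
        return Optional.empty();
    }

    static String describe(String candidate) {
        String asNamespace = impliedGitHubOrg(candidate)
                .map(o -> o.equalsIgnoreCase(OWNED_ORG)
                        ? "GitHub org '" + o + "' (controlled)"
                        : "GitHub org '" + o + "' (not controlled)")
                .orElse("no GitHub org implied");
        return String.format("%-22s valid package: %-5b as namespace: %s",
                candidate, isValidPackage(candidate), asNamespace);
    }

    public static void main(String[] args) {
        // Candidates taken from the comments above.
        List<String> candidates = List.of(
                "io.github.csaf-sbom", "io.github.csafSbom", "io.github.csaf_sbom",
                "io.github.csafsbom", "io.github.csaf.sbom", "io.csaf.sbom");
        candidates.forEach(c -> System.out.println(describe(c)));
    }
}
```

The only candidate that maps to the controlled organisation is also the only one that is not a legal package name, which is why the two names cannot be identical here.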
