Do pkg and vers URIs need a third scheme? The case for "lib" URIs

[sjn]

Hei!

Do we need third URI schema?

First some context.

As of today, we have two URI schemas: pkg and vers. The first is used to refer to distributed artifacts (e.g. zip archives or similar), and the second is used to specify version constraints to be used to specify dependency requirements.

This works less than ideal in quite a few situations. In the case of CPAN, the category mismatch becomes apparent when looking using package urls to both refer to package artifacts, and to library dependencies (and their associated version constraints).

I'll operate with the following definitions:

• Requirement: A capability (e.g. in the form of a library or module) with associated version constraints, that is needed by some other software. These capabilities are usually provided for the software through several steps: resolution, — the downloading of a package —, unpacking, building, testing, installation and more. — A requirement needs a capability to be provided
• Dependency: The results of resolving a requirement for some capability necessary to execute some other software. Dependencies come usually in the form of a package, that is downloaded, built and installed. The package provides a capability that is stated in some other software's requirements. — A dependency provides a capability.

	Requirement	Dependency
pURLs	pkg + vers	pkg
Reality	lib + vers	pkg

On CPAN we do not specify requirements for packages. Instead we specify requirements for something that provides a capability that happens to be distributed within a package.

When using pURLs to specify a Requirement that needs to be resolved and installed; or to report the resolution and subsequently what package ended up being installed, Package URLs are conflating two distinct concepts: the capability (e.g. library) and the distribution artifact (e.g. package).

Since we're forced to have pURL do double-duty, we're end up with situations like we have with the CPAN package URLs:

• pkg:cpan/Module::Name – for stating which capabilities are Required, and together with vers URIs, their version constraints
• pkg:cpan/AUTHOR/[email protected] – for reporting what Dependency was used to Provide above capability.

The first may or may not have an associated vers URI. The second must not have and associated vers URI, as this does not make sense – a package already has a specific version associated with it.

If we have a lib schema to go along with the vers, we remove a source of confusion, and make it abundantly clear that pkg URIs are for packages only, and lib are used only for the situations where one needs to refer to a capability that a pkg provides (and not is).

(And yes, for those interested in Philosophy – the pURL spec may very well have an is–ought problem. Hooray for Hume! 🤣)

[pombredanne]

Thanks for the detailed report!

[sjn]

One point of interest;

Apparently neither pkg, vers nor lib have been registered as URI schemes at IANA at the moment.