Go suggestions for PURL-TYPES.rst #196
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -258,15 +258,13 @@ golang | |||||
|
|
||||||
| - There is no default package repository: this is implied in the namespace | ||||||
| using the ``go get`` command conventions. | ||||||
| - The ``subpath`` is used to point to a package inside a module. | ||||||
| - The ``version`` for modules should be semver with a v prefix, or a pseudo-version that points to an untagged commit. | ||||||
|
There was a problem hiding this comment.
Suggested change
There was a problem hiding this comment.
There was a problem hiding this comment. @matt-phylum
And then running it through the regexp provided here: const regexSemverNumberedGroups =
/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/Results in... regexSemverNumberedGroups.exec('0.0.0-20170915032832-14c0d48ead0c')
// =>['0.0.0-20170915032832-14c0d48ead0c', '0', '0', '0', '20170915032832-14c0d48ead0c', undefined, index: 0, input: '0.0.0-20170915032832-14c0d48ead0c', groups: undefined]a valid parse. Semver can have a trailing
There are handy utils for parsing, coercing, and comparing those too: There was a problem hiding this comment. Edit: this is wrong and you can skip reading it. It looks like semver, but it's not semver. Even if it can be parsed using a semver parser, it has none of the semantics of semantic versioning. Pseudo-versions and regular versions can never be compared without access to the repository history. If a repository has a v1.0.0, there is almost certainly a v0.0.0-* pseudo-version which is logically greater than the v1.0.0. Pseudo-versions can be compared with other pseudo-versions based on date, but dates do not have the same semantics as version numbers because they don't capture branching information. If there's a problem affecting v1.0.0..v1.0.1 and v2.0.0..v2.0.1, that problem is also affecting the pseudo-versions for those commits and any unreleased commits within those version ranges, and date ordering fails for commits that are made on branches parallel to the fix, or for commits that are made on the v1 series after the v2 series has been fixed but before the v1 series has been fixed. If you sorted the pseudo-versions and visualized whether they are affected or not, the result would be more like a noisy gradient than the sharp edge normally implied by those version ranges. It's an inherent problem with the tooling trying to create versions for arbitrary commits, not a lack of library support. There was a problem hiding this comment. Here are some docs on pseudo-versions: https://go.dev/ref/mod#pseudo-versions We could link those from the docs to clarify what the language is referring to There was a problem hiding this comment. I was wrong about this. Until today, I had only ever seen pseudo-versions that started with v0.0.0. Even in the documentation about pseudo-versions, every example given starts with v0.0.0. However, there are actually pseudo-versions that start with other prefixes--they are just much less common in the data that I normally deal with. You can treat it as regular semver. Example of a non-v0.0.0 pseudo-version: 1.8.2-0.20240728161807-756ba6dad614 follows after v1.8.1. There is not yet a tagged 1.8.2 release. This follows the usual semver behavior of being a prerelease greater than the previous release and less than the next release. It's still not really semver because in this example you can't infer whether one 1.8.2 pseudo-version comes before or after another in commit order, but that's a much more minor difference. In most cases it doesn't matter and it's probably not worth calling attention to beyond just linking to the pseudo-version documentation or just mentioning that it may be a pseudo-version. There was a problem hiding this comment. @matt-phylum Cool! I think I covered that on the JS implementation here. There was a problem hiding this comment. This has been codified in There was a problem hiding this comment.
I think this is implicit based on
Since Go supports multiple VCS systems, how about something like this? |
||||||
| - Examples:: | ||||||
|
|
||||||
| pkg:golang/github.com/gorilla/context@v1.1.1 | ||||||
| pkg:golang/google.golang.org/genproto#googleapis/api/annotations | ||||||
|
There was a problem hiding this comment. ☝️ This still leaves an empty version example without while removing the mention from the There was a problem hiding this comment. mentioned this above, but |
||||||
|
There was a problem hiding this comment. Please keep one of the github sha-1 hash examples in There was a problem hiding this comment. At least for modern Go tools, it should be a pseudo-version, not a bare commit ID like it is now: https://go.dev/doc/modules/version-numbers#in-development |
||||||
| pkg:golang/golang.org/x/[email protected]#collate | ||||||
|
|
||||||
| hackage | ||||||
| ------- | ||||||
|
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where did this definition of namespace/name go?
see #308
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jkowalleck your Issue adds more nuance to this problem, so I left a link in there to an argument against namespaces for Go : #63 (comment)
to expedite this PR, I'll just revert that removal for now.