Fedora 45 Considering Use Of PURL Metadata For Uniquely Identifying Software Packages
- Reference: 0001636557
- News link: https://www.phoronix.com/news/Fedora-45-Considering-PURL
The PURL specification aims to serve as a "mostly universal" URL to help in identifying and tracking software packages across diverse ecosystems and tooling. It intends to be a simple, consistent, and flexible approach for identifying software packages via a standardized URL-based syntax:
PURL can work across different package management solutions / protocols such as npm, NuGet, Gem, Docker Hub, PyPI, and more. It can optionally specify a particular version of the package as well as further details.
PURL is seeing adoption across different open-source projects, from SPDX SBOM formats to other tooling and software vulnerability databases. The hope is that Fedora beginning to generate PURL metadata will help it map upstream projects to packages.
"This Change aims at making it easier and more reliable to identify which packages contain code from what projects. This allows for more reliable identification of packages affected by security vulnerabilities. Additionally, this metadata might be interesting for generating SBOMs for content included in (container) images."
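As an added illustration (not code from the article, the PURL project or the Fedora change), here is a minimal Python parser for the purl syntax described above, plus the kind of package-to-advisory match the Change text has in mind: an advisory's purl is compared against purls taken from an SBOM. The SBOM list is constructed sample data, and the matching rule (ignore arch/distro qualifiers, compare the version only when the advisory pins one) is an assumption of this example, not something the spec or Fedora prescribes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote

@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

def _rsplit(s: str, sep: str):
    head, found, tail = s.rpartition(sep)  # (s, "") when sep is absent
    return (head, tail) if found else (s, "")

def parse_purl(s: str) -> Purl:
    """Decompose pkg:type/namespace/name@version?qualifiers#subpath, peeling parts
    off from the right so a percent-encoded '@' (e.g. %40angular) is not a separator."""
    if not s.startswith("pkg:"):
        raise ValueError("not a purl: missing 'pkg:' scheme")
    rest, subpath = _rsplit(s[4:].lstrip("/"), "#")
    rest, qual = _rsplit(rest, "?")
    path, version = _rsplit(rest, "@")
    segs = [p for p in path.split("/") if p]
    if len(segs) < 2:
        raise ValueError("purl needs at least a type and a name")
    quals = {k.lower(): unquote(v) for k, _, v in
             (kv.partition("=") for kv in qual.split("&") if kv)}
    return Purl(type=segs[0].lower(), name=unquote(segs[-1]),
                namespace="/".join(unquote(p) for p in segs[1:-1]) or None,
                version=unquote(version) or None, qualifiers=quals,
                subpath=unquote(subpath) or None)

def matches(pkg: Purl, affected: Purl) -> bool:
    """Assumed rule: same type/namespace/name, version only if the advisory pins one;
    qualifiers such as arch or distro are ignored so one entry covers every build."""
    same = (pkg.type, pkg.namespace, pkg.name) == (affected.type, affected.namespace, affected.name)
    return same and (affected.version is None or pkg.version == affected.version)

def affected_entries(sbom: List[str], advisory_purl: str) -> List[str]:
    """Return the SBOM purls that an advisory's purl applies to."""
    adv = parse_purl(advisory_purl)
    return [p for p in sbom if matches(parse_purl(p), adv)]

# Constructed sample SBOM entries (the rpm one is the spec's own Fedora example).
SBOM = ["pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25",
        "pkg:pypi/django@1.11.1", "pkg:npm/%40angular/animation@12.3.1"]
```

Type-specific normalisation rules from the spec (for instance, case folding of PyPI names) are not applied here; a production matcher would add them per package type.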
The change proposal for beginning to generate PURL metadata with Fedora 45 is currently under discussion via [1]this thread and still needs to go through a vote by the Fedora Engineering Steering Committee (FESCo).
Those wishing to learn more about the Package-URL "PURL" specification itself can find it on [2]GitHub.
[1] https://discussion.fedoraproject.org/t/f45-change-proposal-adopt-purl-metadata-system-wide/192435
[2] https://github.com/package-url/purl-spec