Determine package publish schema

[jordan-wright]

Note: this is specifically for the package manager ingestion part of the system.

Right now, when we pull packages from package managers, we eventually serialize them into ossmalware/pkg/library.Package instances. This creates a dependency on my package here which really isn't needed since we're not using the rest of the analysis portions of that repo.

Instead, I'd like to brainstorm what fields we'd want to include in a package entry moving forward. For example, if this system were to send details upstream to researchers or maybe a system like Rekor, what fields would we want to include?

Things like:

• Name
• Package manager
• Author
• Link to package
• Version
• Created Date
• Hash(es)
• Download Count

These are just some examples. Curious to get y'all's thoughts.

[dlorenc]

Good call!

cc @lukehinds for the Rekor side.

[dlorenc]

Another thing to consider might be the purl spec: https://github.com/package-url/purl-spec

[lukehinds]

If signing is present it would be good to capture the signature and the pub key used (with the assumption they signed the listed digest with the aforementioned).

[dlorenc]

Great point @lukehinds !

Looks like Ruby supports signing here: https://guides.rubygems.org/security/

My understanding is that PyPI might support signing, but I can't find any evidence NPM does.

[georgevanburgh]

Is this resolved by #81, or is there more to do here? There's several things that would be cool to add to the spec, should those be tracked here or in separate issues?

[tom--pollard]

I think with #81 merged we should be able to carry on working on the schema in a versioned way, as such separate issues per topic seems appropriate