What is the additional metadata?

[mbauman]

Here are the concrete use-cases for having this project aggregate and re-distribute additional bits of data:

• Dependabot needs package versions and their registration dates: Add support for the Julia language dependabot/dependabot-core#12316
• osv-lint needs a simple endpoint for checking package existence and version numbers
• Julia Purls require UUIDs; a simple endpoint to get them is quite useful
  • As one specific example, osv.dev's purl_helpers.py needs to be able to easily grab these UUIDs (this is not required)
• Tagbot needs to have the tagged commit; the registry only stores the tree sha
• SecurityAdvisories.jl needs to know what upstream components Julia packages redistribute
• License checkers want to know the licenses of the packages themselves
  • It'd be really nice if we could gather enough information to directly construct spdx files, e.g., [contrib] Add versions to SDPX file. JuliaLang/julia#59777
• We also want to track the licenses of upstream components

[mbauman]

Note that we considered having General itself store some of this, but General is quite constrained on both repo size and GitHub Actions time. The registration dates toml alone is ~10MB // ~1.5MB compressed — this would reflect an increase of ~10-15% in the compressed size of the General repository.

[mbauman]

I really don't want to unnecessarily duplicate data that's already stored in General itself. It may be helpful to provide direct URLs to the particular package's toml files in General (without requiring jumping your way through the 1MB Registry.toml file).

[SamuraiAku]

FYI, PkgToSoftwateBOM.jl does generate SPDX files on the fly for your environment. This includes download info, license scanning, artifact lists and dependency graphs.

[SamuraiAku]

I think what you're more or less looking for is to automatically generate a software BOM for each version of each package in the general registry whenever a new version is released to the General Registry. Would that be a fair assessment?