Slot: ecosystem

The package ecosystem (e.g., "PyPA", "npm", "OCI", "cargo") governing distribution conventions for this package.

URI: slsa:ecosystem
Alias: ecosystem

Applicable Classes

Name    | Description                                                  | Modifies Slot
Package | An identifiable unit of software intended for distribution  | no

Properties

Type and Range

Property  | Value
Range     | String
Domain Of | Package

Cardinality and Requirements

Property | Value

In Subsets

  • slsa_build_track
  • slsa_dependency_track

Notes

  • Ecosystem naming inconsistency can undermine attestation accuracy (Tamanna et al., 2024, UR.1): For example, "npm install P" produces package name A while "npm download P && npm install P.tar.gz" produces name B from the same source, causing metadata and provenance mismatches that persist even with lock files. Policy engines must account for these cross-registry naming discrepancies when verifying provenance.

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/slsa

Mappings

Mapping Type | Mapped Value
self         | slsa:ecosystem
native       | slsa:ecosystem

LinkML Source

name: ecosystem
description: The package ecosystem (e.g., "PyPA", "npm", "OCI", "cargo") governing
  distribution conventions for this package.
notes:
- 'Ecosystem naming inconsistency can undermine attestation accuracy (Tamanna et al.,
  2024, UR.1): For example, "npm install P" produces package name A while "npm download
  P && npm install P.tar.gz" produces name B from the same source, causing metadata
  and provenance mismatches that persist even with lock files. Policy engines must
  account for these cross-registry naming discrepancies when verifying provenance.'
in_subset:
- slsa_build_track
- slsa_dependency_track
from_schema: https://w3id.org/lmodel/slsa
rank: 1000
alias: ecosystem
domain_of:
- Package
range: string