# Class: Package

An identifiable unit of software intended for distribution. In the SLSA model, a package is always the output of a build process (which may be a no-op). The package name is the primary security boundary within a package ecosystem.

URI: slsa:Package
```mermaid
 classDiagram
    class Package
    click Package href "../Package/"
      Package : artifact

    Package --> "0..1" ResourceDescriptor : artifact
    click ResourceDescriptor href "../ResourceDescriptor/"

      Package : ecosystem
      Package : name
      Package : registry
```
## Slots

| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| name | 0..1 String | A local name for a resource within the context of an attestation, or the name of a package, producer, or party. | direct |
| ecosystem | 0..1 String | The package ecosystem (e.g., "PyPA", "npm", "OCI", "cargo") governing distribution conventions for this package. | direct |
| registry | 0..1 String | URI of the package registry where a package is published and from which consumers resolve the package name to an artifact. | direct |
| artifact | 0..1 ResourceDescriptor | A specific immutable package artifact or the artifact whose dependency inventory is recorded. | direct |
## In Subsets

- slsa_build_track
- slsa_dependency_track

## Identifier and Mapping Information

### Schema Source

- from schema: https://w3id.org/lmodel/slsa

## Mappings

| Mapping Type | Mapped Value |
|---|---|
| self | slsa:Package |
| native | slsa:Package |
## LinkML Source

### Direct

```yaml
name: Package
description: An identifiable unit of software intended for distribution. In the SLSA
  model, a package is always the output of a build process (which may be a no-op).
  The package name is the primary security boundary within a package ecosystem.
in_subset:
- slsa_build_track
- slsa_dependency_track
from_schema: https://w3id.org/lmodel/slsa
slots:
- name
- ecosystem
- registry
- artifact
```
### Induced

```yaml
name: Package
description: An identifiable unit of software intended for distribution. In the SLSA
  model, a package is always the output of a build process (which may be a no-op).
  The package name is the primary security boundary within a package ecosystem.
in_subset:
- slsa_build_track
- slsa_dependency_track
from_schema: https://w3id.org/lmodel/slsa
attributes:
  name:
    name: name
    description: A local name for a resource within the context of an attestation,
      or the name of a package, producer, or party.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_dependency_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: name
    owner: Package
    domain_of:
    - ResourceDescriptor
    - Producer
    - Package
    range: string
  ecosystem:
    name: ecosystem
    description: The package ecosystem (e.g., "PyPA", "npm", "OCI", "cargo") governing
      distribution conventions for this package.
    notes:
    - 'Ecosystem naming inconsistency can undermine attestation accuracy (Tamanna
      et al., 2024, UR.1): For example, "npm install P" produces package name A while
      "npm download P && npm install P.tar.gz" produces name B from the same source,
      causing metadata and provenance mismatches that persist even with lock files.
      Policy engines must account for these cross-registry naming discrepancies when
      verifying provenance.'
    in_subset:
    - slsa_build_track
    - slsa_dependency_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: ecosystem
    owner: Package
    domain_of:
    - Package
    range: string
  registry:
    name: registry
    description: URI of the package registry where a package is published and from
      which consumers resolve the package name to an artifact.
    in_subset:
    - slsa_build_track
    - slsa_dependency_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: registry
    owner: Package
    domain_of:
    - Package
    range: string
  artifact:
    name: artifact
    description: A specific immutable package artifact or the artifact whose dependency
      inventory is recorded.
    in_subset:
    - slsa_build_track
    - slsa_dependency_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: artifact
    owner: Package
    domain_of:
    - Package
    - DependencyInventory
    range: ResourceDescriptor
    inlined: true
```
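As an added example (not code from the lmodel/slsa schema or from the SLSA project), the Python below models the four slots of this class, treats the (ecosystem, registry, name) triple as the security boundary the description refers to, and shows the policy check the ecosystem note asks for: a package is accepted on the digest of its immutable artifact, not on its name, so the npm case where one source yields two names surfaces as an alias to review rather than as a silent pass or a spurious rejection. The trusted-digest table, package names and digest values are constructed for illustration.

```python
"""Added example, not code from the lmodel/slsa schema or the SLSA project.

Models slsa:Package (name, ecosystem, registry, artifact) and a policy check
that keys trust on (ecosystem, registry, name) but decides on the artifact
digest. All names, digests and the trusted table are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]  # (ecosystem, registry, name)


@dataclass(frozen=True)
class ResourceDescriptor:
    """Subset of slsa:ResourceDescriptor: a name, a URI and a digest set."""
    name: Optional[str] = None
    uri: Optional[str] = None
    digest: Dict[str, str] = field(default_factory=dict)  # {"sha256": hex, ...}


@dataclass(frozen=True)
class Package:
    """Mirrors the slots on this page: name, ecosystem, registry, artifact."""
    name: str
    ecosystem: str
    registry: str
    artifact: Optional[ResourceDescriptor] = None


def package_key(pkg: Package) -> Key:
    """A package name only identifies something inside its ecosystem and registry."""
    return (pkg.ecosystem, pkg.registry, pkg.name)


def digests_match(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """in-toto style comparison: at least one shared algorithm, and every shared one agrees."""
    shared = set(a) & set(b)
    return bool(shared) and all(a[k].lower() == b[k].lower() for k in shared)


def verify(pkg: Package, trusted: Dict[Key, Dict[str, str]]) -> str:
    """Return 'ok', 'no-artifact', 'unknown-package' or 'digest-mismatch'."""
    if pkg.artifact is None or not pkg.artifact.digest:
        return "no-artifact"  # a bare name proves nothing; there is no immutable object to check
    expected = trusted.get(package_key(pkg))
    if expected is None:
        return "unknown-package"  # name outside the trusted boundary; do not fall back to a looser match
    return "ok" if digests_match(expected, pkg.artifact.digest) else "digest-mismatch"


def aliases_by_digest(packages: List[Package]) -> Dict[str, List[Key]]:
    """Group package keys that share a sha256. This is how the npm discrepancy in the
    notes above shows up: one source, one digest, two names. Such groups are input
    for an explicit alias entry in policy, never grounds for silent acceptance."""
    groups: Dict[str, List[Key]] = {}
    for p in packages:
        if p.artifact and "sha256" in p.artifact.digest:
            groups.setdefault(p.artifact.digest["sha256"].lower(), []).append(package_key(p))
    return {d: keys for d, keys in groups.items() if len(keys) > 1}


# Constructed data: made-up hex digests and a hypothetical package name.
GOOD = "a" * 64
OTHER = "b" * 64
NPM = "https://registry.npmjs.org"
TRUSTED: Dict[Key, Dict[str, str]] = {("npm", NPM, "example-pkg"): {"sha256": GOOD}}

registry_install = Package("example-pkg", "npm", NPM, ResourceDescriptor(digest={"sha256": GOOD}))
tarball_install = Package("example-pkg-1.0.0", "npm", NPM, ResourceDescriptor(digest={"sha256": GOOD}))
rebuilt_elsewhere = Package("example-pkg", "npm", NPM, ResourceDescriptor(digest={"sha256": OTHER}))
name_only = Package("example-pkg", "npm", NPM)


def demo() -> Dict[str, str]:
    """Run the four cases a policy engine has to tell apart."""
    return {
        "registry_install": verify(registry_install, TRUSTED),
        "tarball_install": verify(tarball_install, TRUSTED),
        "rebuilt_elsewhere": verify(rebuilt_elsewhere, TRUSTED),
        "name_only": verify(name_only, TRUSTED),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} {result}")
    print(aliases_by_digest([registry_install, tarball_install, rebuilt_elsewhere]))
```

The `rebuilt_elsewhere` case is the one a name-only check gets wrong: the name sits inside the trusted boundary, but the artifact is not the one provenance was issued for. The `tarball_install` case is the note's npm discrepancy; `aliases_by_digest` pairs it with `registry_install` so the alias can be added to policy deliberately instead of being worked around by loosening the name match.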