At FOSDEM 2018, we introduced Package-URL (PURL: https://github.com/package-url/purl-spec), a "mostly" universal URL to identify and locate software packages: https://archive.fosdem.org/2018/schedule/event/purl/
Now, PURL is an international standard to accurately and consistently reference packages across ecosystems, regardless of whether you're working with language-specific managers, OS distributions, or containerized environments.
This talk highlights the journey of PURL, from its first presentation to becoming an Ecma standard, with an ISO standard planned. We'll share how PURLs enable accurate package tracking across ecosystems for vulnerability management (PURL is now part of the CVE record format), tool interoperability (already adopted by security tools, SCA platforms, and package registries), and compliance and security workflows (generating accurate and actionable SBOMs and VEX documents).
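To make the "accurate package tracking" concrete, here is a small parser and canonical serialiser for the `pkg:type/namespace/name@version?qualifiers#subpath` form, plus a helper that decides whether a purl from a CVE record and one from an SBOM name the same package version. This is an added example written for this page, not code from the purl-spec project or the packageurl reference libraries; it assumes the spec's component order and percent-encoding rules, and (as a simplification) encodes every reserved character when serialising, which is stricter than some implementations.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote


@dataclass
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    @classmethod
    def parse(cls, purl: str) -> "PackageURL":
        scheme, sep, rest = purl.partition(":")
        if not sep or scheme.lower() != "pkg":
            raise ValueError("a purl must start with the 'pkg:' scheme")
        rest, _, subpath = rest.partition("#")   # subpath comes off first
        rest, _, query = rest.partition("?")     # then the qualifier string
        type_, _, rest = rest.strip("/").partition("/")
        rest, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")
        segments = [unquote(s) for s in rest.split("/") if s]
        if not type_ or not segments:
            raise ValueError("a purl needs both a type and a name")
        qualifiers = {}
        for pair in query.split("&"):            # key=value pairs, keys case-insensitive
            key, _, value = pair.partition("=")
            if key and value:
                qualifiers[key.lower()] = unquote(value)
        parts = [unquote(s) for s in subpath.split("/") if s not in ("", ".", "..")]
        return cls(type_.lower(), segments[-1], "/".join(segments[:-1]) or None,
                   unquote(version) or None, qualifiers, "/".join(parts) or None)

    def to_string(self) -> str:
        """Canonical form: lowercase type, encoded segments, sorted qualifiers."""
        out = f"pkg:{self.type}/"
        if self.namespace:
            out += "/".join(quote(s, safe="") for s in self.namespace.split("/")) + "/"
        out += quote(self.name, safe="") + (f"@{quote(self.version, safe='')}" if self.version else "")
        if self.qualifiers:
            out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(self.qualifiers.items()))
        if self.subpath:
            out += "#" + "/".join(quote(s, safe="") for s in self.subpath.split("/"))
        return out


def same_package(a: str, b: str) -> bool:
    """True when two purls name the same package version; qualifiers and subpath are ignored."""
    x, y = PackageURL.parse(a), PackageURL.parse(b)
    return (x.type, x.namespace, x.name, x.version) == (y.type, y.namespace, y.name, y.version)
```

Note that the comparison deliberately ignores qualifiers such as `?type=jar` or `?arch=i386`; whether those should also match is a policy choice for the matching tool, not something the identifier decides for you.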
Whether you maintain a package manager, build supply chain security tools, query packages or vulnerability databases, or just want better visibility into your polyglot dependencies, you'll learn how this lightweight standard is the essential infrastructure for modern software ecosystems.