pub fn purl_matches_identifier(manifest_key: &str, identifier: &str) -> boolExpand description
Does a manifest PURL key match a user-supplied PURL identifier?
PyPI patches are keyed in the manifest by their fully-qualified PURL
(pkg:pypi/foo@1.0?artifact_id=...), one entry per release variant.
A user removing or rolling back a package usually types the base
PURL without a qualifier and expects it to cover every variant. So:
- a base identifier (no
?) matches any key whose base equals it — i.e. all release variants of thatpackage@version, and - a qualified identifier (
?artifact_id=...) matches only the exact key, so a single variant can still be targeted precisely.
Non-PyPI keys never carry a ?, so for them this reduces to plain
equality.