How to specify alternative forge and mirrors?

[adulau]

Nowadays, it is increasingly difficult to identify the canonical forge and the available mirrors for an open source project.

How should this be expressed in publiccode.yml? In particular, is there a recommended way to distinguish between the authoritative repository and mirrors (backup)?

For example, we operate a ForgeJo instance that mirrors GitHub repositories we actively maintain. Can this relationship (canonical repository vs. mirror) be clearly and unambiguously expressed in the YAML file?

[bfabio]

For context: url always describes the repo it is in. If the publiccode.yml file is fetched from a different place, crawlers oughta reject it as invalid, it's basically hijacking.

Mirrors would have the same requirements as url: but they can't really be checked in the same way, since the publiccode.yml is fetched from a single URL. (as a sidenote: this is related with multi-repo projects with a single publiccode.yml, that we need to find an elegant solution for: #169)

But mirrors are verifiable, can be created by anyone and there can be many of them even that we don't know about, the simplest option might be to mention official mirrors in description, as an informational note.

After all, an unofficial mirror is no different from any other clone if the hash matches. WDYT?