From: Leo Famulari
Subject: Auditing CPE names
Date: Sat, 11 Feb 2017 14:53:46 -0500
Message-ID: <20170211195346.GA10400@jasmine>
To: guix-devel@gnu.org

I wonder if anyone checks the Common Platform Enumeration (CPE) names of new packages when creating them?

It's important to name the package in accordance with the CPE or set the cpe-name property, or else `guix lint -c cve` won't work for that package.

There is an example of setting the cpe-name in the package definition of isc-dhcp, where the cpe-name is 'dhcp'.

Maybe we should audit the whole package set to find packages that appear to not be covered by CPE.

https://nvd.nist.gov/cpe.cfm
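
One way to sketch the audit proposed in the message above, as an added example that is not part of the original message and not Guix code. It assumes the package list and the CPE dictionary have already been exported to Python values; the function names and all sample data are constructed for illustration.

```python
import re

def split_cpe_fields(s):
    """Split on ':' separators; backslash-escaped characters stay in their field."""
    fields, cur, i = [], "", 0
    while i < len(s):
        step = 2 if s[i] == "\\" and i + 1 < len(s) else 1
        if step == 1 and s[i] == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += s[i:i + step]   # an escape pair such as '\:' is copied whole
        i += step
    return fields + [cur]

def cpe_product(name):
    """Lower-cased product field of a CPE 2.3 string or CPE 2.2 URI, else None."""
    if name.startswith("cpe:2.3:"):
        fields = split_cpe_fields(name[len("cpe:2.3:"):])
    elif name.startswith("cpe:/"):
        fields = name[len("cpe:/"):].split(":")
    else:
        return None
    if len(fields) < 3 or fields[2] in ("", "*", "-"):
        return None   # product missing, wildcard or "not applicable"
    return re.sub(r"\\(.)", r"\1", fields[2]).lower()

def uncovered(packages, cpe_names):
    """Return (package, lookup name) pairs whose lookup name is no known CPE product.

    Assumption: the lookup name is the cpe-name property when set, else the package name.
    """
    known = {p for p in map(cpe_product, cpe_names) if p}
    lookups = ((name, props.get("cpe-name", name).lower()) for name, props in packages)
    return [(name, lookup) for name, lookup in lookups if lookup not in known]

# Constructed sample data: versions and the "example" entries are made up.
SAMPLE_CPES = [
    "cpe:2.3:a:isc:dhcp:4.3.5:*:*:*:*:*:*:*",
    "cpe:/a:openssl:openssl:1.0.2k",
    "cpe:2.3:a:example_vendor:foo\\:bar:1.0:*:*:*:*:*:*:*",
]
SAMPLE_PACKAGES = [
    ("isc-dhcp", {"cpe-name": "dhcp"}),
    ("openssl", {}),
    ("example-unlisted", {}),
]

if __name__ == "__main__":
    print(uncovered(SAMPLE_PACKAGES, SAMPLE_CPES))
```

A name reported here only appears uncovered: the product may be absent from the dictionary, or registered under a different name, which is the case the cpe-name property addresses.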