From: Nicolas Graves
To: Ludovic Courtès
Cc: guix-devel@gnu.org
Subject: Re: Introduce a cpe-vendor package property?
In-Reply-To: <87wmhuvr4q.fsf@gnu.org>
References: <87msise285.fsf@ngraves.fr> <87wmhuvr4q.fsf@gnu.org>
Date: Sun, 27 Oct 2024 19:29:31 +0100
Message-ID: <871q01csc4.fsf@ngraves.fr>

On 2024-10-26 17:08, Ludovic Courtès wrote:

> Hi,
>
> Nicolas Graves wrote:
>
>> I was wondering about handling a cpe-vendor property to handle such
>> cases, since cpe-name won't help here.
>
> Yes, we need that.  (guix cve) currently blissfully ignores the “vendor”
> part of CPE names; we can do better.

I've done that in the v2 of 74034.

I actually introduce two properties, cpe-vendor and
lint-hidden-cpe-vendors (akin to lint-hidden-cve). This is because:

- most of the time we don't have a cpe-vendor but we know which other
  cpe-vendors to ignore
- knowing which ones to ignore brings more information than
  lint-hidden-cve since it's stable in time (future CVEs for other
  packages won't get raised)

-- 
Best regards,
Nicolas Graves
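
The vendor filtering discussed in this message, as an added Python illustration that is not code from Guix or from patch 74034. The precedence between the two properties, the `Package` class, the vendor and product names and the CVE identifiers are all assumptions constructed for the example; version matching is left out.

```python
import re
from dataclasses import dataclass
from typing import Optional

def parse_cpe23(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    fields = re.split(r"(?<!\\):", cpe)  # do not split on escaped '\:'
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return fields[3].lower(), fields[4].lower()

@dataclass(frozen=True)
class Package:  # hypothetical stand-in for a package and its properties
    name: str                                   # used as the CPE product
    cpe_vendor: Optional[str] = None            # cpe-vendor
    hidden_cpe_vendors: frozenset = frozenset() # lint-hidden-cpe-vendors
    hidden_cves: frozenset = frozenset()        # lint-hidden-cve

def vendor_accepted(pkg, vendor):
    # Assumed semantics: an explicit cpe-vendor is an allow-list of one;
    # otherwise every vendor matches except the hidden ones.
    if pkg.cpe_vendor is not None:
        return vendor == pkg.cpe_vendor
    return vendor not in pkg.hidden_cpe_vendors

def matching_cves(pkg, records, ignore_vendor=False):
    """CVE ids whose CPE product is pkg.name, after vendor/CVE filtering."""
    hits = []
    for cve_id, cpe in records:
        vendor, product = parse_cpe23(cpe)
        if product != pkg.name or cve_id in pkg.hidden_cves:
            continue
        if ignore_vendor or vendor_accepted(pkg, vendor):
            hits.append(cve_id)
    return hits

# Constructed records: two vendors ship a product with the same name.
STAR = ":*" * 7
RECORDS = [
    ("CVE-0000-0001", "cpe:2.3:a:upstream_project:frobnicate:1.2" + STAR),
    ("CVE-0000-0002", "cpe:2.3:a:unrelated_corp:frobnicate:3.0" + STAR),
    # A later CVE for the unrelated product, published after packaging.
    ("CVE-0000-0003", "cpe:2.3:a:unrelated_corp:frobnicate:3.1" + STAR),
    ("CVE-0000-0004", "cpe:2.3:a:upstream_project:other_tool:1.0" + STAR),
]

if __name__ == "__main__":
    by_cve = Package("frobnicate", hidden_cves=frozenset({"CVE-0000-0002"}))
    by_vendor = Package("frobnicate",
                        hidden_cpe_vendors=frozenset({"unrelated_corp"}))
    print("hide by CVE id:", matching_cves(by_cve, RECORDS))
    print("hide by vendor:", matching_cves(by_vendor, RECORDS))
```

Hiding by CVE id still reports the later `unrelated_corp` entry, while hiding by vendor does not, which is the stability-over-time point made in the second bullet.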