From: Nicolas Graves
To: guix-devel@gnu.org
Subject: Introduce a cpe-vendor package property?
Date: Fri, 25 Oct 2024 15:33:46 +0200
Message-ID: <87msise285.fsf@ngraves.fr>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Guix,

As you've certainly noticed, I'm currently supplying some security patches by checking every package that is linted on the cve checker.

I have a WIP patch series about adding a lint-hidden-cve property to packages where it is relevant.

While doing it, I noticed that there are quite a few packages with duplicated cpe-names (a few examples: xenon, bolt, express, halibut, folders, portfolio...) in the NIST database.

I was wondering about handling a cpe-vendor property to handle such cases, since cpe-name won't help here.

To note: most of the time, this won't help and we'll still have to fill hidden-lint-cve (since most of these packages have no CVEs and therefore are not in the database at all, despite having similarly-named packages).

-- 
Best regards,
Nicolas Graves
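As an added illustration of the ambiguity described above (not code from the message, nor Guix's own cve/lint modules), the following Python matches constructed CVE records against a package first by CPE product name alone and then with a vendor qualifier; the CVE ids, vendor names and the `cpe-vendor` property key are placeholders.

```python
"""Product-only CPE matching versus vendor-qualified matching (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str


def parse_cpe23(s):
    # CPE 2.3 layout: cpe:2.3:part:vendor:product:version:update:edition:...
    fields = s.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {s}")
    return Cpe(vendor=fields[3], product=fields[4], version=fields[5])


# Constructed records: two unrelated vendors ship a product called "bolt".
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "cpe:2.3:a:vendor_a:bolt:1.2.0:*:*:*:*:*:*:*"),
    ("CVE-EXAMPLE-0002", "cpe:2.3:a:vendor_b:bolt:*:*:*:*:*:*:*:*"),
    ("CVE-EXAMPLE-0003", "cpe:2.3:a:vendor_c:express:4.17.1:*:*:*:*:*:*:*"),
]


def matching_cves(cves, cpe_name, version, cpe_vendor=None):
    """Return CVE ids whose CPE matches the product (and vendor, if given).

    A "*" or "-" version in the record matches any package version."""
    hits = []
    for cve_id, cpe_str in cves:
        cpe = parse_cpe23(cpe_str)
        if cpe.product != cpe_name:
            continue
        if cpe_vendor is not None and cpe.vendor != cpe_vendor:
            continue
        if cpe.version not in ("*", "-") and cpe.version != version:
            continue
        hits.append(cve_id)
    return hits


def lint_package(cves, package):
    """Mimic a cve lint: cpe-name defaults to the package name; cpe-vendor
    is the proposed (hypothetical) property that disambiguates vendors."""
    props = package.get("properties", {})
    cpe_name = props.get("cpe-name", package["name"])
    return matching_cves(cves, cpe_name, package["version"], props.get("cpe-vendor"))
```

A package that is absent from the database (halibut here) still yields no hits either way, which is the case the message says a cpe-vendor property cannot fix.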