From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: Auditing CPE names Date: Sun, 12 Feb 2017 16:13:06 +0100 Message-ID: <87vasftpbx.fsf@gnu.org> References: <20170211195346.GA10400@jasmine> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:42364) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ccvpx-0008W1-Mk for guix-devel@gnu.org; Sun, 12 Feb 2017 10:13:15 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ccvpu-00045a-Fj for guix-devel@gnu.org; Sun, 12 Feb 2017 10:13:13 -0500 In-Reply-To: <20170211195346.GA10400@jasmine> (Leo Famulari's message of "Sat, 11 Feb 2017 14:53:46 -0500") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari Cc: guix-devel@gnu.org Leo Famulari skribis: > I wonder if anyone checks the Common Platform Enumeration (CPE) names of > new packages when creating them? > > It's important to name the package in accordance with the CPE or set > the cpe-name property, or else `guix lint -c cve` won't work for that > package. > > There is an example of setting the cpe-name in the package definition of > isc-dhcp, where the cpe-name is 'dhcp'. > > Maybe we should audit the whole package set to find packages that appear > to not be covered by CPE. I think it=E2=80=99s a good idea, everyone should check whether important packages are covered. Packages that are definitely not covered are those for which we add a prefix to the upstream name, such as =E2=80=9Cpython-=E2=80=9D. We could t= ell =E2=80=98guix lint -c cve=E2=80=99 to strip common prefixes like this one, but I suspect = this won=E2=80=99t be enough. Thoughts? Ludo=E2=80=99.