Date:      Mon, 12 May 2025 07:30:45 +0200
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        Dewayne Geraghty <dewayne@heuristicsystems.com.au>
Cc:        questions@freebsd.org
Subject:   Re: CPE as a consistent element of pkg annotations
Message-ID:  <86msbis8e2.fsf@ltc.des.dev>
In-Reply-To: <72b26605-50ac-41c5-aca0-aaf93f091436@heuristicsystems.com.au> (Dewayne Geraghty's message of "Mon, 12 May 2025 14:23:24 +1000")
References:  <72b26605-50ac-41c5-aca0-aaf93f091436@heuristicsystems.com.au>


Dewayne Geraghty <dewayne@heuristicsystems.com.au> writes:
> I don't recall the argument for adding a CPE (Common Platform
> Enumeration) into USES for port building, nor why it's inserted into
> the annotation section when using "pkg info".  Though on a lightly
> configured machine, only 107 of the 265 ports actually had a CPE entry
> in annotations.

It gets added when a CVE has actually been issued.

> So I wondered, if it's important then shouldn't it be mandatory?

No, because we can't just make up CPEs.

> Is there a reason that inclusion of a CPE, where one is available, is
> determined by the port maintainer?

Because the port maintainer needs to make sure it is correct.

> Interestingly, after reviewing
> https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
> it's noteworthy that the ports team uses the "Other" field (described
> in section 5.3.3.11) within the CPE structure for the port revision,
> rather than the "Update" (refer 5.3.3.5) field, as given as an example
> in the pdf.

The port revision and epoch are specific to the FreeBSD ports system.
The update field is intended for a patch level or such chosen by the
original author of the software.

> So using tmux as an example, the CPE would be
> cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:
> enabling the other field to be used for something else.

That would be incorrect.

> The question of why the "language" field isn't populated, is for
> another day...

You understand that we don't get to just make shit up, right?

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
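To make the field layout discussed above concrete, here is an added example (not part of this thread, of pkg, or of the ports tree's cpe.mk). It splits a CPE 2.3 formatted string into its eleven named components, builds a ports-style string, and runs a component-wise comparison against constructed advisory-style CPEs. Assumptions, labelled in the code: the ports layout places a non-zero PORTREVISION in the "other" field with target_sw/target_hw filled in, the comparison treats an empty component like the "*" (ANY) wildcard, and the vendor "example" / product "foo" with upstream update "p1" is hypothetical.

```python
# Added example (not from the thread, pkg, or cpe.mk): parse CPE 2.3
# formatted strings and show where the port revision lands.  The
# ports-tree layout assumed here (PORTREVISION in "other", target_sw and
# target_hw set) follows the discussion above, not any tool's source.

FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
ANY = "*"


def split_cpe(s):
    """Split on unescaped colons; a backslash escapes the next character,
    so "\\:" inside a component stays part of that component."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == ":":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts


def parse_cpe(s):
    """Return the eleven named components of a CPE 2.3 formatted string."""
    parts = split_cpe(s)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % s)
    return dict(zip(FIELDS, parts[2:]))


def ports_cpe(vendor, product, version, update="", portrevision=0,
              target_sw="freebsd13", target_hw="x64"):
    """Assumed ports layout: upstream version and update keep their own
    fields; a non-zero PORTREVISION goes in 'other'."""
    other = str(portrevision) if portrevision else ""
    return "cpe:2.3:a:%s:%s:%s:%s::::%s:%s:%s" % (
        vendor, product, version, update, target_sw, target_hw, other)


def _is_any(v):
    # Assumption: an empty component is read like ANY ("*"); the blank
    # fields in the ports-style strings above only make sense that way.
    return v in ("", ANY)


def cpe_matches(pattern, name):
    """Component-wise match: every pattern component must be ANY or equal
    to the name's component (ANY on the name side matches as well)."""
    p, n = parse_cpe(pattern), parse_cpe(name)
    return all(_is_any(p[f]) or _is_any(n[f]) or p[f] == n[f] for f in FIELDS)


def demo():
    # Constructed advisory-style CPE for tmux 3.3a, wildcard elsewhere.
    advisory = "cpe:2.3:a:tmux_project:tmux:3.3a:*:*:*:*:*:*:*"
    ports_style = ports_cpe("tmux_project", "tmux", "3.3a", portrevision=1)
    proposed = "cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:"  # from the thread

    # Hypothetical upstream "foo 2.0", patch level p1, vendor "example",
    # port revision 2.  An advisory scoped to upstream update p1 can only
    # match if the port revision is not occupying the update field.
    upstream_adv = "cpe:2.3:a:example:foo:2.0:p1:*:*:*:*:*:*"
    foo_ports = ports_cpe("example", "foo", "2.0", update="p1", portrevision=2)
    foo_rev_in_update = ports_cpe("example", "foo", "2.0", update="2")

    return {
        "ports_style": ports_style,
        "ports_other": parse_cpe(ports_style)["other"],
        "proposed_update": parse_cpe(proposed)["update"],
        "both_match_tmux_advisory": (cpe_matches(advisory, ports_style)
                                     and cpe_matches(advisory, proposed)),
        "foo_ports_matches": cpe_matches(upstream_adv, foo_ports),
        "foo_rev_in_update_matches": cpe_matches(upstream_adv, foo_rev_in_update),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-28s %s" % (k, v))
```

With the wildcard tmux advisory both encodings match, which is why the difference is easy to miss; the hypothetical "foo 2.0 p1" case shows the cost of the proposal in the quoted message: once the port revision sits in "update", an upstream patch level has nowhere to go and an advisory keyed on it no longer matches.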



Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86msbis8e2.fsf>