Date: Thu, 14 Oct 2021 15:58:01 +0200
From: Bernhard Fröhlich <decke@freebsd.org>
To: Yasuhiro Kimura <yasu@freebsd.org>
Cc: freebsd-ports@freebsd.org
Subject: Re: Adding CPE information
Message-ID: <CAE-m3X3Nke-y11=q_UgNuL5hHmB74q6nGZnfpP_Zfrbpr=tzmA@mail.gmail.com>
In-Reply-To: <20211014.224312.1851469902312960663.yasu@FreeBSD.org>
References: <20211014.200731.1708218659985202223.yasu@FreeBSD.org> <07c45bce-fa7a-2577-4e56-d3e88a8b46e4@madpilot.net> <20211014.224312.1851469902312960663.yasu@FreeBSD.org>

On Thu, Oct 14, 2021 at 3:44 PM Yasuhiro Kimura <yasu@freebsd.org> wrote:
>
> From: Guido Falsi <mad@madpilot.net>
> Subject: Re: Adding CPE information
> Date: Thu, 14 Oct 2021 14:58:04 +0200
>
> >> It seems recently some committers are working to add CPE information
> >> to many ports. I don't know why it started. But if it is intended to
> >> add CPE information to all (or most of) ports, isn't it better to
> >> modify ports framework so CPE information is added to each port by
> >> default?
> >>
> >
> > AFAIK that's already in the tree. The framework tries to extrapolate
> > CPE information from PORTNAME and other variables.
>
> Yes, but it isn't enabled by default. You need to add 'USES=cpe' to
> Makefile if you want to add CPE information to specific port. What I
> proposed is to change framework so CPE information is added to all
> ports without adding 'USES=cpe' to Makefile of each port.
>
> > Unluckily most of the time it is actually impossible to get correct
> > information and some other variables with the correct details, which
> > are not necessarily logical or in any way connected with the
> > information already present) need to be added by hand after manual
> > discovery.
>
> I understand manual work is required to set the value of related
> variables correctly. But it is always necessary whether we add CPE
> information by changing framework or we do it by adding 'USES=cpe' to
> Makefile of each port. And assuming that it is intended to add CPE
> information to all ports, I think the former requires less work volume
> than the latter.

No, that does not work because valid CPE entries only exist if the
software product was mentioned in a CVE or the CPE entry was reserved
which is a rare case.

--
Bernhard Froehlich
http://www.bluelife.at/
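
The following is an added example, not part of the thread and not code from the ports framework. It sketches the problem discussed above: CPE names derived from PORTNAME alone are checked against a CPE dictionary, and ports whose derived vendor:product pair is absent get flagged for manual work. The defaulting rule (vendor = product = lowercased PORTNAME), the function names and all sample data are assumptions constructed for illustration.

```python
# Added example; not FreeBSD ports framework code.
# Assumption: with USES=cpe and no overrides, vendor and product both default
# to the lowercased PORTNAME and the version to the lowercased PORTVERSION.

# Constructed sample of vendor:product pairs standing in for a CPE dictionary.
SAMPLE_DICTIONARY = {("haxx", "curl"), ("openbsd", "openssh"), ("sqlite", "sqlite")}

# Constructed sample ports: (PORTNAME, PORTVERSION, Makefile overrides).
SAMPLE_PORTS = [
    ("sqlite", "3.36.0", {}),
    ("curl", "7.79.1", {}),                       # default guess: curl:curl
    ("curl", "7.79.1", {"CPE_VENDOR": "haxx"}),   # fixed by hand
    ("openssh", "8.8", {"CPE_VENDOR": "openbsd"}),
    ("exampletool", "1.0", {}),  # hypothetical port never named in a CVE
]


def derive_cpe(portname, portversion, overrides=None):
    """Return (vendor, product, version) using the assumed defaulting rule."""
    overrides = overrides or {}
    product = overrides.get("CPE_PRODUCT", portname.lower())
    vendor = overrides.get("CPE_VENDOR", product)
    version = overrides.get("CPE_VERSION", portversion.lower())
    return vendor, product, version


def cpe23(vendor, product, version, part="a"):
    """Format a CPE 2.3 string, leaving the remaining seven fields as '*'."""
    return ":".join(["cpe", "2.3", part, vendor, product, version] + ["*"] * 7)


def audit(ports, dictionary):
    """Split ports by whether their vendor:product pair is in the dictionary."""
    matched, unmatched = [], []
    for name, version, overrides in ports:
        vendor, product, ver = derive_cpe(name, version, overrides)
        bucket = matched if (vendor, product) in dictionary else unmatched
        bucket.append(cpe23(vendor, product, ver))
    return matched, unmatched


if __name__ == "__main__":
    ok, missing = audit(SAMPLE_PORTS, SAMPLE_DICTIONARY)
    for line in ok:
        print("in dictionary    ", line)
    for line in missing:
        print("not in dictionary", line)
```

A port in the second list either needs hand-set vendor and product values or has no dictionary entry at all, so the generated name would match nothing in a vulnerability lookup.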