Date: Thu, 21 Mar 2013 11:04:18 +0100
From: Dag-Erling Smørgrav <des@des.no>
To: "Simon L. B. Nielsen" <simon@qxnitro.org>
Cc: freebsd-security@freebsd.org
Subject: Re: CPE [was old perl vulnerability]
Message-ID: <867gl19ihp.fsf@ds4.des.no>
In-Reply-To: <CAC8HS2Gwjb5S6k2cnVLpoWzQEEDoGxXWWMqjCMdQM6d2uZBvqg@mail.gmail.com> (Simon L. B. Nielsen's message of "Wed, 20 Mar 2013 17:22:50 +0000")
References: <CAC8HS2Gwjb5S6k2cnVLpoWzQEEDoGxXWWMqjCMdQM6d2uZBvqg@mail.gmail.com>
"Simon L. B. Nielsen" <simon@qxnitro.org> writes:
> Dag-Erling Smørgrav <des@des.no> wrote:
> > This wouldn't keep happening if we used CPEs whenever possible...
> Where would you use CPE - in all packages? I assume you are talking
> about http://cpe.mitre.org/about/ ?

Yes.

> Part of the problem for VuXML is the trillion names for packages some
> ports have, making it more painful.

Exactly. So what I propose is:

- Add a port Makefile variable for the CPE (or multiple variables for the
  different components of the CPE, and code that "assembles" it). The
  ports infrastructure ensures that the CPE is included in the port /
  package metadata.
- If a vulnerability is discovered in a port that has a CPE, the CPE is
  included in the vuxml entry.
- portaudit, "pkg audit" etc. are modified so that if an installed package
  has a CPE, the CPE is used instead of (or in addition to?) the name when
  matching vuxml entries.

It is very important that the CPE logic be conditional on the presence of
a CPE in the *package* and not in the vuxml entry, not just to ensure the
transition from the pre-CPE regime, but also because most software doesn't
even have a CPE until the first time it is the subject of a CVE.

DES
-- 
Dag-Erling Smørgrav - des@des.no
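The matching rule proposed in the message above, written out as an added example; this is not FreeBSD's portaudit or pkg audit code, and the record shapes, the `lt`/`ge` version-range fields, the CPE prefix-matching rule and the sample packages and vuxml entries are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Package:
    name: str                  # installed package name, e.g. "perl5.16"
    version: str
    cpe: Optional[str] = None  # CPE 2.2 URI from the port metadata, if any

@dataclass
class VuxmlEntry:
    vid: str
    names: Tuple[str, ...]      # package names listed in the entry
    cpes: Tuple[str, ...] = ()  # CPE(s) listed in the entry, if any
    lt: Optional[str] = None    # affected when version <  lt
    ge: Optional[str] = None    # affected when version >= ge

def version_key(v: str):
    # Compare dotted versions numerically, so 5.16.2 < 5.16.10.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def cpe_matches(entry_cpe: str, pkg_cpe: str) -> bool:
    # Component-wise prefix match: cpe:/a:perl:perl covers cpe:/a:perl:perl:5.16.2.
    want, have = entry_cpe.split(":"), pkg_cpe.split(":")
    return len(want) <= len(have) and all(w == h for w, h in zip(want, have))

def identity_matches(entry: VuxmlEntry, pkg: Package) -> bool:
    # Branch on the *package* carrying a CPE, as the mail proposes: when both
    # sides have one the CPE decides instead of the name; a pre-CPE entry or a
    # package without a CPE still falls back to the entry's name list.
    if pkg.cpe is not None and entry.cpes:
        return any(cpe_matches(c, pkg.cpe) for c in entry.cpes)
    return pkg.name in entry.names

def version_affected(entry: VuxmlEntry, version: str) -> bool:
    v = version_key(version)
    below_ge = entry.ge is not None and v < version_key(entry.ge)
    at_or_above_lt = entry.lt is not None and v >= version_key(entry.lt)
    return not (below_ge or at_or_above_lt)

def audit(packages: List[Package], entries: List[VuxmlEntry]) -> List[Tuple[str, str]]:
    return [(p.name, e.vid) for p in packages for e in entries
            if identity_matches(e, p) and version_affected(e, p.version)]

# Constructed sample data (not real vuxml). vid-cpe names only "perl", so perl5.16 is caught via CPE.
PACKAGES = [Package("perl5.16", "5.16.2", cpe="cpe:/a:perl:perl:5.16.2"),
            Package("perl5.14", "5.14.4", cpe="cpe:/a:perl:perl:5.14.4"),
            Package("perl5.12", "5.12.5")]  # no CPE in the package yet
ENTRIES = [VuxmlEntry("vid-cpe", ("perl",), ("cpe:/a:perl:perl",), ge="5.16", lt="5.16.3"),
           VuxmlEntry("vid-name", ("perl5.12", "perl"), lt="5.12.6")]  # pre-CPE entry
```

Running `audit(PACKAGES, ENTRIES)` reports perl5.16 through the CPE (its name never appears in the entry) and perl5.12 through the old name-based path, while perl5.14 falls outside the affected version range.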
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?867gl19ihp.fsf>