Re: CPE information for Fedora packages useful?
On Mon, 31 Jan 2011 19:21:39 +1100 Silvio Cesare wrote:
> Debian maintain a list of CPE information for packages on their
> security tracker

We currently do not use CPE names for security tracking in Fedora, so
I don't see an obvious benefit maintaining such a list. Can you explain
briefly how you use it for Debian security tracking and what benefits

> This makes it relatively static except when packages are added or
> removed from the repository.

It's not that uncommon to see new packages added to Fedora repositories
even after the release of some Fedora version.

> In the past I generated an automatic mapping between packages in
> Debian and Fedora

I played a little more with this list and noticed a few problems:
- quite a few Debian packages map to Fedora arptools or binclock.
Probably packages with not much sources, where other file (license,
configure) confuse your tool to match unrelated packages
- there does not seem to be a good way to list cases where multiple
components contain the same sources. In Fedora, mingw32-* packages
are a good example, and the list often maps Debian package foo to
Fedora package mingw32-foo, while there is Fedora package foo that
should be similarly good match. Another example is
Did you review "unexpected matches" to see if the sources are really
similar, and how the match is picked when there are multiple "good
Tomas Hoger / Red Hat Security Response Team
-- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security