Hi,

Brice Waegeneire <br...@waegenei.re> skribis:
> It looks like, for most free software the name of the software is used
> as the vendor too, but I'm guessing that's not always the case, in
> particular when two projects are using the same name. So we can't just
> filter the entries where the vendor name isn't the name of the package
> or we could end up with false negatives, which seems worse than false
> positives for a vulnerability checker.

Yeah.

> One solution would be to display the name of the vendor when it doesn't
> correspond to the name of the package. Such a solution would still output
> false positives but at least it will be quicker to identify them as
> such, compared to looking up and reading through each CVE.

Yes, though I think that (guix cve) should simply preserve the vendor
part, and leave it up to its user, ‘guix lint’, to display vendor
mismatches.

Thanks,
Ludo’.
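To make the two strategies discussed above concrete, here is an added Python sketch. It is not code from Guix ((guix cve) and ‘guix lint’ are written in Guile Scheme and are organised differently); it only shows the shape of the argument: CPE entries are parsed with the vendor preserved, the strict vendor filter is shown dropping a match (a potential false negative), and a lint-style report keeps every match and prints the vendor only where it differs from the package name. The package name, versions and CVE identifiers are constructed sample data, not real vulnerabilities; version matching is simplified to exact equality, whereas real NVD data uses ranges.

```python
"""Vendor/product matching for a CVE lint check.

Added example, not Guix code.  Demonstrates the two strategies from the
thread: dropping entries whose CPE vendor differs from the package name
(risking false negatives) versus keeping them and flagging the vendor
mismatch so the reader can triage the false positives quickly.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CpeMatch:
    cve: str
    vendor: str
    product: str
    version: str


def parse_cpe23(cve: str, cpe: str) -> CpeMatch:
    """Parse a CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:...

    Simplification: a plain split on ':' ignores the escaped-colon syntax
    (backslash-colon) that CPE 2.3 allows inside field values.
    """
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return CpeMatch(cve=cve, vendor=fields[3], product=fields[4], version=fields[5])


# Constructed sample entries.  The CVE identifiers are placeholders for
# illustration, not real CVEs; "libfoo" and "acme" are made-up names.
SAMPLE_ENTRIES = [
    ("CVE-0000-0001", "cpe:2.3:a:libfoo:libfoo:1.2.0:*:*:*:*:*:*:*"),
    ("CVE-0000-0002", "cpe:2.3:a:acme:libfoo:1.2.0:*:*:*:*:*:*:*"),
    ("CVE-0000-0003", "cpe:2.3:a:libfoo:libfoo:2.0.0:*:*:*:*:*:*:*"),
    ("CVE-0000-0004", "cpe:2.3:a:other:unrelated:1.2.0:*:*:*:*:*:*:*"),
]


def matches_for_package(name: str, version: str, entries) -> list:
    """Entries whose product and (exact) version match the package.

    The vendor field is preserved on every match rather than being used
    as a filter; deciding what to do with it is left to the caller.
    """
    parsed = (parse_cpe23(cve, cpe) for cve, cpe in entries)
    return [m for m in parsed if m.product == name and m.version == version]


def filter_strict_vendor(matches: list, name: str) -> list:
    """The rejected strategy: additionally require vendor == package name.

    For the sample data this drops the "acme" entry.  If that CVE really
    affects the package, the checker has just produced a false negative.
    """
    return [m for m in matches if m.vendor == name]


def lint_report(matches: list, name: str) -> list:
    """The preferred strategy: keep every match, annotate vendor mismatches.

    Returns one report line per match; the vendor is shown only when it
    differs from the package name, so mismatches stand out at a glance.
    """
    lines = []
    for m in matches:
        note = "" if m.vendor == name else f" (vendor: {m.vendor})"
        lines.append(f"{m.cve}{note}")
    return lines


if __name__ == "__main__":
    found = matches_for_package("libfoo", "1.2.0", SAMPLE_ENTRIES)
    print("strict vendor filter:", [m.cve for m in filter_strict_vendor(found, "libfoo")])
    print("lint report:")
    for line in lint_report(found, "libfoo"):
        print("  ", line)
```

Running the block prints the strict filter keeping only the entry whose vendor equals the package name, while the report lists both matching entries and marks the second one with its vendor, which is the behaviour the reply favours for ‘guix lint’.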