I wonder if anyone checks the Common Platform Enumeration (CPE) names of new packages when creating them?
It's important to name the package in accordance with the CPE or set the cpe-name property, or else `guix lint -c cve` won't work for that package. There is an example of setting the cpe-name in the package definition of isc-dhcp, where the cpe-name is 'dhcp'. Maybe we should audit the whole package set to find packages that appear to not be covered by CPE.

https://nvd.nist.gov/cpe.cfm
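
A sketch of the audit proposed in the message above, as an added example that is not part of the original message or of Guix itself. It assumes the script is run with `guix repl` so the Guix modules are on the load path; the `known-cpe-products` list is a constructed sample standing in for product names taken from the NVD CPE dictionary, and the helper names are hypothetical.

```scheme
;; Added example: list packages whose effective CPE name is not a known
;; CPE product, i.e. packages the CVE check cannot match.
(use-modules (gnu packages)     ; fold-packages
             (guix packages))   ; package-name, package-properties

;; Constructed sample data. A real audit would fill this from the
;; product field of the entries in the NVD CPE dictionary.
(define known-cpe-products
  '("dhcp" "openssl" "curl" "bash"))

(define (list->string-set strings)
  "Return a hash table holding each of STRINGS as a key."
  (let ((table (make-hash-table)))
    (for-each (lambda (s) (hash-set! table s #t)) strings)
    table))

(define (effective-cpe-name package)
  "Return the 'cpe-name' property of PACKAGE when it is set, else the
package name, which is the fallback the message describes."
  (or (assq-ref (package-properties package) 'cpe-name)
      (package-name package)))

(define (uncovered-packages products)
  "Return the packages whose effective CPE name is not in PRODUCTS."
  (let ((known (list->string-set products)))
    (fold-packages
     (lambda (package result)
       (if (hash-ref known (effective-cpe-name package))
           result
           (cons package result)))
     '())))

;; Print one line per uncovered package, sorted by package name.
(for-each
 (lambda (package)
   (format #t "~a: no CPE product named ~s~%"
           (package-name package)
           (effective-cpe-name package)))
 (sort (uncovered-packages known-cpe-products)
       (lambda (a b)
         (string<? (package-name a) (package-name b)))))
```

A package reported here is not necessarily misnamed: it may simply have no CPE entry yet, so each hit still needs a manual look before a `cpe-name` property is added.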