Leo Famulari <l...@famulari.name> wrote:

> I wonder if anyone checks the Common Platform Enumeration (CPE) names of
> new packages when creating them?
>
> It's important to name the package in accordance with the CPE or set
> the cpe-name property, or else `guix lint -c cve` won't work for that
> package.
>
> There is an example of setting the cpe-name in the package definition of
> isc-dhcp, where the cpe-name is 'dhcp'.
>
> Maybe we should audit the whole package set to find packages that appear
> to not be covered by CPE.
I think it’s a good idea; everyone should check whether important packages are covered.

Packages that are definitely not covered are those for which we add a prefix to the upstream name, such as “python-”. We could tell ‘guix lint -c cve’ to strip common prefixes like this one, but I suspect this won’t be enough.

Thoughts?

Ludo’.
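To make the two points in this thread concrete (the cpe-name property from Leo's message and the prefix stripping from Ludo's reply), here is an added toy model of how a CVE linter resolves a package name to a CPE product name. It is illustration only, not Guix's own lint code: the package records, the prefix list, the CVE feed and the product names are all constructed for the example, and the CVE identifiers are placeholders rather than real advisories.

```python
"""Toy model of how a CVE linter resolves a package name to a CPE product name.

Added illustration only: this is not Guix's own code. The package records,
the prefix list and the CVE feed below are constructed for the example; the
CVE identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass, field

# Constructed CVE feed: each entry lists the CPE product names it affects.
CVE_FEED = {
    "CVE-0000-0001": {"dhcp"},         # placeholder id; ISC's DHCP server
    "CVE-0000-0002": {"requests"},     # placeholder id; a Python library
    "CVE-0000-0003": {"foo_client"},   # placeholder id; constructed product
}

# Assumed list of distribution-specific prefixes the linter might strip.
COMMON_PREFIXES = ("python-", "python2-", "perl-")


@dataclass(frozen=True)
class Package:
    """Minimal stand-in for a package record with a properties mapping."""
    name: str
    properties: dict = field(default_factory=dict)


def cpe_product(pkg: Package, strip_prefixes: bool = False) -> str:
    """Name the linter looks up: an explicit cpe-name wins, otherwise the
    package name, optionally with a known prefix removed."""
    explicit = pkg.properties.get("cpe-name")
    if explicit:
        return explicit
    if strip_prefixes:
        for prefix in COMMON_PREFIXES:
            if pkg.name.startswith(prefix):
                return pkg.name[len(prefix):]
    return pkg.name


def lint_cve(pkg: Package, feed=CVE_FEED, strip_prefixes: bool = False) -> list:
    """Return the sorted ids of feed entries whose products include PKG's CPE name."""
    product = cpe_product(pkg, strip_prefixes)
    return sorted(cve for cve, products in feed.items() if product in products)


def demo() -> dict:
    """Exercise the cases discussed in the thread and return the matches."""
    dhcp_bare = Package("isc-dhcp")
    dhcp_named = Package("isc-dhcp", {"cpe-name": "dhcp"})
    requests = Package("python-requests")
    # Constructed case where the upstream CPE name also differs in punctuation,
    # so stripping the prefix alone still misses the advisory.
    foo_bare = Package("python-foo-client")
    foo_named = Package("python-foo-client", {"cpe-name": "foo_client"})
    return {
        "isc-dhcp, no cpe-name": lint_cve(dhcp_bare),
        "isc-dhcp, cpe-name=dhcp": lint_cve(dhcp_named),
        "python-requests, no stripping": lint_cve(requests),
        "python-requests, stripping": lint_cve(requests, strip_prefixes=True),
        "python-foo-client, stripping": lint_cve(foo_bare, strip_prefixes=True),
        "python-foo-client, cpe-name": lint_cve(foo_named),
    }


if __name__ == "__main__":
    for case, cves in demo().items():
        print(f"{case:32} -> {cves or 'no match'}")
```

Run as a script, the first case shows the silent failure Leo describes (isc-dhcp matches nothing until cpe-name is set), the python-requests cases show what prefix stripping would buy, and the constructed foo-client case shows one reason stripping alone is not enough: the CPE product name can differ from the upstream name in more than the prefix, so an explicit cpe-name remains the reliable control.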