
Re: Results of the App Installer Meeting

[David Kalnischkies]
> That's another use case of package name matching: "look at how debian
> describes the 'same' package compared to fedora."

I've been testing one approach to this the last few days, using the
Common Platform Enumeration (CPE) dictionary, <URL: http://cpe.mitre.org/ >.

I use it to look up CVEs for the locally maintained software here at
the university, but CPEs could also be used to compare the package
sets between distributions.  RHEL got their own CVE -> CPE information
available from
<URL: https://www.redhat.com/security/data/metrics/rhsamapcpe.txt >.
Perhaps Fedora got something similar?

If all distributions registered their packages with CPE info, it would
be trivial to map packages between distributions, and also a lot
easier to track security issues in packages. :)

My dream would be for every package to have their CPE ID in the
package, perhaps in debian/control using "Xs-CPE: <id>" or similar, to
allow cross-distro mapping of packages and make the security teams
work easier. :)

I've started on a package map from Debian source package to CPE ID in
the testing security team svn, data/CPE/list.  I now got 815 entries
in the list.

Happy hacking,
-- 
Petter Reinholdtsen
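As an added illustration (not part of Petter's message, the Debian security team's list, or any Debian tooling), the script below shows how a proposed "XS-CPE" field in debian/control could be read and joined against a CVE -> CPE feed to find which CVEs touch which source package. The field name, the control stanzas and the feed lines are constructed for the example.

```python
import re

# Constructed debian/control stanzas carrying the hypothetical XS-CPE field.
CONTROL = """\
Source: openssl
Section: utils
XS-CPE: cpe:/a:openssl:openssl

Source: apache2
Section: httpd
XS-CPE: cpe:/a:apache:http_server
"""

# Constructed "CVE CPE" feed lines; the CVE ids are placeholders, not real advisories.
CVE_FEED = """\
CVE-0000-0001 cpe:/a:openssl:openssl:1.0.1
CVE-0000-0002 cpe:/a:apache:http_server:2.2
CVE-0000-0003 cpe:/a:gnu:bash:4.2
"""


def parse_control(text):
    """Return {source_package: cpe_id} for every stanza that carries XS-CPE."""
    mapping = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Source" in fields and "XS-CPE" in fields:
            mapping[fields["Source"]] = fields["XS-CPE"]
    return mapping


def cpe_product(cpe):
    """Reduce a CPE 2.2 URI to cpe:/part:vendor:product, dropping version and later fields."""
    return ":".join(cpe.split(":")[:4])


def cves_for_packages(mapping, feed):
    """Map each source package to the CVE ids whose CPE names the same product."""
    by_product = {cpe_product(cpe): pkg for pkg, cpe in mapping.items()}
    hits = {pkg: [] for pkg in mapping}
    for line in feed.strip().splitlines():
        cve, cpe = line.split()
        pkg = by_product.get(cpe_product(cpe))
        if pkg is not None:
            hits[pkg].append(cve)
    return hits
```

Matching on the product prefix only is deliberate: a per-version match would need the installed version compared against the feed's version field, which this example does not attempt.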
