GNU bug report logs - #74034
[PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.


Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Sat, 26 Oct 2024 22:31:02 UTC

Severity: normal

Tags: patch

Done: Nicolas Graves <ngraves <at> ngraves.fr>

Bug is archived. No further changes may be made.



Message #135 received at 74034 <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 74034 <at> debbugs.gnu.org
Subject: Re: [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and
 lint-hidden-cpe-vendors properties.
Date: Thu, 07 Nov 2024 09:45:06 +0100
On 2024-11-06 22:43, Ludovic Courtès wrote:

> Hi,
>
> Nicolas Graves <ngraves <at> ngraves.fr> skribis:
>
>> * guix/cve.scm: Exploit cpe vendors information.
>> (cpe->package-name): Rename to cpe->package and use
>> cpe_vendor:cpe_name in place of cpe_name.
>> (filter-vendors): Add helper function.
>> (vulnerabilities->lookup-proc): Extract cpe_name for table
>> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
>> pass vulnerabilities to result in the fold.
>>
>> * guix/lint.scm (package-vulnerabilities): Use additional arguments
>> from vulnerabilities->lookup-proc.
>>
>> * tests/cve.scm: Adapt tests.
>
> Nice!
>
> Please mention the names of tests being changed in the commit log (see
> ‘git log’ for examples).
>
>> -(define (cpe->package-name cpe)
>> +(define (cpe->package cpe)
>
> Or ‘cpe->package-identifier’?
>
> It’s unpleasant that said identifier is an unparsed “vendor:package”
> string.  I wonder if we should instead leave ‘%cpe-package-rx’ unchanged
> and return three values: package, version, vendor.
>
> The downside is that it would lead to more changes down the road because
> we’d have to carry the vendor bit along.
>
> Thoughts?

I actually took this route first, then reverted back to editing the
regexp.  This was indeed for simplicity (rationale: make a first working
version with minimal changes, then if necessary improve).  Yes indeed
doing this makes a lot of changes in the code, although not complex.

I agree with the rest of the changes. I'll try to make a commit on top
of that, possibly this weekend.


-- 
Best regards,
Nicolas Graves
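The three-value variant Ludovic suggests above, as an added Guile example that is not code from the patch series or from Guix's guix/cve.scm: the regexp, the procedure names and the sample CPE strings are all assumptions made here (Guix's own %cpe-package-rx is not reproduced), and the vendor filter only sketches how a "hidden vendors" list could narrow the lookup.

```scheme
(use-modules (ice-9 regex))

;; Hypothetical regexp for CPE 2.3 application entries, assumed here and
;; not Guix's own %cpe-package-rx: cpe:2.3:a:VENDOR:PRODUCT:VERSION:...
(define %cpe-app-rx
  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+)(:.*)?$"))

(define (cpe->package+version+vendor cpe)
  "Return three values, PACKAGE, VERSION and VENDOR, parsed from CPE,
or #f #f #f when CPE is not an application ('a') entry."
  (let ((m (regexp-exec %cpe-app-rx cpe)))
    (if m
        (values (match:substring m 2)
                (match:substring m 3)
                (match:substring m 1))
        (values #f #f #f))))

(define (vendor-allowed? vendor known-vendors hidden-vendors)
  "Return true when VENDOR should be considered: it is not listed in
HIDDEN-VENDORS and, when KNOWN-VENDORS is non-empty, it is listed there."
  (and (not (member vendor hidden-vendors))
       (or (null? known-vendors)
           (member vendor known-vendors))))

;; Constructed sample CPE strings for illustration, not real NVD data.
(define %sample-cpes
  '("cpe:2.3:a:gnu:guile:3.0.9:*:*:*:*:*:*:*"
    "cpe:2.3:a:otherco:guile:1.0:*:*:*:*:*:*:*"
    "cpe:2.3:o:linux:linux_kernel:6.1:*:*:*:*:*:*:*"))

(define (matching-cpes package known-vendors hidden-vendors cpes)
  "Return the strings in CPES naming PACKAGE from an allowed vendor;
the vendor travels as a separate value rather than inside the name."
  (filter (lambda (cpe)
            (call-with-values
                (lambda () (cpe->package+version+vendor cpe))
              (lambda (name version vendor)
                (and name
                     (string=? name package)
                     (vendor-allowed? vendor known-vendors hidden-vendors)))))
          cpes))

;; With "otherco" hidden, only the gnu entry for guile remains.
(display (matching-cpes "guile" '() '("otherco") %sample-cpes))
(newline)
```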




This bug report was last modified 130 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.