GNU bug report logs - #74034
[PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.

Previous Next

Full log

View this message in rfc822 format

From: Ludovic Courtès <ludo <at> gnu.org>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: 74034 <at> debbugs.gnu.org
Subject: [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
Date: Thu, 09 Jan 2025 14:48:29 +0100

Hi,

Nicolas Graves <ngraves <at> ngraves.fr> skribis:

>>> On 2024-11-29 13:51, Ludovic Courtès wrote:
>>>
>>>> Nicolas Graves <ngraves <at> ngraves.fr> skribis:
>>>>
>>>>
>>>> ‘sexp-v1->vulnerability’ has yet to be written, if I’m not mistaken.
>>>>
>>>> (Perhaps I wasn’t clear: you need to implement this procedure such that,
>>>> when reading v1 data from ~/.cache, you still get valid <vulnerability>
>>>> records.)
>
> Is that actually necessary ?  Since the vulnerability-packages field is
> an sexp, vulnerability->sexp would be the same for v1 and v2.
>
> Seems like the place to handle this is rather the second match in the
> vulnerabilities->lookup-proc procedure, that should have a second case
> match (the previous one from version history most probably) that is
> accounting for the v1.
>
> WDYT?

What I’m suggesting here is a pattern commonly used in Guix where:

  1. There’s only one in-memory representation.

  2. There may be several on-disk representations, but we convert them
     once for all when reading them.

You can find this pattern in manifests, for instance with
‘sexp->manifest’.

That’s why I’m suggesting that ‘vulnerability->sexp’ converts to the
right in-memory representation when it’s reading a v1 sexp.

Does that make sense?

Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.