GNU bug report logs - #74034
[PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.


Package: guix-patches

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Sat, 26 Oct 2024 22:31:02 UTC

Severity: normal

Tags: patch

Done: Nicolas Graves <ngraves <at> ngraves.fr>

Bug is archived. No further changes may be made.


From: Nicolas Graves <ngraves <at> ngraves.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 74034 <at> debbugs.gnu.org
Subject: [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
Date: Thu, 09 Jan 2025 15:06:11 +0100

On 2025-01-09 14:48, Ludovic Courtès wrote:

> Hi,
>
>>
>> Is that actually necessary?  Since the vulnerability-packages field is
>> an sexp, vulnerability->sexp would be the same for v1 and v2.
>>
>> Seems like the place to handle this is rather the second match in the
>> vulnerabilities->lookup-proc procedure, that should have a second case
>> match (the previous one from version history most probably) that is
>> accounting for the v1.
>>
>> WDYT?
>
> What I’m suggesting here is a pattern commonly used in Guix where:
>
>   1. There’s only one in-memory representation.
>
>   2. There may be several on-disk representations, but we convert them
>      once for all when reading them.
>
> You can find this pattern in manifests, for instance with
> ‘sexp->manifest’.
>
> That’s why I’m suggesting that ‘vulnerability->sexp’ converts to the
> right in-memory representation when it’s reading a v1 sexp.
>
> Does that make sense?

So convert v1-sexp to v2-sexp before passing it further?  The issue is
that we don't necessarily have the vendor in v1 to be able to convert it
to v2.  There are some cases where there's no vendor (don't remember if
it's #f or 'none or something else), I can put that value by default.

-- 
Best regards,
Nicolas Graves
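
The read-time conversion discussed in this message, sketched as an added example; it is not code from Guix or from this patch series. The record type, procedure names and both on-disk layouts are hypothetical, and using `#f` as the "no vendor recorded" value, as well as treating it as matching any vendor, are assumptions.

```scheme
;; Added example; all names and both on-disk layouts are hypothetical.
(use-modules (ice-9 match)
             (srfi srfi-9))

;; The single in-memory representation.
(define-record-type <vuln>
  (make-vuln id packages)
  vuln?
  (id       vuln-id)
  (packages vuln-packages))   ;list of (VENDOR NAME VERSION ...)

(define %unknown-vendor #f)   ;assumed placeholder for "no vendor recorded"

(define (v1-package->v2 package)
  ;; v1 entry: (NAME VERSION ...).  No vendor was stored, so none can be
  ;; recovered; the placeholder is filled in instead.
  (match package
    ((name versions ...)
     `(,%unknown-vendor ,name ,@versions))))

(define (sexp->vuln sexp)
  "Read one on-disk entry of either version into a <vuln>."
  (match sexp
    (('v2 id packages)
     (make-vuln id packages))
    (('v1 id packages)
     (make-vuln id (map v1-package->v2 packages)))
    (_
     (error "unsupported vulnerability entry" sexp))))

(define (vendor-matches? package vendor)
  ;; Lookup code only ever sees the v2 shape.  Assumption: an unknown vendor
  ;; matches any vendor, so converted v1 data is never silently filtered out.
  (match package
    ((entry-vendor _ ...)
     (or (not entry-vendor) (equal? entry-vendor vendor)))))

;; Constructed sample entries, one per on-disk version.
(define old-entry (sexp->vuln '(v1 "CVE-0000-0001" (("foo" "1.0" "1.1")))))
(define new-entry (sexp->vuln '(v2 "CVE-0000-0002" (("acme" "foo" "1.2")))))

(for-each (lambda (vuln)
            (format #t "~a ~s matches vendor \"other\": ~a~%"
                    (vuln-id vuln) (vuln-packages vuln)
                    (vendor-matches? (car (vuln-packages vuln)) "other")))
          (list old-entry new-entry))
```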




This bug report was last modified 131 days ago.
