Date: Mon, 12 May 2025 16:21:13 +1000
Message-ID: <1b98ae6a-d0b0-496d-a32a-3202f41244dd@heuristicsystems.com.au>
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Subject: Re: CPE as a consistent element of pkg annotations
From: Dewayne Geraghty
To: Dag-Erling Smørgrav
Cc: questions@freebsd.org
In-Reply-To: <86msbis8e2.fsf@ltc.des.dev>

On 12/05/2025 3:30 pm, Dag-Erling Smørgrav wrote:
> Dewayne Geraghty writes:
>> I don't recall the argument for adding a CPE (Common Platform
>> Enumeration) into USES for port building, nor why it's inserted into
>> the annotation section when using "pkg info". Though on a lightly
>> configured machine, only 107 of the 265 ports actually had a CPE entry
>> in annotations.
>
> It gets added when a CVE has actually been issued.
>
>> So I wondered, if it's important then shouldn't it be mandatory?
>
> No, because we can't just make up CPEs.
>

I suspect you're conflating CPE with a CVE. The CPE is a construct
defined in the /usr/ports/Mk/Uses/cpe.mk file. It takes as input
standard fields from the port's Makefile, such as PORTNAME, PORTVERSION,
PORTREVISION etc.

>> Is there a reason that inclusion of a cpe being available, is
>> determined by the port maintainer?
>
> Because the port maintainer needs to make sure it is correct.
>

The contribution by the port maintainer is to ensure that the elements
required for the CPE record are current, like PORTVERSION, PORTREVISION
etc. Where the details are not included in the Makefile they have
defaults.

>> Interestingly, after reviewing
>> https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
>> it's noteworthy that the ports team uses the "Other" field (described
>> in section 5.3.3.11) within the CPE structure for the port revision,
>> rather than the "Update" (refer 5.3.3.5) field, as given as an example
>> in the pdf.
>
> The port revision and epoch are specific to the FreeBSD ports system.
> The update field is intended for a patch level or such chosen by the
> original author of the software.

Yes - the update field should be a patch level. Is it really by the
original author or the maintainer? I suspect your familiarity with the
standard is as current as needed.

>
>> So using tmux as an example, the CPE would be
>> cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:
>> enabling the other field to be used for something else.
>
> That would be incorrect.
>
>> The question of why the "language" field isn't populated, is for
>> another day...
>
> You understand that we don't get to just make shit up, right?
>
> DES

Yes, thank you DES, I did read the standard before writing the email.
You're involved in a great many areas of FreeBSD and I appreciate the
work that you do. Perhaps the PR that I've referenced will help refresh
familiarity with the matter.

For your convenience:
The CPE v2.3 standard is available at
https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
The "language" field references https://www.rfc-editor.org/rfc/rfc5646.txt

Kind regards, Dewayne
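An added illustration (example code, not from this thread, from cpe.mk, or from the standard): a Python parser for CPE 2.3 formatted strings that names the eleven attributes, so the tmux string quoted above can be inspected field by field and the "other" attribute read as the port revision. The second input in the demo is constructed, not real cpe.mk output; the escape handling, the '*'/'-' treatment and the acceptance of empty components are my reading of NISTIR 7695, not something the thread asserts.

```python
# Attribute order after the "cpe:2.3:" prefix (NISTIR 7695, section 5.3.3).
CPE_ATTRIBUTES = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)

def split_components(fs: str) -> list[str]:
    """Split on ':' but keep an escaped '\\:' inside a value intact."""
    parts, current, i = [], [], 0
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):
            current.append(fs[i:i + 2])  # copy the escape pair verbatim
            i += 2
            continue
        if ch == ":":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts

def parse_cpe23(fs: str) -> dict[str, str]:
    """Return {attribute: value}. '*' is ANY and '-' is NA per the spec; an
    empty component (as in the pkg annotation quoted above) comes back as ''."""
    comps = split_components(fs)
    if len(comps) != 13 or comps[0] != "cpe" or comps[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    attrs = dict(zip(CPE_ATTRIBUTES, comps[2:]))
    if attrs["part"] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"invalid part {attrs['part']!r}")
    return attrs

def port_revision(attrs: dict[str, str]) -> str:
    """Read the FreeBSD port revision from 'other', where the thread says the
    ports convention places it rather than in 'update'; '' if unset/ANY/NA."""
    return "" if attrs["other"] in ("*", "-") else attrs["other"]

if __name__ == "__main__":
    # First: the tmux example quoted in the thread. Second: a constructed
    # illustration (not real cpe.mk output) with the port revision in 'other'.
    for fs in ("cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:",
               "cpe:2.3:a:tmux_project:tmux:3.3a:*:*:*:*:freebsd13:x64:1"):
        a = parse_cpe23(fs)
        print(a["product"], a["version"], "update:", a["update"],
              "other:", a["other"], "port_revision:", port_revision(a))
```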