Re: CPE information for Fedora packages useful?

Hi Silvio! On Mon, 31 Jan 2011 19:21:39 +1100 Silvio Cesare wrote: We currently do not use CPE names for security tracking in Fedora, so I don't see an obvious benefit maintaining such list. Can you explain briefly how you use it for Debian security tracking and what benefits it brings? It's not that uncommon to see new packages added to Fedora repositories even after the release of some Fedora version. I played a little more with this list and noticed few problems: - quite a few Debian packages map to Fedora arptools or binclock. Probably packages with not much sources, where other file (license, configure) confuse your tool to match unrelated packages - there does not seem to be a good way to list cases where multiple components contain the same sources. In Fedora, mingw32-* packages are a good example, and the list often maps Debian package foo to Fedora package mingw32-foo, while there is Fedora package foo that should be similarly good match. Another example is zlib:arm-gp2x-linux-zlib. Did you review "unexpected matches" to see if the sources are really similar, and how the match is picked when there are multiple "good candidates"? -- Tomas Hoger / Red Hat Security Response Team