FS#42002 - [filesystem] CPE_NAME in /etc/os-release

Attached to Project: Arch Linux
Opened by Andreas Baumann (andreas_baumann) - Wednesday, 17 September 2014, 15:16 GMT
Last edited by Dave Reisner (falconindy) - Thursday, 25 September 2014, 00:27 GMT
Task Type: Feature Request
Category: Packages: Core
Status: Closed
Assigned To: Dave Reisner (falconindy), Tom Gundersen (tomegun)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

Distros start to have a CPE_NAME field in
/etc/os-release like:

CPE_NAME="cpe:/o:centos:centos:7"

I wondered whether this would be a good idea
for ArchLinux too.

Peeking at the official CPE dictionary 2.3
(official-cpe-dictionary_v2.3.xml) I can't
see that an entry has already been registered
for Arch.

I also wondered how to name it, a possibility
would be:

CPE_NAME="cpe:/o:archlinux:archlinux:20140917"

The tricky part would be to define what version
should be in this case. For sure it should not
be updated to the current date when you do an
update. Maybe the last installation medium
snapshot date is an option?

Closed by Dave Reisner (falconindy)
Thursday, 25 September 2014, 00:27 GMT
Reason for closing: Won't implement
Additional comments about closing: Doesn't really seem useful for a rolling release.

Comment by Dave Reisner (falconindy) - Wednesday, 17 September 2014, 20:42 GMT
This seems pretty useless, especially given that we can never provide anything close to a meaningful "version".

What reads this? What benefit is there to adding this?

Comment by Andreas Baumann (andreas_baumann) - Thursday, 18 September 2014, 07:02 GMT
An application I know of is CVEs used as references in security reports, for example:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0002

So the operating system and the software affected can be referenced and be checked
by security software.

Concerning versioning, I can think that

CPE_NAME="cpe:/o:archlinux:archlinux:20140903:20140918"

is quite reasonable, as the Archlinux ISO is labelled as having

"Current Release: 2014.09.03"

The CPE update field would be the last update using pacman. But this
is, I think, optional, so

CPE_NAME="cpe:/o:archlinux:archlinux:20140903"

is also fine.

The question whether this is usable is a fair one: is ArchLinux going to hit
servers and companies with such security policies in place?

Comment by Daniel Micay (thestinger) - Thursday, 18 September 2014, 07:42 GMT
The only sensible value to use for an Arch version is a constant string like 'current' or 'testing' referring to the implicit release channel. The release date of the last official installation media snapshot isn't relevant. The update field can't be tied to the date of the last upgrade, because that's local information not tied to a specific set of package versions. It would need to be the date of the last package update in the official repositories for that release channel.

CPE_NAME="cpe:/o:archlinux:archlinux:current"
CPE_NAME="cpe:/o:archlinux:archlinux:current:2014-09-18T06:25Z"

It would need to be registered though, and I can't see a good reason to bother with it. What is actually going to read the string, and what value does it actually add? It couldn't narrow down the scope of vulnerabilities because the release version never changes.
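
How a consumer would read the CPE_NAME values discussed in this task, as an added example that was not posted by any commenter and is not Arch or CentOS code: it parses os-release text, splits the CPE 2.2 URI into its components, and applies a simple component-equality match. The function names, the matching rule (a component the advisory leaves empty matches anything) and the os-release samples are assumptions constructed for this example.

```python
from urllib.parse import unquote

# CPE 2.2 URI components, in order, after the "cpe:/" prefix.
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def read_os_release(text):
    """Return os-release KEY=VALUE pairs as a dict, stripping surrounding quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        fields[key] = value
    return fields

def parse_cpe22(uri):
    """Split a CPE 2.2 URI on ':' into its named components (missing ones are '')."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE22_FIELDS):
        raise ValueError("too many components: %r" % uri)
    parts += [""] * (len(CPE22_FIELDS) - len(parts))
    return {name: unquote(value) for name, value in zip(CPE22_FIELDS, parts)}

def applies_to(advisory_uri, host_uri):
    """True if every component the advisory specifies equals the host's component."""
    advisory, host = parse_cpe22(advisory_uri), parse_cpe22(host_uri)
    return all(not advisory[f] or advisory[f] == host[f] for f in CPE22_FIELDS)

# Constructed os-release samples using CPE_NAME values quoted in this thread.
CENTOS = 'NAME="CentOS Linux"\nCPE_NAME="cpe:/o:centos:centos:7"\n'
ARCH_CURRENT = 'NAME="Arch Linux"\nCPE_NAME="cpe:/o:archlinux:archlinux:current"\n'
ARCH_STAMPED = 'CPE_NAME="cpe:/o:archlinux:archlinux:current:2014-09-18T06:25Z"\n'

if __name__ == "__main__":
    for sample in (CENTOS, ARCH_CURRENT, ARCH_STAMPED):
        cpe = read_os_release(sample)["CPE_NAME"]
        print(cpe, "->", parse_cpe22(cpe))
    # A constant version matches every Arch host, whatever packages it has installed.
    print(applies_to("cpe:/o:archlinux:archlinux:current",
                     read_os_release(ARCH_CURRENT)["CPE_NAME"]))
```

Because the URI is split on ':', the colon inside the timestamp puts `25Z` into the edition component; a literal colon inside a component has to be percent-encoded as `%3a`.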
