diff mbox series

[1/1] package/wine: add WINE_CPE_ID_VENDOR

Message ID 20210126211539.2497979-1-fontaine.fabrice@gmail.com
State Accepted
Headers show
Series [1/1] package/wine: add WINE_CPE_ID_VENDOR | expand

Commit Message

Fabrice Fontaine Jan. 26, 2021, 9:15 p.m. UTC
cpe:2.3:a:winehq:wine is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Awinehq%3Awine

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/wine/wine.mk | 1 +
 1 file changed, 1 insertion(+)

Comments

André Hentschel Jan. 27, 2021, 6:04 p.m. UTC | #1
Am 26.01.21 um 22:15 schrieb Fabrice Fontaine:
> cpe:2.3:a:winehq:wine is a valid CPE identifier for this package:
> 
>   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Awinehq%3Awine
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/wine/wine.mk | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/package/wine/wine.mk b/package/wine/wine.mk
> index 7eafe9b06d..80c9d20d3d 100644
> --- a/package/wine/wine.mk
> +++ b/package/wine/wine.mk
> @@ -9,6 +9,7 @@ WINE_SOURCE = wine-$(WINE_VERSION).tar.xz
>  WINE_SITE = https://dl.winehq.org/wine/source/5.x
>  WINE_LICENSE = LGPL-2.1+
>  WINE_LICENSE_FILES = COPYING.LIB LICENSE
> +WINE_CPE_ID_VENDOR = winehq
>  WINE_DEPENDENCIES = host-bison host-flex host-wine
>  HOST_WINE_DEPENDENCIES = host-bison host-flex
>  
> 

Acked-by: André Hentschel <nerv@dawncrow.de>
Yann E. MORIN Jan. 28, 2021, 4:58 p.m. UTC | #2
Fabrice, All,

On 2021-01-26 22:15 +0100, Fabrice Fontaine spake thusly:
> cpe:2.3:a:winehq:wine is a valid CPE identifier for this package:
> 
>   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Awinehq%3Awine
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

However, the last CVE against wine was against version 3.13, while we're
already using 5.12, and 6.0 is already out...

Regards,
Yann E. MORIN.

> ---
>  package/wine/wine.mk | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/package/wine/wine.mk b/package/wine/wine.mk
> index 7eafe9b06d..80c9d20d3d 100644
> --- a/package/wine/wine.mk
> +++ b/package/wine/wine.mk
> @@ -9,6 +9,7 @@ WINE_SOURCE = wine-$(WINE_VERSION).tar.xz
>  WINE_SITE = https://dl.winehq.org/wine/source/5.x
>  WINE_LICENSE = LGPL-2.1+
>  WINE_LICENSE_FILES = COPYING.LIB LICENSE
> +WINE_CPE_ID_VENDOR = winehq
>  WINE_DEPENDENCIES = host-bison host-flex host-wine
>  HOST_WINE_DEPENDENCIES = host-bison host-flex
>  
> -- 
> 2.29.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
Fabrice Fontaine Jan. 28, 2021, 5:07 p.m. UTC | #3
Le jeu. 28 janv. 2021 à 17:58, Yann E. MORIN <yann.morin.1998@free.fr> a écrit :
>
> Fabrice, All,
>
> On 2021-01-26 22:15 +0100, Fabrice Fontaine spake thusly:
> > cpe:2.3:a:winehq:wine is a valid CPE identifier for this package:
> >
> >   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Awinehq%3Awine
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> Applied to master, thanks.
>
> However, the last CVE against wine was against version 3.13, while we're
> already using 5.12, and 6.0 is already out...
Indeed, but I'm not really motivated to send hundreds of requests to
update the NVD ...
Updating release-monitoring.org is easy and useful for every
opensource projects, updating the version in the NVD (when there is no
CVEs associated to this version) seems complicated and not very
useful.
But that's just my feeling, if someone wants to do it, fine.
>
> Regards,
> Yann E. MORIN.
>
> > ---
> >  package/wine/wine.mk | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/package/wine/wine.mk b/package/wine/wine.mk
> > index 7eafe9b06d..80c9d20d3d 100644
> > --- a/package/wine/wine.mk
> > +++ b/package/wine/wine.mk
> > @@ -9,6 +9,7 @@ WINE_SOURCE = wine-$(WINE_VERSION).tar.xz
> >  WINE_SITE = https://dl.winehq.org/wine/source/5.x
> >  WINE_LICENSE = LGPL-2.1+
> >  WINE_LICENSE_FILES = COPYING.LIB LICENSE
> > +WINE_CPE_ID_VENDOR = winehq
> >  WINE_DEPENDENCIES = host-bison host-flex host-wine
> >  HOST_WINE_DEPENDENCIES = host-bison host-flex
> >
> > --
> > 2.29.2
> >
> > _______________________________________________
> > buildroot mailing list
> > buildroot@busybox.net
> > http://lists.busybox.net/mailman/listinfo/buildroot
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'
Best Regards,

Fabrice
Yann E. MORIN Jan. 28, 2021, 5:34 p.m. UTC | #4
Fabrice, All,

On 2021-01-28 18:07 +0100, Fabrice Fontaine spake thusly:
> Le jeu. 28 janv. 2021 à 17:58, Yann E. MORIN <yann.morin.1998@free.fr> a écrit :
> >
> > Fabrice, All,
> >
> > On 2021-01-26 22:15 +0100, Fabrice Fontaine spake thusly:
> > > cpe:2.3:a:winehq:wine is a valid CPE identifier for this package:
> > >
> > >   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Awinehq%3Awine
> > >
> > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> >
> > Applied to master, thanks.
> >
> > However, the last CVE against wine was against version 3.13, while we're
> > already using 5.12, and 6.0 is already out...
> Indeed, but I'm not really motivated to send hundreds of requests to
> update the NVD ...
> Updating release-monitoring.org is easy and useful for every
> opensource projects, updating the version in the NVD (when there is no
> CVEs associated to this version) seems complicated and not very
> useful.

Oh, no worries! I was just surprised not to see any CVE reported against
versions more recent than 3.13...

Regards,
Yann E. MORIN.

> But that's just my feeling, if someone wants to do it, fine.
> >
> > Regards,
> > Yann E. MORIN.
> >
> > > ---
> > >  package/wine/wine.mk | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/package/wine/wine.mk b/package/wine/wine.mk
> > > index 7eafe9b06d..80c9d20d3d 100644
> > > --- a/package/wine/wine.mk
> > > +++ b/package/wine/wine.mk
> > > @@ -9,6 +9,7 @@ WINE_SOURCE = wine-$(WINE_VERSION).tar.xz
> > >  WINE_SITE = https://dl.winehq.org/wine/source/5.x
> > >  WINE_LICENSE = LGPL-2.1+
> > >  WINE_LICENSE_FILES = COPYING.LIB LICENSE
> > > +WINE_CPE_ID_VENDOR = winehq
> > >  WINE_DEPENDENCIES = host-bison host-flex host-wine
> > >  HOST_WINE_DEPENDENCIES = host-bison host-flex
> > >
> > > --
> > > 2.29.2
> > >
> > > _______________________________________________
> > > buildroot mailing list
> > > buildroot@busybox.net
> > > http://lists.busybox.net/mailman/listinfo/buildroot
> >
> > --
> > .-----------------.--------------------.------------------.--------------------.
> > |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> > | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> > | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> > '------------------------------^-------^------------------^--------------------'
> Best Regards,
> 
> Fabrice
Fabrice Fontaine Jan. 28, 2021, 5:46 p.m. UTC | #5
Le jeu. 28 janv. 2021 à 18:34, Yann E. MORIN <yann.morin.1998@free.fr> a écrit :
>
> Fabrice, All,
>
> On 2021-01-28 18:07 +0100, Fabrice Fontaine spake thusly:
> > Le jeu. 28 janv. 2021 à 17:58, Yann E. MORIN <yann.morin.1998@free.fr> a écrit :
> > >
> > > Fabrice, All,
> > >
> > > On 2021-01-26 22:15 +0100, Fabrice Fontaine spake thusly:
> > > > cpe:2.3:a:winehq:wine is a valid CPE identifier for this package:
> > > >
> > > >   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Awinehq%3Awine
> > > >
> > > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > >
> > > Applied to master, thanks.
> > >
> > > However, the last CVE against wine was against version 3.13, while we're
> > > already using 5.12, and 6.0 is already out...
> > Indeed, but I'm not really motivated to send hundreds of requests to
> > update the NVD ...
> > Updating release-monitoring.org is easy and useful for every
> > opensource projects, updating the version in the NVD (when there is no
> > CVEs associated to this version) seems complicated and not very
> > useful.
>
> Oh, no worries! I was just surprised not to see any CVE reported against
> versions more recent than 3.13...
wine 3.13 is not "so" old, it was published in July 2018. I don't know
if there have been any public security issues since that time.
NIST should use release-monitoring.org to track their versions because
a lot of CPEs seem a bit "outdated".
>
> Regards,
> Yann E. MORIN.
>
> > But that's just my feeling, if someone wants to do it, fine.
> > >
> > > Regards,
> > > Yann E. MORIN.
> > >
> > > > ---
> > > >  package/wine/wine.mk | 1 +
> > > >  1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/package/wine/wine.mk b/package/wine/wine.mk
> > > > index 7eafe9b06d..80c9d20d3d 100644
> > > > --- a/package/wine/wine.mk
> > > > +++ b/package/wine/wine.mk
> > > > @@ -9,6 +9,7 @@ WINE_SOURCE = wine-$(WINE_VERSION).tar.xz
> > > >  WINE_SITE = https://dl.winehq.org/wine/source/5.x
> > > >  WINE_LICENSE = LGPL-2.1+
> > > >  WINE_LICENSE_FILES = COPYING.LIB LICENSE
> > > > +WINE_CPE_ID_VENDOR = winehq
> > > >  WINE_DEPENDENCIES = host-bison host-flex host-wine
> > > >  HOST_WINE_DEPENDENCIES = host-bison host-flex
> > > >
> > > > --
> > > > 2.29.2
> > > >
> > > > _______________________________________________
> > > > buildroot mailing list
> > > > buildroot@busybox.net
> > > > http://lists.busybox.net/mailman/listinfo/buildroot
> > >
> > > --
> > > .-----------------.--------------------.------------------.--------------------.
> > > |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> > > | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> > > | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> > > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> > > '------------------------------^-------^------------------^--------------------'
> > Best Regards,
> >
> > Fabrice
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'
Best Regards,

Fabrice
diff mbox series

Patch

diff --git a/package/wine/wine.mk b/package/wine/wine.mk
index 7eafe9b06d..80c9d20d3d 100644
--- a/package/wine/wine.mk
+++ b/package/wine/wine.mk
@@ -9,6 +9,7 @@  WINE_SOURCE = wine-$(WINE_VERSION).tar.xz
 WINE_SITE = https://dl.winehq.org/wine/source/5.x
 WINE_LICENSE = LGPL-2.1+
 WINE_LICENSE_FILES = COPYING.LIB LICENSE
+WINE_CPE_ID_VENDOR = winehq
 WINE_DEPENDENCIES = host-bison host-flex host-wine
 HOST_WINE_DEPENDENCIES = host-bison host-flex