supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-security
cole-h has joined #nixos-security
kalbasit_ has joined #nixos-security
kalbasit_ has quit [Ping timeout: 240 seconds]
facez[m] has joined #nixos-security
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-security
facez[m] has left #nixos-security ["User left"]
cole-h has quit [Ping timeout: 264 seconds]
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-security
justanotheruser has quit [Ping timeout: 272 seconds]
<andi->
Just ask every software project to create a UUID to identify it + each version? (only have joking)
<andi->
*half
<bennofs>
andi-: isn't that basically what CPE is?
<andi->
well it doesn't support wildcards.
<andi->
it is one string, fixed length
<andi->
if you want to match it: provide the uuid.
<bennofs>
ah hmm, so you won't have "match any version"?
<bennofs>
CPE has a bit of enterprisey overengineering to it though, I agree (and I haven't used it enough to tell how much of a problem that is)
<andi->
CPE is great if you want to know which hardware of a vendor has a problem, what issues are in Windows 10 etc., but for F/OSS it doesn't map that great
<bennofs>
I assume the problem is that the definition of a vendor and product is somewhat difficult in F/OSS?
<andi->
Yeah, I've seen issues filed under a distro, a company or some github username...
<andi->
which basically led me to ignoring the "vendor" field. Opening up false-positives due to very generic package names.
<Foxboron>
andi-: if you ignore the vendor field the product name for the linux kernel is "linux_kernel". It gets fairly hard to parse it in a sane fashion :p
<andi->
I used to have some special casing around the kernel exactly because of that
<andi->
but that is also the issue we are seeing here. How would you file a CVE against some linux-firmware version?
<andi->
Vendor linux:firmware?
<Foxboron>
The test code I wrote for Arch actually compares the vendor and product info towards valid package names AND known possible prefixes of packages. It's... uh.... it's not really great.
<Foxboron>
But I think we have looked at SWID for this as well in the openssf wg. It sounds like a better format. But I don't know who uses it for this yet
<andi->
It has to come from the upstream developers. They must define a unique id for their projects otherwise we will end up in the same mess all over again. Something like SPDX but for software projects and not licenses.
<bennofs>
but it seems that no matter if you use CPEs or SWIDs or UUIDs, you need upstream to specify an ID
<bennofs>
could just as well have upstream just state their preferred CPE
<andi->
It is very often the case that someone hacks on something for a while and then suddenly someone else drops a CVE on them
<bennofs>
or will someone be mad at you if you just pick some arbitrary CPE that you feel is right as an open source project and state it in your README?
bennofs has joined #nixos-security
bennofs has quit [Client Quit]
bennofs has joined #nixos-security
cole-h has joined #nixos-security
cole-h has quit [Ping timeout: 264 seconds]
Raito_Bezarius has joined #nixos-security
lassulus_ has joined #nixos-security
kalbasit_ has joined #nixos-security
lassulus_ is now known as lassulus
kalbasit_ has quit [Ping timeout: 260 seconds]
rajivr has quit [Quit: Connection closed for inactivity]
lassulus_ has joined #nixos-security
lassulus has quit [Ping timeout: 240 seconds]
lassulus_ is now known as lassulus
kalbasit_ has joined #nixos-security
kalbasit_ has quit [Ping timeout: 256 seconds]
kalbasit_ has joined #nixos-security
kalbasit_ has quit [Ping timeout: 246 seconds]
bennofs has quit [Remote host closed the connection]
bennofs has joined #nixos-security
kalbasit__ has joined #nixos-security
WilliButz has joined #nixos-security
kalbasit__ has quit [Ping timeout: 240 seconds]
WilliButz has quit [Remote host closed the connection]