Re: git: a90e961f4d19 - main - */*: Avoid extra CPE_VENDOR=kde by properly sorting USES
Date: Tue, 12 Oct 2021 11:04:38 UTC
On 11.10.21 at 21:43, Bernhard Fröhlich wrote:
[...]
> Doesn't matter much since CPE data is a moving target anyway. To handle that I
> created chkcpe [1] which automatically analyzes the portstree once a day and
> verifies the CPE data it finds.
>
> In this particular case it will detect an invalid CPE vendor/product and will
> list the port under "invalid". There are similar cases like port rename,
> "repocopy" etc. which can also easily lead to invalid CPE data.
>
> [1] https://github.com/decke/chkcpe

Hi Bernhard,

interesting service, has it ever been announced to port maintainers?

One question: what am I supposed to do with ports that are in the "checkneeded" list with wrong information, but do not have a CPE database entry (and probably won't ever get one)?

Specifically: I just checked for entries matching ports I maintain, and there are 2 in the "checkneeded" category, both with wrong CPE information.

The ports in question are math/gh-bc and deskutils/calendar, and neither of them is in the CPE dictionary and I'm not supposed to make entries up.

The entry suggested for gh-bc is:

cpe:2.3:a:gnu:bc:*:*:*:*:*:*:*:*

which is wrong. This project has no connection to GNU.

The calendar port is a slightly modified version of the calendar program in FreeBSD-CURRENT for use with older -STABLE releases that lack quite a number of features of the new version.

Neither the wiki nor any other information I found seems to offer any help for this case.

Is it possible to mark a port as: "ignore with regard to CPE"?

How do products get added to the CPE database (should be possible for gh-bc, which is available for a lot of operating systems)?

And how do we deal with base system components that have been converted to a port or have been made available as a port in addition to being present in some base system release?

Regards, STefan