Where should hardware architecture reside? Edition?

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Where should hardware architecture reside? Edition?

shanford
Is the "edition" component the appropriate location for hardware
architecture? For example:
cpe:/o:redhat:enterprise_linux:2.1::ia64-as

This specifies architecture and edition in conjunction; I believe it might
be beneficial to separate the edition components (enterprise_linux:::as)
from the architecture (enterprise_linux:::::ia64) so that each could be used
as a qualifier for affected software independent of the other (e.g.
Vulnerabilities affecting all AS products, or flaws specific to the ia64
architecture across all editions)

FreeNAS uses edition for architecture exclusively:
cpe:/o:freenas:freenas:0.69.1:-:amd64

Thanks,
Seth Hanford
Cisco IntelliShield
Reply | Threaded
Open this post in threaded view
|

Re: Where should hardware architecture reside? Edition?

Mark J Cox-2
> cpe:/o:redhat:enterprise_linux:2.1::ia64-as

So that one is an exception for us.  In general we have no distinction for
architecture, even if an issue affects say only s390 kernel we'll also
update the x86_64 kernel package at the same time: there is no need to
distinguish between architectures on our CPE names.

However, for the specific case of Red Hat Enterprise Linux 2.1, the
i386-as and ia64-as variants had a package or two, including the kernel,
which were completely different versions, hence the need to distinguish
between them.  But RHEL 2.1 is end of life, so that exception has mostly
gone away.

Mark
Reply | Threaded
Open this post in threaded view
|

Re: Where should hardware architecture reside? Edition?

shanford
Thanks, Mark.  

But outside of that specific example, for example the FreeNAS case, is
Edition the right component to store architecture, or should that have its
own component?

A hypothetical vulnerability affecting Rosetta Stone (used by Intel Macs to
run PPC legacy code) for workstations but not servers could affect Mac OS X
non-server editions for non-PPC architectures.

- Seth

On 4/22/10 7:20 PM, "Mark J Cox" <[hidden email]> wrote:

>> cpe:/o:redhat:enterprise_linux:2.1::ia64-as
>
> So that one is an exception for us.  In general we have no distinction for
> architecture, even if an issue affects say only s390 kernel we'll also
> update the x86_64 kernel package at the same time: there is no need to
> distinguish between architectures on our CPE names.
>
> However, for the specific case of Red Hat Enterprise Linux 2.1, the
> i386-as and ia64-as variants had a package or two, including the kernel,
> which were completely different versions, hence the need to distinguish
> between them.  But RHEL 2.1 is end of life, so that exception has mostly
> gone away.
>
> Mark