| 1 |
Sebastian Pipping wrote: |
| 2 |
> Petteri Räty wrote: |
| 3 |
>> Sebastian Pipping wrote: |
| 4 |
>>> To count into the same bucket we use global identifiers for the |
| 5 |
>>> "products" that fall out of a package. Gentoo package "dev-util/git" |
| 6 |
>>> can produce product "cpe://a:git:git", Debian's "git-core" can, too. |
| 7 |
>>> That string before is a CPE URI [1], a concept close to package naming |
| 8 |
>>> in Java. This "intermediate language" allows us to relate package names |
| 9 |
>>> from distro X with those of distro Y and answer various questions from |
| 10 |
>>> that data. |
| 11 |
>>> |
| 12 |
>>> To do such mapping we need code (or a "service") that does the mapping |
| 13 |
>>> for us and base of collected data that the service can operate on. Both |
| 14 |
>>> of these is project "PackageMap" |
| 15 |
>> Instead of manually populating a database wouldn't it make more sense to |
| 16 |
>> parse this information from package metadata.xml? |
| 17 |
> |
| 18 |
> Which information exactly? Please elaborate on that. |
| 19 |
> |
| 20 |
> Sebastian |
| 21 |
> |
| 22 |
|
| 23 |
I mean making metadata.xml the authoritative source for mapping CPE to |
| 24 |
Gentoo packages. I don't want to see the situation when adding new |
| 25 |
packages to the tree would need some mapping being done in an external |
| 26 |
web service. We should of course try to provide as much automation as |
| 27 |
possible for creating the value for metadata.xml. |
| 28 |
|
| 29 |
Regards, |
| 30 |
Petteri |
Archives