[1/1] os-release: Add CPE_NAME

Its time we add the CPE_NAME to os-release.

The vendor field is hardcoded to "openembedded" as it is the base
framework. We will use "DISTRO" to identify which variation of
openembedded is being used.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-core/os-release/os-release.bb | 8 ++++++++
 1 file changed, 8 insertions(+)

On Wed, 2023-05-03 at 07:19 -0400, Armin Kuster wrote:
> Its time we add the CPE_NAME to os-release.
> 
> The vendor field is hardcoded to "openembedded" as it is the base
> framework. We will use "DISTRO" to identify which variation of
> openembedded is being used.
> 
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
>  meta/recipes-core/os-release/os-release.bb | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb
> index 860ee97224..aa37dec7c7 100644
> --- a/meta/recipes-core/os-release/os-release.bb
> +++ b/meta/recipes-core/os-release/os-release.bb
> @@ -16,6 +16,7 @@ do_configure[noexec] = "1"
>  #                     HOME_URL SUPPORT_URL BUG_REPORT_URL
>  OS_RELEASE_FIELDS = "\
>      ID ID_LIKE NAME VERSION VERSION_ID VERSION_CODENAME PRETTY_NAME \
> +    CPE_NAME \
>  "
>  OS_RELEASE_UNQUOTED_FIELDS = "ID VERSION_ID VARIANT_ID"
>  
> @@ -25,6 +26,13 @@ VERSION = "${DISTRO_VERSION}${@' (%s)' % DISTRO_CODENAME if 'DISTRO_CODENAME' in
>  VERSION_ID = "${DISTRO_VERSION}"
>  VERSION_CODENAME = "${DISTRO_CODENAME}"
>  PRETTY_NAME = "${DISTRO_NAME} ${VERSION}"
> +
> +# The vendor field is hardcoded to "openembedded" as it is the base
> +# framework for all derivatives Distos.
> +# We use "DISTRO" to identify which variation of openembedded core 
> +# is being used. 
> +CPE_NAME="cpe:/o:openembedded:${DISTRO}:${VERSION_ID}"
> +
>  BUILD_ID ?= "${DATETIME}"
>  BUILD_ID[vardepsexclude] = "DATETIME"
>  

I know a bit more about the context of this and I don't think it is
clear in the above comment. I'd like to suggest something a little
stronger, how about:

"""
The vendor field is hardcoded to "openembedded" deliberately. We'd
advise developers leave it as this value to clearly identify the
underlying build environment from which the OS was constructed. We
understand people will want to identify themselves as the people who
built the image, we'd suggest using the DISTRO element to do this, so
that is customisable.
This end result combines to mean systems can be traced back to both who
built them and which system was used, which is ultimately the goal of
the CPE.
"""

Perhaps we'd also want to do:

CPE_DISTRO ??= "${DISTRO}"
CPE_NAME="cpe:/o:openembedded:${CPE_DISTRO}:${VERSION_ID}"

to make it clear we're suggesting which bit be customised?

Cheers,

Richard

On 5/3/23 7:44 AM, Richard Purdie wrote:
> On Wed, 2023-05-03 at 07:19 -0400, Armin Kuster wrote:
>> Its time we add the CPE_NAME to os-release.
>>
>> The vendor field is hardcoded to "openembedded" as it is the base
>> framework. We will use "DISTRO" to identify which variation of
>> openembedded is being used.
>>
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ---
>>   meta/recipes-core/os-release/os-release.bb | 8 ++++++++
>>   1 file changed, 8 insertions(+)
>>
>> diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb
>> index 860ee97224..aa37dec7c7 100644
>> --- a/meta/recipes-core/os-release/os-release.bb
>> +++ b/meta/recipes-core/os-release/os-release.bb
>> @@ -16,6 +16,7 @@ do_configure[noexec] = "1"
>>   #                     HOME_URL SUPPORT_URL BUG_REPORT_URL
>>   OS_RELEASE_FIELDS = "\
>>       ID ID_LIKE NAME VERSION VERSION_ID VERSION_CODENAME PRETTY_NAME \
>> +    CPE_NAME \
>>   "
>>   OS_RELEASE_UNQUOTED_FIELDS = "ID VERSION_ID VARIANT_ID"
>>   
>> @@ -25,6 +26,13 @@ VERSION = "${DISTRO_VERSION}${@' (%s)' % DISTRO_CODENAME if 'DISTRO_CODENAME' in
>>   VERSION_ID = "${DISTRO_VERSION}"
>>   VERSION_CODENAME = "${DISTRO_CODENAME}"
>>   PRETTY_NAME = "${DISTRO_NAME} ${VERSION}"
>> +
>> +# The vendor field is hardcoded to "openembedded" as it is the base
>> +# framework for all derivatives Distos.
>> +# We use "DISTRO" to identify which variation of openembedded core
>> +# is being used.
>> +CPE_NAME="cpe:/o:openembedded:${DISTRO}:${VERSION_ID}"
>> +
>>   BUILD_ID ?= "${DATETIME}"
>>   BUILD_ID[vardepsexclude] = "DATETIME"
>>   
> I know a bit more about the context of this and I don't think it is
> clear in the above comment. I'd like to suggest something a little
> stronger, how about:
>
> """
> The vendor field is hardcoded to "openembedded" deliberately. We'd
> advise developers leave it as this value to clearly identify the
> underlying build environment from which the OS was constructed. We
> understand people will want to identify themselves as the people who
> built the image, we'd suggest using the DISTRO element to do this, so
> that is customisable.
> This end result combines to mean systems can be traced back to both who
> built them and which system was used, which is ultimately the goal of
> the CPE.
> """
Works for me.
> Perhaps we'd also want to do:
>
> CPE_DISTRO ??= "${DISTRO}"
> CPE_NAME="cpe:/o:openembedded:${CPE_DISTRO}:${VERSION_ID}"

Like this better.
>
> to make it clear we're suggesting which bit be customised?

Thanks for the review. v2 shortly.

-armin
>
> Cheers,
>
> Richard
>
>
>
>