I agree this is an issue. I wanted to finish the vote on Microsoft OS
naming conventions before going here, but this gets at the alias problem as
well as some of the fundamental problems with using abbreviations.
I'm also not exactly clear on why the spec went with abbreviations versus
the old OVAL convention of fully spelling out names. Can someone with the
history on that share the rationale with the list?
Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office
NSA/I71
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700
-----Original Message-----
From: David McKinney [mailto:[hidden email]]
Sent: Wednesday, October 10, 2007 4:25 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Concerns about platform abbreviations and
vendor naming conventions
Hello,
I have some questions and concerns about the use of abbreviations and
the potential for loss of fidelity between a vendor naming convention
and how the platform is represented in the CPE dictionary.
1) Will the CPE abbreviation list include only abbreviations used by
vendors or will it also include ad-hoc abbreviations devised by CPE
dictionary maintainers? For example, SP4 is a common designation used
by Microsoft and other vendors to denote "Service Pack 4". However,
some of the abbreviations seem less commonly used or may not reflect
vendor naming conventions. As an example, "ed" (abbrev. for Edition)
seems like more of an ad-hoc abbreviation.
2) How do we resolve abbreviation collisions? Example, vendor A uses
the abbreviation "std" to denote something other than "standard". Does
the vendor-specific "std" get added to the master CPE abbreviation
list, and if so, how do we deal with the ensuing confusion?
3) With the problem presented by 2), is there room to include
abbreviation expansion markup or ideally a fully qualified title that
conforms to the vendor's naming scheme in the XML/CPE dictionary
representation?
I make this suggestion because a lot of adopters probably have a use
for fully-qualified platform names. This means providing support for
expanding abbreviations, and restoring capitalization, and other
vendor naming conventions that may be lost when a platform is
CPE-ified. The <title> field seems to partly serve this purpose but
seems limited in the following ways:
a) <title> is optional
b) It's intended to provide a "human readable" title but there is
nothing to state whether or not this title should be following the
vendor's own naming convention.
I apologize in advance if this topic has already been discussed and
hammered out. In my experience, vendors can be particular about how
their products are represented. Also, even with a common naming
scheme, the vendor's own naming convention is still an authoritative
representation that people are apt to depend upon.
--
Dave McKinney
Symantec
keyID: E461AE4E
key fingerprint = F1FC 9073 09FA F0C7 500D D7EB E985 FAF3 E461 AE4E