|
| 1 | +# Identifying Red Hat components using CPEs |
| 2 | + |
| 3 | + |
| 4 | +## RHEL 10 CPEs |
| 5 | +Starting with RHEL 10, we will change the way CPEs are assigned to RHEL: |
| 6 | +* Minor versions will be used in CPEs for mainstream RHEL versionss |
| 7 | +* The cpe:/o prefix will be used instead of mixed usage of cpe:/o and cpe:/a for all RHEL variants |
| 8 | +* The channel specifiers are being dropped |
| 9 | + |
| 10 | + |
| 11 | +### Minor Version CPEs |
| 12 | +Previously, for RHEL 9 and earlier we assigned generic CPEs like cpe:/o:redhat:enterprise_linux:9 for the entire |
| 13 | +lifetime of a major release. Minor versions were only reflected in xUS CPEs (e.g., cpe:/a:redhat:rhel_eus:9.2::appstream). |
| 14 | + |
| 15 | +Starting with RHEL 10 and all following versions of RHEL, we will use minor versions in mainstream CPEs, |
| 16 | +e.g., cpe:/o:redhat:enterprise_linux:10.0, incrementing with each subsequent minor release. This will apply to the |
| 17 | +MAIN, GA, and MAIN.EUS variants. This makes it easier to determine which version of RHEL an advisory was released for |
| 18 | +without consulting ET product configuration. This also improves our way of tracking releases and which sets of |
| 19 | +advisories they shipped. More granular minor versions also allow for the use of version ranges later on, which can be |
| 20 | +used to sets of versions (without having to enumerate them all) where the security status such as "fixed" is applicable. |
| 21 | + |
| 22 | +### CPE Type Standardization |
| 23 | +Previously, we used a mix of cpe:/o (operating system) and cpe:/a (application) for different variants of RHEL |
| 24 | +(for example, base OS used o and Appstream used a). It is unclear why we decided on this different usage and we've |
| 25 | +encountered various issues in our security data files where consumers have to account for both prefixes even though |
| 26 | +they identify the same products. |
| 27 | + |
| 28 | +Starting with RHEL 10 and all following versions of RHEL, we will standardize on cpe:/o for all RHEL-related components |
| 29 | +(those shipped under the RHEL product in Errata Tool). EUS CPEs will also transition from cpe:/a to cpe:/o, for example: |
| 30 | +Base OS: cpe:/o:redhat:enterprise_linux_eus:10.2 |
| 31 | +AppStream: cpe:/o:redhat:enterprise_linux_eus:10.2 |
| 32 | + |
| 33 | +### Removal of channel specifiers and consistent naming of EUS CPEs |
| 34 | +CPEs for RHEL 9 and earlier used channel specifiers such as ::appstream and ::baseos to differentiate between different |
| 35 | +Errata Tool Variants and pin a specific CPE to a set of RPM repositories. These specifiers were never used externally |
| 36 | +by any vendor or any of our external documents for any reason other than arbitrary differentiation between groups of |
| 37 | +content. Starting with RHEL 10, we will drop the use of channel specifiers for RHEL. We will continue using them for |
| 38 | +layered products to distinguish their base RHEL version if known. |
| 39 | + |
| 40 | +Extended streams such as EUS, AUS or TUS always used the name rhel instead of enterprise_linux in the CPE name. |
| 41 | +Starting with RHEL 10, we will use enterprise_linux only for increased consistency. |
| 42 | + |
| 43 | +## RHEL 9 CPEs and Before |
| 44 | + |
| 45 | + |
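Review bot: the bullet on line 6 has a typo ("versionss") and the sentence on lines 19-20 is missing a verb ("which can be used to sets of versions" should read "used to describe sets of versions"); both should be fixed before merge. Two clarity points in the same hunk: line 17 refers to "ET product configuration" before Errata Tool is spelled out on line 29, and the EUS example on lines 30-31 lists Base OS and AppStream with the identical CPE `cpe:/o:redhat:enterprise_linux_eus:10.2` without saying that this is the intended outcome of dropping the channel specifiers; a one-line note that both variants now deliberately map to a single CPE would keep consumers of the security data files from reading it as a copy-paste error. Finally, the "RHEL 9 CPEs and Before" heading on line 43 has no body, so the document currently gives no guidance for the CPE forms that still appear in existing advisories (cpe:/a, ::appstream/::baseos, rhel_eus); either fill it in or mark it as a TODO.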