List: gentoo-dev
Subject: Re: [gentoo-dev] RFC: GLSA-2, a new DTD for GLSAs
From: Robert Buchholz <rbu () gentoo ! org>
Date: 2009-05-26 15:20:51
Message-ID: 200905261721.04801.rbu () gentoo ! org
On Tuesday 26 May 2009, Tiziano Müller wrote:
> On Tuesday, 26.05.2009 at 16:19 +0200, Robert Buchholz wrote:
> > I would like to announce the changes we want to introduce. If you
> > have any feedback, please speak up. This can include feature
> > requests.
>
> Maybe add a 'tag' attribute to the reference link to give them a
> meaning, like:
> <uri tag='upstream' link='http://bugs.samba.org/...'>...</uri>
>
> or keeping a table of tags in the XSL and replace it on
> transformation: <uri tag='samba-bugs' id='1234'>Upstream Bug
> 1234</uri>
>
> not sure whether uri would be the right point for such stuff though.
In 98% of all cases, these are either links to the corresponding CVE
identifiers or previous GLSAs. The CVE identifier then features a list
of references of different types, such as upstream bugs, patches,
advisories. See this CVE id for example:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316
You will notice that some links carry machine-readable information such
as "DEBIAN:DSA-1747" and upstream bugs and the like are usually
called "confirm" (such as CONFIRM:http://svn.gnome.org/...).
With how we use our references, we could define three types of elements:
<uri link=''>, <cve id='' /> and <glsa id='' />
The latter two could then be transformed to either URIs or local links
(say, in applications displaying the content).
> > After
> > this discussion, we would like to freeze the DTD and ask all
> > consumers of GLSA XML files (such as package managers) to implement
> > said changes. The first GLSA using the new DTD will be at the
> > earliest six weeks after the DTD was frozen. Once the new GLSA
> > format is in use, we are going to convert some or all of the
> > existing GLSAs to use the format.
>
> I wouldn't do that since a properly written tool should be able to
> handle both versions anyway.
That is true. I was referring (at least) to existing GLSAs that can
benefit from added slot support that we must keep updated by hand
today. Also, I think there were issues with the date formatting in
current XML files and how they are displayed on our site.
> > (+) SLOT support. An implied attribute 'slot' to the 'vulnerable'
> > and 'unaffected' tag will be introduced. This limits the scope
> > of the range specifiers to ebuilds in the specified slot. The
> > default is '*' meaning all slots. [1]
>
> I don't think this is really a good idea since the version may or may
> not be tied to a slot (at the moment it is in most cases I know).
I'm not following -- maybe we had a misunderstanding. The slot attribute
is additional to the tag, but its value is implied as '*' if it is not
specified.
This is what we have today (from GLSA 200804-20):
<package name="dev-java/sun-jdk" auto="yes" arch="*">
  <vulnerable range="lt">1.6.0.05</vulnerable>
  <unaffected range="ge">1.6.0.05</unaffected>
  <unaffected range="rge">1.5.0.15</unaffected>
  <unaffected range="rge">1.5.0.16</unaffected>
  <unaffected range="rge">1.5.0.17</unaffected>
  <unaffected range="rge">1.5.0.18</unaffected>
  <unaffected range="rge">1.4.2.17</unaffected>
  <unaffected range="rge">1.4.2.18</unaffected>
  <unaffected range="rge">1.4.2.19</unaffected>
</package>
This would imply the following (in glsa-2):
<package name="dev-java/sun-jdk" auto="yes" arch="*">
  <vulnerable slot="*" range="lt">1.6.0.05</vulnerable>
  <unaffected slot="*" range="ge">1.6.0.05</unaffected>
  <unaffected slot="*" range="rge">1.5.0.15</unaffected>
  <unaffected slot="*" range="rge">1.5.0.16</unaffected>
  <unaffected slot="*" range="rge">1.5.0.17</unaffected>
  <unaffected slot="*" range="rge">1.5.0.18</unaffected>
  <unaffected slot="*" range="rge">1.4.2.17</unaffected>
  <unaffected slot="*" range="rge">1.4.2.18</unaffected>
  <unaffected slot="*" range="rge">1.4.2.19</unaffected>
</package>
And (thank god!) should be equivalent to:
<package name="dev-java/sun-jdk" auto="yes" arch="*">
  <vulnerable slot="*" range="lt">1.6.0.05</vulnerable>
  <unaffected slot="*" range="ge">1.6.0.05</unaffected>
  <unaffected slot="1.5" range="rge">1.5.0.15</unaffected>
  <unaffected slot="1.4" range="rge">1.4.2.17</unaffected>
</package>
Robert
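The following is an added example, not code from this thread, from the GLSA DTD or from Gentoo's glsa-check. It shows how a consumer of the proposed glsa-2 format would evaluate the slot-scoped <vulnerable> and <unaffected> ranges above against a list of installed (version, slot) pairs: a missing slot attribute is read as "*", a slotted element only applies to installs in that slot, and an install is flagged when it matches some vulnerable range and no unaffected range. Version parsing is simplified to dotted numeric versions with an optional -rN revision (enough for the sun-jdk sample, not full PMS version syntax), and the treatment of the r* ranges as "same version, compare only the revision" is my assumption about how glsa-check handles them. The installed set is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# The slotted <package> block from the message above, used as sample input.
GLSA2_PACKAGE = """\
<package name="dev-java/sun-jdk" auto="yes" arch="*">
  <vulnerable slot="*" range="lt">1.6.0.05</vulnerable>
  <unaffected slot="*" range="ge">1.6.0.05</unaffected>
  <unaffected slot="1.5" range="rge">1.5.0.15</unaffected>
  <unaffected slot="1.4" range="rge">1.4.2.17</unaffected>
</package>
"""

# Constructed installed set: (version, slot) pairs as a package manager
# would report them.  The last entry has a deliberately mismatched slot
# to show that a slot-scoped <unaffected> does not apply to it.
INSTALLED = [
    ("1.6.0.04", "1.6"),
    ("1.6.0.05", "1.6"),
    ("1.5.0.15-r1", "1.5"),
    ("1.5.0.10", "1.5"),
    ("1.4.2.17", "1.4"),
    ("1.4.2.17", "1.5"),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r(\d+))?")


def parse_version(v):
    """'1.5.0.15-r2' -> ((1, 5, 0, 15), 2).  Simplified syntax: numeric
    components plus an optional -rN revision (no letter or _rc suffixes)."""
    m = _VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError("unsupported version syntax: %r" % (v,))
    base = tuple(int(x) for x in m.group(1).split("."))
    return base, int(m.group(2) or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1; the revision is the least significant part."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def range_matches(kind, installed, ref):
    """Does `installed` fall into range `kind` relative to `ref`?"""
    if kind in ("lt", "le", "eq", "ge", "gt"):
        c = compare_versions(installed, ref)
        return {"lt": c < 0, "le": c <= 0, "eq": c == 0,
                "ge": c >= 0, "gt": c > 0}[kind]
    if kind in ("rlt", "rle", "rge", "rgt"):
        # Revision ranges: the version proper must be identical and only
        # the -rN revision is compared.  Assumption: this mirrors what
        # Gentoo's glsa-check does for the r* range specifiers.
        (bi, ri), (br, rr) = parse_version(installed), parse_version(ref)
        if bi != br:
            return False
        return {"rlt": ri < rr, "rle": ri <= rr,
                "rge": ri >= rr, "rgt": ri > rr}[kind]
    raise ValueError("unknown range specifier: %r" % (kind,))


def slot_matches(elem, installed_slot):
    """Proposed glsa-2 rule: a missing slot attribute means '*' (all slots)."""
    slot = elem.get("slot", "*")
    return slot == "*" or slot == installed_slot


def element_matches(elem, version, slot):
    return (slot_matches(elem, slot)
            and range_matches(elem.get("range"), version, elem.text.strip()))


def vulnerable_installs(package_xml, installed):
    """Return the (version, slot) pairs that match some <vulnerable> range
    and no <unaffected> range, each range being scoped to its slot."""
    pkg = ET.fromstring(package_xml)
    vulnerable = pkg.findall("vulnerable")
    unaffected = pkg.findall("unaffected")
    hits = []
    for version, slot in installed:
        if (any(element_matches(e, version, slot) for e in vulnerable)
                and not any(element_matches(e, version, slot) for e in unaffected)):
            hits.append((version, slot))
    return hits


if __name__ == "__main__":
    hits = set(vulnerable_installs(GLSA2_PACKAGE, INSTALLED))
    for version, slot in INSTALLED:
        state = "VULNERABLE" if (version, slot) in hits else "ok"
        print("dev-java/sun-jdk-%s:%s  %s" % (version, slot, state))
```

Note that under the revision-only reading of rge, 1.5.0.15-r1 in slot 1.5 is covered by the slotted unaffected element while 1.5.0.10 in the same slot is not, and the 1.4.2.17 install filed under slot 1.5 is flagged because the only unaffected element that would match it is scoped to slot 1.4.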