
List:       gentoo-dev
Subject:    Re: [gentoo-dev] RFC: GLSA-2, a new DTD for GLSAs
From:       Robert Buchholz <rbu () gentoo ! org>
Date:       2009-05-26 15:20:51
Message-ID: 200905261721.04801.rbu () gentoo ! org


On Tuesday 26 May 2009, Tiziano Müller wrote:
> Am Dienstag, den 26.05.2009, 16:19 +0200 schrieb Robert Buchholz:
> > I would like to announce the changes we want to introduce. If you
> > have any feedback, please speak up. This can include feature
> > requests.
>
> Maybe add a 'tag' attribute to the reference link to give them a
> meaning, like:
> <uri tag='upstream' link='http://bugs.samba.org/...'>...</uri>
>
> or keeping a table of tags in the XSL and replace it on
> transformation: <uri tag='samba-bugs' id='1234'>Upstream Bug
> 1234</uri>
>
> not sure whether uri would be the right point for such stuff though.

In 98% of all cases, these are either links to the corresponding CVE 
identifiers or previous GLSAs. The CVE identifier then features a list 
of references of different types, such as upstream bugs, patches, 
advisories. See this CVE id for example:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316

You will notice that some links carry machine-readable information such 
as "DEBIAN:DSA-1747" and upstream bugs and the like are usually 
called "confirm" (such as CONFIRM:http://svn.gnome.org/...).

With how we use our references, we could define three types of elements:
<uri link=''>, <cve id='' /> and <glsa id='' />
The latter two could then be transformed to either URIs or local links 
(say, in applications displaying the content).

> >  After
> > this discussion, we would like to freeze the DTD and ask all
> > consumers of GLSA XML files (such as package managers) to implement
> > said changes. The first GLSA using the new DTD will be at the
> > earliest six weeks after the DTD was frozen. Once the new GLSA
> > format is in use, we are going to convert some or all of the
> > existing GLSAs to use the format.
>
> I wouldn't do that since a properly written tool should be able to
> handle both versions anyway.

That is true. I was referring (at least) to existing GLSAs that can 
benefit from added slot support that we must keep updated by hand 
today. Also, I think there were issues with the date formatting in 
current XML files and how they are displayed on our site.


> > (+) SLOT support. An implied attribute 'slot' to the 'vulnerable'
> >     and 'unaffected' tag will be introduced. This limits the scope
> > of the range specifiers to ebuilds in the specified slot. The
> > default is '*' meaning all slots.  [1]
>
> I don't think this is really a good idea since the version may or may
> not be tied to a slot (at the moment it is in most cases I know).

I'm not following -- maybe we had a misunderstanding. The slot attribute 
is additional to the tag, but its value is implied as '*' if it is not 
specified.

This is what we have today (from GLSA 200804-20):
    <package name="dev-java/sun-jdk" auto="yes" arch="*">
      <vulnerable range="lt">1.6.0.05</vulnerable>
      <unaffected range="ge">1.6.0.05</unaffected>
      <unaffected range="rge">1.5.0.15</unaffected>
      <unaffected range="rge">1.5.0.16</unaffected>
      <unaffected range="rge">1.5.0.17</unaffected>
      <unaffected range="rge">1.5.0.18</unaffected>
      <unaffected range="rge">1.4.2.17</unaffected>
      <unaffected range="rge">1.4.2.18</unaffected>
      <unaffected range="rge">1.4.2.19</unaffected>
    </package>

This would imply the following (in glsa-2):
    <package name="dev-java/sun-jdk" auto="yes" arch="*">
      <vulnerable slot="*" range="lt">1.6.0.05</vulnerable>
      <unaffected slot="*" range="ge">1.6.0.05</unaffected>
      <unaffected slot="*" range="rge">1.5.0.15</unaffected>
      <unaffected slot="*" range="rge">1.5.0.16</unaffected>
      <unaffected slot="*" range="rge">1.5.0.17</unaffected>
      <unaffected slot="*" range="rge">1.5.0.18</unaffected>
      <unaffected slot="*" range="rge">1.4.2.17</unaffected>
      <unaffected slot="*" range="rge">1.4.2.18</unaffected>
      <unaffected slot="*" range="rge">1.4.2.19</unaffected>
    </package>

And (thank god!) should be equivalent to:
    <package name="dev-java/sun-jdk" auto="yes" arch="*">
      <vulnerable slot="*" range="lt">1.6.0.05</vulnerable>
      <unaffected slot="*" range="ge">1.6.0.05</unaffected>
      <unaffected slot="1.5" range="rge">1.5.0.15</unaffected>
      <unaffected slot="1.4" range="rge">1.4.2.17</unaffected>
    </package>




Robert
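An added example (not from the thread and not code from glsa-check or any Gentoo tool) of how a GLSA consumer could evaluate the slot-scoped package element above against an installed version and slot. It assumes simplified dotted-numeric versions with an optional -rN revision, models "rge" as a revision-only comparison on an identical base version, and assumes that any applicable unaffected range overrides a matching vulnerable range.

```python
import xml.etree.ElementTree as ET

# Constructed GLSA-2 fragment in the slot-scoped form proposed in the thread
# (assumed syntax; not a published GLSA).
GLSA2_PACKAGE = """
<package name="dev-java/sun-jdk" auto="yes" arch="*">
  <vulnerable slot="*" range="lt">1.6.0.05</vulnerable>
  <unaffected slot="*" range="ge">1.6.0.05</unaffected>
  <unaffected slot="1.5" range="rge">1.5.0.15</unaffected>
  <unaffected slot="1.4" range="rge">1.4.2.17</unaffected>
</package>
"""

def parse_version(v):
    """Split '1.5.0.15-r2' into ((1, 5, 0, 15), 2). Simplified: numeric
    components only, no suffixes such as _p or _beta (assumption)."""
    base, _, rev = v.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)

def in_range(installed, op, bound):
    """Evaluate one GLSA range specifier (lt, le, eq, ge, gt and their
    revision-scoped r* forms) for an installed version string."""
    iv, ir = parse_version(installed)
    bv, br = parse_version(bound)
    a, b = (iv, ir), (bv, br)
    if op.startswith("r"):
        # r* ranges only compare the revision, and only on the same base version.
        if iv != bv:
            return False
        a, b, op = ir, br, op[1:]
    return {"lt": a < b, "le": a <= b, "eq": a == b, "ge": a >= b, "gt": a > b}[op]

def slot_applies(elem, installed_slot):
    """An absent slot attribute is implied as '*', which covers every slot."""
    slot = elem.get("slot", "*")
    return slot == "*" or slot == installed_slot

def is_vulnerable(package_xml, installed_version, installed_slot):
    """Affected if an applicable <vulnerable> range matches and no applicable
    <unaffected> range matches (assumed precedence for this illustration)."""
    pkg = ET.fromstring(package_xml)

    def matches(tag):
        return any(slot_applies(e, installed_slot)
                   and in_range(installed_version, e.get("range"), e.text.strip())
                   for e in pkg.findall(tag))

    return matches("vulnerable") and not matches("unaffected")
```

Note that the slot="1.5" entry is ignored when the installed package lives in slot 1.4, which is exactly the scoping the attribute is meant to add.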
