| 1 |
Hello, |
| 2 |
|
| 3 |
the Security Team would like to create a new DTD for our GLSAs. GLSAs |
| 4 |
are distributed via our web site and the tree. Their format is defined |
| 5 |
by a DTD. |
| 6 |
|
| 7 |
When the format was initially defined in 2004, some use cases were |
| 8 |
considered that never got implemented or used. Other use cases only |
| 9 |
came up later. For this reason, we want to update the GLSA for the |
| 10 |
needs of 2009. Since this includes changes that make existing GLSAs |
| 11 |
invalid we are going to introduce a new DTD called glsa-2.dtd. |
| 12 |
|
| 13 |
I would like to announce the changes we want to introduce. If you have |
| 14 |
any feedback, please speak up. This can include feature requests. After |
| 15 |
this discussion, we would like to freeze the DTD and ask all consumers |
| 16 |
of GLSA XML files (such as package managers) to implement said changes. |
| 17 |
The first GLSA using the new DTD will be at the earliest six weeks |
| 18 |
after the DTD was frozen. Once the new GLSA format is in use, we are |
| 19 |
going to convert some or all of the existing GLSAs to use the format. |
| 20 |
|
| 21 |
Find the existing DTD here: |
| 22 |
http://dev.gentoo.org/~rbu/glsa-2/glsa.dtd |
| 23 |
|
| 24 |
The new DTD here: |
| 25 |
http://dev.gentoo.org/~rbu/glsa-2/glsa-2.dtd |
| 26 |
|
| 27 |
And a diff between them here: |
| 28 |
http://dev.gentoo.org/~rbu/glsa-2/glsa-2.dtd.diff |
| 29 |
|
| 30 |
Here's a list of changes: |
| 31 |
|
| 32 |
(-) Dropping of the product type. GLSAs will be used solely to announce |
| 33 |
security issues in the Portage Tree. The "infrastructure" |
| 34 |
and "informational" product type are not needed and the type |
| 35 |
attribute will be dropped altogether. |
| 36 |
(-) Dropping of service tag. Same rationale as above, if we |
| 37 |
drop "infrastructure", we do not need the service tag. |
| 38 |
(-) Drop the 'name' attribute to unaffected. This is not implemented in |
| 39 |
glsa-check or Portage 2.2 and it was never part of our Policy to mix |
| 40 |
GLSAs with package moves or similar. |
| 41 |
(+) SLOT support. An implied attribute 'slot' to the 'vulnerable' |
| 42 |
and 'unaffected' tag will be introduced. This limits the scope of |
| 43 |
the range specifiers to ebuilds in the specified slot. The default |
| 44 |
is '*' meaning all slots. [1] |
| 45 |
(+) Addition of a 'count' attribute to the 'revised' tag. We stop |
| 46 |
formatting revision dates as 'May 26, 2009: 03' and use |
| 47 |
'<revised count="3">2009-05-26</revised>' instead. |
| 48 |
(*) UTF-8 support. We would like to release GLSAs containing UTF-8 |
| 49 |
characters in places where they make sense (that is, not package |
| 50 |
names, version information, etc.). Please check whether your tools |
| 51 |
support this. |
| 52 |
|
| 53 |
A GLSA XML file containing said changes, including UTF-8 characters, is |
| 54 |
up here: |
| 55 |
http://dev.gentoo.org/~rbu/glsa-2/glsa-200012-34.txt |
| 56 |
|
| 57 |
|
| 58 |
|
| 59 |
Robert |
| 60 |
|
| 61 |
[1] This does not allow for undefined situations if you employ the |
| 62 |
following algorithm: An ebuild is vulnerable if falls into any of the |
| 63 |
ranges specified by the 'vulnerable' tags unless it also falls into any |
| 64 |
of the ranges specified by the 'unaffected' tags. |
Archives