On Tuesday, 26.05.2009, at 16:19 +0200, Robert Buchholz wrote:
> Hello,
>
> the Security Team would like to create a new DTD for our GLSAs. GLSAs
> are distributed via our web site and the tree. Their format is defined
> by a DTD.
>
> When the format was initially defined in 2004, some use cases were
> considered that never got implemented or used. Other use cases only
> came up later. For this reason, we want to update the GLSA for the
> needs of 2009. Since this includes changes that make existing GLSAs
> invalid, we are going to introduce a new DTD called glsa-2.dtd.
>
> I would like to announce the changes we want to introduce. If you have
> any feedback, please speak up. This can include feature requests.
Maybe add a 'tag' attribute to the reference link to give them a
meaning, like:
<uri tag='upstream' link='http://bugs.samba.org/...'>...</uri>

or keep a table of tags in the XSL and replace it on transformation:
<uri tag='samba-bugs' id='1234'>Upstream Bug 1234</uri>

Not sure whether uri would be the right point for such stuff, though.

> After
> this discussion, we would like to freeze the DTD and ask all consumers
> of GLSA XML files (such as package managers) to implement said changes.
> The first GLSA using the new DTD will be at the earliest six weeks
> after the DTD was frozen. Once the new GLSA format is in use, we are
> going to convert some or all of the existing GLSAs to use the format.

I wouldn't do that, since a properly written tool should be able to
handle both versions anyway.

>
> Find the existing DTD here:
> http://dev.gentoo.org/~rbu/glsa-2/glsa.dtd
>
> The new DTD here:
> http://dev.gentoo.org/~rbu/glsa-2/glsa-2.dtd
>
> And a diff between them here:
> http://dev.gentoo.org/~rbu/glsa-2/glsa-2.dtd.diff
>
> Here's a list of changes:
>
> (-) Dropping of the product type. GLSAs will be used solely to announce
> security issues in the Portage Tree. The "infrastructure"
> and "informational" product types are not needed and the type
> attribute will be dropped altogether.
> (-) Dropping of the service tag. Same rationale as above: if we
> drop "infrastructure", we do not need the service tag.
> (-) Drop the 'name' attribute of unaffected. This is not implemented in
> glsa-check or Portage 2.2 and it was never part of our Policy to mix
> GLSAs with package moves or similar.
> (+) SLOT support. An implied attribute 'slot' on the 'vulnerable'
> and 'unaffected' tags will be introduced. This limits the scope of
> the range specifiers to ebuilds in the specified slot. The default
> is '*', meaning all slots. [1]
I don't think this is really a good idea, since the version may or may
not be tied to a slot (at the moment it is in most cases I know).

Looks good so far.


--
Tiziano Müller
Gentoo Linux Developer, Council Member
Areas of responsibility:
Samba, PostgreSQL, CPP, Python, sysadmin, GLEP Editor
E-Mail : dev-zero@g.o
GnuPG FP : F327 283A E769 2E36 18D5 4DE2 1B05 6A63 AE9C 1E30
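As an added example (not code from this thread, from glsa-check or from Portage), a small Python reader that follows the reply's point that one tool should handle both formats: it accepts the existing `link` references as well as the proposed `tag`/`id` form resolved through a tag table, and reads the proposed `slot` attribute with its `*` default so old files without it parse identically. The tag table, URL templates and sample GLSA are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Hypothetical tag table (assumption): maps a reference tag to a URL
# template, standing in for the "table of tags in the XSL" idea.
TAG_TABLE = {
    "samba-bugs": "http://bugs.samba.org/show_bug.cgi?id={id}",
    "gentoo-bug": "http://bugs.gentoo.org/{id}",
}

# Constructed sample, not a real GLSA: mixes an old-style link reference,
# a tagged reference, a tag the table does not know, and one range with
# and one without the proposed slot attribute.
SAMPLE = """<glsa id="EXAMPLE-0000">
  <references>
    <uri link="http://bugs.gentoo.org/0">Gentoo bug 0</uri>
    <uri tag="samba-bugs" id="1234">Upstream Bug 1234</uri>
    <uri tag="unknown-tracker" id="7">Orphan reference</uri>
  </references>
  <affected>
    <package name="net-fs/samba" arch="*">
      <unaffected range="ge" slot="3">3.3.4</unaffected>
      <vulnerable range="lt">3.3.4</vulnerable>
    </package>
  </affected>
</glsa>"""


def resolve_references(root):
    """Return (text, url) pairs. Tagged references are expanded via TAG_TABLE;
    an unknown tag yields url=None so a consumer can flag it rather than
    emit a guessed or broken link."""
    out = []
    for uri in root.iter("uri"):
        if uri.get("link"):
            out.append((uri.text, uri.get("link")))
        else:
            template = TAG_TABLE.get(uri.get("tag", ""))
            url = template.format(id=uri.get("id")) if template else None
            out.append((uri.text, url))
    return out


def version_ranges(root):
    """Return (package, kind, range, slot, version) tuples; 'slot' defaults
    to '*' (all slots) exactly as the proposed DTD describes, so glsa-1 files
    that lack the attribute produce the same shape as glsa-2 files."""
    return [(pkg.get("name"), el.tag, el.get("range"), el.get("slot", "*"),
             (el.text or "").strip())
            for pkg in root.iter("package") for el in pkg]


def analyze(xml_text):
    # Parse from a string we constructed; for GLSAs fetched from the tree or
    # the web, a hardened parser such as defusedxml is the usual choice.
    root = ET.fromstring(xml_text)
    return resolve_references(root), version_ranges(root)
```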