| 1 |
Am Dienstag, den 26.05.2009, 16:19 +0200 schrieb Robert Buchholz: |
| 2 |
> Hello, |
| 3 |
> |
| 4 |
> the Security Team would like to create a new DTD for our GLSAs. GLSAs |
| 5 |
> are distributed via our web site and the tree. Their format is defined |
| 6 |
> by a DTD. |
| 7 |
> |
| 8 |
> When the format was initially defined in 2004, some use cases were |
| 9 |
> considered that never got implemented or used. Other use cases only |
| 10 |
> came up later. For this reason, we want to update the GLSA for the |
| 11 |
> needs of 2009. Since this includes changes that make existing GLSAs |
| 12 |
> invalid we are going to introduce a new DTD called glsa-2.dtd. |
| 13 |
> |
| 14 |
> I would like to announce the changes we want to introduce. If you have |
| 15 |
> any feedback, please speak up. This can include feature requests. |
| 16 |
Maybe add a 'tag' attribute to the reference link to give them a |
| 17 |
meaning, like: |
| 18 |
<uri tag='upstream' link='http://bugs.samba.org/...'>...</uri> |
| 19 |
|
| 20 |
or keeping a table of tags in the XSL and replace it on transformation: |
| 21 |
<uri tag='samba-bugs' id='1234'>Upstream Bug 1234</uri> |
| 22 |
|
| 23 |
not sure whether uri would be the right point for such stuff though. |
| 24 |
|
| 25 |
> After |
| 26 |
> this discussion, we would like to freeze the DTD and ask all consumers |
| 27 |
> of GLSA XML files (such as package managers) to implement said changes. |
| 28 |
> The first GLSA using the new DTD will be at the earliest six weeks |
| 29 |
> after the DTD was frozen. Once the new GLSA format is in use, we are |
| 30 |
> going to convert some or all of the existing GLSAs to use the format. |
| 31 |
|
| 32 |
I wouldn't do that since a properly written tool should be able to |
| 33 |
handle both versions anyway. |
| 34 |
|
| 35 |
> |
| 36 |
> Find the existing DTD here: |
| 37 |
> http://dev.gentoo.org/~rbu/glsa-2/glsa.dtd |
| 38 |
> |
| 39 |
> The new DTD here: |
| 40 |
> http://dev.gentoo.org/~rbu/glsa-2/glsa-2.dtd |
| 41 |
> |
| 42 |
> And a diff between them here: |
| 43 |
> http://dev.gentoo.org/~rbu/glsa-2/glsa-2.dtd.diff |
| 44 |
> |
| 45 |
> Here's a list of changes: |
| 46 |
> |
| 47 |
> (-) Dropping of the product type. GLSAs will be used solely to announce |
| 48 |
> security issues in the Portage Tree. The "infrastructure" |
| 49 |
> and "informational" product type are not needed and the type |
| 50 |
> attribute will be dropped altogether. |
| 51 |
> (-) Dropping of service tag. Same rationale as above, if we |
| 52 |
> drop "infrastructure", we do not need the service tag. |
| 53 |
> (-) Drop the 'name' attribute to unaffected. This is not implemented in |
| 54 |
> glsa-check or Portage 2.2 and it was never part of our Policy to mix |
| 55 |
> GLSAs with package moves or similar. |
| 56 |
> (+) SLOT support. An implied attribute 'slot' to the 'vulnerable' |
| 57 |
> and 'unaffected' tag will be introduced. This limits the scope of |
| 58 |
> the range specifiers to ebuilds in the specified slot. The default |
| 59 |
> is '*' meaning all slots. [1] |
| 60 |
I don't think this is really a good idea since the version may or may |
| 61 |
not be tied to a slot (at the moment it is in most cases I know). |
| 62 |
|
| 63 |
Looks good so far. |
| 64 |
|
| 65 |
|
| 66 |
-- |
| 67 |
Tiziano Müller |
| 68 |
Gentoo Linux Developer, Council Member |
| 69 |
Areas of responsibility: |
| 70 |
Samba, PostgreSQL, CPP, Python, sysadmin, GLEP Editor |
| 71 |
E-Mail : dev-zero@g.o |
| 72 |
GnuPG FP : F327 283A E769 2E36 18D5 4DE2 1B05 6A63 AE9C 1E30 |
Archives