On Tuesday 26 May 2009, Tiziano Müller wrote:
> On Tuesday, 26.05.2009, 16:19 +0200, Robert Buchholz wrote:
> > I would like to announce the changes we want to introduce. If you
> > have any feedback, please speak up. This can include feature
> > requests.
>
> Maybe add a 'tag' attribute to the reference link to give them a
> meaning, like:
> <uri tag='upstream' link='http://bugs.samba.org/...'>...</uri>
>
> or keeping a table of tags in the XSL and replace it on
> transformation: <uri tag='samba-bugs' id='1234'>Upstream Bug
> 1234</uri>
>
> not sure whether uri would be the right point for such stuff though.

In 98% of all cases, these are either links to the corresponding CVE
identifiers or previous GLSAs. The CVE identifier then features a list
of references of different types, such as upstream bugs, patches,
advisories. See this CVE id for example:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316

You will notice that some links carry machine-readable information such
as "DEBIAN:DSA-1747" and upstream bugs and the like are usually
called "confirm" (such as CONFIRM:http://svn.gnome.org/...).

With how we use our references, we could define three types of elements:
<uri link=''>, <cve id='' /> and <glsa id='' />
The latter two could then be transformed to either URIs or local links
(say, in applications displaying the content).

> > After
> > this discussion, we would like to freeze the DTD and ask all
> > consumers of GLSA XML files (such as package managers) to implement
> > said changes. The first GLSA using the new DTD will be at the
> > earliest six weeks after the DTD was frozen. Once the new GLSA
> > format is in use, we are going to convert some or all of the
> > existing GLSAs to use the format.
>
> I wouldn't do that since a properly written tool should be able to
> handle both versions anyway.

That is true. I was referring (at least) to existing GLSAs that can
benefit from added slot support that we must keep updated by hand
today. Also, I think there were issues with the date formatting in
current XML files and how they are displayed on our site.


> > (+) SLOT support. An implied attribute 'slot' to the 'vulnerable'
> > and 'unaffected' tag will be introduced. This limits the scope
> > of the range specifiers to ebuilds in the specified slot. The
> > default is '*' meaning all slots. [1]
>
> I don't think this is really a good idea since the version may or may
> not be tied to a slot (at the moment it is in most cases I know).

I'm not following -- maybe we had a misunderstanding. The slot attribute
is additional to the tag, but its value is implied as '*' if it is not
specified.

This is what we have today (from GLSA 200804-20):
<package name="dev-java/sun-jdk" auto="yes" arch="*">
  <vulnerable range="lt">1.6.0.05</vulnerable>
  <unaffected range="ge">1.6.0.05</unaffected>
  <unaffected range="rge">1.5.0.15</unaffected>
  <unaffected range="rge">1.5.0.16</unaffected>
  <unaffected range="rge">1.5.0.17</unaffected>
  <unaffected range="rge">1.5.0.18</unaffected>
  <unaffected range="rge">1.4.2.17</unaffected>
  <unaffected range="rge">1.4.2.18</unaffected>
  <unaffected range="rge">1.4.2.19</unaffected>
</package>

This would imply the following (in glsa-2):
<package name="dev-java/sun-jdk" auto="yes" arch="*">
  <vulnerable slot="*" range="lt">1.6.0.05</vulnerable>
  <unaffected slot="*" range="ge">1.6.0.05</unaffected>
  <unaffected slot="*" range="rge">1.5.0.15</unaffected>
  <unaffected slot="*" range="rge">1.5.0.16</unaffected>
  <unaffected slot="*" range="rge">1.5.0.17</unaffected>
  <unaffected slot="*" range="rge">1.5.0.18</unaffected>
  <unaffected slot="*" range="rge">1.4.2.17</unaffected>
  <unaffected slot="*" range="rge">1.4.2.18</unaffected>
  <unaffected slot="*" range="rge">1.4.2.19</unaffected>
</package>

And (thank god!) should be equivalent to:
<package name="dev-java/sun-jdk" auto="yes" arch="*">
  <vulnerable slot="*" range="lt">1.6.0.05</vulnerable>
  <unaffected slot="*" range="ge">1.6.0.05</unaffected>
  <unaffected slot="1.5" range="rge">1.5.0.15</unaffected>
  <unaffected slot="1.4" range="rge">1.4.2.17</unaffected>
</package>


Robert
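As an added example (not code from this thread, from portage or from glsa-check), the Python below evaluates the three <package> blocks quoted in the mail against an installed version and slot under the proposed semantics: an absent slot attribute is implied as '*', and a slot value limits that range to ebuilds in the given slot. Two further assumptions are mine, not the mail's: versions are compared as dotted numeric components plus an optional -rN revision (Gentoo's full version rules are not implemented), and the r-prefixed ranges (rge, rle, rgt, rlt) are treated as revision-limited, i.e. matching only the same base version and comparing the revision. The XML constants are the mail's blocks, embedded here as constructed input.

```python
"""Evaluate GLSA-2 style <package> blocks with the proposed 'slot' attribute.

Added example for this thread; not code from portage or glsa-check.
Assumptions (not specified in the mail): an absent 'slot' is implied '*';
versions are dotted numeric components plus optional -rN, compared
numerically; r-prefixed ranges match only the same base version and compare
the revision; a package is vulnerable iff some <vulnerable> entry matches and
no <unaffected> entry does.
"""
import re
import xml.etree.ElementTree as ET

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(text):
    """'1.5.0.15-r2' -> ((1, 5, 0, 15), 2); the revision defaults to 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported version syntax: %r" % text)
    base = tuple(int(part) for part in m.group(1).split("."))
    return base, int(m.group(2) or 0)


def range_matches(range_spec, spec_version, installed_version):
    """True if installed_version lies in the range '<range_spec> spec_version'."""
    sbase, srev = parse_version(spec_version)
    ibase, irev = parse_version(installed_version)
    op = range_spec
    if op.startswith("r"):
        # revision-limited range (assumption): same base version, compare -rN only
        if ibase != sbase:
            return False
        op = op[1:]
        left, right = irev, srev
    else:
        left, right = (ibase, irev), (sbase, srev)
    return {"lt": left < right, "le": left <= right, "eq": left == right,
            "ge": left >= right, "gt": left > right}[op]


def slot_matches(slot_spec, installed_slot):
    """Proposed semantics: '*' (the implied default) covers every slot."""
    return slot_spec == "*" or slot_spec == installed_slot


def parse_package(xml_text):
    """Return (package name, [(tag, slot, range, version), ...])."""
    pkg = ET.fromstring(xml_text)
    entries = [(node.tag, node.get("slot", "*"), node.get("range"), node.text.strip())
               for node in pkg if node.tag in ("vulnerable", "unaffected")]
    return pkg.get("name"), entries


def is_vulnerable(entries, version, slot):
    """Vulnerable iff a <vulnerable> entry matches and no <unaffected> entry does."""
    hit = set()
    for tag, slot_spec, rng, spec_version in entries:
        if slot_matches(slot_spec, slot) and range_matches(rng, spec_version, version):
            hit.add(tag)
    return "vulnerable" in hit and "unaffected" not in hit


# Constructed input: the three blocks from the mail (GLSA 200804-20 as today,
# the same with an explicit slot="*", and the collapsed slotted form).
GLSA_TODAY = """<package name="dev-java/sun-jdk" auto="yes" arch="*">
  <vulnerable range="lt">1.6.0.05</vulnerable>
  <unaffected range="ge">1.6.0.05</unaffected>
  <unaffected range="rge">1.5.0.15</unaffected>
  <unaffected range="rge">1.5.0.16</unaffected>
  <unaffected range="rge">1.5.0.17</unaffected>
  <unaffected range="rge">1.5.0.18</unaffected>
  <unaffected range="rge">1.4.2.17</unaffected>
  <unaffected range="rge">1.4.2.18</unaffected>
  <unaffected range="rge">1.4.2.19</unaffected>
</package>"""
GLSA2_EXPLICIT = (GLSA_TODAY.replace('<vulnerable range', '<vulnerable slot="*" range')
                            .replace('<unaffected range', '<unaffected slot="*" range'))
GLSA2_COLLAPSED = """<package name="dev-java/sun-jdk" auto="yes" arch="*">
  <vulnerable slot="*" range="lt">1.6.0.05</vulnerable>
  <unaffected slot="*" range="ge">1.6.0.05</unaffected>
  <unaffected slot="1.5" range="rge">1.5.0.15</unaffected>
  <unaffected slot="1.4" range="rge">1.4.2.17</unaffected>
</package>"""


def evaluate_all(version, slot):
    """Evaluate one installed (version, slot) against all three forms."""
    forms = (("today", GLSA_TODAY), ("glsa2", GLSA2_EXPLICIT), ("collapsed", GLSA2_COLLAPSED))
    return {name: is_vulnerable(parse_package(xml)[1], version, slot) for name, xml in forms}


if __name__ == "__main__":
    for version, slot in (("1.6.0.04", "1.6"), ("1.5.0.15-r1", "1.5"), ("1.5.0.16", "1.5")):
        print(version, slot, evaluate_all(version, slot))
```

The first two forms agree on every input, since the explicit slot="*" is exactly the implied default. For the collapsed form, the revision-limited reading of rge assumed here makes `slot="1.5" range="rge">1.5.0.15` cover 1.5.0.15 and its -rN revisions in slot 1.5 but not 1.5.0.16; whether a slotted rge is instead meant as "greater or equal within the slot" is a point consumers and the DTD freeze need to settle before existing GLSAs are converted.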