| 1 |
On Tuesday 26 May 2009, Tiziano Müller wrote: |
| 2 |
> Am Dienstag, den 26.05.2009, 16:19 +0200 schrieb Robert Buchholz: |
| 3 |
> > I would like to announce the changes we want to introduce. If you |
| 4 |
> > have any feedback, please speak up. This can include feature |
| 5 |
> > requests. |
| 6 |
> |
| 7 |
> Maybe add a 'tag' attribute to the reference link to give them a |
| 8 |
> meaning, like: |
| 9 |
> <uri tag='upstream' link='http://bugs.samba.org/...'>...</uri> |
| 10 |
> |
| 11 |
> or keeping a table of tags in the XSL and replace it on |
| 12 |
> transformation: <uri tag='samba-bugs' id='1234'>Upstream Bug |
| 13 |
> 1234</uri> |
| 14 |
> |
| 15 |
> not sure whether uri would be the right point for such stuff though. |
| 16 |
|
| 17 |
In 98% of all cases, these are either links to the corresponding CVE |
| 18 |
identifiers or previous GLSAs. The CVE identifier then features a list |
| 19 |
of references of different types, such as upstream bugs, patches, |
| 20 |
advisories. See this CVE id for example: |
| 21 |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316 |
| 22 |
|
| 23 |
You will notice that some links carry machine-readable information such |
| 24 |
as "DEBIAN:DSA-1747" and upstream bugs and the like are usually |
| 25 |
called "confirm" (such as CONFIRM:http://svn.gnome.org/...). |
| 26 |
|
| 27 |
With how we use our references, we could define three types of elements: |
| 28 |
<uri link=''>, <cve id='' /> and <glsa id='' /> |
| 29 |
The latter two could then be transformed to either URIs or local links |
| 30 |
(say, in applications displaying the content). |
| 31 |
|
| 32 |
> > After |
| 33 |
> > this discussion, we would like to freeze the DTD and ask all |
| 34 |
> > consumers of GLSA XML files (such as package managers) to implement |
| 35 |
> > said changes. The first GLSA using the new DTD will be at the |
| 36 |
> > earliest six weeks after the DTD was frozen. Once the new GLSA |
| 37 |
> > format is in use, we are going to convert some or all of the |
| 38 |
> > existing GLSAs to use the format. |
| 39 |
> |
| 40 |
> I wouldn't do that since a properly written tool should be able to |
| 41 |
> handle both versions anyway. |
| 42 |
|
| 43 |
That is true. I was referring (at least) to existing GLSAs that can |
| 44 |
benifit from added slot support that we must keep updated by hand |
| 45 |
today. Also, I think there were issues with the date formatting in |
| 46 |
current XML files and how they are displayed on our site. |
| 47 |
|
| 48 |
|
| 49 |
> > (+) SLOT support. An implied attribute 'slot' to the 'vulnerable' |
| 50 |
> > and 'unaffected' tag will be introduced. This limits the scope |
| 51 |
> > of the range specifiers to ebuilds in the specified slot. The |
| 52 |
> > default is '*' meaning all slots. [1] |
| 53 |
> |
| 54 |
> I don't think this is really a good idea since the version may or may |
| 55 |
> not be tied to a slot (at the moment it is in most cases I know). |
| 56 |
|
| 57 |
I'm not following -- maybe we had a misunderstanding. The slot attribute |
| 58 |
is additional to the tag, but its value is implied as '*' if it is not |
| 59 |
specified. |
| 60 |
|
| 61 |
This is what we have today (from GLSA 200804-20): |
| 62 |
<package name="dev-java/sun-jdk" auto="yes" arch="*"> |
| 63 |
<vulnerable range="lt">1.6.0.05</vulnerable> |
| 64 |
<unaffected range="ge">1.6.0.05</unaffected> |
| 65 |
<unaffected range="rge">1.5.0.15</unaffected> |
| 66 |
<unaffected range="rge">1.5.0.16</unaffected> |
| 67 |
<unaffected range="rge">1.5.0.17</unaffected> |
| 68 |
<unaffected range="rge">1.5.0.18</unaffected> |
| 69 |
<unaffected range="rge">1.4.2.17</unaffected> |
| 70 |
<unaffected range="rge">1.4.2.18</unaffected> |
| 71 |
<unaffected range="rge">1.4.2.19</unaffected> |
| 72 |
</package> |
| 73 |
|
| 74 |
This is would imply the following (in glsa-2): |
| 75 |
<package name="dev-java/sun-jdk" auto="yes" arch="*"> |
| 76 |
<vulnerable slot="*" range="lt">1.6.0.05</vulnerable> |
| 77 |
<unaffected slot="*" range="ge">1.6.0.05</unaffected> |
| 78 |
<unaffected slot="*" range="rge">1.5.0.15</unaffected> |
| 79 |
<unaffected slot="*" range="rge">1.5.0.16</unaffected> |
| 80 |
<unaffected slot="*" range="rge">1.5.0.17</unaffected> |
| 81 |
<unaffected slot="*" range="rge">1.5.0.18</unaffected> |
| 82 |
<unaffected slot="*" range="rge">1.4.2.17</unaffected> |
| 83 |
<unaffected slot="*" range="rge">1.4.2.18</unaffected> |
| 84 |
<unaffected slot="*" range="rge">1.4.2.19</unaffected> |
| 85 |
</package> |
| 86 |
|
| 87 |
And (thank god!) should be equivalent to: |
| 88 |
<package name="dev-java/sun-jdk" auto="yes" arch="*"> |
| 89 |
<vulnerable slot="*" range="lt">1.6.0.05</vulnerable> |
| 90 |
<unaffected slot="*" range="ge">1.6.0.05</unaffected> |
| 91 |
<unaffected slot="1.5" range="rge">1.5.0.15</unaffected> |
| 92 |
<unaffected slot="1.4" range="rge">1.4.2.17</unaffected> |
| 93 |
</package> |
| 94 |
|
| 95 |
|
| 96 |
|
| 97 |
|
| 98 |
Robert |
Archives