| 1 |
On Wed, May 19, 2004 at 09:13:07AM +1000 or thereabouts, Timothy David EBRINGER wrote: |
| 2 |
> Has the security team thought about issuing vulnerabilities as OVAL |
| 3 |
> definitions? OVAL stands for Open Vulnerability Assessment Language (see |
| 4 |
> http://oval.mitre.org ), and is administered by MITRE (who also do the CVE |
| 5 |
> dictionary). Redhat, Microsoft and Sun are using it, and apparently Debian |
| 6 |
> has a draft schema in the works. |
| 7 |
> |
| 8 |
> The process works like this: once an XML Schema is worked out for the |
| 9 |
> platform (we would have to go through this process for Gentoo), |
| 10 |
> vulnerabilities are submitted as XML, and through use of an interpreter |
| 11 |
> --- which we would also have to write for Gentoo --- vulnerabilities can |
| 12 |
> be detected automatically. What we offer to do once a vulnerability is |
| 13 |
> detected in this manner would be up for debate. |
| 14 |
> |
| 15 |
> I am happy to do some dev work on this project, as I am a security and |
| 16 |
> crypto developer with a fair bit of experience with XML. Is anyone |
| 17 |
> interested? |
| 18 |
|
| 19 |
This is certainly something we'd be interested in at least seeing it we can |
| 20 |
support it. All of our GLSAs are currently written in XML as it is, so |
| 21 |
hopefully it wouldn't be too much extra work. |
| 22 |
|
| 23 |
Feel free to contact me off-list or (even better) on #gentoo-security and |
| 24 |
we can discuss next steps. |
| 25 |
|
| 26 |
--kurt |
Archives