On Wed, May 19, 2004 at 09:13:07AM +1000 or thereabouts, Timothy David EBRINGER wrote:

> Has the security team thought about issuing vulnerabilities as OVAL
> definitions? OVAL stands for Open Vulnerability Assessment Language (see
> http://oval.mitre.org ), and is administered by MITRE (who also do the CVE
> dictionary). Redhat, Microsoft and Sun are using it, and apparently Debian
> has a draft schema in the works.
>
> The process works like this: once an XML Schema is worked out for the
> platform (we would have to go through this process for Gentoo),
> vulnerabilities are submitted as XML, and through use of an interpreter
> --- which we would also have to write for Gentoo --- vulnerabilities can
> be detected automatically. What we offer to do once a vulnerability is
> detected in this manner would be up for debate.
>
> I am happy to do some dev work on this project, as I am a security and
> crypto developer with a fair bit of experience with XML. Is anyone
> interested?

This is certainly something we'd be interested in, at least seeing if we can
support it. All of our GLSAs are currently written in XML as it is, so
hopefully it wouldn't be too much extra work.

Feel free to contact me off-list or (even better) on #gentoo-security and
we can discuss next steps.

--kurt