Thierry Carrez wrote:

>Hello everyone,
>
>We're in the process of publishing Gentoo Official Policy for the
>treatment of vulnerabilities. You can review the latest draft at the
>following location:
>
>http://dev.gentoo.org/~koon/docs/vulnerability-policy.html
>
>Comments welcome.
>
>--
>koon@g.o
>Gentoo Linux Security Team
>
>--
>gentoo-security@g.o mailing list
>

Has the security team thought about issuing vulnerabilities as OVAL
definitions? OVAL stands for Open Vulnerability Assessment Language (see
http://oval.mitre.org), and is administered by MITRE (who also do the CVE
dictionary). Redhat, Microsoft and Sun are using it, and apparently Debian
has a draft schema in the works.

The process works like this: once an XML Schema is worked out for the
platform (we would have to go through this process for Gentoo),
vulnerabilities are submitted as XML, and through use of an interpreter
--- which we would also have to write for Gentoo --- vulnerabilities can
be detected automatically. What we offer to do once a vulnerability is
detected in this manner would be up for debate.

I am happy to do some dev work on this project, as I am a security and
crypto developer with a fair bit of experience with XML. Is anyone
interested?

Cheers,

Tim.


--
gentoo-security@g.o mailing list
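To make the "definition in XML, interpreter detects automatically" flow concrete, here is an added example that is not part of the thread: a constructed, OVAL-flavoured definition (the element names and attributes are assumptions, not the real OVAL schema) for a hypothetical package net-misc/example-tool, evaluated by a minimal interpreter against a constructed snapshot of installed packages. The version comparison is a deliberately simplified Portage-style comparator (numeric components plus -rN revision only).

```python
import re
import xml.etree.ElementTree as ET

# Constructed, OVAL-flavoured definition (NOT the real OVAL schema): one
# vulnerability affecting net-misc/example-tool versions below 1.2.3-r1.
DEFINITION_XML = """<definitions>
  <definition id="gentoo:def:1" title="example-tool: constructed flaw">
    <test package="net-misc/example-tool" op="less than" version="1.2.3-r1"/>
  </definition>
</definitions>"""

# Constructed snapshot of installed packages; a real interpreter would read
# this from the Portage database (e.g. /var/db/pkg) instead.
INSTALLED = {"net-misc/example-tool": "1.2.2-r3", "app-misc/other": "4.0"}

def parse_version(v):
    """Simplified Portage-style sort key: numeric components, then -rN revision.
    Assumption: no _alpha/_beta/_rc/_p suffix handling."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return nums, rev

# Comparison operators the constructed schema allows in a <test>.
OPS = {
    "less than": lambda a, b: a < b,
    "less than or equal": lambda a, b: a <= b,
    "equals": lambda a, b: a == b,
}

def evaluate(definitions_xml, installed):
    """Return ids of definitions whose <test> matches an installed package."""
    hits = []
    for d in ET.fromstring(definitions_xml).findall("definition"):
        for t in d.findall("test"):
            inst = installed.get(t.get("package"))
            if inst is None:
                continue  # package not installed: the test is false
            if OPS[t.get("op")](parse_version(inst), parse_version(t.get("version"))):
                hits.append(d.get("id"))
                break  # one matching test is enough to flag the definition
    return hits

if __name__ == "__main__":
    for did in evaluate(DEFINITION_XML, INSTALLED):
        print("vulnerable:", did)
```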