| 1 |
Thierry Carrez wrote: |
| 2 |
|
| 3 |
>-----BEGIN PGP SIGNED MESSAGE----- |
| 4 |
>Hash: SHA1 |
| 5 |
> |
| 6 |
>Hello everyone, |
| 7 |
> |
| 8 |
>We're in the process of publishing Gentoo Official Policy for the |
| 9 |
>treatment of vulnerabilities. You can review the latest draft at the |
| 10 |
>following location : |
| 11 |
> |
| 12 |
>http://dev.gentoo.org/~koon/docs/vulnerability-policy.html |
| 13 |
> |
| 14 |
>Comments welcome. |
| 15 |
> |
| 16 |
>- -- |
| 17 |
>koon@g.o |
| 18 |
>Gentoo Linux Security Team |
| 19 |
>-----BEGIN PGP SIGNATURE----- |
| 20 |
>Version: GnuPG v1.2.4 (GNU/Linux) |
| 21 |
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 22 |
> |
| 23 |
>iD8DBQFAqmyTvcL1obalX08RArzbAJ0bPaDN335NlCDxos2u2LYjFecPlgCcC5ma |
| 24 |
>uBbGDixhfBd69VRd3mecgQY= |
| 25 |
>=FQtu |
| 26 |
>-----END PGP SIGNATURE----- |
| 27 |
> |
| 28 |
>-- |
| 29 |
>gentoo-security@g.o mailing list |
| 30 |
> |
| 31 |
|
| 32 |
Has the security team thought about issuing vulnerabilities as OVAL |
| 33 |
definitions? OVAL stands for Open Vulnerability Assessment Language (see |
| 34 |
http://oval.mitre.org ), and is administered by MITRE (who also do the CVE |
| 35 |
dictionary). Redhat, Microsoft and Sun are using it, and apparently Debian |
| 36 |
has a draft schema in the works. |
| 37 |
|
| 38 |
The process works like this: once an XML Schema is worked out for the |
| 39 |
platform (we would have to go through this process for Gentoo), |
| 40 |
vulnerabilities are submitted as XML, and through use of an interpreter |
| 41 |
--- which we would also have to write for Gentoo --- vulnerabilities can |
| 42 |
be detected automatically. What we offer to do once a vulnerability is |
| 43 |
detected in this manner would be up for debate. |
| 44 |
|
| 45 |
I am happy to do some dev work on this project, as I am a security and |
| 46 |
crypto developer with a fair bit of experience with XML. Is anyone |
| 47 |
interested? |
| 48 |
|
| 49 |
Cheers, |
| 50 |
|
| 51 |
Tim. |
| 52 |
|
| 53 |
|
| 54 |
-- |
| 55 |
gentoo-security@g.o mailing list |
Archives