From: Sam James
Subject: Re: [gentoo-dev] [RFC] A new GLSA schema
Date: Thu, 10 Nov 2022 03:58:58 +0000
To: gentoo-dev@lists.gentoo.org

> On 10 Nov 2022, at 03:43, Michał Górny wrote:
>
> On Wed, 2022-11-09 at 20:27 -0600, John Helmert III wrote:
>> The first GLSA in glsa.git is GLSA-200310-03, the third GLSA of
>> October 2003. It used roughly the same format as the GLSAs we release
>> today, in 2022, making that format almost as old as me.
>>
>> Somewhere along the way, it started to become necessary to target
>> multiple version ranges within the same package. The GLSA format
>> isn't capable of expressing this. Thus, I propose a new format (an
>> example of which I've attached inline below), with the following
>> changes from the old format:
>>
>> - Rework affected to use XML-ified logical operators to specify the
>> affected versions, and *don't* use different fields to specify
>> vulnerable and unaffected versions. Instead, only list vulnerable
>> versions; unaffected versions are implicit.
>
> Does that imply op="" will now be limited to the standard ebuild
> operators? Perhaps it'd be cleaner to take a step further and remove
> the attribute in favor of going 100% ebuild syntax (yeah, escaping is
> gonna suck there).
>
>>
>> - Drop synopsis and description fields. These fields contain the same
>> information and will be superseded by the existing impact field.
>
> Well, I'm not saying "no" but it feels a bit weird reading a GLSA that
> doesn't say a word what the problem is but specifies impact.
>

I think we'd rename impact -> description but description would now be
"description of the problem" and not "description of the package".
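To make the "logical operators, vulnerable-only" idea concrete, here is an added illustration that is not part of the thread or of the real GLSA tooling: it evaluates a hypothetical <affected> tree (element and attribute names are assumed, not the proposed schema) against an installed version, treats anything not matched as unaffected, and shows the XML escaping an ebuild-style atom would need. Version comparison is deliberately simplified to dotted integers; real ebuild versions follow the PMS ordering rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample (hypothetical element names): two vulnerable
# branches of one package, and nothing said about unaffected versions.
SAMPLE_AFFECTED = """<affected>
  <or>
    <and>
      <package name="dev-libs/foo" op="ge" version="2.0"/>
      <package name="dev-libs/foo" op="lt" version="2.3"/>
    </and>
    <package name="dev-libs/foo" op="lt" version="1.9"/>
  </or>
</affected>"""

# Comparison operators keyed by the hypothetical op="" attribute values.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def vkey(version):
    """Simplified ordering: dotted integers only (no _rc, -r1, letters)."""
    return tuple(int(part) for part in version.split("."))


def _matches(node, name, version):
    """Recursively evaluate the operator tree for one installed package."""
    if node.tag == "package":
        if node.get("name") != name:
            return False
        return OPS[node.get("op")](vkey(version), vkey(node.get("version")))
    results = [_matches(child, name, version) for child in node]
    if node.tag == "or":
        return any(results)
    # <and> and the <affected> root both require every child to match.
    return all(results)


def is_vulnerable(affected_xml, name, version):
    """True only if the installed version falls inside a listed vulnerable
    range; everything else is implicitly unaffected."""
    return _matches(ET.fromstring(affected_xml), name, version)


def atom_element(atom):
    """Serialize an ebuild-style atom as XML text, showing the escaping
    ('<' becomes '&lt;') that a 100% ebuild-syntax field would carry."""
    element = ET.Element("atom")
    element.text = atom
    return ET.tostring(element, encoding="unicode")
```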