From: Jonas Stein
To: gentoo-dev
Cc: Sam James
Date: Sat, 12 Nov 2022 01:01:49 +0100
Subject: Re: [gentoo-dev] [RFC] A new GLSA schema
In-Reply-To: <018B23C1-7F65-4D99-A2E0-03B5280918FC@gentoo.org>
References: <626eaf6c-f41e-3dfd-2750-39c4522175c1@gentoo.org> <62C57F52-AAF6-4105-9276-EA5CAAEABB7E@gentoo.org> <018B23C1-7F65-4D99-A2E0-03B5280918FC@gentoo.org>
List-Id: Gentoo Linux mail

>>>> [2] https://oasis-open.github.io/csaf-documentation/
>
> Oh I see, I'd missed the actual link to CSAF, sorry.

My fault. I should not add xkcd links in future.

> I'll take a look. It's not clear to me yet if this is going to be a good
> fit for distributions though, as we're not a normal "vendor".

The major idea of CSAF is to use it optionally along with CPE, CVE and
security.txt. These are fully compatible and complement each other.

We are a "vendor" in this scheme. You can already find CVEs assigned to
products with the CPE cpe:2.3:a:gentoo:

So we are the vendor "gentoo". Perhaps gentoo_project would be more
intuitive, but currently it is "gentoo".

> Are you aware of any other Linux distros using this?

Langley Rock from Red Hat seems to be part of the editors team. So I
guess Redhat/Centos are on the way.
(see https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html)

Here are some presentations:
https://oasis-open.github.io/csaf-documentation/videos.html

CSAF is exactly what we want with GLSA. There are already many tools to
parse and pretty print the CSAF documents.

-- 
Best,
Jonas
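To make concrete what "vendor gentoo" and "tools to parse CSAF" mean in practice, here is an added example (not code from this thread, from Gentoo's GLSA tooling, or from any CSAF project). It embeds a constructed CSAF 2.0 advisory whose product tree hangs off a vendor branch named "gentoo" with CPE identifiers in the cpe:2.3:a:gentoo: namespace, then walks the tree to resolve product IDs and reports which versions are affected and which are fixed. Field names follow the CSAF 2.0 specification; the package name, product IDs, tracking id, CVE placeholder and dates are invented for the sample and are not a real advisory.

```python
"""Parse a minimal CSAF 2.0 advisory and resolve affected/fixed products.

The embedded document is a constructed sample, not a real Gentoo GLSA.
Structure follows CSAF 2.0 (document / product_tree / vulnerabilities);
product names, IDs, the tracking id and the CVE placeholder are made up.
"""
import json

SAMPLE_CSAF = json.dumps({
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Gentoo Linux",
                      "namespace": "https://www.gentoo.org"},
        "title": "app-misc/example: constructed sample advisory",
        "tracking": {
            "id": "GLSA-EXAMPLE-0001",  # placeholder id, not a real GLSA
            "status": "final", "version": "1",
            "initial_release_date": "2022-11-12T00:00:00Z",
            "current_release_date": "2022-11-12T00:00:00Z",
            "revision_history": [{"date": "2022-11-12T00:00:00Z",
                                  "number": "1", "summary": "Initial release"}],
        },
    },
    "product_tree": {"branches": [{
        # vendor branch name matches the CPE vendor field cpe:2.3:a:gentoo:
        "category": "vendor", "name": "gentoo", "branches": [{
            "category": "product_name", "name": "app-misc/example", "branches": [
                {"category": "product_version", "name": "1.0", "product": {
                    "name": "app-misc/example 1.0", "product_id": "CSAFPID-0001",
                    "product_identification_helper": {
                        "cpe": "cpe:2.3:a:gentoo:example:1.0:*:*:*:*:*:*:*"}}},
                {"category": "product_version", "name": "1.1", "product": {
                    "name": "app-misc/example 1.1", "product_id": "CSAFPID-0002",
                    "product_identification_helper": {
                        "cpe": "cpe:2.3:a:gentoo:example:1.1:*:*:*:*:*:*:*"}}},
            ]}]}]},
    "vulnerabilities": [{
        "cve": "CVE-0000-00000",  # placeholder, not a real CVE id
        "product_status": {"known_affected": ["CSAFPID-0001"],
                           "fixed": ["CSAFPID-0002"]},
        "remediations": [{"category": "vendor_fix",
                          "details": "Upgrade to >=app-misc/example-1.1",
                          "product_ids": ["CSAFPID-0001"]}],
    }],
})


def _walk(branch, vendor, acc):
    """Recursively collect product_id -> {vendor, name, cpe} from a branch."""
    if branch.get("category") == "vendor":
        vendor = branch.get("name")
    product = branch.get("product")
    if product:
        helper = product.get("product_identification_helper", {})
        acc[product["product_id"]] = {"vendor": vendor, "name": product["name"],
                                      "cpe": helper.get("cpe")}
    for child in branch.get("branches", []):
        _walk(child, vendor, acc)


def load_products(doc):
    """Flatten the product_tree into a dict keyed by product_id."""
    acc = {}
    for branch in doc.get("product_tree", {}).get("branches", []):
        _walk(branch, None, acc)
    return acc


def cpe_vendor(cpe):
    """Vendor component of a CPE 2.3 formatted string (cpe:2.3:part:vendor:...)."""
    parts = cpe.split(":")
    if len(parts) < 4 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return parts[3]


def check_vendor_consistency(raw):
    """Return product_ids whose CPE vendor differs from their vendor branch."""
    doc = json.loads(raw)
    return [pid for pid, info in load_products(doc).items()
            if info["cpe"] and cpe_vendor(info["cpe"]) != info["vendor"]]


def summarize(raw):
    """Per vulnerability: CVE, affected and fixed product names, remediation text."""
    doc = json.loads(raw)
    if doc["document"].get("csaf_version") != "2.0":
        raise ValueError("only CSAF 2.0 documents are handled here")
    products = load_products(doc)
    out = []
    for vuln in doc.get("vulnerabilities", []):
        status = vuln.get("product_status", {})
        out.append({
            "cve": vuln.get("cve"),
            "affected": sorted(products[p]["name"] for p in status.get("known_affected", [])),
            "fixed": sorted(products[p]["name"] for p in status.get("fixed", [])),
            "remediation": [r["details"] for r in vuln.get("remediations", [])],
        })
    return out


if __name__ == "__main__":
    print("vendor mismatches:", check_vendor_consistency(SAMPLE_CSAF))
    for entry in summarize(SAMPLE_CSAF):
        print(entry["cve"], "affected:", entry["affected"], "fixed:", entry["fixed"])
```

The vendor-consistency check is the part worth keeping in a GLSA publishing pipeline: if the product tree says "gentoo" but a CPE says something else, downstream matching against CVE feeds silently fails.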