>>>> [2] https://oasis-open.github.io/csaf-documentation/

> Oh I see, I'd missed the actual link to CSAF, sorry.

My fault. I should not add xkcd links in future.

> I'll take a look. It's not clear to me yet if this is going to be a good
> fit for distributions though, as we're not a normal "vendor".

The major idea of CSAF is to use it optionally along with CPE, CVE and
security.txt.
These are fully compatible and complement each other.

We are a "vendor" in this scheme.
You can already find CVEs assigned to the product with the CPE
cpe:2.3:a:gentoo:

So we are the vendor "gentoo".
Perhaps gentoo_project would be more intuitive, but currently it is "gentoo".

> Are you aware of any other Linux distros using this?

Langley Rock from Red Hat seems to be part of the editors' team.
So I guess Redhat/Centos are on the way.

(see https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html)

Here are some presentations:
https://oasis-open.github.io/csaf-documentation/videos.html

CSAF is exactly what we want with GLSA.
There are already many tools to parse and pretty print the CSAF documents.

--
Best,
Jonas
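Added example, not from this thread and not code from the CSAF project: a minimal CSAF 2.0 security advisory laid out as a Python dict, showing how the product_tree carries the CPE for each version and how the vulnerability entry's CVE and product_status tie the two together, plus the consumer-side checks a GLSA tool would run first (required document fields, well-formed CVE and CPE strings, and every product_id in a product_status actually defined in the product_tree). Field names follow the published CSAF 2.0 schema; the package name, versions, CVE id, advisory id, dates and publisher namespace are constructed placeholders.

```python
import json
import re

# CPE 2.3 formatted string: "cpe:2.3:" + part (a/h/o) + 10 further colon-separated fields.
CPE_RE = re.compile(r"^cpe:2\.3:[aho](?::[^:]*){10}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
STAMP = "2023-01-01T00:00:00Z"  # constructed date


def build_advisory(advisory_id, vendor, product, affected_version, fixed_version, cve_id):
    """Lay out a CSAF 2.0 'csaf_security_advisory' as a plain dict.

    Each version becomes a product node with a CPE identification helper; the
    vulnerability names the CVE and says which product_ids are known_affected
    and which carry the fix.  All concrete values are placeholders.
    """
    def product_node(version):
        return {
            "category": "product_version",
            "name": version,
            "product": {
                "name": f"{product} {version}",
                "product_id": f"{vendor}-{product}-{version}",
                "product_identification_helper": {
                    "cpe": f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"},
            },
        }

    affected, fixed = product_node(affected_version), product_node(fixed_version)
    affected_id, fixed_id = affected["product"]["product_id"], fixed["product"]["product_id"]
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            # namespace is a placeholder, not the real Gentoo publisher namespace
            "publisher": {"category": "vendor", "name": vendor, "namespace": "https://example.invalid/"},
            "title": f"{cve_id} in {product}",
            "tracking": {
                "id": advisory_id, "status": "final", "version": "1",
                "initial_release_date": STAMP, "current_release_date": STAMP,
                "revision_history": [{"number": "1", "date": STAMP, "summary": "Initial release"}],
            },
        },
        "product_tree": {"branches": [{
            "category": "vendor", "name": vendor,
            "branches": [{"category": "product_name", "name": product, "branches": [affected, fixed]}],
        }]},
        "vulnerabilities": [{
            "cve": cve_id,
            "product_status": {"known_affected": [affected_id], "fixed": [fixed_id]},
            "remediations": [{"category": "vendor_fix", "product_ids": [affected_id],
                              "details": f"Upgrade to {product} {fixed_version} or later."}],
        }],
    }


def _walk_products(node):
    """Yield every product object beneath a product_tree branch, recursively."""
    if "product" in node:
        yield node["product"]
    for child in node.get("branches", []):
        yield from _walk_products(child)


def products_by_id(doc):
    """Map product_id -> product object across the whole product_tree."""
    return {p["product_id"]: p
            for branch in doc.get("product_tree", {}).get("branches", [])
            for p in _walk_products(branch)}


def validate(doc):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    for key in ("category", "csaf_version", "publisher", "title", "tracking"):
        if key not in doc.get("document", {}):
            problems.append(f"document.{key} missing")
    known = products_by_id(doc)
    for p in known.values():
        cpe = p.get("product_identification_helper", {}).get("cpe")
        if cpe is not None and not CPE_RE.match(cpe):
            problems.append(f"malformed CPE for {p['product_id']}: {cpe}")
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve")
        if cve is not None and not CVE_RE.match(cve):
            problems.append(f"malformed CVE id: {cve}")
        for status, ids in vuln.get("product_status", {}).items():
            for pid in ids:
                if pid not in known:  # the spec's "missing definition of product id" test
                    problems.append(f"{cve}: product_status.{status} references undefined product {pid}")
    return problems


def affected_cpes(doc):
    """Map each CVE to the CPEs of its known_affected products (what a scanner looks up)."""
    known = products_by_id(doc)
    return {v["cve"]: [known[pid]["product_identification_helper"]["cpe"]
                       for pid in v.get("product_status", {}).get("known_affected", [])
                       if "cpe" in known.get(pid, {}).get("product_identification_helper", {})]
            for v in doc.get("vulnerabilities", [])}


if __name__ == "__main__":
    adv = build_advisory("GLSA-YYYYMM-NN", "gentoo", "example_pkg", "1.0", "1.1", "CVE-2023-00001")
    print(json.dumps(adv, indent=2))
    print("problems:", validate(adv))
    print("affected:", affected_cpes(adv))
```

The vendor branch name and the vendor field inside each CPE are the same string ("gentoo"), which is the point made above: the CSAF vendor is whatever already appears in the CPE, so existing CVE assignments line up with the advisory without a separate mapping.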