| 1 |
>>>> [2] https://oasis-open.github.io/csaf-documentation/ |
| 2 |
|
| 3 |
> Oh I see, I'd missed the actual link to CSAF, sorry. |
| 4 |
|
| 5 |
My fault. I should not add xkcd links in future. |
| 6 |
|
| 7 |
> I'll take a look. It's not clear to me yet if this is going to be a good |
| 8 |
> fit for distributions though, as we're not a normal "vendor". |
| 9 |
|
| 10 |
The major idea of CSAF is to use it optionally along with CPE, CVE, |
| 11 |
security.txt |
| 12 |
These are fully compatible and complete each other. |
| 13 |
|
| 14 |
We are a "vendor" in this scheme. |
| 15 |
You can find already CVEs assigned to the product with the CPE |
| 16 |
cpe:2.3:a:gentoo: |
| 17 |
|
| 18 |
So we are the vendor "gentoo". |
| 19 |
Perhaps gentoo_project would be more intuitive but currently it is "gentoo". |
| 20 |
|
| 21 |
> Are you aware of any other Linux distros using this? |
| 22 |
|
| 23 |
Langley Rock from Red Hat seems to be part of the editors team. |
| 24 |
So I guess Redhat/Centos are on the way. |
| 25 |
|
| 26 |
(see https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html) |
| 27 |
|
| 28 |
Here are some presentations: |
| 29 |
https://oasis-open.github.io/csaf-documentation/videos.html |
| 30 |
|
| 31 |
CSAF is exactly what we want with GLSA. |
| 32 |
There are already many tools to parse and pretty print the CSAF documents. |
| 33 |
|
| 34 |
-- |
| 35 |
Best, |
| 36 |
Jonas |
Archives