Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: [gentoo-dev] [PATCH 0/2] glep-0068: Stricten the XML format
Date: Sat, 08 Oct 2022 06:40:30
Message-Id: 20221008064021.60348-1-mgorny@gentoo.org
Hi,

The spec is a bit lax about the XML features allowed. However, we don't
really expect people to use fancy features like custom entities,
XInclude, etc. Let's formally stricten the spec to disallow anything
remote or potentially dangerous to at least protect implementations
from the most common XML security problems.

While at it, let's make it clear that while we don't permit elements
outside the spec in metadata.xml files, we may add new elements or
attributes in future versions.

I'm not sure whether we should be increasing the version number here.
On one hand, the change roughly matches the original intent (i.e. no
metadata.xml files should be broken by it, and implementation should not
have been processing external DTDs or anything like that anyway).
On the other, technically speaking the new version is more restrictive
than the old one, so a major version bump would be correct.

WDYT?


Michał Górny (2):
  glep-0068: Clarify and restrict XML data format
  glep-0068: Indicate that unknown elements should be ignored

 glep-0068.rst | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

-- 
2.38.0
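
An added example, not part of the original message or of GLEP 68: one way an implementation could enforce the kind of restriction the cover letter describes, using Python's expat bindings. The rule set (reject entity declarations and XInclude elements, never fetch the DTD) is an assumption, since the patch text is not shown here; `parse_strict`, `verdict` and the sample documents are constructed for illustration.

```python
import xml.parsers.expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


class ForbiddenXML(ValueError):
    """Raised when a document uses a feature this example disallows."""


def parse_strict(data: bytes) -> list:
    """Return element names in document order, or raise ForbiddenXML.

    Assumed rule set (not quoted from GLEP 68): no entity declarations,
    no XInclude elements, and the external DTD is never fetched.
    """
    # With namespace_separator set, expat reports names as "<ns-uri> <local>".
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    seen = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires when the internal DTD subset declares an entity.
        raise ForbiddenXML("entity declaration: " + name)

    def on_start(name, attrs):
        if name.startswith(XINCLUDE_NS + " "):
            raise ForbiddenXML("XInclude element: " + name.split(" ", 1)[1])
        seen.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    # Expat leaves the external DTD subset alone unless parameter-entity
    # parsing is enabled, so a DOCTYPE ... SYSTEM line causes no fetch.
    parser.Parse(data, True)
    return seen


def verdict(data: bytes) -> str:
    try:
        return "ok: " + ",".join(parse_strict(data))
    except ForbiddenXML as exc:
        return "rejected: " + str(exc)


# Constructed sample documents; the DTD URL is a placeholder.
PLAIN = (b'<!DOCTYPE pkgmetadata SYSTEM "https://example.org/metadata.dtd">'
         b'<pkgmetadata><maintainer><email>a@example.org</email></maintainer></pkgmetadata>')
ENTITY = (b'<!DOCTYPE pkgmetadata [<!ENTITY who "a@example.org">]>'
          b'<pkgmetadata><maintainer><email>&who;</email></maintainer></pkgmetadata>')
XINCLUDE = (b'<pkgmetadata xmlns:xi="http://www.w3.org/2001/XInclude">'
            b'<xi:include href="other.xml"/></pkgmetadata>')
```

Calling `verdict()` on the three samples accepts the plain document, with its DOCTYPE line left unfetched, and rejects the other two at the first forbidden construct.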
