> On 12 Nov 2022, at 00:01, Jonas Stein <jstein@g.o> wrote:
>
>>>>> [2] https://oasis-open.github.io/csaf-documentation/
>
>> Oh I see, I'd missed the actual link to CSAF, sorry.
>
> My fault. I should not add xkcd links in future.

Nah, the xkcd is fine, I just missed the link to the actual standard. No worries.

>
>> I'll take a look. It's not clear to me yet if this is going to be a good
>> fit for distributions though, as we're not a normal "vendor".
>
> The major idea of CSAF is to use it optionally along with CPE, CVE, security.txt.
> These are fully compatible and complete each other.
>
> We are a "vendor" in this scheme.
> You can already find CVEs assigned to the product with the CPE
> cpe:2.3:a:gentoo:
>

That's a bit different because that's when there's a vulnerability in e.g.
Portage, I think.

> So we are the vendor "gentoo".
> Perhaps gentoo_project would be more intuitive but currently it is "gentoo".
>
>> Are you aware of any other Linux distros using this?
>
> Langley Rock from Red Hat seems to be part of the editors team.
> So I guess Red Hat/CentOS are on the way.
>
> (see https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html)
>
> Here are some presentations:
> https://oasis-open.github.io/csaf-documentation/videos.html
>
> CSAF is exactly what we want with GLSA.
> There are already many tools to parse and pretty print the CSAF documents.

Thanks, I'll look into it more. Can you offer to help implement it in Portage?