| 1 |
> On 12 Nov 2022, at 00:01, Jonas Stein <jstein@g.o> wrote: |
| 2 |
> |
| 3 |
>>>>> [2] https://oasis-open.github.io/csaf-documentation/ |
| 4 |
> |
| 5 |
>> Oh I see, I'd missed the actual link to CSAF, sorry. |
| 6 |
> |
| 7 |
> My fault. I should not add xkcd links in future. |
| 8 |
|
| 9 |
Nah, the xkcd is fine, I just missed the link to the actual standard. No worries. |
| 10 |
|
| 11 |
> |
| 12 |
>> I'll take a look. It's not clear to me yet if this is going to be a good |
| 13 |
>> fit for distributions though, as we're not a normal "vendor". |
| 14 |
> |
| 15 |
> The major idea of CSAF is to use it optionally along with CPE, CVE, security.txt |
| 16 |
> These are fully compatible and complete each other. |
| 17 |
> |
| 18 |
> We are a "vendor" in this scheme. |
| 19 |
> You can find already CVEs assigned to the product with the CPE |
| 20 |
> cpe:2.3:a:gentoo: |
| 21 |
> |
| 22 |
|
| 23 |
That's a bit different because that's when there's a vulnerability in e.g. |
| 24 |
Portage, I think. |
| 25 |
|
| 26 |
> So we are the vendor "gentoo". |
| 27 |
> Perhaps gentoo_project would be more intuitive but currently it is "gentoo". |
| 28 |
> |
| 29 |
>> Are you aware of any other Linux distros using this? |
| 30 |
> |
| 31 |
> Langley Rock from Red Hat seems to be part of the editors team. |
| 32 |
> So I guess Redhat/Centos are on the way. |
| 33 |
> |
| 34 |
> (see https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html) |
| 35 |
> |
| 36 |
> Here are some presentations: |
| 37 |
> https://oasis-open.github.io/csaf-documentation/videos.html |
| 38 |
> |
| 39 |
> CSAF is exactly what we want with GLSA. |
| 40 |
> There are already many tools to parse and pretty print the CSAF documents. |
| 41 |
|
| 42 |
Thanks, I'll look into it more. Can you offer to help implement it in Portage? |
Archives