On Wed, 2022-11-09 at 20:27 -0600, John Helmert III wrote:
> The first GLSA in glsa.git is GLSA-200310-03, the third GLSA of
> October 2003. It used roughly the same format as the GLSAs we release
> today, in 2022, making that format almost as old as me.
>
> Somewhere along the way, it started to become necessary to target
> multiple version ranges within the same package. The GLSA format
> isn't capable of expressing this. Thus, I propose a new format (an
> example of which I've attached inline below), with the following
> changes from the old format:
>
> - Rework affected to use XML-ified logical operators to specify the
> affected versions, and *don't* use different fields to specify
> vulnerable and unaffected versions. Instead, only list vulnerable
> versions; unaffected versions are implicit.

Does that imply op="" will now be limited to the standard ebuild
operators? Perhaps it'd be cleaner to take a step further and remove
the attribute in favor of going 100% ebuild syntax (yeah, escaping is
gonna suck there).

>
> - Drop synopsis and description fields. These fields contain the same
> information and will be superseded by the existing impact field.

Well, I'm not saying "no" but it feels a bit weird reading a GLSA that
doesn't say a word about what the problem is but specifies impact.

BTW have you considered switching to JSON or TOML? ;-)


--
Best regards,
Michał Górny
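Added example, not part of this thread and not the inline sample John attached (which is not reproduced here): a small Python evaluator for an "affected" block in the spirit of the proposal, where only vulnerable ranges are listed, ebuild-style operators sit in an op attribute, and ranges are combined with <and>/<or>. The element and attribute names, the constructed sample data, and the simplified version comparison are all assumptions for illustration, not Portage's real vercmp() or the proposed schema. It also parses the plain-atom form mgorny suggests (e.g. "<net-misc/example-1.4.2") so both spellings share one comparator, and it shows the "unaffected is implicit" rule: a package that is not listed, or a version outside every listed range, is reported as not vulnerable.

```python
"""Hypothetical evaluator for a GLSA-style <affected> block that lists only
vulnerable version ranges, combining ebuild-style operators with <and>/<or>.
Names, sample data and the version comparison are illustrative assumptions,
not the format proposed on the list and not Portage's own vercmp()."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one package with two disjoint vulnerable ranges,
# [1.0, 1.4.2) and [2.0, 2.1.1-r1). Everything else is implicitly unaffected.
SAMPLE_AFFECTED = """<affected>
  <package name="net-misc/example">
    <or>
      <and>
        <version op="&gt;=">1.0</version>
        <version op="&lt;">1.4.2</version>
      </and>
      <and>
        <version op="&gt;=">2.0</version>
        <version op="&lt;">2.1.1-r1</version>
      </and>
    </or>
  </package>
</affected>"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(ver):
    """Simplified ebuild version: dotted integers plus an optional -rN revision.
    PMS letter suffixes, _rc/_p suffixes and leading-zero rules are not handled
    (assumption: the sample only uses plain dotted versions)."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver!r}")
    return [int(p) for p in m.group(1).split(".")], int(m.group(2) or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1. Missing components compare as zero (so 1.0 == 1);
    this is a simplification, not the PMS rule."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    width = max(len(pa), len(pb))
    ta = (pa + [0] * (width - len(pa)), ra)
    tb = (pb + [0] * (width - len(pb)), rb)
    return (ta > tb) - (ta < tb)


# The standard ebuild comparison operators (the "~" and "=*" forms are omitted).
OPERATORS = {
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
    "<=": lambda c: c <= 0,
    "<": lambda c: c < 0,
    "=": lambda c: c == 0,
}


def version_matches(op, installed, boundary):
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r}")
    return OPERATORS[op](compare_versions(installed, boundary))


def _evaluate(node, installed):
    """Recursively evaluate <and>/<or>/<version> against an installed version."""
    if node.tag == "version":
        return version_matches(node.get("op", "="), installed, node.text.strip())
    if node.tag in ("and", "or") and len(node) == 0:
        raise ValueError(f"empty <{node.tag}> has no defined meaning")
    if node.tag == "and":
        return all(_evaluate(child, installed) for child in node)
    if node.tag == "or":
        return any(_evaluate(child, installed) for child in node)
    raise ValueError(f"unexpected element <{node.tag}>")


def is_vulnerable(affected_xml, package, installed):
    """True if `installed` falls inside any listed vulnerable range of `package`.
    A package that is not listed at all is implicitly unaffected."""
    root = ET.fromstring(affected_xml)
    for pkg in root.iter("package"):
        if pkg.get("name") == package:
            return any(_evaluate(child, installed) for child in pkg)
    return False


# The alternative raised in the reply: a plain ebuild-style atom string instead
# of an op attribute, e.g. "<net-misc/example-1.4.2" (hypothetical grammar,
# restricted to the operators above and the simplified version syntax).
_ATOM_RE = re.compile(r"^(>=|<=|>|<|=)?([\w+-]+/[\w+-]+?)-(\d[\w.]*(?:-r\d+)?)$")


def atom_matches(atom, package, installed):
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"cannot parse atom {atom!r}")
    op, name, boundary = m.group(1) or "=", m.group(2), m.group(3)
    return name == package and version_matches(op, installed, boundary)


if __name__ == "__main__":
    for v in ("0.9", "1.2", "1.4.2", "2.0.5", "2.1.1", "2.1.1-r1"):
        print(v, "vulnerable" if is_vulnerable(SAMPLE_AFFECTED, "net-misc/example", v) else "ok")
```

The point the example makes for the thread's question is that once only vulnerable ranges are listed, the boundary checks become a plain boolean expression over ebuild operators, so whether the operator lives in an op attribute or at the front of an atom is purely a serialisation choice; the atom form avoids a bespoke attribute but, as noted above, pays for it in XML escaping of "<".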