Gentoo Archives: gentoo-security

From: Alex Legler <a3li@g.o>
To: gentoo-security@l.g.o
Subject: [gentoo-security] Soliciting feedback for the GLSA-2 format
Date: Wed, 08 Jan 2014 01:14:57
1 Now that we've been growing a bit in numbers and have managed to get the
2 GLSA circulation back on track, it is time to finally talk about the new
3 GLSA format that has been planned for quite a while.
4 The main goal of the new format is to support slots which is a feature
5 especially glsa-check users will welcome. [1]
6 Besides, it has become clear that filling in information in the level of
7 detail the current format provides takes too much time while drafting
8 advisories.
10 Tobias and I took a bit of time today to combine all desired changes
11 into a new sample document:
15 Quick outline of the most important changes:
17 - Synopsis removed: The title provides a quick overview of the issues,
18 while the new shorter description provides details, yet briefly as well.
19 People requiring even more information can use the linked CVE entries,
20 bugs, and other references.
22 - Product and GLSA type removed: There are only 'ebuild' type GLSAs
23 issued, the other types are no longer needed. Product was linked to that.
25 - Packages section reworked: While adding Slot support we tried to get a
26 new, simple, range-based scheme for marking vulnerable versions. The
27 flexibility the range operators offered before was hardly ever used
28 (mostly just to work around the lacking Slot support). We'd especially
29 like feedback in this area, I fear we might be missing some
30 functionality here. Quick explanation:
31 <package name="dev-lang/python">
32 <vulnerable slot="3.2" fixed="3.2.9"/>
33 <vulnerable slot="3.3" asof="3.3.0" fixed="3.3.1"/>
34 <vulnerable slot="3.3" asof="3.3.3" fixed="3.3.5"/>
35 <vulnerable slot="0" fixed="6.3"/>
36 </package>
37 <package name="dev-lang/python" arch="hppa">
38 <vulnerable/>
39 </package>
41 Reads as follows:
42 On hppa, there is no fixed version.
43 On all other arches, python in slot 3.2 is fixed in >=3.2.9, affected
44 for anything less, in the 3.3 slot, [3.3.0; 3.3.1[ and [3.3.3; 3.3.5[
45 are affected, for the 0 slot, anything <6.3 is affected.
47 - Human-readable texts reworked: Background + Description + Resolution
48 instead of (Synopsis) + Background + Description + Impact + Resolution.
50 - References reworked: Bugs moved into that tag, CVEs get their own tag
51 without a link that could break, other references go as <url>
53 - Metadata: Mostly leftovers from GLSAMaker v1 removed; We now list the
54 author as well as people reviewing a draft and signing off on it with a
55 proper name. Dates are in a standardized format.
57 If there are any other questions, we'll do our best to answer them.
58 Other than that, we'd appreciate any feedback.
61 [1] Especially after today most glsa-check users got another set of
62 false-positives from a faulty python GLSA that could have used it.
64 --
65 Alex Legler <a3li@g.o>
66 Gentoo Security/Ruby/Infrastructure


Subject Author
Re: [gentoo-security] Soliciting feedback for the GLSA-2 format Tobias Heinlein <keytoaster@g.o>
Re: [gentoo-security] Soliciting feedback for the GLSA-2 format Alex Legler <a3li@g.o>
Re: [gentoo-security] Soliciting feedback for the GLSA-2 format Yury German <BlueKnight@××××××××××××××××.com>