| 1 |
Now that we've been growing a bit in numbers and have managed to get the |
| 2 |
GLSA circulation back on track, it is time to finally talk about the new |
| 3 |
GLSA format that has been planned for quite a while. |
| 4 |
The main goal of the new format is to support slots which is a feature |
| 5 |
especially glsa-check users will welcome. [1] |
| 6 |
Besides, it has become clear that filling in information in the level of |
| 7 |
detail the current format provides takes too much time while drafting |
| 8 |
advisories. |
| 9 |
|
| 10 |
Tobias and I took a bit of time today to combine all desired changes |
| 11 |
into a new sample document: |
| 12 |
|
| 13 |
http://a3li.li/~alex/gentoo/security/glsa-2-example.xml |
| 14 |
|
| 15 |
Quick outline of the most important changes: |
| 16 |
|
| 17 |
- Synopsis removed: The title provides a quick overview of the issues, |
| 18 |
while the new shorter description provides details, yet briefly as well. |
| 19 |
People requiring even more information can use the linked CVE entries, |
| 20 |
bugs, and other references. |
| 21 |
|
| 22 |
- Product and GLSA type removed: There are only 'ebuild' type GLSAs |
| 23 |
issued, the other types are no longer needed. Product was linked to that. |
| 24 |
|
| 25 |
- Packages section reworked: While adding Slot support we tried to get a |
| 26 |
new, simple, range-based scheme for marking vulnerable versions. The |
| 27 |
flexibility the range operators offered before was hardly ever used |
| 28 |
(mostly just to work around the lacking Slot support). We'd especially |
| 29 |
like feedback in this area, I fear we might be missing some |
| 30 |
functionality here. Quick explanation: |
| 31 |
<package name="dev-lang/python"> |
| 32 |
<vulnerable slot="3.2" fixed="3.2.9"/> |
| 33 |
<vulnerable slot="3.3" asof="3.3.0" fixed="3.3.1"/> |
| 34 |
<vulnerable slot="3.3" asof="3.3.3" fixed="3.3.5"/> |
| 35 |
<vulnerable slot="0" fixed="6.3"/> |
| 36 |
</package> |
| 37 |
<package name="dev-lang/python" arch="hppa"> |
| 38 |
<vulnerable/> |
| 39 |
</package> |
| 40 |
|
| 41 |
Reads as follows: |
| 42 |
On hppa, there is no fixed version. |
| 43 |
On all other arches, python in slot 3.2 is fixed in >=3.2.9, affected |
| 44 |
for anything less, in the 3.3 slot, [3.3.0; 3.3.1[ and [3.3.3; 3.3.5[ |
| 45 |
are affected, for the 0 slot, anything <6.3 is affected. |
| 46 |
|
| 47 |
- Human-readable texts reworked: Background + Description + Resolution |
| 48 |
instead of (Synopsis) + Background + Description + Impact + Resolution. |
| 49 |
|
| 50 |
- References reworked: Bugs moved into that tag, CVEs get their own tag |
| 51 |
without a link that could break, other references go as <url> |
| 52 |
|
| 53 |
- Metadata: Mostly leftovers from GLSAMaker v1 removed; We now list the |
| 54 |
author as well as people reviewing a draft and signing off on it with a |
| 55 |
proper name. Dates are in a standardized format. |
| 56 |
|
| 57 |
If there are any other questions, we'll do our best to answer them. |
| 58 |
Other than that, we'd appreciate any feedback. |
| 59 |
|
| 60 |
|
| 61 |
[1] Especially after today most glsa-check users got another set of |
| 62 |
false-positives from a faulty python GLSA that could have used it. |
| 63 |
|
| 64 |
-- |
| 65 |
Alex Legler <a3li@g.o> |
| 66 |
Gentoo Security/Ruby/Infrastructure |
Archives