Now that we've been growing a bit in numbers and have managed to get the
GLSA circulation back on track, it is time to finally talk about the new
GLSA format that has been planned for quite a while.
The main goal of the new format is to support slots, which is a feature
especially glsa-check users will welcome. [1]
Besides, it has become clear that filling in information at the level of
detail the current format provides takes too much time while drafting
advisories.

Tobias and I took a bit of time today to combine all desired changes
into a new sample document:

http://a3li.li/~alex/gentoo/security/glsa-2-example.xml

Quick outline of the most important changes:

- Synopsis removed: The title provides a quick overview of the issues,
while the new shorter description provides details, yet briefly as well.
People requiring even more information can use the linked CVE entries,
bugs, and other references.

- Product and GLSA type removed: There are only 'ebuild' type GLSAs
issued; the other types are no longer needed. Product was linked to that.

- Packages section reworked: While adding Slot support we tried to get a
new, simple, range-based scheme for marking vulnerable versions. The
flexibility the range operators offered before was hardly ever used
(mostly just to work around the lacking Slot support). We'd especially
like feedback in this area; I fear we might be missing some
functionality here. Quick explanation:

  <package name="dev-lang/python">
    <vulnerable slot="3.2" fixed="3.2.9"/>
    <vulnerable slot="3.3" asof="3.3.0" fixed="3.3.1"/>
    <vulnerable slot="3.3" asof="3.3.3" fixed="3.3.5"/>
    <vulnerable slot="0" fixed="6.3"/>
  </package>
  <package name="dev-lang/python" arch="hppa">
    <vulnerable/>
  </package>

Reads as follows:
On hppa, there is no fixed version.
On all other arches, python in slot 3.2 is fixed in >=3.2.9, affected
for anything less; in the 3.3 slot, [3.3.0; 3.3.1[ and [3.3.3; 3.3.5[
are affected; for the 0 slot, anything <6.3 is affected.

- Human-readable texts reworked: Background + Description + Resolution
instead of (Synopsis) + Background + Description + Impact + Resolution.

- References reworked: Bugs moved into that tag, CVEs get their own tag
without a link that could break, other references go as <url>.

- Metadata: Mostly leftovers from GLSAMaker v1 removed; we now list the
author as well as people reviewing a draft and signing off on it with a
proper name. Dates are in a standardized format.

If there are any other questions, we'll do our best to answer them.
Other than that, we'd appreciate any feedback.


[1] Especially after today, when most glsa-check users got another set of
false-positives from a faulty python GLSA that could have used it.

-- 
Alex Legler <a3li@g.o>
Gentoo Security/Ruby/Infrastructure