On Tuesday, 26.05.2009, at 16:19 +0200, Robert Buchholz wrote:
> Hello,
>
> the Security Team would like to create a new DTD for our GLSAs. GLSAs
> are distributed via our web site and the tree. Their format is defined
> by a DTD.
>
> When the format was initially defined in 2004, some use cases were
> considered that never got implemented or used. Other use cases only
> came up later. For this reason, we want to update the GLSA for the
> needs of 2009. Since this includes changes that make existing GLSAs
> invalid we are going to introduce a new DTD called glsa-2.dtd.
>
> I would like to announce the changes we want to introduce. If you have
> any feedback, please speak up. This can include feature requests.

Maybe add a 'tag' attribute to the reference link to give them a meaning,
like:

<uri tag='upstream' link='http://bugs.samba.org/...'>...</uri>

or keep a table of tags in the XSL and replace it on transformation:

<uri tag='samba-bugs' id='1234'>Upstream Bug 1234</uri>

Not sure whether uri would be the right place for such stuff, though.

> After
> this discussion, we would like to freeze the DTD and ask all consumers
> of GLSA XML files (such as package managers) to implement said changes.
> The first GLSA using the new DTD will be at the earliest six weeks
> after the DTD was frozen. Once the new GLSA format is in use, we are
> going to convert some or all of the existing GLSAs to use the format.

I wouldn't do that, since a properly written tool should be able to handle
both versions anyway.

>
> Find the existing DTD here:
> http://dev.gentoo.org/~rbu/glsa-2/glsa.dtd
>
> The new DTD here:
> http://dev.gentoo.org/~rbu/glsa-2/glsa-2.dtd
>
> And a diff between them here:
> http://dev.gentoo.org/~rbu/glsa-2/glsa-2.dtd.diff
>
> Here's a list of changes:
>
> (-) Dropping of the product type. GLSAs will be used solely to announce
>     security issues in the Portage Tree. The "infrastructure"
>     and "informational" product type are not needed and the type
>     attribute will be dropped altogether.
> (-) Dropping of service tag. Same rationale as above, if we
>     drop "infrastructure", we do not need the service tag.
> (-) Drop the 'name' attribute to unaffected. This is not implemented in
>     glsa-check or Portage 2.2 and it was never part of our Policy to mix
>     GLSAs with package moves or similar.
> (+) SLOT support. An implied attribute 'slot' to the 'vulnerable'
>     and 'unaffected' tag will be introduced. This limits the scope of
>     the range specifiers to ebuilds in the specified slot. The default
>     is '*' meaning all slots. [1]

I don't think this is really a good idea, since the version may or may not
be tied to a slot (at the moment it is in most cases I know of).

Looks good so far.
--
Tiziano Müller
Gentoo Linux Developer, Council Member
Areas of responsibility:
  Samba, PostgreSQL, CPP, Python, sysadmin, GLEP Editor
E-Mail   : dev-z...@gentoo.org
GnuPG FP : F327 283A E769 2E36 18D5 4DE2 1B05 6A63 AE9C 1E30
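As an added example (not code from this mail, from glsa-check or from Portage), here is a small Python reader for a GLSA-2-style fragment that exercises the two points raised in the thread: the proposed 'slot' attribute on vulnerable/unaffected with '*' as the implied default, so that an advisory written without slots keeps working in the same tool, and a 'tag' attribute on uri that is resolved through a table of URL templates, as suggested above for the XSL. The element and attribute names other than 'slot' and 'tag' (package, name, range, link) are assumed from the existing glsa.dtd; the URI_TAGS table and its bugs.samba.org URL pattern are hypothetical; the sample XML is constructed; and version comparison is reduced to dotted integers, which does not cover real Gentoo version syntax (suffixes, revisions).

```python
# Added example; not from the mail, glsa-check or Portage.
# Element/attribute names besides 'slot' and 'tag' are assumed from the
# existing glsa.dtd. Sample XML, URI_TAGS and the version scheme are
# constructed/simplified for illustration.
import xml.etree.ElementTree as ET

# Constructed sample: the first package uses the proposed slot attribute,
# the second is written in the pre-glsa-2 form (no slot, implied '*').
SAMPLE_GLSA = """<glsa>
  <affected>
    <package name="net-fs/samba" auto="yes" arch="*">
      <unaffected range="ge" slot="3">3.0.35</unaffected>
      <vulnerable range="lt" slot="3">3.0.35</vulnerable>
    </package>
    <package name="dev-db/postgresql-server" auto="yes" arch="*">
      <unaffected range="ge">8.3.7</unaffected>
      <vulnerable range="lt">8.3.7</vulnerable>
    </package>
  </affected>
  <references>
    <uri tag="samba-bugs" id="1234">Upstream Bug 1234</uri>
    <uri link="http://www.example.org/advisory">Example advisory</uri>
  </references>
</glsa>"""

# Hypothetical tag table, the equivalent of the table the mail proposes
# keeping in the XSL; '{id}' is filled from the uri's id attribute.
URI_TAGS = {
    "samba-bugs": "http://bugs.samba.org/show_bug.cgi?id={id}",
}

# Range specifiers as used by the existing GLSA format (assumed names).
RANGE_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def parse_version(text):
    """Simplified version parser: dotted integers only (not real PMS syntax)."""
    return tuple(int(part) for part in text.strip().split("."))


def slot_matches(spec_slot, installed_slot):
    """A missing slot attribute defaults to '*', i.e. applies to every slot."""
    return spec_slot == "*" or spec_slot == installed_slot


def _ranges_match(pkg, tag_name, version, installed_slot):
    for el in pkg.findall(tag_name):
        if not slot_matches(el.get("slot", "*"), installed_slot):
            continue  # range is scoped to another slot; ignore it
        if RANGE_OPS[el.get("range")](version, parse_version(el.text)):
            return True
    return False


def is_vulnerable(glsa_xml, package, installed_version, installed_slot):
    """True if the installed (version, slot) falls in a vulnerable range
    and no unaffected range for the same slot covers it."""
    root = ET.fromstring(glsa_xml)
    version = parse_version(installed_version)
    for pkg in root.iter("package"):
        if pkg.get("name") != package:
            continue
        hit = _ranges_match(pkg, "vulnerable", version, installed_slot)
        fixed = _ranges_match(pkg, "unaffected", version, installed_slot)
        return hit and not fixed
    return False  # package not mentioned by this GLSA


def resolve_references(glsa_xml):
    """Return (label, url) pairs, expanding tagged uris via URI_TAGS."""
    root = ET.fromstring(glsa_xml)
    refs = []
    for uri in root.iter("uri"):
        tag = uri.get("tag")
        if tag is not None:
            link = URI_TAGS[tag].format(id=uri.get("id"))
        else:
            link = uri.get("link")
        refs.append((uri.text, link))
    return refs


if __name__ == "__main__":
    # Same version, different slot: only the slot-3 install is affected.
    print(is_vulnerable(SAMPLE_GLSA, "net-fs/samba", "3.0.30", "3"))
    print(is_vulnerable(SAMPLE_GLSA, "net-fs/samba", "3.0.30", "4"))
    # Old-style entry without slot still evaluates (implied '*').
    print(is_vulnerable(SAMPLE_GLSA, "dev-db/postgresql-server", "8.3.6", "8.3"))
    for label, url in resolve_references(SAMPLE_GLSA):
        print(label, "->", url)
```

The slot check is where the objection in the mail shows up: with slot="3" on the samba ranges, an install of the same vulnerable version in a different slot is silently not flagged, so an advisory author who scopes ranges by slot has to be sure the fix really is slot-specific. Leaving the attribute off falls back to '*' and reproduces the pre-glsa-2 behaviour, which is what lets one tool read both formats.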