> On 10 Nov 2022, at 03:43, Michał Górny <mgo...@gentoo.org> wrote:
> 
> On Wed, 2022-11-09 at 20:27 -0600, John Helmert III wrote:
>> The first GLSA in glsa.git is GLSA-200310-03, the third GLSA of
>> October 2003. It used roughly the same format of the GLSAs we release
>> today, in 2022, making that format almost as old as me.
>> 
>> Somewhere along the way, it started to become necessary to target
>> multiple version ranges within the same package. The GLSA format
>> isn't capable of expressing this. Thus, I propose a new format (an
>> example of which I've attached inline below), with the following
>> changes from the old format:
>> 
>>  - Rework affected to use XML-ified logical operators to specify the
>>    affected versions, and *don't* use different fields to specify
>>    vulnerable and unaffected versions. Instead, only list vulnerable
>>    versions, unaffected versions are implicit.
> 
> Does that imply op="" will now be limited to the standard ebuild
> operators?  Perhaps it'd be cleaner to take a step further and remove
> the attribute in favor of going 100% ebuild syntax (yeah, escaping is
> gonna suck there).
> 
>> 
>>  - Drop synopsis and description fields. These fields contain the same
>>    information and will be superseded by the existing impact field.
> 
> Well, I'm not saying "no" but it feels a bit weird reading a GLSA that
> doesn't say a word what the problem is but specifies impact.
> 

I think we'd rename impact -> description but description would now
be "description of the problem" and not "description of the package".
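To make the first proposed change concrete (list only vulnerable ranges with logical operators, treat everything else as unaffected, and use standard ebuild operators), here is an added example that is not part of the thread and not the glsa.git tooling. The XML layout (`<or>`, `<and>`, `<version op="...">`), the package name and all versions are constructed for illustration; the version comparison is a simplified one for dotted numerics with an optional `-rN` revision and does not implement the full PMS algorithm. Note how `<` and `>` in the `op` attribute have to be escaped as `&lt;` and `&gt;`, which is the escaping pain mentioned above.

```python
"""Evaluate a hypothetical GLSA <affected> block that lists only vulnerable
version ranges, combined with <or>/<and>, using ebuild-style operators.
Any installed version that matches no range is implicitly unaffected."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in an assumed schema; not a real GLSA.
SAMPLE_GLSA = """<glsa id="GLSA-PLACEHOLDER">
  <affected>
    <package name="dev-libs/example">
      <or>
        <and>
          <version op="&gt;=">2.0</version>
          <version op="&lt;">2.3.4-r1</version>
        </and>
        <version op="&lt;">1.8.12</version>
      </or>
    </package>
  </affected>
</glsa>
"""

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r(\d+))?")


def parse_version(text):
    """Simplified parse: dotted integers plus optional -rN revision.
    Returns (components tuple, revision) so tuples compare naturally."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    components = tuple(int(c) for c in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return components, revision


def compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b (simplified ordering)."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


# Standard ebuild comparison operators mapped onto the compare() result.
OPERATORS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    "=": lambda c: c == 0,
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
}


def matches(elem, installed):
    """Recursively evaluate a <version>, <or> or <and> element."""
    if elem.tag == "version":
        op = elem.get("op")
        if op == "~":  # any revision of the given base version
            return parse_version(installed)[0] == parse_version(elem.text)[0]
        return OPERATORS[op](compare(installed, elem.text))
    if elem.tag == "or":
        return any(matches(child, installed) for child in elem)
    if elem.tag == "and":
        return all(matches(child, installed) for child in elem)
    raise ValueError(f"unknown element <{elem.tag}> in <affected>")


def vulnerable_packages(glsa_xml, installed):
    """installed: {package name: installed version}.
    Returns {package name: True if vulnerable} for packages the GLSA names;
    a package not listed, or not matching any range, is unaffected."""
    root = ET.fromstring(glsa_xml)
    result = {}
    for pkg in root.iter("package"):
        name = pkg.get("name")
        if name in installed:
            result[name] = any(matches(child, installed[name]) for child in pkg)
    return result


if __name__ == "__main__":
    for version in ("1.7", "1.8.12", "2.1.0", "2.3.4-r1", "3.0"):
        status = vulnerable_packages(SAMPLE_GLSA, {"dev-libs/example": version})
        print(version, "vulnerable" if status["dev-libs/example"] else "unaffected")
```

The single-package-per-entry loop mirrors the intent that one GLSA can carry several disjoint vulnerable ranges for the same package (here the 1.x series before 1.8.12 and the 2.x series before 2.3.4-r1), which the old one-range-per-field layout could not express.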
