[2] https://oasis-open.github.io/csaf-documentation/
Oh I see, I'd missed the actual link to CSAF, sorry.
My fault. I should not add xkcd links in future.
I'll take a look. It's not clear to me yet if this is going to be a good fit for distributions though, as we're not a normal "vendor".
The major idea of CSAF is to use it optionally along with CPE, CVE, security.txt
These are fully compatible and complement each other. We are a "vendor" in this scheme. You can already find CVEs assigned to the product with the CPE cpe:2.3:a:gentoo:, so we are the vendor "gentoo". Perhaps gentoo_project would be more intuitive, but currently it is "gentoo".
Are you aware of any other Linux distros using this?
Langley Rock from Red Hat seems to be part of the editor team, so I guess Red Hat/CentOS are on the way (see https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html). Here are some presentations: https://oasis-open.github.io/csaf-documentation/videos.html
CSAF is exactly what we want with GLSA. There are already many tools to parse and pretty print the CSAF documents.
--
Best, Jonas
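As an added illustration of what a consumer gets out of a CSAF 2.0 document (this is example code written for this page, not the thread's, Gentoo's or OASIS's own tooling): the script below walks the `product_tree` of an advisory, maps each `product_id` to the CPE from its `product_identification_helper`, and then reports, per CVE, which CPEs the `product_status` lists as affected or fixed. The advisory embedded in the block is a constructed sample in the CSAF 2.0 shape; the vendor `example`, the product `libfoo`, the tracking id and the CVE number are placeholders (a real GLSA would carry the `gentoo` vendor string the thread mentions). Only `branches` are walked; `full_product_names` and `relationships`, which CSAF also allows in the product tree, are ignored for brevity.

```python
"""Summarize a CSAF 2.0 advisory: per CVE, which products (by CPE) are
affected or fixed. Added example, not code from the thread or from OASIS."""
import json

# Constructed sample in CSAF 2.0 layout. Vendor, product, tracking id and
# CVE number are placeholders, not real identifiers.
SAMPLE_CSAF = json.dumps({
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Distro",
                      "namespace": "https://example.invalid/"},
        "title": "Example advisory (constructed)",
        "tracking": {
            "id": "EXAMPLE-0000-01",
            "status": "final",
            "version": "1",
            "initial_release_date": "2023-01-01T00:00:00Z",
            "current_release_date": "2023-01-01T00:00:00Z",
            "revision_history": [{"date": "2023-01-01T00:00:00Z",
                                  "number": "1", "summary": "Initial release"}],
        },
    },
    "product_tree": {
        "branches": [{
            "category": "vendor", "name": "example",
            "branches": [{
                "category": "product_name", "name": "libfoo",
                "branches": [
                    {"category": "product_version", "name": "1.0",
                     "product": {"name": "libfoo 1.0", "product_id": "LIBFOO-1.0",
                                 "product_identification_helper": {
                                     "cpe": "cpe:2.3:a:example:libfoo:1.0:*:*:*:*:*:*:*"}}},
                    {"category": "product_version", "name": "1.1",
                     "product": {"name": "libfoo 1.1", "product_id": "LIBFOO-1.1",
                                 "product_identification_helper": {
                                     "cpe": "cpe:2.3:a:example:libfoo:1.1:*:*:*:*:*:*:*"}}},
                ],
            }],
        }],
    },
    "vulnerabilities": [{
        "cve": "CVE-0000-00001",  # placeholder, not a real CVE id
        "product_status": {"known_affected": ["LIBFOO-1.0"],
                           "fixed": ["LIBFOO-1.1"]},
    }],
})


def collect_products(node, out=None):
    """Recursively walk product_tree branches and map product_id -> CPE.
    Falls back to the product name when no CPE helper is present."""
    if out is None:
        out = {}
    for branch in node.get("branches", []):
        product = branch.get("product")
        if product:
            helper = product.get("product_identification_helper", {})
            out[product["product_id"]] = helper.get("cpe", product["name"])
        collect_products(branch, out)  # descend into nested branches
    return out


def summarize(csaf_json):
    """Return {cve: {status: [cpe, ...]}} for every vulnerability listed.
    Unknown product ids are passed through unchanged so gaps stay visible."""
    doc = json.loads(csaf_json)
    products = collect_products(doc.get("product_tree", {}))
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        key = vuln.get("cve") or vuln.get("title", "<no cve>")
        statuses = {}
        for status, ids in vuln.get("product_status", {}).items():
            statuses[status] = [products.get(pid, pid) for pid in ids]
        result[key] = statuses
    return result


if __name__ == "__main__":
    for cve, statuses in summarize(SAMPLE_CSAF).items():
        print(cve)
        for status, cpes in statuses.items():
            print(f"  {status}: {', '.join(cpes)}")
```

Resolving product ids to CPEs is what lets a scanner or a distro's own tracker line the advisory up with the CVE and CPE data the thread mentions; in a real pipeline the same walk would also have to follow `relationships` (e.g. a package as installed in a particular release), which CSAF expresses as separate product entries.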