> On 12 Nov 2022, at 00:01, Jonas Stein <jst...@gentoo.org> wrote:
>
>>>>> [2] https://oasis-open.github.io/csaf-documentation/
>
>> Oh I see, I'd missed the actual link to CSAF, sorry.
>
> My fault. I should not add xkcd links in future.

Nah, the xkcd is fine, I just missed the link to the actual standard. No worries.

>> I'll take a look. It's not clear to me yet if this is going to be a good
>> fit for distributions though, as we're not a normal "vendor".
>
> The major idea of CSAF is to use it optionally along with CPE, CVE,
> security.txt
> These are fully compatible and complete each other.
>
> We are a "vendor" in this scheme.
> You can already find CVEs assigned to the product with the CPE
> cpe:2.3:a:gentoo:

That's a bit different because that's when there's a vulnerability in e.g. Portage, I think.

> So we are the vendor "gentoo".
> Perhaps gentoo_project would be more intuitive but currently it is "gentoo".
>
>> Are you aware of any other Linux distros using this?
>
> Langley Rock from Red Hat seems to be part of the editors team.
> So I guess Redhat/Centos are on the way.
>
> (see https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html)
>
> Here are some presentations:
> https://oasis-open.github.io/csaf-documentation/videos.html
>
> CSAF is exactly what we want with GLSA.
> There are already many tools to parse and pretty print the CSAF documents.

Thanks, I'll look into it more. Can you offer to help implement it in Portage?