Now that we've been growing a bit in numbers and have managed to get the GLSA circulation back on track, it is time to finally talk about the new GLSA format that has been planned for quite a while. The main goal of the new format is to support slots, which is a feature that glsa-check users especially will welcome. [1] Besides, it has become clear that filling in information at the level of detail the current format provides takes too much time while drafting advisories.
Tobias and I took a bit of time today to combine all desired changes into a new sample document:

  http://a3li.li/~alex/gentoo/security/glsa-2-example.xml

Quick outline of the most important changes:

- Synopsis removed: The title provides a quick overview of the issues, while the new, shorter description provides details, yet briefly as well. People requiring even more information can use the linked CVE entries, bugs, and other references.

- Product and GLSA type removed: Only 'ebuild' type GLSAs are issued; the other types are no longer needed. Product was linked to that.

- Packages section reworked: While adding Slot support we tried to get a new, simple, range-based scheme for marking vulnerable versions. The flexibility the range operators offered before was hardly ever used (mostly just to work around the lacking Slot support). We'd especially like feedback in this area; I fear we might be missing some functionality here.

  Quick explanation:

    <package name="dev-lang/python">
      <vulnerable slot="3.2" fixed="3.2.9"/>
      <vulnerable slot="3.3" asof="3.3.0" fixed="3.3.1"/>
      <vulnerable slot="3.3" asof="3.3.3" fixed="3.3.5"/>
      <vulnerable slot="0" fixed="6.3"/>
    </package>
    <package name="dev-lang/python" arch="hppa">
      <vulnerable/>
    </package>

  Reads as follows: On hppa, there is no fixed version. On all other arches, python in slot 3.2 is fixed in >=3.2.9 and affected for anything less; in the 3.3 slot, [3.3.0; 3.3.1[ and [3.3.3; 3.3.5[ are affected; for the 0 slot, anything <6.3 is affected.

- Human-readable texts reworked: Background + Description + Resolution instead of (Synopsis) + Background + Description + Impact + Resolution.

- References reworked: Bugs moved into that tag, CVEs get their own tag without a link that could break, other references go as <url>.

- Metadata: Mostly leftovers from GLSAMaker v1 removed. We now list the author as well as the people reviewing a draft and signing off on it with a proper name. Dates are in a standardized format.
If there are any other questions, we'll do our best to answer them. Other than that, we'd appreciate any feedback.

[1] Especially after today, when most glsa-check users got another set of false positives from a faulty python GLSA that could have used it.

-- 
Alex Legler <a...@gentoo.org>
Gentoo Security/Ruby/Infrastructure
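To make the range semantics of the proposed <package>/<vulnerable> scheme concrete, here is an added example of how a glsa-check-style consumer could evaluate them. This is illustrative code written for this page, not part of the GLSA 2 proposal, GLSAMaker, or portage. It assumes (a) plain dotted-numeric versions compared as integer tuples, whereas real ebuild versions need portage's vercmp; (b) that an arch-specific <package> entry replaces the generic one for that arch, as the hppa example suggests; and (c) that a <vulnerable> element without a slot attribute applies to every slot. The sample document is the package block from the post wrapped in a root element so it parses on its own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <package> block from the post, wrapped in a root
# element so it can be parsed stand-alone.
SAMPLE_GLSA = """<glsa>
  <package name="dev-lang/python">
    <vulnerable slot="3.2" fixed="3.2.9"/>
    <vulnerable slot="3.3" asof="3.3.0" fixed="3.3.1"/>
    <vulnerable slot="3.3" asof="3.3.3" fixed="3.3.5"/>
    <vulnerable slot="0" fixed="6.3"/>
  </package>
  <package name="dev-lang/python" arch="hppa">
    <vulnerable/>
  </package>
</glsa>"""

ROOT = ET.fromstring(SAMPLE_GLSA)


def parse_version(version):
    """Assumption: dotted-numeric versions only. Real ebuild versions
    (suffixes such as _rc1, -r2, trailing letters) must go through
    portage's vercmp instead of this helper."""
    return tuple(int(part) for part in version.split("."))


def version_lt(a, b):
    """True if version a sorts before version b. Shorter tuples are padded
    with zeros so that 3.3 compares equal to 3.3.0 and below 3.3.1."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def select_package(root, name, arch):
    """Return the <package> entry that applies to this arch. Assumption:
    an entry with a matching arch attribute overrides the generic entry
    (the one without an arch attribute) for that arch."""
    generic = None
    for pkg in root.iter("package"):
        if pkg.get("name") != name:
            continue
        if pkg.get("arch") == arch:
            return pkg
        if pkg.get("arch") is None:
            generic = pkg
    return generic


def is_vulnerable(root, name, arch, slot, version):
    """Evaluate the range scheme from the post for one installed package:
      <vulnerable/>                 -> affected, no fixed version exists
      <vulnerable fixed="F"/>       -> affected if version < F
      <vulnerable asof="A" fixed="F"/> -> affected if A <= version < F
    Entries carrying a slot attribute only apply to that slot; entries
    without one apply to every slot (assumption)."""
    pkg = select_package(root, name, arch)
    if pkg is None:
        return False  # package not mentioned in this advisory
    for rng in pkg.findall("vulnerable"):
        rng_slot = rng.get("slot")
        if rng_slot is not None and rng_slot != slot:
            continue
        asof, fixed = rng.get("asof"), rng.get("fixed")
        if asof is not None and version_lt(version, asof):
            continue  # below the start of the half-open range [asof; fixed[
        if fixed is None:
            return True  # no fix available: every remaining version is affected
        if version_lt(version, fixed):
            return True
    return False


if __name__ == "__main__":
    # Walk the examples given in the post's "Reads as follows" paragraph.
    checks = [
        ("hppa", "3.2", "3.2.9"),   # no fixed version on hppa
        ("amd64", "3.2", "3.2.8"),  # below fixed 3.2.9
        ("amd64", "3.2", "3.2.9"),  # fixed
        ("amd64", "3.3", "3.3.2"),  # in the gap between the two 3.3 ranges
        ("amd64", "3.3", "3.3.4"),  # inside [3.3.3; 3.3.5[
        ("amd64", "0", "6.3"),      # fixed
    ]
    for arch, slot, version in checks:
        state = "VULNERABLE" if is_vulnerable(ROOT, "dev-lang/python", arch, slot, version) else "ok"
        print(f"{arch:5} dev-lang/python:{slot} {version:6} -> {state}")
```

The half-open interval check mirrors the post's [asof; fixed[ notation: the lower bound is inclusive, the upper bound (the fixed version) is not. A real consumer would also have to decide what a slot-less <vulnerable> entry means for packages installed in several slots, which is exactly the kind of schema question the post is asking for feedback on.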