From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1447026-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 47829158020
	for <garchives@archives.gentoo.org>; Fri, 14 Oct 2022 15:35:24 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 0CB08E07D1;
	Fri, 14 Oct 2022 15:35:22 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id E7AB4E07D1
	for <gentoo-commits@lists.gentoo.org>; Fri, 14 Oct 2022 15:35:21 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id EAEEB33C6B6
	for <gentoo-commits@lists.gentoo.org>; Fri, 14 Oct 2022 15:35:20 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 1F05460B
	for <gentoo-commits@lists.gentoo.org>; Fri, 14 Oct 2022 15:35:19 +0000 (UTC)
From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Michał Górny" <mgorny@gentoo.org>
Message-ID: <1665761699.75261f97e6ea138d53f4b38834082ba4a10e0183.mgorny@gentoo>
Subject: [gentoo-commits] data/glep:master commit in: /
X-VCS-Repository: data/glep
X-VCS-Files: glep-0068.rst
X-VCS-Directories: /
X-VCS-Committer: mgorny
X-VCS-Committer-Name: Michał Górny
X-VCS-Revision: 75261f97e6ea138d53f4b38834082ba4a10e0183
X-VCS-Branch: master
Date: Fri, 14 Oct 2022 15:35:19 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: fa2eabd8-5a34-4706-9d29-598c72026b5d
X-Archives-Hash: dfccd534feb3db8a64c5a449dc407874

commit:     75261f97e6ea138d53f4b38834082ba4a10e0183
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Fri Oct  7 20:22:22 2022 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Fri Oct 14 15:34:59 2022 +0000
URL:        https://gitweb.gentoo.org/data/glep.git/commit/?id=75261f97

glep-0068: Clarify and restrict XML data format

Explicitly specify XML 1.0 and link to the specification.  Forbid
"external markup declarations" and processing DTDs to secure against
common XML attacks.

Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

 glep-0068.rst | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/glep-0068.rst b/glep-0068.rst
index 78ac7ea..a2bee64 100644
--- a/glep-0068.rst
+++ b/glep-0068.rst
@@ -4,10 +4,10 @@ Title: Package and category metadata
 Author: Michał Górny <mgorny@gentoo.org>
 Type: Standards Track
 Status: Final
-Version: 1.2
+Version: 1.3
 Created: 2016-03-14
-Last-Modified: 2022-05-22
-Post-History: 2016-03-16, 2018-02-20, 2022-05-22
+Last-Modified: 2022-10-14
+Post-History: 2016-03-16, 2018-02-20, 2022-05-22, 2022-10-07
 Content-Type: text/x-rst
 Requires: 67
 Replaces: 34, 46, 56
@@ -59,10 +59,14 @@ Metadata files
 --------------
 
 This specification provides two kinds of metadata files: category metadata
-files and package metadata files. Both kinds of files use XML file format
-with structure defined in this GLEP. The XML structure does not use
-a namespace and must not contain any elements outside the scope of this
-specification.
+files and package metadata files. Both kinds of files use the XML 1.0 file
+format [#XML10]_. They must not use external markup declarations, as defined
+in the XML specification. While they may reference or include a DTD, the parser
+must not fetch or process it.
+
+The data structure of metadata files is defined in this GLEP. The elements
+and attributes do not use namespaces. Conforming files must not contain
+any elements or attributes that are not defined in this specification.
 
 Category metadata files are named ``metadata.xml`` and located inside category
 directories in an ebuild repository. Their structure is described
@@ -516,6 +520,9 @@ References
 .. [#METADATA-DTD] The original metadata.dtd file
    https://gitweb.gentoo.org/data/dtd.git/tree/metadata.dtd?id=a908a93b5afe295359e0a01814c9bef8b5268bcd
 
+.. [#XML10] Extensible Markup Language (XML) 1.0 (Fifth Edition)
+   https://www.w3.org/TR/xml/
+
 .. [#BCP-47] BCP 47: "Tags for identifying languages",
    https://tools.ietf.org/rfc/bcp/bcp47.txt