[gentoo-dev] [PATCH dtd] glsa.dtd: Allow slot="" attribute for vulnerable&unaffected

[gentoo-dev] [PATCH dtd] glsa.dtd: Allow slot="" attribute for vulnerable&unaffected

[Michał Górny]

Officially list the slot="" attribute that is used in GLSAs for quite
some time in the DTD. It is supported by Portage and gentoolkit for
a long time, and was used in GLSAs interchangeably with implicit
appended ':slot' to the version. However, the latter was ugly and worked
only by accident, so we are moving towards the former.
---
 glsa.dtd | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/glsa.dtd b/glsa.dtd
index 52be18e..22237b0 100644
--- a/glsa.dtd
+++ b/glsa.dtd
@@ -124,7 +124,8 @@
     Description:  Version of the vulnerable package. Can be a range too
 -->
 <!ELEMENT vulnerable (#PCDATA)>
-<!ATTLIST vulnerable range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED>
+<!ATTLIST vulnerable range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED
+                     slot       CDATA                 #IMPLIED>
 
 <!--
     Element:      unaffected
@@ -140,6 +141,7 @@
 -->
 <!ELEMENT unaffected (#PCDATA)>
 <!ATTLIST unaffected range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED
+                     slot       CDATA                 #IMPLIED
                      name       CDATA                 #IMPLIED>
 
 <!--
-- 
2.12.2

Re: [gentoo-dev] [PATCH dtd] glsa.dtd: Allow slot="" attribute for vulnerable&unaffected

[Mart Raudsepp]

Ühel kenal päeval, T, 11.04.2017 kell 22:10, kirjutas Michał Górny:
> Officially list the slot="" attribute that is used in GLSAs for quite
> some time in the DTD. It is supported by Portage and gentoolkit for
> a long time, and was used in GLSAs interchangeably with implicit
> appended ':slot' to the version. However, the latter was ugly and
> worked
> only by accident, so we are moving towards the former.

':slot' version was only used for less than a day until it was reverted
back to slot attribute. Slot attributes are used since January or so in
existing GLSAs where needed to avoid old slot version bumps starting to
give false positives, e.g libpng and such.

For further context for other readers, slot="" attribute support has
been in glsa-check for at least Q4 2008, potentially Q3 2007. The code
was synced to portage near there as well I believe (for @security and
such usage).

> ---
>  glsa.dtd | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/glsa.dtd b/glsa.dtd
> index 52be18e..22237b0 100644
> --- a/glsa.dtd
> +++ b/glsa.dtd
> @@ -124,7 +124,8 @@
>      Description:  Version of the vulnerable package. Can be a range
> too

Maybe some slot attribute documentation could be added as well, similar
to how the original patch attached to https://bugs.gentoo.org/106677
did? Though not the "*" stuff, that feels wrong and should be just
omitted attribute for that.


Mart

Re: [gentoo-dev] [PATCH dtd] glsa.dtd: Allow slot="" attribute for vulnerable&unaffected

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1424 bytes --]

On śro, 2017-04-12 at 01:57 +0300, Mart Raudsepp wrote:
> Ühel kenal päeval, T, 11.04.2017 kell 22:10, kirjutas Michał Górny:
> > ---
> >  glsa.dtd | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/glsa.dtd b/glsa.dtd
> > index 52be18e..22237b0 100644
> > --- a/glsa.dtd
> > +++ b/glsa.dtd
> > @@ -124,7 +124,8 @@
> >      Description:  Version of the vulnerable package. Can be a range
> > too
> 
> Maybe some slot attribute documentation could be added as well, similar
> to how the original patch attached to https://bugs.gentoo.org/106677
> did?

I'd rather not put more effort into the DTD than absolutely necessary.
I'm halfway porting it to XML Schema. Plus, a lot of the documentation
in the DTD is plain outdated. In fact, the patch in question has been
written against a different DTD file, more likely a better documented
version that was never committed.

>  Though not the "*" stuff, that feels wrong and should be just
> omitted attribute for that.

Not convinced about that. '*' is already used explicitly in arch='', so
I don't see a reason to not allow the same syntax here. This is also
what the Paludis implementation assumes, and it fits into slot operators
nicely.

Maybe I should just change the default from #IMPLIED to "*"? (i.e. make
omitted attribute equivalent to "*" DTD-wise)

-- 
Best regards,
Michał Górny

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-dev] [PATCH dtd] glsa.dtd: Allow slot="" attribute for vulnerable&unaffected

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 826 bytes --]

On 04/12/2017 09:10 AM, Michał Górny wrote:
>>  Though not the "*" stuff, that feels wrong and should be just
>> omitted attribute for that.
> Not convinced about that. '*' is already used explicitly in arch='', so
> I don't see a reason to not allow the same syntax here. This is also
> what the Paludis implementation assumes, and it fits into slot operators
> nicely.
> 
> Maybe I should just change the default from #IMPLIED to "*"? (i.e. make
> omitted attribute equivalent to "*" DTD-wise)

I agree, mgorny, the explicit '*' is used already and should stay,
changing the default value for no attribute to interpret as '*' also
makes sense in this context.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[gentoo-dev] [PATCH v2] glsa.dtd: Allow slot="" attribute for vulnerable&unaffected

[Michał Górny]

Officially list the slot="" attribute that is used in GLSAs for quite
some time in the DTD. It is supported by Portage and gentoolkit for
a long time, and was used in GLSAs interchangeably with implicit
appended ':slot' to the version. However, the latter was ugly and worked
only by accident, so we are moving towards the former.
---
 glsa.dtd | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/glsa.dtd b/glsa.dtd
index 52be18e..b6459d1 100644
--- a/glsa.dtd
+++ b/glsa.dtd
@@ -124,7 +124,8 @@
     Description:  Version of the vulnerable package. Can be a range too
 -->
 <!ELEMENT vulnerable (#PCDATA)>
-<!ATTLIST vulnerable range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED>
+<!ATTLIST vulnerable range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED
+                     slot       CDATA                 "*">
 
 <!--
     Element:      unaffected
@@ -140,6 +141,7 @@
 -->
 <!ELEMENT unaffected (#PCDATA)>
 <!ATTLIST unaffected range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED
+                     slot       CDATA                 "*"
                      name       CDATA                 #IMPLIED>
 
 <!--
-- 
2.12.2

Re: [gentoo-dev] [PATCH v2] glsa.dtd: Allow slot="" attribute for vulnerable&unaffected

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1359 bytes --]

On czw, 2017-04-13 at 07:39 +0200, Michał Górny wrote:
> Officially list the slot="" attribute that is used in GLSAs for quite
> some time in the DTD. It is supported by Portage and gentoolkit for
> a long time, and was used in GLSAs interchangeably with implicit
> appended ':slot' to the version. However, the latter was ugly and worked
> only by accident, so we are moving towards the former.
> ---
>  glsa.dtd | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/glsa.dtd b/glsa.dtd
> index 52be18e..b6459d1 100644
> --- a/glsa.dtd
> +++ b/glsa.dtd
> @@ -124,7 +124,8 @@
>      Description:  Version of the vulnerable package. Can be a range too
>  -->
>  <!ELEMENT vulnerable (#PCDATA)>
> -<!ATTLIST vulnerable range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED>
> +<!ATTLIST vulnerable range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED
> +                     slot       CDATA                 "*">
>  
>  <!--
>      Element:      unaffected
> @@ -140,6 +141,7 @@
>  -->
>  <!ELEMENT unaffected (#PCDATA)>
>  <!ATTLIST unaffected range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED
> +                     slot       CDATA                 "*"
>                       name       CDATA                 #IMPLIED>
>  
>  <!--

Pushed.

-- 
Best regards,
Michał Górny

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]