From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 39BF4139694 for ; Tue, 11 Apr 2017 22:57:54 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 12F54E0D6C; Tue, 11 Apr 2017 22:57:46 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id BF245E0CA4 for ; Tue, 11 Apr 2017 22:57:45 +0000 (UTC) Received: from [192.168.2.10] (85.253.85.240.cable.starman.ee [85.253.85.240]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: leio) by smtp.gentoo.org (Postfix) with ESMTPSA id 24280341689 for ; Tue, 11 Apr 2017 22:57:43 +0000 (UTC) Message-ID: <1491951460.14800.1.camel@gentoo.org> Subject: Re: [gentoo-dev] [PATCH dtd] glsa.dtd: Allow slot="" attribute for vulnerable&unaffected From: Mart Raudsepp To: gentoo-dev@lists.gentoo.org Date: Wed, 12 Apr 2017 01:57:40 +0300 In-Reply-To: <20170411201034.28677-1-mgorny@gentoo.org> References: <20170411201034.28677-1-mgorny@gentoo.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-Archives-Salt: f1afb308-8749-43d9-b79c-ea742f98ac32 X-Archives-Hash: 32660ee5c1d5ba5b6e86e8777de3c5a1 Ühel kenal päeval, T, 11.04.2017 kell 22:10, kirjutas Michał Górny: > Officially list the slot="" attribute that is used in GLSAs for quite > some time in the DTD. It is supported by Portage and gentoolkit for > a long time, and was used in GLSAs interchangeably with implicit > appended ':slot' to the version. However, the latter was ugly and > worked > only by accident, so we are moving towards the former. ':slot' version was only used for less than a day until it was reverted back to slot attribute. Slot attributes are used since January or so in existing GLSAs where needed to avoid old slot version bumps starting to give false positives, e.g libpng and such. For further context for other readers, slot="" attribute support has been in glsa-check for at least Q4 2008, potentially Q3 2007. The code was synced to portage near there as well I believe (for @security and such usage). > --- >  glsa.dtd | 4 +++- >  1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/glsa.dtd b/glsa.dtd > index 52be18e..22237b0 100644 > --- a/glsa.dtd > +++ b/glsa.dtd > @@ -124,7 +124,8 @@ >      Description:  Version of the vulnerable package. Can be a range > too Maybe some slot attribute documentation could be added as well, similar to how the original patch attached to https://bugs.gentoo.org/106677 did? Though not the "*" stuff, that feels wrong and should be just omitted attribute for that. Mart