public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] GLEP #14: security updates based on GLSA
From: Marius Mauch @ 2003-08-22 17:19 UTC (permalink / raw
  To: gentoo-dev; +Cc: gentoo-security, gentoo-server, aliz

Hi all,

As already discussed here several days ago I've written up a GLEP for
this often-requested feature:

http://www.gentoo.org/proj/en/glep/glep-0014.html

Everything in the GLEP is open for discussion, please share your
questions/comments/concerns with the other people on this list, so that
they can be incorporated. I'll update the GLEP if necessary, so make
sure you read the latest version before posting.

(for those reading this on the -security or -server mailing list, please
reply only on -dev)

Marius

--
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Caleb Tennis @ 2003-08-22 17:30 UTC (permalink / raw
  To: gentoo-dev

On Friday 22 August 2003 12:19 pm, Marius Mauch wrote:
> As already discussed here several days ago I've written up a GLEP for
> this often-requested feature:

Good first draft.  I'd propose to add in some way to verify the GLSA is indeed 
an authorized one (checking a GPG signature, perhaps?).  I would further 
propose some thought around making sure that a GLSA is indeed a formal Gentoo 
GLSA and has gone through the security team, as opposed to having a 
random developer be able to issue one.

Caleb



* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Paul de Vrieze @ 2003-08-22 18:26 UTC (permalink / raw
  To: gentoo-dev


On Friday 22 August 2003 19:19, Marius Mauch wrote:
> Hi all,
>
> As already discussed here several days ago I've written up a GLEP for
> this often-requested feature:
>
> http://www.gentoo.org/proj/en/glep/glep-0014.html
>
> Everything in the GLEP is open for discussion, please share your
> questions/comments/concerns with the other people on this list, so that
> they can be incorporated. I'll update the GLEP if necessary, so make
> sure you read the latest version before posting.
>
> (for those reading this on the -security or -server mailing list, please
> reply only on -dev)
>

Looks good. We need something in this direction. One thing for the DTD though: 
you might want to add a possibility for a "between" value for the range 
attribute of the version tag. 

Paul

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net


* [gentoo-dev] Re: [gentoo-security] GLEP #14: security updates based on GLSA
From: James Harlow @ 2003-08-22 18:45 UTC (permalink / raw
  To: gentoo-dev

On Fri, Aug 22, 2003 at 07:19:39PM +0200, Marius Mauch wrote:
> Hi all,
>
> As already discussed here several days ago I've written up a GLEP for
> this often-requested feature:
>
> http://www.gentoo.org/proj/en/glep/glep-0014.html
>
> Everything in the GLEP is open for discussion, please share your
> questions/comments/concerns with the other people on this list, so
> that
> they can be incorporated. I'll update the GLEP if necessary, so make
> sure you read the latest version before posting.

I think the GLEP itself is really good, and my Python's not good enough
to critique the tool. So this is all about the DTD.

It would be nice if the solution and the command became mandatory, and
the command was formatted so that it could be run with /bin/sh.

It's also my feeling that the exploit element should become an attribute
so it can be checked - for example, if I'm writing a tool to secure a
firewall while I'm on holiday, it would be essential to update remote
holes, but less essential to update local holes.

And lastly and cosmetically, dates are normally represented as a 
day/month/year structure. In the version element, I think that you 
should get rid of the including attribute and extend the range attribute
with greater-or-equal / less-than-or-equal. It's just my feeling that 
this will create more readable XML documents...

> Marius

james.

-- 
When a true genius appears in the world, you may know him by this sign, that the dunces are all in confederacy against him. - Jonathan Swift


* Re: [gentoo-dev] Re: [gentoo-security] GLEP #14: security updates based on GLSA
From: Paul de Vrieze @ 2003-08-22 19:03 UTC (permalink / raw
  To: gentoo-dev


On Friday 22 August 2003 20:45, James Harlow wrote:
> And lastly and cosmetically, dates are normally represented as a
> day/month/year structure. In the version element, I think that you

Well, it depends on where you live; as I understand it, in the US the month is put 
first. But I agree the current format (which appears to be seconds since 
epoch) is a bit unclear.
I personally like the universal time format YYYYMMDD as it also automatically 
sorts correctly and has no confusion on what is a month and what a day.

Paul

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net


* Re: [gentoo-dev] Re: [gentoo-security] GLEP #14: security updates based on GLSA
From: Chris Gianelloni @ 2003-08-22 19:04 UTC (permalink / raw
  To: James Harlow; +Cc: gentoo-dev


On Fri, 2003-08-22 at 14:45, James Harlow wrote:
> And lastly and cosmetically, dates are normally represented as a 
> day/month/year structure. In the version element, I think that you 

YYYYMMDD is the ISO standard for dates, and I think all dates in Gentoo
should be using this widely accepted standard.

-- 
Chris Gianelloni
Developer, Gentoo Linux


* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Karsten Schulz @ 2003-08-22 19:50 UTC (permalink / raw
  To: gentoo-dev

On Friday, 22 August 2003 19:19, Marius Mauch wrote:
> Everything in the GLEP is open for discussion, please share your
> questions/comments/concerns with the other people on this list

Just a few suggestions from me:
I would remove the 'severity' attribute from the DTD. It depends on your 
local configuration whether a software bug is critical for your systems 
or not. Btw, who will explain the difference between 'high' and 
'critical'? On my systems 'high' *is* 'critical'.
A GLSA is per se important and needs attention; imho there is no need to 
differentiate it further, and every admin has to decide for himself 
respectively.

For admins' convenience, I would like to have an optional URL element, 
which can contain a location where the bug is discussed (in addition 
to the CVE, which is not available in every case). The URL could point 
to the mailing list of the program developers or other serious sources 
like security lists. This would just help the admin to get more 
information about the bug.

I would like to second Caleb's suggestion to sign GLSAs. Besides, there is 
a need for a central Security page at www.gentoo.org, where users and 
admins get some hints on how the security-related communication works (who 
creates and checks GLSAs, which public keys are used, a.s.o.)

My last point: the last few weeks there were no new GLSAs, but some 
security-related discussions elsewhere (unzip, gdm, XDMCP and others). 
There were no statements or GLSAs from Gentoo about such stories. It 
would be nice to have some kind of feedback that the security team is 
aware of current problems. I would like to see GLSAs on a regular 
schedule, with status reports on which exploits, bugs and incidents are 
currently under examination. Imho GLSAs need not provide bugfixes in 
every case; they can provide only information, too. So the element 
'fixed' in the DTD should allow the value 'none', when it is important 
that Gentoo users get security-related information without providing a 
solution in the form of a software update.

that's all for the moment,
Karsten





* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Paul de Vrieze @ 2003-08-22 20:18 UTC (permalink / raw
  To: gentoo-dev


On Friday 22 August 2003 21:50, Karsten Schulz wrote:
> On Friday, 22 August 2003 19:19, Marius Mauch wrote:
> > Everything in the GLEP is open for discussion, please share your
> > questions/comments/concerns with the other people on this list
>
> just a few suggestions from me:
> I would remove the 'severity' attribute from the DTD. It depends on your
> local configuration whether a software bug is critical for your systems
> or not. Btw, who will explain the difference between 'high' and
> 'critical'? On my systems 'high' *is* 'critical'.
> A GLSA is per se important and needs attention; imho there is no need to
> differentiate it further, and every admin has to decide for himself
> respectively.

Maybe a bug classification could be used like:
(local exploit, remote exploit, denial of service, local denial of service)

>
> My last point: The last few weeks, there were no new GLSAs, but some
> security related discussions elsewhere (unzip, gdm, XDMCP and others).
> There were no statements or GLSAs from Gentoo about such stories. It
> would be nice to have some kind of feedback, that the security team is
> aware of current problems. I would like to see GLSAs in a regular
> schedule, with status reports, which exploits, bugs and incidents are
> currently under examination. Imho GLSAs must not provide bugfixes in
> every case, they can provide only information, too. So the element
> 'fixed' in the dtd should allow the value 'none', when it is important,
> that Gentoo users get security related information without providing a
> solution in form of a software update.

If you want to make sure a point is not missed by the security team, post a 
bug on bugs.gentoo.org and make sure you make clear it is a security bug.

Paul

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net


* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Ned Ludd @ 2003-08-23  3:59 UTC (permalink / raw
  To: gentoo-dev


Hands down, I fully support this and your efforts so far in Gentoo.

Also, to go along with this GLEP I think we need to start talking about
the need for a herd solely devoted to security-related issues in Gentoo
Linux. Not just a herd to be announced to -dev that does not have much
use like, say, "mysql" or "net-irc", but something substantial with a set
of predefined goals, guidelines, policies and procedures for achieving
those goals. The GLEP is/was the right way to go/start with this.
For the last week I've been trying to take a much more active interest
in bugs that have been assigned to security@gentoo.org in the Bugzilla
system but have felt a little misguided on who to talk to for a final
resolution for said bug. What I would like to help do is form a
security herd for the sole purpose of closing/opening/researching
security bugs for Gentoo Linux. 
Thus far it seems we have a security team of 1. I think/know aliz could
use some help in this area. I think it would be ideal if we could back
him up and elect/vote aliz to be the project manager for said herd.

On Fri, 2003-08-22 at 13:19, Marius Mauch wrote:
> Hi all,
> 
> As already discussed here several days ago I've written up a GLEP for
> this often-requested feature:
> 
> http://www.gentoo.org/proj/en/glep/glep-0014.html
> 
> Everything in the GLEP is open for discussion, please share your
> questions/comments/concerns with the other people on this list, so that
> they can be incorporated. I'll update the GLEP if necessary, so make
> sure you read the latest version before posting.
> 
> (for those reading this on the -security or -server mailing list, please
> reply only on -dev)
> 
> Marius
> 
-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer (Hardened)


* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Marius Mauch @ 2003-08-23  5:28 UTC (permalink / raw
  To: gentoo-dev

On Fri, 22 Aug 2003 12:30:49 -0500
Caleb Tennis <caleb@gentoo.org> wrote:

> On Friday 22 August 2003 12:19 pm, Marius Mauch wrote:
> > As already discussed here several days ago I've written up a GLEP
> > for this often-requested feature:
> 
> Good first draft.  I'd propose to add in some way to verify the GLSA
> is indeed an authorized one (checking a GPG signature, perhaps?).  I
> would further propose some thought around making sure that a GLSA is
> indeed a formal Gentoo GLSA and that has gone through the security
> team, as opposed to having a random developer be able to issue one.

Included in revision 1.2, no idea why I didn't think of that myself.

Marius


* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Marius Mauch @ 2003-08-23  5:34 UTC (permalink / raw
  To: gentoo-dev

On Fri, 22 Aug 2003 20:26:12 +0200
Paul de Vrieze <pauldv@gentoo.org> wrote:

> Looks good. We need something in this direction. One thing for the dtd
> though, you might want to add a possibility for a "between" value for
> the range attribute of the version tag. 

Hmm, looks difficult if this between type should also support the other
types for the boundaries. Any ideas how to implement this in the DTD?

Marius


* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Marius Mauch @ 2003-08-23  5:45 UTC (permalink / raw
  To: gentoo-dev

On Fri, 22 Aug 2003 19:45:46 +0100
James Harlow <james@is.never.wrong.nu> wrote:

> It would be nice if the solution and the command became mandatory, and
> the command was formatted so that it could be run with /bin/sh.

I don't like that for several reasons:
- it's not necessary if a simple package upgrade can solve the issue
- there are general concerns about the inclusion of the <command> tag

> It's also my feeling that the exploit element should become an
> attribute so it can be checked - for example, if I'm writing a tool to
> secure a firewall while I'm on holiday, it would be essential to
> update remote holes, but less essential to update local holes.

I don't understand this, why would an attribute be better than an
element? I might *add* an attribute to the exploit tag if we can define
the possible values for that.

> And lastly and cosmetically, dates are normally represented as a 
> day/month/year structure. In the version element, I think that you 
> should get rid of the including attribute and extend the range
> attribute with greater-or-equal / less-than-or-equal. It's just my
> feeling that this will create more readable xml documents...

As said by Paul and Chris, the YYYYMMDD format is better suited and I'll
change the tool and the example to use it. For the version format, I'll
put that in the queue as there might be more changes necessary (see
Paul's request for a between tag).

Marius


* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Marius Mauch @ 2003-08-23  5:58 UTC (permalink / raw
  To: gentoo-dev

On Fri, 22 Aug 2003 21:50:15 +0200
Karsten Schulz <kaschu@t800.ping.de> wrote:

> On Friday, 22 August 2003 19:19, Marius Mauch wrote:
> > Everything in the GLEP is open for discussion, please share your
> > questions/comments/concerns with the other people on this list
> 
> just a few suggestions from me:
> I would remove the 'severity' attribute from the DTD. It depends on
> your local configuration whether a software bug is critical for your
> systems or not. Btw, who will explain the difference between 'high'
> and 'critical'? On my systems 'high' *is* 'critical'.
> A GLSA is per se important and needs attention; imho there is no need
> to differentiate it further, and every admin has to decide for himself
> respectively.

Well, I've taken that from the existing GLSA format, it is currently not
used by my code. I've no real opinion on that, someone from the security
team (aliz, solar ?) should decide that.

> For admin's convinience, I would like to have an optional URL element,
> which can contain a location, where the bug is discussed (in addition 
> to the CVE, which is not available in every case). The URL could point
> to the mailinglist of the program developers or other serious sources 
> like security lists. This would just help the admin to get more 
> information about the bug.

Might be useful, any objections to including that information?

> I would like to second Calebs suggestion to sign GLSAs. Besides there
> is need for a central Security page at www.gentoo.org, where users and
> admins get some hints how the security related communication works
> (Who creates and checks GLSAs, which public keys are used, a.s.o.)

Well, I think that's outside of the scope of this GLEP.

> My last point: The last few weeks, there were no new GLSAs, but some 
> security related discussions elsewhere (unzip, gdm, XDMCP and others).
> There were no statements or GLSAs from Gentoo about such stories. It 
> would be nice to have some kind of feedback, that the security team is
> aware of current problems. I would like to see GLSAs in a regular 
> schedule, with status reports, which exploits, bugs and incidents are 
> currently under examination. Imho GLSAs must not provide bugfixes in 
> every case, they can provide only information, too. So the element 
> 'fixed' in the dtd should allow the value 'none', when it is
> important, that Gentoo users get security related information without
> providing a solution in form of a software update.

I don't like the idea of GLSAs being used for that, a simple status
update email on gentoo-security should do the job (again, that's
outside the scope of this GLEP). 
The DTD does not require the <fixed> tag to contain a <version> tag, so
the special value none is not necessary.

Marius


* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Marius Mauch @ 2003-08-23  6:10 UTC (permalink / raw
  To: solar; +Cc: gentoo-dev

On 22 Aug 2003 23:59:07 -0400
Ned Ludd <solar@gentoo.org> wrote:

> Hands down I fully support this and your efforts so far in gentoo.
> 
> Also to go along with this GLEP I think we need to start talking about
> the need for a herd solely devoted to security related issues in
> gentoo linux. Not just a herd to be announced to -dev that does not
> have much use like, say, "mysql" or "net-irc", but something substantial
> with a set of predefined goals,guidelines,policies and procedures for
> achieving those goals. The GLEP is/was the right way to go/start with
> this. For the last week I've been trying to take a much more active
> interest in bugs that have been assigned to security@gentoo.org in the
> bugzilla system but have felt a little misguided on who to talk to for
> a final resolution for a said bug. What I would like to help do is
> form a security herd for the sole purpose of
> closing/opening/researching security bugs for gentoo linux. 
> Thus far it seems we have a security team of 1. I think/know aliz
> could use some help in this area. I think it would be ideal if we
> could back him up and elect/vote aliz to be the project manager for
> said herd.

According to http://www.gentoo.org/proj/en/metastructure/projects.xml
there is a security subproject under the qa project, but no one assigned
to it (if the page is up to date). I agree that there should be more people
on it (same situation as with portage a few weeks ago).

Marius


* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Paul de Vrieze @ 2003-08-23  8:48 UTC (permalink / raw
  To: gentoo-dev


On Saturday 23 August 2003 07:34, Marius Mauch wrote:
> On Fri, 22 Aug 2003 20:26:12 +0200
>
> Paul de Vrieze <pauldv@gentoo.org> wrote:
> > Looks good. We need something in this direction. One thing for the dtd
> > though, you might want to add a possibility for a "between" value for
> > the range attribute of the version tag.
>
> Hmm, looks difficult if this between type should also support the other
> types for the boundaries. Any ideas how to implement this in the DTD ?

Maybe just two space-separated versions, like (2.0 2.45).

Paul

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net

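The range syntax Paul and James are discussing (greater-or-equal / less-than-or-equal keywords, and a "between" value holding two space-separated versions), worked through as an added example; this is my own Python, not the glsa tool from the GLEP. It evaluates a <version range=...> element against an installed version and reports which packages a GLSA still applies to, treating a <fixed> without a <version> child as "no fix yet". Assumptions: the range keyword names, the <package>/<affected> wrappers and the constructed sample GLSA are mine, and version comparison is a simplified Gentoo style (dotted numbers plus an optional -rN revision).

```python
import re
import xml.etree.ElementTree as ET

# Simplified Gentoo-style version: dotted numeric parts plus an optional
# -rN revision. Real Portage versions also allow suffixes such as _p1 or
# trailing letters; those are out of scope for this example.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(text):
    """Return (numeric components, revision) for a string like '5.50-r2'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)


def compare(a, b):
    """Three-way compare: -1 if a < b, 0 if equal, 1 if a > b."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))  # pad so that 2.0 == 2.0.0
    pb += (0,) * (width - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    return (ra > rb) - (ra < rb)


# Assumed keyword set for the range attribute: James's greater-or-equal /
# less-than-or-equal plus the usual eq/lt/gt; "between" is handled separately.
_RANGE_OPS = {
    "eq": lambda c: c == 0,
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
}


def version_matches(elem, installed):
    """True if `installed` satisfies the <version range=...> element."""
    rng = elem.get("range", "eq")
    text = (elem.text or "").strip()
    if rng == "between":
        bounds = text.split()
        if len(bounds) != 2:
            raise ValueError(f"between needs exactly two versions, got {text!r}")
        lo, hi = bounds
        if compare(lo, hi) > 0:
            raise ValueError(f"between bounds out of order: {text!r}")
        # Inclusive on both ends, reading "(2.0 2.45)" as 2.0 <= v <= 2.45.
        return compare(installed, lo) >= 0 and compare(installed, hi) <= 0
    if rng not in _RANGE_OPS:
        raise ValueError(f"unknown range keyword {rng!r}")
    return _RANGE_OPS[rng](compare(installed, text))


def vulnerable_packages(glsa_xml, installed):
    """Names of installed packages this GLSA still applies to.

    A package is vulnerable when its installed version lies in <affected>
    and not in <fixed>. A <fixed> without a <version> child, which the DTD
    permits, means no fixed version exists yet, so the package stays listed.
    """
    root = ET.fromstring(glsa_xml)
    result = []
    for pkg in root.iter("package"):
        name = pkg.get("name")
        if name not in installed:
            continue  # not installed here, nothing to do
        ver = installed[name]
        affected = any(version_matches(v, ver)
                       for v in pkg.findall("affected/version"))
        fixed = any(version_matches(v, ver)
                    for v in pkg.findall("fixed/version"))
        if affected and not fixed:
            result.append(name)
    return result


# Constructed sample (not a real GLSA), shaped after the thread's
# <fixed>/<version> tags and the unzip 5.50-r2 fix Karsten mentioned;
# the <package>/<affected> wrappers and the second package are invented.
SAMPLE_GLSA = """<glsa id="example-0001">
  <package name="app-arch/unzip">
    <affected><version range="between">5.0 5.50-r1</version></affected>
    <fixed><version range="ge">5.50-r2</version></fixed>
  </package>
  <package name="net-misc/example-daemon">
    <affected><version range="le">1.2</version></affected>
    <fixed/>
  </package>
</glsa>"""

if __name__ == "__main__":
    installed = {"app-arch/unzip": "5.50-r1", "net-misc/example-daemon": "1.3"}
    print(vulnerable_packages(SAMPLE_GLSA, installed))  # ['app-arch/unzip']
```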

* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Paul de Vrieze @ 2003-08-23  8:52 UTC (permalink / raw
  To: gentoo-dev


On Saturday 23 August 2003 08:10, Marius Mauch wrote:
>
> According to http://www.gentoo.org/proj/en/metastructure/projects.xml
> there is a security subproject under the qa project, but no one assigned
> to it (if the page is up to date). I agree that there should be more people
> on it (same situation as with portage a few weeks ago).

We are still looking where the security subproject will be put in the system, 
but there will be one. Mind you, it is not a herd but a project. Herds are 
ebuild collections, and I don't see the security people maintaining ebuilds 
(in their security role).

Paul

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net


* [gentoo-dev] Re: [gentoo-security] GLEP #14: security updates based on GLSA
From: Denys Duchier @ 2003-08-23 10:12 UTC (permalink / raw
  To: gentoo-dev

Chris Gianelloni <wolf31o2@gentoo.org> writes:

> YYYYMMDD is the ISO standard for dates, and I think all dates in Gentoo
> should be using this widely accepted standard.

The ISO 8601 standard for dates recommends YYYY-MM-DD.  It also
states: "the hyphens can be omitted if compactness of the
representation is more important than human readability".  I doubt
this level of compactness is warranted here.  We should go with the
more readable format.

Cheers,

-- 
Dr. Denys Duchier
Équipe Calligramme
LORIA, Nancy, FRANCE


* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Wolfram Schlich @ 2003-08-23 10:48 UTC (permalink / raw
  To: gentoo-dev

* Marius Mauch <genone@genone.de> [2003-08-22 19:24]:
> Hi all,
> 
> As already discussed here several days ago I've written up a GLEP for
> this often-requested feature:
> 
> http://www.gentoo.org/proj/en/glep/glep-0014.html

Hmm, looks good, but... :o)

I'd like to have a <vulnerability>, just like the <solution>:

--8<--
<vulnerability>
	<exploit>...
	<cve>...
	<summary>...
	<description>...
	[...]
</vulnerability>
<solution>
	<description>...
	[...]
</solution>
--8<--

What do you think?
-- 
Wolfram Schlich; Friedhofstr. 8, D-88069 Tettnang; +49-(0)178-SCHLICH


* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Karsten Schulz @ 2003-08-23 12:02 UTC (permalink / raw
  To: gentoo-dev

On Saturday, 23 August 2003 07:58, Marius Mauch wrote:
> Well, I've taken that from the existing GLSA format, it is currently
> not used by my code. I've no real opinion on that, someone from the
> security team (aliz, solar ?) should decide that.

I would really like to hear from the security people what they think.

> > communication works (Who creates and checks GLSAs, which public
> > keys are used, a.s.o.)
>
> Well, I think that's outside of the scope of this GLEP.

ack.

> I don't like the idea of GLSAs being used for that, a simple status
> update email on gentoo-security should do the job (again, that's
> outside the scope of this GLEP).

As I understand GLSAs (Gentoo Linux Security Announcements), they should 
be used to announce security-related information. I cannot find a 
source where they are defined to deliver fixes in any case. Again, we 
need information from the Gentoo security experts to make this point 
clear, I think.

> The DTD does not require the <fixed> tag to contain a <version> tag,
> so the special value none is not necessary.

ok, I see!

Karsten




* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
From: Karsten Schulz @ 2003-08-23 12:17 UTC (permalink / raw
  To: gentoo-dev

On Friday, 22 August 2003 22:18, Paul de Vrieze wrote:
> Maybe a bug classification could be used like:
> (local exploit, remote exploit, denial of service, local denial of
> service)

yes, that would be fine.

> If you want to make sure a point is not missed by the security team,
> post a bug on bugs.gentoo.org and make sure you make clear it is a
> security bug.

Of course I know that it is up to me to support the Gentoo Linux Security 
Team by providing information in the form of posted bugs.

But that was not my point. I'll try to make it clearer; please let me give 
you an example:
The unzip-5.50-r2.ebuild fixes a well-known security bug, as everybody 
can read in $PORTDIR/app-arch/unzip/ChangeLog. I would like to have had 
a GLSA about that fact, so that I don't have to examine the related 
ChangeLogs by hand. Just the information about that, not more.
(As far as I remember, there was no GLSA on Gentoo-announce, nor on 
Gentoo-security). I feel we have more fixes than are announced. 

As I understand GLSAs, they are 'announcements', and a new ebuild which 
fixes a bug should be announced in every case.

Karsten

(If I missed this special GLSA about the unzip flaw, please give me the 
URI of the corresponding GLSA; I can't find it in my mail archive, nor 
in the forums. Thank you.)


--
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] Re: [gentoo-security] GLEP #14: security updates based on GLSA
  2003-08-23 10:12     ` Denys Duchier
@ 2003-08-23 12:49       ` Marius Mauch
  0 siblings, 0 replies; 29+ messages in thread
From: Marius Mauch @ 2003-08-23 12:49 UTC (permalink / raw
  To: gentoo-dev

On Sat, 23 Aug 2003 12:12:42 +0200
Denys Duchier <duchier@ps.uni-sb.de> wrote:

> Chris Gianelloni <wolf31o2@gentoo.org> writes:
> 
> > YYYYMMDD is the ISO standard for dates, and I think all dates in
> > Gentoo should be using this widely accepted standard.
> 
> The ISO 8601 standard for dates recommends YYYY-MM-DD.  It also
> states: "the hyphens can be omitted if compactness of the
> representation is more important than human readability".  I doubt
> this level of compactness is warranted here.  We should go with the
> more readable format.

Ok, I updated the code and the sample to use the YYYY-MM-DD HH:MM
format.

Marius

--
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
  2003-08-23 12:17     ` Karsten Schulz
@ 2003-08-23 14:39       ` Tobias Sager
  2003-08-23 20:21       ` Paul de Vrieze
  1 sibling, 0 replies; 29+ messages in thread
From: Tobias Sager @ 2003-08-23 14:39 UTC (permalink / raw
  To: gentoo-dev


On 23.08.03 14:17 Karsten Schulz wrote:

> As I understand GLSA, they are 'announcements' and a new ebuild, which
> fixes a bug should be announced in every case.

And if this GLEP comes into action, there has to be a GLSA for every fixed
vulnerability, since only then does this system work.

Regards,
Tobias

-- 
GPG-Key 0xEF37FF28 - 1024/4096 DSA/ELG-E - 16.11.2001
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28




* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
  2003-08-22 17:19 [gentoo-dev] GLEP #14: security updates based on GLSA Marius Mauch
                   ` (5 preceding siblings ...)
  2003-08-23 10:48 ` Wolfram Schlich
@ 2003-08-23 14:40 ` Tobias Sager
  2003-08-23 18:08   ` Marius Mauch
  2003-08-28 15:15 ` Marius Mauch
  2003-09-05  7:25 ` [gentoo-dev] Re: [gentoo-security] " Klavs Klavsen
  8 siblings, 1 reply; 29+ messages in thread
From: Tobias Sager @ 2003-08-23 14:40 UTC (permalink / raw
  To: gentoo-dev


On 22.08.03 19:19 Marius Mauch wrote:

> http://www.gentoo.org/proj/en/glep/glep-0014.html

Very nice, one question though:
why DTD and not XML Schema?

Regards,
Tobias

-- 
GPG-Key 0xEF37FF28 - 1024/4096 DSA/ELG-E - 16.11.2001
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28




* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
  2003-08-23 14:40 ` Tobias Sager
@ 2003-08-23 18:08   ` Marius Mauch
  0 siblings, 0 replies; 29+ messages in thread
From: Marius Mauch @ 2003-08-23 18:08 UTC (permalink / raw
  To: gentoo-dev

On Sat, 23 Aug 2003 16:40:00 +0200
Tobias Sager <moixa@gmx.ch> wrote:

> On 22.08.03 19:19 Marius Mauch wrote:
> 
> > http://www.gentoo.org/proj/en/glep/glep-0014.html
> 
> Very nice, one question though:
> why DTD and not XML Schema?

Because the library support for DTD is better and I have absolutely no
clue about XML Schema (I know it is supposed to be superior).

Marius

--
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
  2003-08-23 12:17     ` Karsten Schulz
  2003-08-23 14:39       ` Tobias Sager
@ 2003-08-23 20:21       ` Paul de Vrieze
  2003-08-24 14:50         ` Karsten Schulz
  1 sibling, 1 reply; 29+ messages in thread
From: Paul de Vrieze @ 2003-08-23 20:21 UTC (permalink / raw
  To: gentoo-dev


On Saturday 23 August 2003 14:17, Karsten Schulz wrote:
>
> (If I missed this special GLSA about the unzip flaw, please give me the
> URI to the corresponding GLSA, I can't find it in my mail archive, nor
> in the forums, thank you)

http://lwn.net/Articles/39595/

And it is also still in my personal mail archive.

Paul

PS: note that it took me about 15 seconds to find it on Google.

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net



* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
  2003-08-23 20:21       ` Paul de Vrieze
@ 2003-08-24 14:50         ` Karsten Schulz
  0 siblings, 0 replies; 29+ messages in thread
From: Karsten Schulz @ 2003-08-24 14:50 UTC (permalink / raw
  To: gentoo-dev

On Saturday, 23 August 2003 22:21, Paul de Vrieze wrote:
> And it also still in my personal mail archive


and in the forum (<http://forums.gentoo.org/viewtopic.php?t=66706>).
(The reason why I did not get GLSAs in July was a faulty configuration 
of my internet provider's mail server - *sigh*.)

So I see I really had the chance to get the information I talked about. I 
am sorry for any inconvenience!

Karsten


--
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
  2003-08-23  8:48     ` Paul de Vrieze
@ 2003-08-24 22:15       ` Marius Mauch
  0 siblings, 0 replies; 29+ messages in thread
From: Marius Mauch @ 2003-08-24 22:15 UTC (permalink / raw
  To: gentoo-dev

On Sat, 23 Aug 2003 10:48:02 +0200
Paul de Vrieze <pauldv@gentoo.org> wrote:

> On Saturday 23 August 2003 07:34, Marius Mauch wrote:
> > On Fri, 22 Aug 2003 20:26:12 +0200
> >
> > Paul de Vrieze <pauldv@gentoo.org> wrote:
> > > Looks good. We need something in this direction. One thing for the
> > > dtd though, you might want to add a possibility for a "between"
> > > value for the range attribute of the version tag.
> >
> > Hmm, looks difficult if this between type should also support the
> > other types for the boundaries. Any ideas how to implement this in
> > the DTD ?
> 
> Maybe just two space-separated versions, like (2.0 2.45)

I now have a local version that implements it, but I'd rather wait for
portage to support this kind of version range, as it requires custom
code in nearly every place that deals with versions. And that is
something I try to avoid.

Marius

--
gentoo-dev@gentoo.org mailing list
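
The "between" range discussed in this message, worked through as an added example that is not glsa-check or portage code: it parses a constructed GLSA-like fragment, evaluates `between` as two space-separated inclusive bounds alongside single-bound ranges, and classifies an installed version as vulnerable when it hits a `<vulnerable>` range and no `<unaffected>` range. The single-bound range names (lt, le, eq, ge, gt) and the version comparison are this example's assumptions, not the DTD's or portage's; the comparison only accepts dotted integers plus an optional -rN revision.

```python
import re
import xml.etree.ElementTree as ET

# Constructed GLSA-like fragment for this example; package ranges are made up.
SAMPLE = """<glsa>
  <package name="app-arch/unzip">
    <unaffected range="ge"><version>5.50-r2</version></unaffected>
    <vulnerable range="between"><version>5.40 5.50-r1</version></vulnerable>
  </package>
</glsa>"""

def parse_version(v):
    """Split '5.50-r2' into (components, revision); a simplified stand-in for
    portage's comparison that only accepts dotted integers plus optional -rN."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version: {v!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def compare(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    n = max(len(na), len(nb))
    ka = na + (0,) * (n - len(na)) + (ra,)
    kb = nb + (0,) * (n - len(nb)) + (rb,)
    return (ka > kb) - (ka < kb)

# Single-bound range values assumed for this example (not taken from the DTD).
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def matches(installed, range_, spec):
    """True if installed is inside the range; 'between' takes 'LOW HIGH' (inclusive)."""
    if spec is None:  # the DTD does not require <version> in every range element
        return False
    if range_ == "between":
        low, high = spec.split()  # the two space-separated versions
        return compare(installed, low) >= 0 and compare(installed, high) <= 0
    return OPS[range_](compare(installed, spec.strip()))

def status(glsa_xml, installed):
    """Per package: 'vulnerable' if hit by a <vulnerable> range and no <unaffected> range, else 'ok'."""
    result = {}
    for pkg in ET.fromstring(glsa_xml).iter("package"):
        def hit(tag):
            return any(matches(installed, e.get("range"), e.findtext("version"))
                       for e in pkg.findall(tag))
        vulnerable = hit("vulnerable") and not hit("unaffected")
        result[pkg.get("name")] = "vulnerable" if vulnerable else "ok"
    return result
```

Calling `status(SAMPLE, "5.50")` reports the package as vulnerable because 5.50 lies between 5.40 and 5.50-r1 and is below the 5.50-r2 unaffected bound, while `status(SAMPLE, "5.50-r2")` reports it as ok.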



* Re: [gentoo-dev] GLEP #14: security updates based on GLSA
  2003-08-22 17:19 [gentoo-dev] GLEP #14: security updates based on GLSA Marius Mauch
                   ` (6 preceding siblings ...)
  2003-08-23 14:40 ` Tobias Sager
@ 2003-08-28 15:15 ` Marius Mauch
  2003-09-05  7:25 ` [gentoo-dev] Re: [gentoo-security] " Klavs Klavsen
  8 siblings, 0 replies; 29+ messages in thread
From: Marius Mauch @ 2003-08-28 15:15 UTC (permalink / raw
  To: gentoo-dev; +Cc: aliz

On Fri, 22 Aug 2003 19:19:39 +0200
Marius Mauch <genone@genone.de> wrote:

> Hi all,
> 
> As already discussed here several days ago I've written up a GLEP for
> this often requested feature:
> 
> http://www.gentoo.org/proj/en/glep/glep-0014.html
> 
> Everything in the GLEP is open for discussion, please share your
> questions/comments/concerns with the other people on this list, so
> that they can be incorporated. I'll update the GLEP if necessary, so
> make sure you read the latest version before posting.

Just as a heads up: I'll submit this for review next week in case there
are no more comments.

Marius

--
gentoo-dev@gentoo.org mailing list



* [gentoo-dev] Re: [gentoo-security] GLEP #14: security updates based on GLSA
  2003-08-22 17:19 [gentoo-dev] GLEP #14: security updates based on GLSA Marius Mauch
                   ` (7 preceding siblings ...)
  2003-08-28 15:15 ` Marius Mauch
@ 2003-09-05  7:25 ` Klavs Klavsen
  8 siblings, 0 replies; 29+ messages in thread
From: Klavs Klavsen @ 2003-09-05  7:25 UTC (permalink / raw
  To: gentoo-dev; +Cc: gentoo-security


On Fri, 2003-08-22 at 19:19, Marius Mauch wrote:
> Hi all,
> 
> As already discussed here several days ago I've written up a GLEP for
> this often requested feature:
> 
> http://www.gentoo.org/proj/en/glep/glep-0014.html

Well, I for one like the idea. I'm no XML expert, so perhaps someone has
some comments on the DTD schema, but if no one else has any ideas for a
better approach, then I hope you get to implement this proposal.

P.S. I am one of those who have suggested a security-update-only feature
for a loooong time.. :)
-- 
Regards,
Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8  B8DA 3D3A 0B79 7E06 3C62
See my new CMS Hosting Service at http://www.VirkPaaNettet.dk

Working with Unix is like wrestling a worthy opponent. 
Working with windows is like attacking a small whining child 
who is carrying a .38.


