public inbox for gentoo-dev@lists.gentoo.org
From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: "Michał Górny" <mgorny@gentoo.org>
Subject: [gentoo-dev] [PATCH 0/2] glep-0068: Stricten the XML format
Date: Sat,  8 Oct 2022 08:40:19 +0200
Message-ID: <20221008064021.60348-1-mgorny@gentoo.org>

Hi,

The spec is a bit lax about the XML features allowed.  However, we don't
really expect people to use fancy features like custom entities,
XInclude, etc.  Let's formally stricten the spec to disallow anything
remote or potentially dangerous to at least protect implementations
from the most common XML security problems.

While at it, let's make it clear that while we don't permit elements
outside the spec in metadata.xml files, we may add new elements or
attributes in future versions.

I'm not sure whether we should be increasing the version number here.
On one hand, the change roughly matches the original intent (i.e. no
metadata.xml files should be broken by it, and implementations should not
have been processing external DTDs or anything like that anyway).
On the other, technically speaking the new version is more restrictive
than the old one, so a major version bump would be correct.

WDYT?


Michał Górny (2):
  glep-0068: Clarify and restrict XML data format
  glep-0068: Indicate that unknown elements should be ignored

 glep-0068.rst | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

-- 
2.38.0
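
A loader along the lines this cover letter argues for, written here as an added example (not code from the patch series or from any Gentoo tool): it uses Python's expat binding to refuse entity declarations and XInclude elements while leaving the DTD named by a DOCTYPE unfetched. The function names, the ForbiddenXML exception and the sample documents are constructed for illustration, and the exact rule set is an assumption drawn from the features the message names.

```python
from __future__ import annotations
import xml.parsers.expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

class ForbiddenXML(ValueError):
    """Raised when a document uses a feature this loader refuses (hypothetical name)."""

def load_metadata(data: bytes) -> list[str]:
    """Parse metadata.xml bytes; return element names in document order."""
    # Namespace-aware parser: qualified names arrive as "uri localname".
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    names: list[str] = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Any <!ENTITY ...> in the internal subset is a custom entity.
        kind = "external" if system_id else "internal"
        raise ForbiddenXML(f"{kind} entity declaration: {name}")

    def on_external_ref(context, base, system_id, public_id):
        # Defence in depth: never resolve anything outside the document.
        raise ForbiddenXML(f"external reference: {system_id}")

    def on_start(name, attrs):
        if name.startswith(XINCLUDE_NS + " "):
            raise ForbiddenXML("XInclude element")
        names.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    # Parameter-entity parsing stays at expat's default (never), so the DTD
    # named by a DOCTYPE SYSTEM identifier is not fetched or processed.
    parser.Parse(data, True)
    return names

def violation(data: bytes) -> str | None:
    """Return the reason a document is refused, or None if it is accepted."""
    try:
        load_metadata(data)
    except ForbiddenXML as exc:
        return str(exc)
    return None

# Constructed sample documents (not taken from any real package).
GOOD = (b'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE pkgmetadata SYSTEM "https://example.org/metadata.dtd">\n'
        b'<pkgmetadata><maintainer type="person"><email>dev@example.org</email></maintainer></pkgmetadata>')
ENTITY = b'<!DOCTYPE pkgmetadata [<!ENTITY who "x">]><pkgmetadata>&who;</pkgmetadata>'
EXTERNAL = b'<!DOCTYPE pkgmetadata [<!ENTITY ext SYSTEM "https://example.org/x.txt">]><pkgmetadata>&ext;</pkgmetadata>'
XINCLUDE = (b'<pkgmetadata xmlns:xi="http://www.w3.org/2001/XInclude">'
            b'<xi:include href="https://example.org/extra.xml"/></pkgmetadata>')
```

The refusal happens at the declaration, before any reference to the entity is expanded, so the parser never resolves the system identifier.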


