From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id D647B158020 for ; Thu, 10 Nov 2022 03:43:09 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 60223E090F; Thu, 10 Nov 2022 03:43:06 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 262ABE0905 for ; Thu, 10 Nov 2022 03:43:06 +0000 (UTC) Message-ID: Subject: Re: [gentoo-dev] [RFC] A new GLSA schema From: =?UTF-8?Q?Micha=C5=82_G=C3=B3rny?= To: gentoo-dev@lists.gentoo.org Date: Thu, 10 Nov 2022 04:43:01 +0100 In-Reply-To: References: Organization: Gentoo Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.4 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 X-Archives-Salt: 5b7c23f0-9610-4da1-ad4f-9d6d1f9cc3aa X-Archives-Hash: d9961bb0ec60ec39383f327a61ec058e On Wed, 2022-11-09 at 20:27 -0600, John Helmert III wrote: > The first GLSA in glsa.git is GLSA-200310-03, the third GLSA of > October 2003. It used roughly the same format of the GLSAs we release > today, in 2022, making that format almost as old as me. >=20 > Somewhere along the way, it started to become necessary to target > multiple version ranges within the same package. The GLSA format > isn't capable of expressing this. Thus, I propose a new format (an > example of which I've attached inline below), with the following > changes from the old format: >=20 > =C2=A0- Rework affected to use XML-ified logical operators to specify the > =C2=A0=C2=A0 affected versions, and *don't* use different fields to speci= fy > =C2=A0=C2=A0 vulnerable and unaffected versions. Instead, only list vulne= rable > =C2=A0=C2=A0 versions, unaffected versions are implicit. Does that imply op=3D"" will now be limited to the standard ebuild operators? Perhaps it'd be cleaner to take a step further and remove the attribute in favor of going 100% ebuild syntax (yeah, escaping is gonna suck there). >=20 > =C2=A0- Drop synopsis and description fields. These fields contain the sa= me > =C2=A0=C2=A0 information and will be superceded by the existing impact fi= eld. Well, I'm not saying "no" but it feels a bit weird reading a GLSA that doesn't say a word what the problem is but specifies impact. BTW have you considered switching to JSON or TOML? ;-) --=20 Best regards, Micha=C5=82 G=C3=B3rny