From: Alex Legler
To: gentoo-security@lists.gentoo.org
Date: Wed, 08 Jan 2014 02:14:06 +0100
Subject: [gentoo-security] Soliciting feedback for the GLSA-2 format
Message-ID: <52CCA65E.7040300@gentoo.org>
List-Id: Gentoo Linux mail

Now that we've been growing a bit in numbers and have managed to get the GLSA circulation back on track, it is time to finally talk about the new GLSA format that has been planned for quite a while.

The main goal of the new format is to support slots, which is a feature especially glsa-check users will welcome. [1] Besides, it has become clear that filling in information in the level of detail the current format provides takes too much time while drafting advisories.

Tobias and I took a bit of time today to combine all desired changes into a new sample document:
http://a3li.li/~alex/gentoo/security/glsa-2-example.xml

Quick outline of the most important changes:

- Synopsis removed: The title provides a quick overview of the issues, while the new shorter description provides details, yet briefly as well. People requiring even more information can use the linked CVE entries, bugs, and other references.

- Product and GLSA type removed: There are only 'ebuild' type GLSAs issued; the other types are no longer needed. Product was linked to that.

- Packages section reworked: While adding Slot support we tried to get a new, simple, range-based scheme for marking vulnerable versions. The flexibility the range operators offered before was hardly ever used (mostly just to work around the lacking Slot support). We'd especially like feedback in this area; I fear we might be missing some functionality here.

  Quick explanation:

  Reads as follows: On hppa, there is no fixed version. On all other arches, python in slot 3.2 is fixed in >=3.2.9 and affected for anything less; in the 3.3 slot, [3.3.0; 3.3.1[ and [3.3.3; 3.3.5[ are affected; for the 0 slot, anything <6.3 is affected.

- Human-readable texts reworked: Background + Description + Resolution instead of (Synopsis) + Background + Description + Impact + Resolution.

- References reworked: Bugs moved into that tag, CVEs get their own tag without a link that could break, other references go as

- Metadata: Mostly leftovers from GLSAMaker v1 removed; we now list the author as well as people reviewing a draft and signing off on it with a proper name. Dates are in a standardized format.

If there are any other questions, we'll do our best to answer them. Other than that, we'd appreciate any feedback.

[1] Especially after today, most glsa-check users got another set of false-positives from a faulty python GLSA that could have used it.

-- 
Alex Legler
Gentoo Security/Ruby/Infrastructure
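The slot- and range-based "affected" semantics described for the python sample above, as an added example that is not part of the mail, of GLSAMaker or of glsa-check: the in-memory data layout and the simplified version comparison are assumptions, since the mail only links the XML sample rather than showing it, and "no fixed version on hppa" is interpreted as every version being affected on that arch.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def parse_version(v: str) -> tuple:
    # Assumption: versions are plain dot-separated integers, so a tuple of
    # ints compares the way glsa-check would need (no Gentoo suffix handling).
    return tuple(int(part) for part in v.split("."))


@dataclass
class AffectedRange:
    low: Optional[str]    # inclusive lower bound; None means "anything below high"
    high: Optional[str]   # exclusive upper bound (the fixed version); None = unbounded

    def contains(self, version: str) -> bool:
        # Half-open interval [low; high[, matching the mail's notation.
        pv = parse_version(version)
        if self.low is not None and pv < parse_version(self.low):
            return False
        if self.high is not None and pv >= parse_version(self.high):
            return False
        return True


@dataclass
class PackageAdvisory:
    name: str
    ranges: Dict[str, List[AffectedRange]]          # slot -> affected ranges
    unfixed_arches: Set[str] = field(default_factory=set)

    def is_affected(self, slot: str, version: str, arch: str) -> bool:
        # Interpretation: an arch without a fixed version is affected at any version.
        if arch in self.unfixed_arches:
            return True
        # A slot the advisory does not mention is not affected.
        return any(r.contains(version) for r in self.ranges.get(slot, []))


# Constructed from the python example in the mail (values are the mail's sample).
PYTHON_GLSA = PackageAdvisory(
    name="dev-lang/python",
    ranges={
        "3.2": [AffectedRange(None, "3.2.9")],
        "3.3": [AffectedRange("3.3.0", "3.3.1"), AffectedRange("3.3.3", "3.3.5")],
        "0": [AffectedRange(None, "6.3")],
    },
    unfixed_arches={"hppa"},
)
```

Calling `PYTHON_GLSA.is_affected("3.3", "3.3.2", "amd64")` returns False because 3.3.2 falls in the gap between the two half-open intervals, which is the case the older single-operator ranges could not express without workarounds.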