On Thu, 12 Aug 2004 03:38 pm, Lupe Christoph wrote:
> On Thursday, 2004-08-12 at 14:26:44 +1000, Joshua Goodall wrote:
> > Therefore I see a need for a machine readable DSA format. I know
> > there's a defined format to the current header, but I'd like to
> > expand on that.
> >
> > It will look something like:
>
> Please do not invent yet anoither format if you can avoid it. You
> don't mention VuXML (http://www.vuxml.org/), so I suppose you did not
> know it. Please have a look there.
As I understand it, VuXML has a slightly different semantic. It
expresses that specified binary package versions will have a certain
vulnerability and implies they should be deinstalled or upgraded to
some version for which the vulnerability does not exist. The DSA series
always gives "less than" information and states you must upgrade to the
version listed.
VuXML also lacks metadata fields for specifying architecture limitations
or restriction to different distributions of the system. They are
required because the Debian security team generally backports fixes and
thereby creates their own branch of the package. VuXML only
distinguishes distributions using the <system> element, which is a
sibling of the <package> element. That structure is correct for the
*BSDs but not for Debian.
e.g. I will probably use an extension of the vocabulary:
--- vuxml-model-11.mod.orig 2004-04-03 01:29:56.000000000 +1000
+++ vuxml-model-11.mod 2004-08-12 17:21:11.000000000 +1000
@@ -57,6 +57,8 @@
<!ENTITY % vuxml.system.qname "%vuxml.pfx;system" >
<!ENTITY % vuxml.name.qname "%vuxml.pfx;name" >
<!ENTITY % vuxml.range.qname "%vuxml.pfx;range" >
+<!ENTITY % vuxml.distribution.qname "%vuxml.pfx;distribution" >
+<!ENTITY % vuxml.architecture.qname "%vuxml.pfx;architecture" >
<!ENTITY % vuxml.lt.qname "%vuxml.pfx;lt" >
<!ENTITY % vuxml.le.qname "%vuxml.pfx;le" >
<!ENTITY % vuxml.gt.qname "%vuxml.pfx;gt" >
@@ -197,6 +199,8 @@
<!ELEMENT %vuxml.package.qname;
( ( %vuxml.name.qname; )+,
+ ( %vuxml.distribution.qname; )?,
+ ( %vuxml.architecture.qname; )+,
( %vuxml.range.qname; )+ )
>
<!ATTLIST %vuxml.package.qname; %vuxml.Common.attrib; >
(untested, but you get the idea)
to produce
<affects>
<package>
<distribution>stable</distribution>
<architecture>i386</architecture>
<architecture>arm</architecture>
<architecture>ia64</architecture>
<architecture>hppa</architecture>
<architecture>m68k</architecture>
<architecture>mips</architecture>
<architecture>mipsel</architecture>
<architecture>s390</architecture>
<architecture>sparc</architecture>
<name>libpng2</name>
<range><lt>1.0.12-3.woody.7</lt></range>
</package>
or
<package>
<distribution>stable</distribution>
<architecture>any</architecture>
<name>libpng2-dev</name>
<range><lt>1.0.12-3.woody.7</lt></range>
</package>
etc.
These nits aside, I can probably use VuXML for my project, even if it
means extending the DTD. Thanks for pointing it out!
--
Joshua Goodall <joshua@myinternet.com.au>
Solutions Architect / Principal Security Architect
myinternet Limited.
Attachment:
pgpqh1YU3EsZz.pgp
Description: signature