Re: Machine-readable form for debian security advisories
On Thu, 12 Aug 2004 03:38 pm, Lupe Christoph wrote: On Thursday, 2004-08-12 at 14:26:44 +1000, Joshua Goodall wrote: Therefore I see a need for a machine readable DSA format. I know there's a defined format to the current header, but I'd like to expand on that. It will look something like: Please do not invent yet anoither format if you can avoid it. You don't mention VuXML (http://www.vuxml.org/), so I suppose you did not know it. Please have a look there. As I understand it, VuXML has a slightly different semantic. It expresses that specified binary package versions will have a certain vulnerability and implies they should be deinstalled or upgraded to some version for which the vulnerability does not exist. The DSA series always gives less than information and states you must upgrade to the version listed. VuXML also lacks metadata fields for specifying architecture limitations or restriction to different distributions of the system. They are required because the Debian security team generally backports fixes and thereby creates their own branch of the package. VuXML only distinguishes distributions using the system element, which is a sibling of the package element. That structure is correct for the *BSDs but not for Debian. e.g. I will probably use an extension of the vocabulary: --- vuxml-model-11.mod.orig 2004-04-03 01:29:56.0 +1000 +++ vuxml-model-11.mod 2004-08-12 17:21:11.0 +1000 @@ -57,6 +57,8 @@ !ENTITY % vuxml.system.qname %vuxml.pfx;system !ENTITY % vuxml.name.qname %vuxml.pfx;name !ENTITY % vuxml.range.qname %vuxml.pfx;range +!ENTITY % vuxml.distribution.qname %vuxml.pfx;distribution +!ENTITY % vuxml.architecture.qname %vuxml.pfx;architecture !ENTITY % vuxml.lt.qname %vuxml.pfx;lt !ENTITY % vuxml.le.qname %vuxml.pfx;le !ENTITY % vuxml.gt.qname %vuxml.pfx;gt @@ -197,6 +199,8 @@ !ELEMENT %vuxml.package.qname; ( ( %vuxml.name.qname; )+, + ( %vuxml.distribution.qname; )?, + ( %vuxml.architecture.qname; )+, ( %vuxml.range.qname; )+ ) !ATTLIST %vuxml.package.qname; %vuxml.Common.attrib; (untested, but you get the idea) to produce affects package distributionstable/distribution architecturei386/architecture architecturearm/architecture architectureia64/architecture architecturehppa/architecture architecturem68k/architecture architecturemips/architecture architecturemipsel/architecture architectures390/architecture architecturesparc/architecture namelibpng2/name rangelt1.0.12-3.woody.7/lt/range /package or package distributionstable/distribution architectureany/architecture namelibpng2-dev/name rangelt1.0.12-3.woody.7/lt/range /package etc. These nits aside, I can probably use VuXML for my project, even if it means extending the DTD. Thanks for pointing it out! -- Joshua Goodall [EMAIL PROTECTED] Solutions Architect / Principal Security Architect myinternet Limited. pgptYMFLgexSN.pgp Description: signature
Re: Machine-readable form for debian security advisories
On Thursday, 2004-08-12 at 17:25:32 +1000, Joshua Goodall wrote: As I understand it, VuXML has a slightly different semantic. It expresses that specified binary package versions will have a certain vulnerability and implies they should be deinstalled or upgraded to some version for which the vulnerability does not exist. The DSA series always gives less than information and states you must upgrade to the version listed. I have to confess I only use VuXML and have never look at it closely. If you find VuXML deficient for use with Debian and wish to extend or change it, it's probably best if you discuss this with the people who invented it. I can't comment on your statements and diff. So please leave me out of the discussion. I'm getting enough mail already ;-) These nits aside, I can probably use VuXML for my project, even if it means extending the DTD. Thanks for pointing it out! That's something I *can* comment on: Glad you found it useful. So I hope to see VuXML being used for Debian as well in the future. Lupe Christoph -- | [EMAIL PROTECTED] | http://www.lupe-christoph.de/ | | ... putting a mail server on the Internet without filtering is like | | covering yourself with barbecue sauce and breaking into the Charity| | Home for Badgers with Rabies.Michael Lucas | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Machine-readable form for debian security advisories
[Lupe dropped from cc: as (I think was) requested] On Thu, Aug 12, 2004 at 05:25:32PM +1000, Joshua Goodall wrote: [snip good stuff] These nits aside, I can probably use VuXML for my project, even if it means extending the DTD. Thanks for pointing it out! Hi Joshua! I'm only too happy to evolve VuXML for use by other projects. If you would be interested, would you kindly post your proposal to [EMAIL PROTECTED] It is a public list suitable for discussing such changes. Your timing is good, in that I've been busy for a couple of months and have some free time opening up, and I have some ideas for a version 1.2 of the DTD also. Let's see if we can make this a good fit! Cheers, -- Jacques Vidrine / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Machine-readable form for debian security advisories
* Joshua Goodall: I have several hundred debian instances to care for, and they are monitored via Nagios. I would like to institute a regular test that checks each box against a list of security advisories, without running apt-get update several times a day on 300 boxes. Therefore I see a need for a machine readable DSA format. Have a look at OVAL: http://oval.mitre.org/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Machine-readable form for debian security advisories
On Thursday, 2004-08-12 at 14:26:44 +1000, Joshua Goodall wrote: Therefore I see a need for a machine readable DSA format. I know there's a defined format to the current header, but I'd like to expand on that. It will look something like: Please do not invent yet anoither format if you can avoid it. You don't mention VuXML (http://www.vuxml.org/), so I suppose you did not know it. Please have a look there. Thank you, Lupe Christoph -- | [EMAIL PROTECTED] | http://www.lupe-christoph.de/ | | ... putting a mail server on the Internet without filtering is like | | covering yourself with barbecue sauce and breaking into the Charity| | Home for Badgers with Rabies.Michael Lucas | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
