CSAF for Gentoo

From Gentoo Wiki

This page collects the information needed for a possible migration from GLSA (Gentoo Linux Security Advisories) to CSAF (Common Security Advisory Framework, an OASIS standard).

Comparison of CSAF and GLSA

  • Standardization
    GLSA: Gentoo-specific format
    CSAF: international standard (OASIS CSAF 2.0)
  • Stating that Gentoo is not affected by a specific CVE
    GLSA: not implemented
    CSAF: implemented with VEX (Vulnerability Exploitability eXchange) documents, which record a "known_not_affected" product status together with a justification
  • File format
    GLSA: XML
    CSAF: JSON
  • File structure
    GLSA: one file per advisory
    CSAF: one JSON document per advisory, enumerated in a single feed file that tools can crawl
  • Automation
    GLSA: manual processing
    CSAF: automated processing
  • Location
    GLSA: Gentoo website and the ebuild repository
    CSAF: https://gentoo.org/.well-known/csaf-feed-tlp-white.json (proposed feed location; the CSAF standard places the provider metadata under /.well-known/csaf/)
  • Integration
    GLSA: glsa-check
    CSAF: many existing tools
  • Accessibility
    GLSA: needs individual solutions
    CSAF: because the format is standardized and widely used, multi-language support and support for blind users are easy to add

Who uses CSAF already?

A few examples of projects related or similar to Gentoo:


Steps for a migration

  • create a security.txt (RFC 9116) without an OpenPGP signature for a start (bug #688380)
  • check that security.txt is set up correctly (https://internet.nl/site/gentoo.org/)
  • add a CSAF field to security.txt that links to the CSAF JSON (RFC 9116 defines this field for the CSAF provider metadata)
  • create the first advisories with Secvisogram
  • write a converter from the existing GLSA XML to CSAF JSON
  • optionally sign security.txt with OpenPGP
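
The converter step is the one with real design decisions: which GLSA fields map to which CSAF objects, and what makes the result valid. The script below is an added example, not Gentoo's own tooling and not code from this page. It parses one GLSA in the layout of the gentoo/glsa repository, emits a minimal CSAF 2.0 security advisory, and runs the product-id consistency checks that CSAF validators enforce. Everything specific in it is an assumption: the sample GLSA (id, package, versions and CVE are placeholders), the use of the generic vers scheme for version ranges, the publisher name and namespace, and midnight UTC as the time of day for GLSA dates. Output from a real converter should still be validated against the official CSAF 2.0 JSON schema, for instance by loading it into Secvisogram.

```python
"""Added example, not Gentoo's own tooling: convert one GLSA XML advisory into a
minimal CSAF 2.0 security advisory and run a product-id consistency check on it."""
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the gentoo/glsa repository.  Advisory id,
# package, versions and CVE are placeholders, not a real advisory.
SAMPLE_GLSA = """<glsa id="999999-99">
  <title>example-pkg: Remote code execution</title>
  <synopsis>Improper input validation in example-pkg could lead to remote code execution.</synopsis>
  <announced>2024-01-01</announced>
  <revised count="1">2024-01-01</revised>
  <affected>
    <package name="app-misc/example-pkg" auto="yes" arch="*">
      <unaffected range="ge">1.2.3</unaffected>
      <vulnerable range="lt">1.2.3</vulnerable>
    </package>
  </affected>
  <description><p>example-pkg does not check the length of a request header.</p></description>
  <resolution><p>All example-pkg users should upgrade to the latest version:</p>
<code># emerge --sync
# emerge --ask --oneshot --verbose ">=app-misc/example-pkg-1.2.3"</code></resolution>
  <references>
    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2099-0001">CVE-2099-0001</uri>
  </references>
</glsa>
"""
# GLSA range attributes -> vers operators (assumption: generic vers scheme, the page names none)
RANGE_OPS = {"lt": "<", "le": "<=", "eq": "", "ge": ">=", "gt": ">"}

def _prose(section):
    """Flatten a GLSA section's <p> paragraphs and <code> blocks into one text block."""
    parts = []
    for child in section:
        text = "".join(child.itertext())
        parts.append(text.strip() if child.tag == "code" else " ".join(text.split()))
    return "\n\n".join(p for p in parts if p)

def glsa_to_csaf(glsa_xml, publisher_namespace="https://www.gentoo.org"):
    """Return a CSAF 2.0 document (as a dict) for one GLSA advisory."""
    root = ET.fromstring(glsa_xml)
    version = root.find("revised").get("count", "1")
    # GLSA records only dates; CSAF wants RFC 3339 date-times (assumption: 00:00 UTC)
    announced, released = (f"{root.findtext(t)}T00:00:00Z" for t in ("announced", "revised"))
    # product_tree: vendor -> package -> one product per vulnerable/unaffected range
    packages, affected_ids, fixed_ids = [], [], []
    for pkg in root.iterfind("affected/package"):
        ranges = []
        for tag, bucket in (("vulnerable", affected_ids), ("unaffected", fixed_ids)):
            for rng in pkg.findall(tag):
                pid = f"CSAFPID-{len(affected_ids) + len(fixed_ids) + 1:04d}"
                spec = f"vers:generic/{RANGE_OPS[rng.get('range')]}{rng.text.strip()}"
                ranges.append({"category": "product_version_range", "name": spec,
                               "product": {"name": f"{pkg.get('name')} {spec}", "product_id": pid}})
                bucket.append(pid)
        packages.append({"category": "product_name", "name": pkg.get("name"), "branches": ranges})
    # One vulnerability per CVE reference.  Empty id lists are dropped because CSAF
    # requires every product_status and product_ids array to be non-empty.
    status = {k: v for k, v in (("known_affected", affected_ids), ("fixed", fixed_ids)) if v}
    fix = [{"category": "vendor_fix", "product_ids": affected_ids,
            "details": _prose(root.find("resolution"))}] if affected_ids else []
    vulns = [{"cve": (u.text or "").strip(), "product_status": status,
              "notes": [{"category": "description", "text": _prose(root.find("description"))}],
              **({"remediations": fix} if fix else {})}
             for u in root.iterfind("references/uri") if (u.text or "").strip().startswith("CVE-")]
    return {
        "document": {
            "category": "csaf_security_advisory", "csaf_version": "2.0",
            "title": (root.findtext("title") or "").strip(),
            # publisher name and namespace are assumptions, not Gentoo's published values
            "publisher": {"category": "vendor", "name": "Gentoo Linux", "namespace": publisher_namespace},
            "tracking": {"id": f"GLSA-{root.get('id')}", "status": "final", "version": version,
                         "initial_release_date": announced, "current_release_date": released,
                         "revision_history": [{"date": released, "number": version, "summary": "Converted from GLSA"}]},
            "notes": [{"category": "summary", "text": (root.findtext("synopsis") or "").strip()}],
            "references": [{"category": "external", "url": u.get("link"), "summary": (u.text or "").strip()}
                           for u in root.iterfind("references/uri")],
        },
        "product_tree": {"branches": [{"category": "vendor", "name": "Gentoo", "branches": packages}]},
        "vulnerabilities": vulns,
    }

def check_product_ids(doc):
    """Two checks CSAF validators enforce: every product_id a vulnerability references is
    defined in product_tree, and no product is both known_affected and fixed for one CVE."""
    def defined_ids(branches):
        for branch in branches:
            if "product" in branch:
                yield branch["product"]["product_id"]
            yield from defined_ids(branch.get("branches", []))
    defined, problems = set(defined_ids(doc["product_tree"]["branches"])), []
    for vuln in doc["vulnerabilities"]:
        status = vuln.get("product_status", {})
        referenced = {p for ids in status.values() for p in ids}
        referenced |= {p for rem in vuln.get("remediations", []) for p in rem.get("product_ids", [])}
        for label, bad in (("undefined product_id(s)", referenced - defined),
                           ("both affected and fixed",
                            set(status.get("known_affected", [])) & set(status.get("fixed", [])))):
            if bad:
                problems.append(f"{vuln['cve']}: {label}: {', '.join(sorted(bad))}")
    return problems
```

Two mapping choices are worth noting. Each GLSA version range becomes its own CSAF product with a synthetic product_id, because CSAF product_status entries refer to products, not to packages; the vulnerable range lands in known_affected and the unaffected range in fixed, which is exactly the information glsa-check needs. And the resolution's emerge commands are carried into the vendor_fix remediation text rather than dropped, so the human-facing content of the GLSA survives the conversion.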

Important tools

Ideas