[AppStream] Adding CVE information to <releases>
Matthias Klumpp
matthias at tenstral.net
Sun Sep 15 16:47:20 UTC 2019
Am So., 15. Sept. 2019 um 15:40 Uhr schrieb Kalev Lember
<kalevlember at gmail.com>:
> [...]
> I really like the last proposal (issue type="cve", issue url=""). For
> comparison, here's how it looks like in Fedora's updateinfo.xml:
>
> <references>
> <reference
> href="https://bugzilla.redhat.com/show_bug.cgi?id=1748628" id="1748628"
> type="bugzilla" title="python-certbot-dns-sakuracloud-0.38.0 is available"/>
> </references>
>
> I wonder if it would make sense to try to use the same syntax in
> appstream just to avoid inventing yet another version of the same thing?
>
> issues -> references, url -> href, and added title.
I think "reference" in an AppStream context would be super confusing.
A release tag may already contain a "details"-type URL to refer to a
website explaining the release, multiple "artifacts" that link to
binaries and sources the release provides, etc. So it would be odd to
have something called "reference2 there when it really is about bugs.
Also, the way the XML is outlined (having a tag without value) would
feel very alien in AppStream, where this pattern doesn't occur
anywhere else, and the issue title wouldn't be translatable.
Given that AppStream needs to be parsed with some dedicated code
anyway, I don't think reusing the exact same schema makes sense here.
Using it as reference to get inspiration from is good though :-)
Cheers,
Matthias
--
I welcome VSRE emails. See http://vsre.info/
More information about the AppStream
mailing list