VuXML
VuXML is the data format used to document security vulnerabilities in the FreeBSD Ports Collection.
Adding entries
Note: this process is tentative. Feel free to discuss and contribute. A reworded version of this section might fit into a PHB chapter.
Theory
- Don't panic!
- Rushing with security advisories can bring more damage than delaying them.
- Experience shows quite a few entries are added in a hurry, contain incomplete information and are unlikely to be corrected due to a "problem closed" kind of syndrome.
- Read up a bit.
- A security advisory made by someone who doesn't understand the first thing about it is a security hole in itself.
- Search VuXML for 2-3 (the more the better) previous entries affecting the package in question.
- Chances are the previous entries affected other packages as well and you need to include them in the new entry.
- Firefox is a good example where every other entry lacks half of the affected packages.
- Don't ignore recently deleted packages.
- If a package was deleted within the last few months, we can't let down all the users who still have it installed and trust portaudit.
- Respect format
- If paragraphs in the entire vuln.xml file are wrapped at column 80 (or less) and your terminal has 160 columns, it doesn't mean we should all switch to your standards.
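The "read up a bit" advice above is easy to automate: parse vuln.xml, find the earlier entries that affected the package, and collect every other package those entries covered, so the new entry does not silently drop one. The script below is an added example, not part of the VuXML tooling or of the wiki page; the entry contents (vids, package names, versions, URLs) are constructed, and the namespace URI `http://www.vuxml.org/apps/vuxml-1` is assumed from the VuXML schema. Package names that appear only in old entries (for example a since-deleted port) are reported like any other, which is the point of the "recently deleted packages" item.

```python
"""Search a VuXML file for previous entries affecting a package and list
the packages those entries covered alongside it (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in VuXML layout; vids, names and versions are made up.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>example-browser -- constructed sample issue A</topic>
    <affects>
      <package>
        <name>example-browser</name>
        <name>example-browser-esr</name>
        <range><lt>10.0</lt></range>
      </package>
      <package>
        <name>example-mail</name>
        <range><lt>3.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Constructed sample description.</p>
      </body>
    </description>
    <references>
      <url>https://example.invalid/advisory-a</url>
    </references>
    <dates>
      <discovery>2000-01-01</discovery>
      <entry>2000-01-02</entry>
    </dates>
  </vuln>
  <!-- Later entries abbreviated to the parts this script reads. -->
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>example-browser -- constructed sample issue B</topic>
    <affects>
      <package>
        <name>example-browser</name>
        <name>example-browser-esr</name>
        <range><lt>11.0</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000003">
    <topic>example-lib -- constructed sample issue C</topic>
    <affects>
      <package>
        <name>example-lib</name>
        <range><lt>1.2</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _children(element, name):
    """Direct children of `element` whose local tag name is `name`."""
    return [child for child in element if _local(child.tag) == name]


def parse_entries(text):
    """Return [(vid, topic, set of package names)] in file order."""
    root = ET.fromstring(text)
    entries = []
    for vuln in _children(root, "vuln"):
        names = set()
        for affects in _children(vuln, "affects"):
            for package in _children(affects, "package"):
                for name in _children(package, "name"):
                    names.add((name.text or "").strip())
        topics = _children(vuln, "topic")
        topic = (topics[0].text or "").strip() if topics else ""
        entries.append((vuln.get("vid"), topic, names))
    return entries


def previous_entries(text, package):
    """vids of entries that list `package` among the affected packages."""
    return [vid for vid, _, names in parse_entries(text) if package in names]


def co_affected(text, package):
    """Every other package named in an entry that also affected `package`."""
    result = set()
    for _, _, names in parse_entries(text):
        if package in names:
            result |= names - {package}
    return result


def missing_packages(new_entry_names, text, package):
    """Packages historically affected together with `package` but absent
    from the entry being drafted; a non-empty result deserves a look."""
    return co_affected(text, package) - set(new_entry_names)


if __name__ == "__main__":
    # Usage: replace SAMPLE_VUXML with open("vuln.xml").read() on a real checkout.
    pkg = "example-browser"
    print("previous entries:", previous_entries(SAMPLE_VUXML, pkg))
    print("co-affected:", sorted(co_affected(SAMPLE_VUXML, pkg)))
    print("missing from draft:", sorted(missing_packages([pkg], SAMPLE_VUXML, pkg)))
```

On a real checkout, feed the script the contents of vuln.xml and the name of the package you are writing the entry for; anything `missing_packages` reports should either be added to the new entry's `<affects>` or consciously ruled out.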
Practice
- Make sure you have security/vuxml installed.
- Check out security/vuxml into a working dir and cd to it.
- % make newentry
- % make validate
- Submit a diff for review, or commit it right away if you are running low on pointy hats.
Next VuXML version
This section contains ideas for possible additions to the VuXML specification.
- Specify architecture for each vulnerability (suggested by sem@)