Please vote on the most recent patchset to GLEP 68 (the metadata.xml GLEP). The changes are currently blocking me from requesting media type registration for these files, as they affect "security considerations" for the format. They're: - specifying that metadata.xml files are XML 1.0 and linking to the standard - forbidding "external markup declarations" and DTD use, to prevent network fetching and entity-based attacks - clarifying that metadata.xml files must not use non-standard elements but readers must accept and ignore them (for future extension) Proposed motion: """ Approved GLEP 68 changes as sent to the ml thread: https://archives.gentoo.org/gentoo-dev/message/8e90fc6d45c18500506acfbb0ca7032a """
I vote yes.
I vote yes
/me votes yes
Vote yes
yes
Accepted unanimously. https://gitweb.gentoo.org/data/glep.git/commit/?id=75261f97e6ea138d53f4b38834082ba4a10e0183 Author: Michał Górny <mgorny@gentoo.org> Date: Fri Oct 7 22:22:22 2022 +0200 glep-0068: Clarify and restrict XML data format Explicitly specify XML 1.0 and link to the specification. Forbid "external markup declarations" and processing DTDs to secure against common XML attacks. Signed-off-by: Michał Górny <mgorny@gentoo.org> https://gitweb.gentoo.org/data/glep.git/commit/?id=5330e6efbdf16a1aef8b257201359f224484f235 Author: Michał Górny <mgorny@gentoo.org> Date: Fri Oct 7 22:24:52 2022 +0200 glep-0068: Indicate that unknown elements should be ignored As originally stated, the GLEP did not permit extending the format. Let's relax the requirement to conforming files but indicate that the parsers should ignore unknown (i.e. future) elements. Signed-off-by: Michał Górny <mgorny@gentoo.org>
