--- xml/htdocs/proj/en/glep/glep-0014.html 2003/08/22 15:11:16 1.1 +++ xml/htdocs/proj/en/glep/glep-0014.html 2003/08/24 22:11:46 1.2 @@ -33,9 +33,9 @@
The coding part of this GLEP is a update tool that reads a GLSA, checks if -the system is affected by it and executes one of the following actions, depending -on user preferences:+
The coding part of this GLEP is a update tool that reads a GLSA, verifies its +GPG signature, checks if the system is affected by it and executes one of the +following actions, depending on user preferences:
The GLSA format needs to be specified, I suggest using XML for that to simplify parsing and later extensions. See implementation for a sample DTD. The format has to be compatible with the update tool of course. If necessary a converter -tool or an editor could be written for people not comfortable with XML.+tool or an editor could be written for people not comfortable with XML. +Every GLSA has to be GPG signed by the responsible developer, who has to be +a member of the security herd.
To verify the signatures of the GLSAs the public keys of the developers should be +available in the portage tree and on the HTTP server. The verification is necessary +to prevent exploits by fake GLSAs.
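Review bot: the last added sentences put the verification keys on the same channels as the advisories they are meant to authenticate ("the public keys of the developers should be available in the portage tree and on the HTTP server"), so whoever can plant a fake GLSA on the HTTP server or in the tree can plant a matching key next to it, and the stated goal "to prevent exploits by fake GLSAs" is not met by availability alone; the text should name the trust anchor the update tool checks those keys against (for example a keyring or list of fingerprints shipped with the tool, or fingerprints verified out of band) and how the "member of the security herd" requirement from the previous paragraph is enforced at verification time. The new clause "verifies its GPG signature" should also state what the tool does on a missing or failed signature, since the following steps (checking whether the system is affected, executing the chosen action) must not run in that case. Minor: "a update tool" in the rewritten sentence should read "an update tool".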