Hyrum K Wright wrote on Thu, May 17, 2012 at 12:59:23 -0500:
> I'll also point out that in the past downstream users have made the
> determination for us, and requested their own CVEs for issues in our
> releases. I don't think that's a problem, and we can't really control
> how downstream judges the impact of a particular issue, but it just
> feels nice if we handle the CVE process for our own issues.
CVEs are meant to be a unique identifier for an issue, so I think it's
a (minor?) problem if different downstreamers request CVEs.
> In the past CVE almost exclusively meant an embargo and
> pre-notification and the rest of the circus that implies. I think
> there is some middle ground here where we request a CVE, but then just
> treat the release in a standard way, just mentioning the CVE in
> CHANGES or the release announcement.
> It might also be nice to look at how other projects handle this stuff.
> Are they as aggressive about labeling things "security-related" and
> getting CVEs as we are?
IOW, "Should we be trigger-happy or conservative on requesting CVE
I think that's a good question; perhaps we should ask it security@.
Received on 2012-05-17 20:03:38 CEST