Re: svn commit: r1339559 - /subversion/site/publish/docs/release-notes/release-history.html

From: Greg Stein <gstein_at_gmail.com>
Date: Fri, 18 May 2012 12:57:35 -0400

On Thu, May 17, 2012 at 2:02 PM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> CVEs are meant to be a unique identifier for an issue so I think it's
> a (minor?) problem if different downstreamers request CVEs
> independently.
> IOW, "Should we be trigger-happy or conservative on requesting CVE
> identifiers?".

I think we can be conservative on this. We track things using issues,
version control, and mailing lists. The CVE doesn't really help *us*.

If we believe that a downstream user is going to want/need some fancy
footwork around a security problem, then I think we generate a CVE
(for their tracking) and begin the private disclosure process.

Security team: does this sound like a reasonable approach?

Received on 2012-05-18 18:58:08 CEST

This is an archived mail posted to the Subversion Dev mailing list.