Re: svn commit: r1339559 - /subversion/site/publish/docs/release-notes/release-history.html

From: Greg Stein <gstein_at_gmail.com>
Date: Fri, 18 May 2012 12:57:35 -0400

On Thu, May 17, 2012 at 2:02 PM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
>...
> CVE are meant to be a unique identifier to an issue so I think it's
> a (minor?) problem if different downstreamers requests CVE's
> independently.
>...
> IOW, "Should we be trigger-happy or conservative on requesting CVE
> identifiers?".

I think we can be conservative on this. We track things using issues,
version control, and mailing lists. The CVE doesn't really help *us*.

If we believe that a downstream user is going to want/need some fancy
footwork around a security problem, then I think we generate a CVE
(for their tracking) and begin the private disclosure process.

Security team: does this sound like a reasonable approach?

Cheers,
-g
Received on 2012-05-18 18:58:08 CEST

This message: [ Message body ]
Next message: Ivan Zhakov: "Re: [DISCUSS] delete ra_neon"
Previous message: Dmitry Pavlenko: "moved externals are not reported as externals by status"
In reply to: Daniel Shahaf: "Re: svn commit: r1339559 - /subversion/site/publish/docs/release-notes/release-history.html"
Next in thread: William A. Rowe Jr.: "Re: svn commit: r1339559 - /subversion/site/publish/docs/release-notes/release-history.html"
Reply: William A. Rowe Jr.: "Re: svn commit: r1339559 - /subversion/site/publish/docs/release-notes/release-history.html"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]