
Re: svn commit: r1339559 - /subversion/site/publish/docs/release-notes/release-history.html

From: Greg Stein <gstein_at_gmail.com>
Date: Sat, 19 May 2012 03:46:06 -0400

On May 18, 2012 6:57 PM, "William A. Rowe Jr." <wrowe_at_rowe-clan.net> wrote:
>
> On 5/18/2012 11:57 AM, Greg Stein wrote:
> > On Thu, May 17, 2012 at 2:02 PM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> >> ...
> >> CVE are meant to be a unique identifier to an issue so I think it's
> >> a (minor?) problem if different downstreamers requests CVE's
> >> independently.
> >> ...
> >> IOW, "Should we be trigger-happy or conservative on requesting CVE
> >> identifiers?".
> >
> > I think we can be conservative on this. We track things using issues,
> > version control, and mailing lists. The CVE doesn't really help *us*.
> >
> > If we believe that a downstream user is going to want/need some fancy
> > footwork around a security problem, then I think we generate a CVE
> > (for their tracking) and begin the private disclosure process.
> >
> > Security team: does this sound like a reasonable approach?
>
> Not really.

I don't understand how your email differs from what I stated.

> As a community we rely on certain words and phrases to mean specific things, and
> to not mean other things. Using a CVE, once an advisory is likely to be filed,
> ensures that every vendor, open source project and os distributor are all speaking
> about the exact same defect.

Right. I said, "If we believe [they need one]... we generate a CVE". Same
thing as "likely to be filed".

>...
> Just don't be allocating CVE's if you don't plan to treat a fix as a vulnerability.

Right. I said we don't normally set up CVEs. That we be conservative.

So:

> Not really.

What does this mean? What do you suggest we do differently from what I
suggested, and you apparently acknowledged as a reasonable approach?

-g
Received on 2012-05-19 09:46:42 CEST
