On May 18, 2012 6:57 PM, "William A. Rowe Jr." <wrowe_at_rowe-clan.net> wrote:
>
> On 5/18/2012 11:57 AM, Greg Stein wrote:
> > On Thu, May 17, 2012 at 2:02 PM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> >> ...
> >> CVE are meant to be a unique identifier to an issue so I think it's
> >> a (minor?) problem if different downstreamers requests CVE's
> >> independently.
> >> ...
> >> IOW, "Should we be trigger-happy or conservative on requesting CVE
> >> identifiers?".
> >
> > I think we can be conservative on this. We track things using issues,
> > version control, and mailing lists. The CVE doesn't really help *us*.
> >
> > If we believe that a downstream user is going to want/need some fancy
> > footwork around a security problem, then I think we generate a CVE
> > (for their tracking) and begin the private disclosure process.
> >
> > Security team: does this sound like a reasonable approach?
>
> Not really.
I don't understand how your email differs from what I stated.
> As a community we rely on certain words and phrases to mean specific things, and
> to not mean other things. Using a CVE, once an advisory is likely to be filed,
> ensures that every vendor, open source project and os distributor are all speaking
> about the exact same defect.
Right. I said, "If we believe [they need one]... we generate a CVE". Same
thing as "likely to be filed".
>...
> Just don't be allocating CVE's if you don't plan to treat a fix as a vulnerability.
Right. I said we don't normally set up CVEs. That we be conservative.
So:
> Not really.
What does this mean? What do you suggest we do differently from what I
suggested, and you apparently acknowledged as a reasonable approach?
-g
Received on 2012-05-19 09:46:42 CEST