I like the idea of voting on whether or not we want to CVE a fix because I hope it will make us focus on how to message the issue as clearly as possible in addition to having more eyes looking at similar possible issues.
Gary

On Thu, Dec 30, 2021 at 4:02 AM Volkan Yazıcı <[email protected]> wrote:

> Hello,
>
> The recent CVE-2021-44832 has been subject to quite some debate whether it
> was CVE-worthy or not. I think that one had far-fetched assumptions and
> could very well be addressed in a patch release, just like we did, but
> without a CVE associated with it. The created CVE caused yet another wave
> of FUD surrounding the project. I can imagine millions of deployments all
> around the world were marked as flagged by monitoring tools and people
> rushed to upgrade in panic, most likely, for no reason. I put aside the
> damage CVEs cause on the reputation of the project.
>
> I am told by [email protected] that what is CVE-worthy is up to the
> PMC. *I propose creating a VOTE thread for the CVE creation from now on.* I would
> appreciate it if others can share their thoughts on this. If the overall
> reception is positive, I will send a VOTE email to make this official.
>
> Kind regards.
