On May 18, 2012 6:57 PM, "William A. Rowe Jr." <wr...@rowe-clan.net> wrote:
>
> On 5/18/2012 11:57 AM, Greg Stein wrote:
> > On Thu, May 17, 2012 at 2:02 PM, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> >> ...
> >> CVEs are meant to be a unique identifier to an issue so I think it's
> >> a (minor?) problem if different downstreamers request CVEs
> >> independently.
> >> ...
> >> IOW, "Should we be trigger-happy or conservative on requesting CVE
> >> identifiers?".
> >
> > I think we can be conservative on this. We track things using issues,
> > version control, and mailing lists. The CVE doesn't really help *us*.
> >
> > If we believe that a downstream user is going to want/need some fancy
> > footwork around a security problem, then I think we generate a CVE
> > (for their tracking) and begin the private disclosure process.
> >
> > Security team: does this sound like a reasonable approach?
>
> Not really.

I don't understand how your email differs from what I stated.

> As a community we rely on certain words and phrases to mean specific things, and
> to not mean other things. Using a CVE, once an advisory is likely to be filed,
> ensures that every vendor, open source project and OS distributor are all speaking
> about the exact same defect.

Right. I said, "If we believe [they need one]... we generate a CVE". Same thing
as "likely to be filed".

> ...
> Just don't be allocating CVEs if you don't plan to treat a fix as a vulnerability.

Right. I said we don't normally set up CVEs. That we be conservative.

So:

> Not really.

What does this mean? What do you suggest we do differently from what I
suggested, and you apparently acknowledged as a reasonable approach?

-g