Date: Wed, 15 Mar 2017 18:56:52 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Leo Famulari <leo@...ulari.name>
Subject: Re: Dealing with CVEs that apply to unspecified package versions

On Wed, 15 Mar 2017 at 18:12:52 +0100, Ludovic Courtès wrote:
> 1. The software behind the CVE form could force submitters to specify
>    version numbers.

That isn't going to work. Not all of the software of interest to major OS
distributions even *has* a version number :-(

(I am not arguing that software *shouldn't* have releases with version
numbers, only that sometimes it *doesn't*; this is a statement about
reality, not about best-practice.)

    S