Date: Fri, 16 Mar 2012 11:26:58 +0100
From: Andreas Ericsson <ae@....se>
To: oss-security@...ts.openwall.com
CC: Kurt Seifried <kseifried@...hat.com>, 
 Mark Stanislav <mark.stanislav@...il.com>
Subject: Re: CVE Requests

On 03/16/2012 04:41 AM, Kurt Seifried wrote:
> 
> I need the actual info, please refer to:
> 
> http://www.openwall.com/lists/oss-security/2012/03/16/2
> http://www.openwall.com/lists/oss-security/2012/03/15/9
> http://www.openwall.com/lists/oss-security/2012/03/14/6
> http://www.openwall.com/lists/oss-security/2012/03/12/7
> 

Those mails are all exemplary requests for CVE id's, of course, but the
fact that they are all already fixed and released means that 100% of
the work is already done. At that point, assigning a CVE id is mostly
useless and is done as a "just for the record" thing.

The need for a unified identifier for a particular issue is greatest
when discussing the problem and its potential solutions; not how
someone actually solved it after it's already done. If CVE is to become
a thing for changelogs only, all those projects that don't use one
but rely on commit-messages instead won't use CVE id's at all, and the
usefulness of the CVE database dwindles.

-- 
Andreas Ericsson                   andreas.ericsson@....se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
