Date: Thu, 25 Jul 2013 10:14:12 +0100 From: Matthew Wilkes <matthew@...thewwilkes.co.uk> To: oss-security@...ts.openwall.com Subject: Re: CVE Request - PloneFormGen, multiple vulnerabilities > But I also want to make sure CVE's get assigned correctly. So three > main problems arise Kurt, I get it. Really. I'll make sure code commits are included in future. I don't think anyone's being deliberately obstructive here, I know I certainly try my best to give you clear, short descriptions so that you don't have to waste time going through others' code if you don't need to. I'm not trying to make your job harder, I'm trying to help. > Having QUICK access to the source code vulns/corrections makes all the > above much much easier. Sure, I'll make sure you have it it future. From my point of view, however, a lot of these things are caused by subtle interactions of various mistakes that would be harmless on their own. That makes it harder to provide useful source code as it could easily look correct. For example, the Zope application server uses the presence of documentation as an in-band marker of if something is public or private; just sending you a link to the removal of docs would be pretty confusing. > You're not asking for CVE's in a vacuum. CVE's are widely used by > literally millions of people and organizations, we need to make sure > they are done right or we will cause an obscene amount of time and > money to be wasted. The reason I write descriptions and include my estimates of CWE identifiers and CVSS scores is precisely because I know lots of people read these lists, and it matters to me to reduce the amount of work they have to go through. I'd be surprised to learn that more people care about the commits themselves rather than the information in an easy to consume format. > CVE assignment to follow tomorrow because it's 3am here. Thank you, it's appreciated. Matt
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.