Date: Thu, 10 Mar 2016 11:25:21 -0800
From: Tim <>
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

> It's git. You can trivially keep an entire copy of the databases. It
> can be hosted in many places. We'd have to redo the issue tracking, but
> bug-tracking systems are not exactly hard anymore.

I see that as only one component of having a distributed database.
Who's running the cron job that constantly pulls down updates from the
GitHub server?  How do you ensure it's synced up when a legal threat
causes the main repo to go black?

> See above. That's the whole point of the artifacts database. Please reread
> my original email maybe?

> I am of course open to feedback, but please actually go to
> and see what we're doing
> first before assuming we aren't doing certain things (like making sure the
> artifacts associated with a security vuln don't disappear).

I did look.  Sorry I missed the artifacts.  The git repos and
documentation make it far from obvious where that info lies.

OK, so is "A database of artifacts, files and related files for DWF
entries (so that when websites disappear the required content is
hopefully still available)" in an email the sum of your documentation
on that right now?  Just want to be sure I didn't miss something else.

Do you have ideas on how to capture vendor advisories?  Vendors are
almost certainly, in 99% of cases, going to ignore the DWF for a long
time.  Perhaps forever.  We're currently lucky to get many of them to
even include a CVE # in their own advisory.  How can that information
be captured without moderators having to do all the work?  Have you
thought about how we can deal with the copyright issues associated
with copying vendor content directly into the DWF for archival?

What I'm thinking is that perhaps there's a way to make vendors *want*
to post information.  Also, perhaps there could be a way to license
DWF numbering in such a way that vendors implicitly agree that the DWF
can re-publish.  Or maybe there's a way to work with the Internet
Archive to have third-party URLs archived automatically when they are
first posted.  See:

