
Re: upload processing resumed



On Sat, Dec 8, 2012 at 11:39 AM, Michael Gilbert <mgilbert@debian.org> wrote:
On Sat, Dec 8, 2012 at 3:32 AM, Joerg Jaspert wrote:
> On 13054 March 1977, Yves-Alexis Perez wrote:
>> Is dak present in a “released” state somewhere? Do other people use
>> those releases? Meaning, should we ask for a CVE for this?
>
> No, no and no.
>
> We have git. We have people use that, that's for sure. Checked out at
> various dates. I don't think that's something a CVE should be issued
> for. Though I won't block it if someone does, but the only thing you can
> do is "anything before commit XY, update with the latest".

CVE is an awareness thing, helping people become aware of the
vulnerabilities they may have.  The above wording would be a fine line
in terms of defining what is vulnerable.

> I really hope (and we silently somehow assume) that those who use dak
> are following at least debian-dak@lists.debian.org.

I really don't think anything like that can be assumed.  My guess is
that a larger percentage of clones have had no reason to subscribe to
the ml, and thus won't know about the problems in their versions.

Overall, it's better to be as transparent as possible to diffuse
knowledge further.

Best wishes,
Mike




It's my understanding that this is a result of a debianqueued bug, not dak itself.

It's unlikely other people are using it, IMHO

Cheers, 
  Paul

--
:wq

