
Re: tracking security issues without CVEs

On 2016-03-13 08:53:38, Paul Wise wrote:
> On Sat, Mar 12, 2016 at 10:51 PM, Kurt Roeckx wrote:
>> On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
>>> For example, if there are no CVEs are we able to use OVEs instead?
>> What about DWF?
> That didn't exist at the time of Brian's post.
> I think OVE/OVI still have less friction than DWF, you just need to
> press a button.

Well, the friction is one thing, but we need to adopt *one* system for
the future, if CVEs are going by the wayside (or even as a complementary
approach). DWF seems interesting because it incorporates CVE IDs
directly and it also allocates CVE ranges to various projects. Debian
could be one of those:


... and manage its own allocations.

I am not sure I like the CSVs, however... and it doesn't seem to have
much adoption yet:


Centralisation certainly doesn't scale here...


The university must paint itself black, mulatto, worker and
peasant. If not, people will break down their doors and paint the
university the color they like.
                        - Ernesto "che" Guevara
