Re: tracking security issues without CVEs
On Wed, Mar 23, 2016 at 10:59:34AM +0800, Paul Wise wrote:
> I think Debian needs to go towards the approach of VRDX-SIG and do
> identifier cross-referencing instead of settling on *one* system for
> referring to security vulnerabilities. Internally, we would continue
> to use CVEs and CVE-2016-XXXX for issues without CVEs and then map all
> the external identifiers onto those.
I think Debian should pick a common one to use by default, and use a
different one only if necessary. I think trying to turn into yet another
clearinghouse of cross-referenced vulnerability IDs is a bottomless pit
of wasted effort.