[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tracking security issues without CVEs

On Wed, Mar 23, 2016 at 10:59:34AM +0800, Paul Wise wrote:
I think Debian needs to go towards the approach of VRDX-SIG and do
identifier cross-referencing instead of settling on *one* system for
referring to security vulnerabilities. Internally, we would continue
to use CVEs and CVE-2016-XXXX for issues without CVEs and then map all
the external identifiers onto those.

I think debian should pick a common one to use by default, and use a different one only if necessary. I think trying to turn into yet another clearinghouse of cross-referenced vulnerability IDs is a bottomless pit of wasted effort.
Mike Stone

Reply to: