On Wed, Mar 23, 2016 at 10:59:34AM +0800, Paul Wise wrote:
> I think Debian needs to go towards the approach of VRDX-SIG and do identifier cross-referencing instead of settling on *one* system for referring to security vulnerabilities. Internally, we would continue to use CVEs and CVE-2016-XXXX for issues without CVEs and then map all the external identifiers onto those.
I think Debian should pick a common one to use by default, and use a different one only if necessary. I think trying to turn into yet another clearinghouse of cross-referenced vulnerability IDs is a bottomless pit of wasted effort.
Mike Stone