[Secure-testing-team] Assigning unique identifiers (CVE?)
Moritz Muehlenhoff
jmm at inutil.org
Wed Mar 8 22:03:48 UTC 2006

Florian Weimer wrote:
> * Moritz Muehlenhoff:
>
> >> * Use the description (in [brackets]) as the unique identifier. The
> >> downside is that we still won't have really stable identifiers for
> >> non-CVE issues.
> >
> > I don't think we've ever changed a temporary description in brackets so
> > far, so that would be my preferred solution.
>
> Okay, in this case, this is probably the way to go. If we keep the
> text in square brackets once we switch from CVE-2006-XXXX to the real
> CVE name, I might even be able to automatically infer the transition
> of the internal identifier (used by debsecan) to the CVE ID.

Good, will this database rework include support for distribution-specific
discards of not-affected and no-dsa? (At least in the web display)
That would be great, because the web display is getting noisy.

> > Nothing is too minor for MITRE, it's just that someone needs to push it
> > to them. But we should track this process in SVN, e.g. with a short file
> > who did it, when at and at what time we pinged them etc.
>
> I doubt that the Subversion repository is best suited to this kind of
> task, but I'll shut up until I can offer something better. 8-)

The best solution would be if a single person volunteers to handle the
backlog, keeping track of what has already been sent and pings
where necessary.

Cheers,
Moritz