oss-sec mailing list archives

Re: CVE Request - PloneFormGen, multiple vulnerabilities


From: Matthew Wilkes <matthew () matthewwilkes co uk>
Date: Thu, 25 Jul 2013 10:14:12 +0100

But I also want to make sure CVE's get assigned correctly. So three
main problems arise

Kurt, I get it. Really. I'll make sure code commits are included in future. I don't think anyone's being deliberately obstructive here, I know I certainly try my best to give you clear, short descriptions so that you don't have to waste time going through others' code if you don't need to. I'm not trying to make your job harder, I'm trying to help.

Having QUICK access to the source code vulns/corrections makes all the
above much much easier.

Sure, I'll make sure you have it in future. From my point of view, however, a lot of these things are caused by subtle interactions of various mistakes that would be harmless on their own. That makes it harder to provide useful source code as it could easily look correct. For example, the Zope application server uses the presence of documentation as an in-band marker of if something is public or private; just sending you a link to the removal of docs would be pretty confusing.

You're not asking for CVE's in a vacuum. CVE's are widely used by
literally millions of people and organizations, we need to make sure
they are done right or we will cause an obscene amount of time and
money to be wasted.

The reason I write descriptions and include my estimates of CWE identifiers and CVSS scores is precisely because I know lots of people read these lists, and it matters to me to reduce the amount of work they have to go through. I'd be surprised to learn that more people care about the commits themselves rather than the information in an easy to consume format.

CVE assignment to follow tomorrow because it's 3am here.

Thank you, it's appreciated.

Matt
