oss-sec mailing list archives

Re: CVE Requests


From: Andreas Ericsson <ae () op5 se>
Date: Fri, 16 Mar 2012 11:26:58 +0100

On 03/16/2012 04:41 AM, Kurt Seifried wrote:

> I need the actual info, please refer to:
>
> http://www.openwall.com/lists/oss-security/2012/03/16/2
> http://www.openwall.com/lists/oss-security/2012/03/15/9
> http://www.openwall.com/lists/oss-security/2012/03/14/6
> http://www.openwall.com/lists/oss-security/2012/03/12/7

Those mails are all exemplary requests for CVE ids, of course, but the
fact that they are all already fixed and released means that 100% of
the work is already done. At that point, assigning a CVE id is mostly
useless and is done as a "just for the record" thing.

The need for a unified identifier for a particular issue is greatest
when discussing the problem and its potential solutions; not how
someone actually solved it after it's already done. If CVE is to become
a thing for changelogs only, all those projects that don't use one
but rely on commit messages instead won't use CVE ids at all, and the
usefulness of the CVE database dwindles.

-- 
Andreas Ericsson                   andreas.ericsson () op5 se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.

