Re: CVE id request: busybox

[Thomas Biege <thomas () suse de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Am 05.03.2013 10:27, schrieb Thomas Biege:
> Hi Kurt,
>
> Am 04.03.2013 03:26, schrieb Kurt Seifried:
> > On 03/03/2013 01:06 PM, Michael Gilbert wrote:
> > > On Sun, Mar 3, 2013 at 2:50 PM, Kurt Seifried wrote:
> > > > This actually raises a good point, due to Debian being a 
> > > > secondary source in most cases (e.g. upstream has a bug
> > > > report which is then copied into Debian's bug tracker since
> > > > Debian ships it) the dates and sometimes information is
> > > > wrong.
>
> > > Aren't these problems true for any source whether it be
> > > primary, secondary, tertiary, or so on?
>
> > Sorry yeah I should have been more clear. This goes for all the 
> > major secondary sources (Debian, SUSE, etc.).
>
> I understand this. You provide a very valuable service for free
> here on the list and we should make as easy as possible for you to
> do your job.
>
>
> > > > I will no longer be issuing CVE's for issues brought up 
> > > > through the Debian bugtracker without an original source to 
> > > > back it up, otherwise more mistakes will happen which is not 
> > > > good.
>
> > > I don't understand the purpose of excluding an entire project's
> > >  sources.  Should redhat's bugzilla, gentoo, etc. also be 
> > > excluded for the same reason?  If not, why do they get special 
> > > treatment?
>
> > I didn't say I;'m excluding them. I simply will require an 
> > original source, in this case the year is probably wrong.
>
> > > Is there really a problem at all?  The debian report included
> > > the upstream commit, so you had a link to a primary resource 
> > > anyway. So, I think a simple solution to this 'problem' of 
> > > secondary sources is follow them to the primary one?
>
> > Yeah, and people can post them to the list. As stated before, I 
> > assign a lot of CVEs. One minute extra per CVE is about 20 hours
> > a year. It adds up. So from now on I'll be needing original
> > source confirmation in the emails to oss-sec.
>
> Unfortunately this will neither reduce your work-load nor increase
> the speed. Every CVE request should state exactly the source of the
> issue instead. I believe that the frequent posters on this list
> have no problem doing this.

After reading it again, that is what you already meant.

Thomas

> Best, Thomas

- -- 
Thomas Biege <thomas () suse de>, Teamlead MaintenanceSecurity, CSSLP
SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
21284 (AG Nürnberg)
- --
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJRNb2VAAoJEJqHoVJVjr8DF/cIAIuKAHu5Z8ZklZA5PZA469I9
jWUid+XsdhDN6DGVMn2kGkujDmHEYW7Nz6iYKe+lDb3sEm/PlHGmcw+AWRQKSplQ
inMyyL+NO2HBJq9NYCY6Tr+Jgn0jazM/4/xif40wexZNTnYMM35qL829ymEYZFj5
rm+DbthL50pY9WkZ1foqK/5BOIu4mvfkjgFZhpq1GUvUyZuWjABX0VCmeD3tETC9
WpsRhPbn/CDm9i+LA6Z7gtpBlWLAfnPhD2DpfM8PPfSnJCLyXkzVCtDBoC7kLvdK
tHAJP3UxD1y+pArn5etD6VntcpcBaPLQv38H/tL/FFXbczegoMYVSzqmYOA/lPU=
=E+/g
-----END PGP SIGNATURE-----