Re: Linux kernel CVEs not mentioned on oss-security

[Stiepan <stie@itk.swiss>]

+1; let's use other identifiers! And why not, a blockchain (based on at least SHA3) for public security issues? That 
would be great. And as trustable, as transparent as it needs to be.

Amen

-------- Original Message --------
On 9 Oct 2017, 13:11, Fabian Keil wrote:

> Kurt Seifried  wrote:
>
> > If you see this: PLEASE SUBMIT THE URL AS AN UPDATE TO THE CVE USING THE
> > CVE FORM (yes, I am shouting).
> >
> > https://cveform.mitre.org
>
> As you seem to be "shouting" a lot lately, I just like to point out
> that using the MITRE(!) form requires the execution of non-free and
> unsigned software from various sources.
>
> Some people don't consider this a problem, others do.
>
> > Choose "Request an update to an existing CVE entry" and then for "Type of
> > update requested" choose "Update References" and then eneter the CVE #,
> > the ifo and URL and hit "Submit Request"
>
> ... trust your browser's "sandbox" to work as advertised for a change
> and ignore the fact that you're running proprietary software that may
> or may not be customised just for your system and can't be easily
> audited in advance.
>
> > TL;DR: Everyone wants the cat to wear a bell, and in past I'll admit we
> > (the CVE community) didn't make it easy to contribute. Well now we have
> > made it easy to contribute, so please do.
>
> TL;DR: Not everyone wants to allow remote code execution just to
> request a CVE. Some people are sufficiently satisfied when security
> issues are found and fixed in time. While CVE number are sometimes
> nice to have, other identifiers work just as well (for some).
>
> Fabian @redhat.com>