No real preferences, but at first glance I'd be worried about performance. The OVAL files are generated several times a day, and fetching *all* the associated informations about binary packages for each vulnerability could potentially take time.
I'd be willing to see a proof-of-concept, though, because I could totally be wrong :) And I agree that having the information about binary packages available in the OVAL files would be a plus. Cheers, --Seb
