On 2016-03-13 08:53:38, Paul Wise wrote:
> On Sat, Mar 12, 2016 at 10:51 PM, Kurt Roeckx wrote:
>> On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
>>> For example, if there are no CVEs are we able to use OVEs instead?
>>
>> What about DWF?
>
> That didn't exist at the time of Brian's post.
>
> I think OVE/OVI still have less friction than DWF, you just need to
> press a button.

Well, the friction is one thing, but we need to adopt *one* system for the future, if CVEs are going by the wayside (or even as a complementary approach).

DWF seems interesting because it incorporates CVE IDs directly and it also allocates CVE ranges to various projects. Debian could be one of those:

https://github.com/distributedweaknessfiling/DNA-Registry/blob/master/DNA-Registry.csv

... and manage its own allocations. I am not sure I like the CSVs, however... and it doesn't seem to have much adoption yet:

https://github.com/distributedweaknessfiling/DWF-Database/blob/master/DWF-Database-2016.csv

Centralisation certainly doesn't scale here...

a.

--
The university must paint itself black, mulatto, worker and peasant. If not, people will break down their doors and paint the university the color they like.
- Ernesto "che" Guevara