* Michael S. Gilbert:

> interesting. i apologize for missing this, but how would FIXED-BY work?
> a link to the previous discussion would be very helpful.

<http://lists.alioth.debian.org/pipermail/secure-testing-team/2005-October/000508.html>

There's even a follow-up which mentions FIXED-BY for unnamed issues.

>> > a quick solution would be to change the way non-CVE issues are named in
>> > the CVE list. for example, use CVE-2009-XXXX-YYYY and so on so that
>> > each non-numbered issue is unique (where YYYY starts at 0001 and gets
>> > incremented for each new unique non-numbered issue).
>>
>> We shouldn't call this CVE, but DVN ("Debian Vulnerability Name") or
>> something else.
>
> this does make more sense, and it's shorter.

Fine.

>> This would be more difficult to implement in the tracker than FIXED-BY:.
>
> wouldn't it just be a matter of converting the CVE-2009-XXXX handling
> to use DVN-2009-0001, etc. instead?

I'd suggest to use DVN- followed by a random five-digit number instead,
so that we don't have to worry about the year. When an issue is
assigned a CVE, I suggest to add it after the CVE name, preceded by a
slash:

CVE-2009-1572/70212 (The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote ...)

Before that, the entry would have looked like this:

DVN-70212 [quagga: bgpd crash with AS paths containing 32-bit ASNs]

The precommit check will be updated to enforce uniqueness of numbers.
We also could make it hexadecimal to avoid confusion with bug numbers.

> i'd imagine that for the most part the CVE name is usually just
> treated as a string, except for the conversion to TEMP number;
> although i'm not familiar with the web scripts so i could be very
> wrong.

I don't think it's easy to add, at least not to the current code base.
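
The uniqueness rule proposed above for the precommit check, as an added example (not part of the original message and not the tracker's own code). The header pattern, the function name check_unique_numbers and every sample entry marked "constructed" are assumptions made for illustration.

```python
import re

# Entry headers in the two forms shown in the message:
#   DVN-70212 [description]             issue without a CVE name
#   CVE-2009-1572/70212 (description)   the same issue once a CVE is assigned
# The exact grammar is an assumption; only these two forms appear in the message.
HEADER = re.compile(
    r"^(?:DVN-(?P<dvn>[^\s/]+)"
    r"|CVE-\d{4}-\d{4,}(?:/(?P<suffix>[^\s/]+))?)(?=\s|$)"
)
NUMBER = re.compile(r"[0-9]{5}")  # "random five-digit number"


def check_unique_numbers(text):
    """Return (line_number, message) for each malformed or reused number."""
    errors = []
    first_seen = {}  # number -> (line number, header name) of first use
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = HEADER.match(line)
        if m is None:
            continue  # not an entry header in one of the two forms
        number = m.group("dvn") or m.group("suffix")
        if number is None:
            continue  # plain CVE entry that never carried a number
        name = m.group(0)
        if not NUMBER.fullmatch(number):
            errors.append((lineno, f"{name}: number must be five digits"))
        elif number in first_seen:
            prev_line, prev_name = first_seen[number]
            errors.append((lineno, f"{name}: number {number} already "
                                   f"used by {prev_name} on line {prev_line}"))
        else:
            first_seen[number] = (lineno, name)
    return errors


# Sample list: the first entry is quoted from the message, the rest are constructed.
SAMPLE = """\
CVE-2009-1572/70212 (The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote ...)
DVN-41873 [constructed: issue that has no CVE name yet]
CVE-0000-0000 (constructed: ordinary entry without a number)
DVN-70212 [constructed: reuses a number that is already taken]
DVN-1234 [constructed: number is too short]
"""

if __name__ == "__main__":
    for lineno, message in check_unique_numbers(SAMPLE):
        print(f"line {lineno}: {message}")
```

Because the number is kept after the slash when a CVE is assigned, the check compares DVN- entries and CVE-.../NNNNN entries in the same namespace.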
