Hyrum K Wright wrote on Thu, May 17, 2012 at 12:59:23 -0500:
> I'll also point out that in the past downstream users have made the
> determination for us, and requested their own CVEs for issues in our
> releases. I don't think that's a problem, and we can't really control
> how downstream judges the impact of a particular issue, but it just
> feels nice if we handle the CVE process for our own issues.
>

CVEs are meant to be a unique identifier for an issue, so I think it's a (minor?) problem if different downstreamers request CVEs independently.

> In the past CVE almost exclusively meant an embargo and
> pre-notification and the rest of the circus that implies. I think
> there is some middle ground here where we request a CVE, but then just
> treat the release in a standard way, just mentioning the CVE in
> CHANGES or the release announcement.
>
> It might also be nice to look at how other projects handle this stuff.
> Are they as aggressive about labeling things "security-related" and
> getting CVEs as we are?

IOW, "Should we be trigger-happy or conservative on requesting CVE identifiers?". I think that's a good question; perhaps we should ask it on security@.