The recent NVD changes have impacted a number of projects and there are quite a few uneasy developers out there, not just in the Yocto Project community but much more widely. There could be some simple changes or process improvements that the CVE Project could make which would massively help things.
The key thing for many of us is to have accurate product/vendor identification and useful version constraints. A secondary issue is an easy process to allow updates/addition of that information. The intent would be to have accurate CVE data at source, freeing NVD and others to validate/improve/vet that information.

As such I'm inviting our community to sign this open letter, the intent of which is to show the demand for these improvements:

https://github.com/yoctoproject/cve-cna-open-letter

I've chosen to use github pull requests for this for ease. Please feel free to share this widely, as I believe the ideas here would benefit many projects, as we all face a similar challenge. What we don't want to see is "pay for access" data, or a fragmented data ecosystem, which is becoming a real risk.

The letter deliberately doesn't dive into implementation details, as it would complicate a simple message; those details are a solvable problem if the desire is there. The version 5 schema already hints at some of this path; this proposal would just take it a step further again by allowing buy-in from the CNAs themselves. If there is a good process and tooling to allow updates of CVE entries with information, even if it is optional, it will get adopted if it works well and is helpful.

Cheers,

Richard (on behalf of the Yocto Project/OpenEmbedded TSCs)
View/Reply Online (#1990): https://lists.openembedded.org/g/openembedded-architecture/message/1990