On Sat, Jan 25, 2025 at 01:24:36AM +0000, Mark Esler wrote:
> On Wed, Jan 22, 2025 at 03:18:10PM +0100, Johannes Segitz wrote:
> > We're not empowered to do this. We are a CNA for code that we own (e.g.
> > zypper), but not for arbitrary open source projects.
>
> The text of SUSE's scope [0] is similar to Canonical's [1]. We
> understand "All Canonical issues (including Ubuntu Linux) only" as
> including all software we distribute. It does not require us to be the
> author of that code.

Interesting. I'll reach out to MITRE to clarify this and will report back (might take a while, I'll be away for some weeks starting tomorrow). When I was introduced to this > 10 years ago I was told not to allocate for anything for which we're not clearly upstream.

Johannes
--
GPG Key                EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)