Active Candidates and Unresolved Content Decisions
A question has been raised as to what candidates are affected by
content decisions that have not yet been resolved.
The short answer is, that information is in my head. I have not
recorded the specific content decisions that impact each candidate.
However, I do plan to make this information explicit, at least for
I believe that as long as a candidate is affected by a content
decision that has not been resolved, that candidate should remain
active. Otherwise, if we promote it to a CVE vulnerability, it could
get changed if a content decision is modified, along with all other
vulnerabilities that are affected by that content decision. We should
avoid doing this as much as possible, since the CVE should be as
stable as possible. I believe it is especially important in these
early days for the CVE, because everything is still evolving.
The larger issue has to deal with knowing which content decisions
haven't been resolved yet. There are a number of decisions which we
all know are highly contentious; others have been presented, but
nobody has commented; others have elicited a mild response.
I will be developing a voting mechanism very similar to that for
individual candidates, which will make it easier to track the progress
of our discussions of content decisions.