Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
* Steven M. Christey (coley@LINUS.MITRE.ORG) [000613 16:17]:
> Bill Fithen said:
> >> *4) If P1 and P2 are not fixed by the same patch or set of patches,
> >> then they must remain SPLIT.
> >I think this rule is inappropriate for CVE's purposes... Vendors
> >package software according to the rules of their business, not
> >according to the technical content of the software...
> >most of the ones following this one are focused on the nature of the
> >vulnerability and the related software engineering practice that
> >produced it. This rule is not.
> So some of these rules, while moving away from looking at the bug
> itself, are designed to find "supporting evidence" that will help us
> to make a reasonably explainable (and repeatable) decision in the
> absence of good facts. That said, the fact that patches are
> implemented differently might require at least a reordering of the
> "evidence" rules.
While sympathetic, I agree with Bill. A patch really provides no
strong "supporting evidence" that two vulnerabilities are the same
except that the vendor decided to fix them at the same time.
> - Steve
Si vis pacem, para bellum