Re: CVE ID Syntax Change - Voting Ballot (Deadline April 14, 11:59PM EDT)
On Mon, 1 Apr 2013, email@example.com wrote:
: 1) You MUST fill out the entire voting ballot and post it to the
: entire CVE Editorial Board mailing list.
: 3) There is only one vote per organization.
Voting on behalf of the Open Security Foundation (OSF) and the Open Source
Vulnerability Database (OSVDB).
: 1) As specified in the VOTING BALLOT below, clearly indicate your
: FIRST CHOICE, SECOND CHOICE, and LAST CHOICE. For each choice,
: list either "OPTION A", "OPTION B", or "OPTION C".
: 2) For each choice, fill out the associated REASONS section to give
: your reasons for supporting (or not supporting) your choice. There
: is no limit on the length of your response, but the reasons must be
: in plain text and included inline with the form, not as an
This is our FIRST choice:
: OPTION A: Year + 6 digits, with leading 0's
: Examples: CVE-2014-000001, CVE-2014-000999, CVE-2014-001234,
: CVE-2014-009999, CVE-2014-010000, CVE-2014-054321, CVE-2014-099999,
: CVE-2014-100000, CVE-2014-123456, CVE-2014-999999
Fixed length is easier to manage in many tracking systems, avoids
confusion, and will last until Steve Christey is in the ground.
This is our SECOND choice:
: OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999
: Examples: CVE-2014-0001, CVE-2014-0999, CVE-2014-1234,
: CVE-2014-9999, CVE-2014-10000, CVE-2014-54321, CVE-2014-99999,
: CVE-2014-100000, CVE-2014-123456, CVE-2014-999999, CVE-2014-1234567
This is absurd. Why pad digits for the first ten thousand, and not the
rest? If the goal is to have this be a final solution to never need
upgrading, fine, but drop the 0 padding from all of them to stay
consistent. This scheme is also pretty ugly. Steve Christey in a dress
This is our THIRD choice:
: OPTION C: Year + arbitrary digits + check digit
: Examples: CVE-2014-1-8, CVE-2014-999-3, CVE-2014-1234-3,
: CVE-2014-9999-3, CVE-2014-10000-8, CVE-2014-54321-5,
: CVE-2014-123456-5, CVE-2014-999999-5, CVE-2014-1234567-4
Really? What the hell is the check digit really for, other than to make us
look SMRT? This is also likely to introduce the most confusion as people
may associate it with a versioning scheme, a la Debian (1.2.3-3 over
1.2.3). It is also convoluted, and ugly like a 4am Vegas hooker, because
the good ones got picked over already.
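The practical point behind the "fixed length is easier to manage in many tracking systems" argument is sort order: a fixed-width sequence number sorts correctly as a plain string, a variable-width one does not. The following Python is an added illustration, not code from the ballot or from OSVDB; the three regular expressions are my own reading of the ballot's example IDs (Option A: year plus exactly six digits; Option B: four digits for 1 to 999, no leading zero beyond that; Option C: unpadded digits plus a one-digit check digit whose algorithm the ballot does not state, so it is only carried through, never verified).

```python
import re

# Candidate syntaxes, derived from the ballot examples (an assumption, not MITRE's spec).
OPTION_A = re.compile(r"^CVE-(\d{4})-(\d{6})$")                  # CVE-2014-000001
OPTION_B = re.compile(r"^CVE-(\d{4})-(0\d{3}|[1-9]\d{3,})$")     # CVE-2014-0001, CVE-2014-10000
OPTION_C = re.compile(r"^CVE-(\d{4})-([1-9]\d*)-(\d)$")          # CVE-2014-1-8


def parse_cve(cve_id, option):
    """Parse cve_id under ballot option 'A', 'B' or 'C'.

    Returns (year, sequence) for A and B, (year, sequence, check_digit) for C,
    or None when the string is not well-formed for that option.  The check
    digit for C is returned as-is; the ballot gives no algorithm to verify it.
    """
    pattern = {"A": OPTION_A, "B": OPTION_B, "C": OPTION_C}[option]
    m = pattern.match(cve_id)
    if m is None:
        return None
    fields = tuple(int(g) for g in m.groups())
    if fields[1] == 0:          # sequence numbers start at 1 in every option
        return None
    return fields


def sort_ids(ids, option):
    """Sort by (year, sequence) after parsing; malformed IDs are rejected."""
    parsed = []
    for cve_id in ids:
        fields = parse_cve(cve_id, option)
        if fields is None:
            raise ValueError("not a valid Option %s identifier: %s" % (option, cve_id))
        parsed.append((fields[0], fields[1], cve_id))
    return [cve_id for _, _, cve_id in sorted(parsed)]


def lexical_sort(ids):
    """Plain string sort, which is what a naive tracker or spreadsheet column does."""
    return sorted(ids)


def lexical_order_is_numeric(ids, option):
    """True when the plain string order already equals the numeric order."""
    return lexical_sort(ids) == sort_ids(ids, option)


if __name__ == "__main__":
    # Constructed sample IDs straddling the 9999/10000 boundary under each option.
    print(lexical_order_is_numeric(["CVE-2014-009999", "CVE-2014-010000"], "A"))  # True
    print(lexical_order_is_numeric(["CVE-2014-9999", "CVE-2014-10000"], "B"))      # False
    print(lexical_order_is_numeric(["CVE-2014-9999-3", "CVE-2014-10000-8"], "C"))  # False
```

Under Option A a string sort and a numeric sort agree for every ID; under Options B and C they diverge as soon as the sequence number crosses a power of ten, which is exactly the kind of breakage the "easier to manage" argument refers to.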