We Need a Revote with a different Option A! Was RE: CVE ID Syntax Change - Second Round Voting Ballot (Deadline Wednesday, May 22, 2013, 11:59 PM EDT)
- To: "Boyle, Stephen V." <email@example.com>, cve-editorial-board-list<cve-editorial-board-list@LISTS.MITRE.ORG>
- Subject: We Need a Revote with a different Option A! Was RE: CVE ID Syntax Change - Second Round Voting Ballot (Deadline Wednesday, May 22, 2013, 11:59 PM EDT)
- From: "Williams, James K" <James.Williams@ca.com>
- Date: Fri, 17 May 2013 12:23:49 +0000
- Delivery-Date: Fri May 17 08:25:17 2013
At this point in the 2nd round voting, with discussions over the rules and a recent vote submission controversy, this seems like a perfect time to bring up a much bigger issue. OPTION A (Year + 8 digits, with leading 0's) is simply a bad option, and 8 digits was never even considered to be a popular option before this round of voting. A much better Option A, and the Option that would likely win in a round of voting against the current Option B, is an Option A with Year + 6 digits, with leading 0's. I've spoken with a couple of other people who wholeheartedly agree.
Keep in mind that we're having this vote in the first place to solve a 10k problem. 6-digits is the most realistic solution to the 10k problem. If we reach a 1 million problem, then CVE as we know it will not even exist. It'll be a CVE where vulnerabilities/exposures are automatically processed by machine, read by machine, and humans will have less/no direct contact with CVE identifiers.
I'd like to propose that we have a revote with a modified Option A (Year + 6 digits, with leading 0's) that would be a *realistic choice and viable contender*. If absolutely necessary, we could even have an Option A Primary round of voting with [Year + 8 digits, with leading 0's] vs. [Year + 6 digits, with leading 0's].
Please think about it.
Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
firstname.lastname@example.org - 816-914-4225
From: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of Boyle, Stephen V.
Sent: Tuesday, May 07, 2013 7:35 PM
Cc: Boyle, Stephen V.
Subject: CVE ID Syntax Change - Second Round Voting Ballot (Deadline Wednesday, May 22, 2013, 11:59 PM EDT)
CVE ID Syntax Change - Second Round Voting Ballot
- Deadline May 22, 2013, 11:59 PM EDT
This is the official voting ballot for the Second Round of voting
for the CVE ID Syntax Change.
The Second Round voting period is from 12:01 AM US EDT on
Wednesday, May 8, 2013 until 11:59 PM US EDT on Wednesday,
May 22, 2013.
A summary of the two options is listed as OPTION A and OPTION B.
Option A is modified from the first round, per discussion on the CVE
Editorial Board mailing list.
The previous Option C has been eliminated from further consideration.
1) You MUST fill out the entire voting ballot and post it to the entire CVE
Editorial Board mailing list.
2) All votes MUST be received by 11:59 PM US EDT on Wednesday,
May 22, 2013. Please allow for possible delays in email delivery
and adjust accordingly.
3) There is only one vote per organization.
4) Only the FIRST valid voting ballot counts for each organization. A valid
voting ballot lists the first and second choice, and provides reasons for
each choice (details below). If another ballot is received at a later
time, only the first valid ballot will be counted.
5) A ballot will be marked as "invalid" and returned to the voter if any
of the following occurs:
- the first and second choices are not clearly identified
- there is no reason provided for one or more choices
- it is not clear which reason is associated with which option
- the ballot is not published to the Editorial Board mailing list
- the ballot is not received by the deadline.
The voter may fix an invalid ballot and resubmit a valid ballot as long
as it is submitted before the deadline.
6) Other details about procedures are covered in the email sent to the
CVE Editorial Board mailing list on May 7, 2013, with the subject line
"CVE ID Syntax Change - 2nd Round Voting - Procedures and Timeline
(starts May 8, 2013)".
Filling out the ballot
1) As specified in the VOTING BALLOT below, clearly indicate your
FIRST CHOICE and SECOND CHOICE. For each choice, list either
"OPTION A" or "OPTION B".
- Each option can only be listed once.
- The FIRST choice is the syntax option that is your primary choice.
This is the option that you most want CVE to use.
- The SECOND choice is the option that you would select *if* your
FIRST choice is not accepted.
2) For each choice, fill out the associated REASONS section to give your
reason(s) for supporting (or not supporting) your choice. The reason(s)
must be in plain text and included in-line with the form, not as
an attachment. There is no limit on the length of your response.
SUMMARY OF OPTIONS
OPTION A: Year + 8 digits, with leading 0's
CVE-2014-00000001, CVE-2014-00000999, CVE-2014-00001234,
CVE-2014-00009999, CVE-2014-00010000, CVE-2014-00123456,
OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999
CVE-2014-0001, CVE-2014-0999, CVE-2014-1234, CVE-2014-9999,
CVE-2014-10000, CVE-2014-54321, CVE-2014-99999,
CVE-2014-100000, CVE-2014-123456, CVE-2014-999999,
Enter your votes as specified in the preceding "Instructions" and
"Filling out the ballot" sections.
REASONS (first choice):
REASONS (second choice):
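
The syntaxes under discussion in this thread, written out as validators and a formatter. This is an added example, not part of either message or of any CVE tooling. The syntax labels and function names are made up for the example, and the 4-digit pattern for the existing syntax is an assumption taken from the "10k problem" wording above.

```python
import re

# Labels are invented for this example; patterns follow the ballot's summary.
SYNTAXES = {
    "current-4-digit": re.compile(r"CVE-(\d{4})-(\d{4})"),    # assumed existing syntax
    "option-A-8-digit": re.compile(r"CVE-(\d{4})-(\d{8})"),   # ballot OPTION A
    "proposed-6-digit": re.compile(r"CVE-(\d{4})-(\d{6})"),   # modified Option A proposed above
    # Ballot OPTION B: 4 or more digits; leading 0's only pad IDs 1 to 999.
    "option-B-variable": re.compile(r"CVE-(\d{4})-(\d{4}|[1-9]\d{4,})"),
}
FIXED_WIDTH = {"current-4-digit": 4, "proposed-6-digit": 6, "option-A-8-digit": 8}


def conforming_syntaxes(cve_id):
    """Return the sorted labels of every syntax that cve_id fully matches."""
    return sorted(n for n, rx in SYNTAXES.items() if rx.fullmatch(cve_id))


def format_id(year, seq, syntax):
    """Render sequence number seq under one syntax; ValueError if it cannot fit."""
    if seq < 1:
        raise ValueError("sequence numbers start at 1")
    if syntax == "option-B-variable":
        return f"CVE-{year}-{seq:04d}"        # pads only below 1000
    width = FIXED_WIDTH[syntax]
    if seq >= 10 ** width:
        raise ValueError(f"{seq} does not fit in {width} digits")
    return f"CVE-{year}-{seq:0{width}d}"


def year_and_sequence(cve_id):
    """Parse to (year, number) so the same entry compares equal across syntaxes."""
    for rx in SYNTAXES.values():
        m = rx.fullmatch(cve_id)
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError(f"not a recognised CVE ID: {cve_id!r}")


if __name__ == "__main__":
    for sample in ("CVE-2014-0001", "CVE-2014-00010000", "CVE-2014-123456"):
        print(sample, conforming_syntaxes(sample), year_and_sequence(sample))
```

Tools that store or match IDs as strings need the numeric comparison in `year_and_sequence`, since the same entry is written differently under each option.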