[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)

On Tue, 13 Jun 2000, Steven M. Christey wrote:

> *4) If P1 and P2 are not fixed by the same patch or set of patches,
>     then they must remain SPLIT.

I think this rule is inappropriate for CVE's purposes.

While I realize that rules 1-3 would usually apply before this rule would, this
rule is, in my opinion, completely orthagonal to the others, and is further a
poor guide for any decisions regarding the content of CVE.

The way that vendors construct patches is in no way related to the nature of
vulnerabilities. Further, some vendors don't even have to concept of "patches"
(e.g., Red Hat Linux and IBM AIX (mostly) has no "patches"; it only has newer
versions of packages). We have many, many experiences where vendors issue
patches, then change their mind subsequently and merge or split patches. Or they
incorporate many, many corrections into one "patch" (consider Microsoft SP?--is
that a patch or a collection of patches?). Vendors package software according to
the rules of their business, not according to the technical content of the
software; in some cases, it may not appear thus, but in the long run, this must
be true for the vendor to remain financially viable.

All of the preceding rules (1-3) and most of the ones following this one are
focused on the nature of the vulnerability and the related software engineering
practice that produced it. This rule is not.

I think this rule is incorrect and should not be used.

Bill Fithen

Page Last Updated or Reviewed: May 22, 2007