
Re: CVE ID Syntax Change - Voting Ballot (Deadline April 14, 11:59PM EDT)

On Mon, 1 Apr 2013, cve-id-change@mitre.org wrote:

: 1) You MUST fill out the entire voting ballot and post it to the
:    entire CVE Editorial Board mailing list.

: 3) There is only one vote per organization.

Voting on behalf of the Open Security Foundation (OSF) and the Open Source 
Vulnerability Database (OSVDB).

: 1) As specified in the VOTING BALLOT below, clearly indicate your
:    FIRST CHOICE, SECOND CHOICE, and LAST CHOICE.  For each choice,
:    list either "OPTION A", "OPTION B", or "OPTION C".

: 2) For each choice, fill out the associated REASONS section to give
:    your reasons for supporting (or not supporting) your choice.  There
:    is no limit on the length of your response, but the reasons must be
:    in plain text and included inline with the form, not as an
:    attachment.

This is our FIRST choice:

: OPTION A: Year + 6 digits, with leading 0's
:   Examples: CVE-2014-000001, CVE-2014-000999, CVE-2014-001234,
:   CVE-2014-009999, CVE-2014-010000, CVE-2014-054321, CVE-2014-099999,
:   CVE-2014-100000, CVE-2014-123456, CVE-2014-999999

Fixed length is easier to manage in many tracking systems, avoids 
confusion, and will last until Steve Christey is in the ground.

This is our SECOND choice:

: OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999
:   Examples: CVE-2014-0001, CVE-2014-0999, CVE-2014-1234,
:   CVE-2014-9999, CVE-2014-10000, CVE-2014-54321, CVE-2014-99999,
:   CVE-2014-100000, CVE-2014-123456, CVE-2014-999999, CVE-2014-1234567

This is absurd. Why pad digits for the first ten thousand, and not the 
rest? If the goal is to have this be a final solution to never need 
upgrading, fine, but drop the 0 padding from all of them to stay 
consistent. This scheme is also pretty ugly. Steve Christey in a dress 

This is our THIRD choice:

: OPTION C: Year + arbitrary digits + check digit
:   Examples: CVE-2014-1-8, CVE-2014-999-3, CVE-2014-1234-3,
:   CVE-2014-9999-3, CVE-2014-10000-8, CVE-2014-54321-5,
:   CVE-2014-123456-5, CVE-2014-999999-5, CVE-2014-1234567-4

Really? What the hell is the check digit really for, other than to make us 
look SMRT? This is also likely to introduce the most confusion as people 
may associate it with a versioning scheme, a la Debian (1.2.3-3 over 
1.2.3). It is also convoluted, and ugly like a 4am Vegas hooker, because 
the good ones got picked over already.
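As an added illustration, not part of the original message or the ballot, here is a Python check of how the three proposed syntaxes behave in the kind of tracking system the reply mentions: which options accept a given ID string, and whether plain string sorting of IDs still gives numeric order. The Option C check-digit algorithm is not given on the page, so only that option's shape is checked; all sample IDs below are the ballot's own examples.

```python
import re

# The three syntaxes exactly as the ballot options describe them.
OPTION_PATTERNS = {
    # Option A: year + exactly 6 digits, zero-padded.
    "A": re.compile(r"^CVE-(\d{4})-(\d{6})$"),
    # Option B: year + 4 digits (IDs 1-999 padded to 4), or 5+ digits with no leading 0.
    "B": re.compile(r"^CVE-(\d{4})-(\d{4}|[1-9]\d{4,})$"),
    # Option C: year + arbitrary digits (no padding) + one check digit.
    # The ballot does not state the check-digit algorithm, so only the shape is checked.
    "C": re.compile(r"^CVE-(\d{4})-([1-9]\d*)-(\d)$"),
}


def matching_options(cve_id):
    """Return the set of ballot options whose syntax accepts this ID string."""
    return {opt for opt, pat in OPTION_PATTERNS.items() if pat.match(cve_id)}


def sort_key(cve_id):
    """Numeric (year, sequence) key that orders IDs correctly under every option.
    A tracker that compares the raw strings instead gets Option B wrong once
    the sequence number grows past four digits."""
    for pat in OPTION_PATTERNS.values():
        m = pat.match(cve_id)
        if m:
            return (int(m.group(1)), int(m.group(2)))
    raise ValueError("not a CVE ID in any proposed syntax: " + cve_id)


def lexicographic_order_is_correct(ids):
    """True if plain string sorting agrees with numeric sorting for these IDs."""
    return sorted(ids) == sorted(ids, key=sort_key)


if __name__ == "__main__":
    # Ballot examples: fixed width (A) sorts as strings, variable width (B) does not.
    option_a = ["CVE-2014-009999", "CVE-2014-010000", "CVE-2014-100000"]
    option_b = ["CVE-2014-9999", "CVE-2014-10000", "CVE-2014-100000"]
    print("Option A string order correct:", lexicographic_order_is_correct(option_a))
    print("Option B string order correct:", lexicographic_order_is_correct(option_b))
    # The same string is valid under both A and B, which a parser must cope with.
    print("CVE-2014-100000 accepted by:", sorted(matching_options("CVE-2014-100000")))
```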


Page Last Updated or Reviewed: October 03, 2014