
Red Hat Vote: CVE ID Syntax Change - Second Round Voting Ballot



Red Hat vote

> =====================================================
> VOTING BALLOT
> =====================================================
>
> Enter your votes as specified in the preceding "Instructions" and
> "Filling out the ballot" sections.
>
> *****************************************************
>
> FIRST CHOICE:

Option B

> REASONS (first choice):

This option had the unanimous support of the Red Hat Security Response 
Team and Product Security teams.  Our consideration was based on our 
belief of what is right for the community, not just for Red Hat (our own 
systems can currently already handle either Option A or Option B).

I believe that it is equally likely we'll see a contraction of scope of 
CVE instead of an expansion, so we may well never even breach the 4 digits 
anyway.

The downside is that without a fixed deadline to implement changes, many 
systems that handle CVE will delay changes, increasing the chance of 
systems breaking should the 4 digits be breached.

> *****************************************************
>
> SECOND CHOICE:

Option A

> REASONS (second choice):

Just too many digits; it will make it difficult for consumers to talk 
about CVE names in conversations, bloat CVE name lists and advisories, and 
we believe as above it's unlikely these extra digits will get much use.


Page Last Updated or Reviewed: October 03, 2014