Re: CVE ID Syntax - Seeking Suggestions for Outreach

I thought about doing that (a test CVE) but the thought of breaking
things in production on purpose, earlier than previously announced
(expectations have already been set), made me queasy.  It would be
easier to stomach if done "just before" we run out of old IDs.


On Thu, 3 Apr 2014 10:40:23 -0400
Adam Shostack <adam@homeport.org> wrote:

> On Thu, Apr 03, 2014 at 09:04:11AM -0400, Pascal Meunier wrote:
> | I expect most customers will get engaged only when something breaks.
> | I think it would be most useful to publicize the switch and send
> | notices just before you run out of old format IDs.  What "just
> | before" means could be "1 week" but is of course debatable.
> I think Pascal nails it here: we will get incremental value from
> additional rounds of PR, but at some level, there will be folks who
> don't feel a need to act until there's a need.
> So allow me to advocate for "propaganda through action": issue a
> single CVE soon which is intended to stress the toolchains.  Make it
> a real CVE, so that the customers have a way to check if their
> toolchains really work.
> I'll further advocate that this should be done soon, and should be the
> focus of the new round of PR.
> Adam
> PS:  I don't actually know if this is a good idea, but wanted to
> throw it out for consideration.

Page Last Updated or Reviewed: October 03, 2014