[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVE ID Syntax - Seeking Suggestions for Outreach
- To: Pascal Meunier <pascal@purdue.edu>
- Subject: Re: CVE ID Syntax - Seeking Suggestions for Outreach
- From: Adam Shostack <adam@homeport.org>
- Date: Thu, 3 Apr 2014 13:45:34 -0400
- CC: Pascal Meunier <pmeunier@cerias.purdue.edu>, <coley@mitre.org>, <cve-editorial-board-list@LISTS.MITRE.ORG>
- Delivery-Date: Thu Apr 3 13:45:48 2014
- In-Reply-To: <20140403105822.606c387e@saguenay.hubzero.org>
- References: <Pine.GSO.4.64.1404021001230.9228@faron.mitre.org><20140403090411.57d35fea@saguenay.hubzero.org><20140403144023.GA11439@boomer.homeport.org><20140403105822.606c387e@saguenay.hubzero.org>
- User-Agent: Mutt/1.5.23 (2014-03-12)
It makes me queasy, too. Another part of me says if it were done, then when it were done, twere best it was done quickly, and perhaps (noting Steve's mail), it would be best to announce a date when we plan to break things. As I think about the year, I can hope that security people will be busy migrating away from XP in the near future, and expect they'll be busy with Blackhat-related announcements at the start of August. So a soon date might be July, and a far date might be September. The later we push, the higher the liklihood that we're planning to scramble. Adam On Thu, Apr 03, 2014 at 10:58:22AM -0400, Pascal Meunier wrote: | I thought about doing that (a test CVE) but the thought of breaking | things in production on purpose, earlier than previously announced | (expectations have already been set), made me queasy. It would be | easier to stomach if done "just before" we run out of old IDs. | | Pascal | | On Thu, 3 Apr 2014 10:40:23 -0400 | Adam Shostack <adam@homeport.org> wrote: | | > On Thu, Apr 03, 2014 at 09:04:11AM -0400, Pascal Meunier wrote: | > | > | I expect most customers will get engaged only when something breaks. | > | I think it would be most useful to publicize the switch and send | > notices | just before you run out of old format IDs. What "just | > before" means | could be "1 week" but is of course debatable. | > | > I think Pascal nails it here: we will get incremental value from | > additional rounds of PR, but at some level, there will be folks who | > don't feel a need to act until there's a need. | > | > So allow me to advocate for "propaganda through action": issue a | > single CVE soon which is intended to stress the toolchains. Make it | > a real CVE, so that the customers have a way to check if their | > toolchains really work. | > | > I'll further advocate that this should be done soon, and should be the | > focus of the new round of PR. | > | > | > Adam | > | > PS: I don't actually know if this a good idea, but wanted to | > throw it out for consideration. | > | > -- Join my mailing list, and be the first to hear about my new projects! http://www.homeport.org/~adam/newthing.html
- References:
- CVE ID Syntax - Seeking Suggestions for Outreach
- From: "Steven M. Christey" <coley@mitre.org>
- Re: CVE ID Syntax - Seeking Suggestions for Outreach
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: CVE ID Syntax - Seeking Suggestions for Outreach
- From: Adam Shostack <adam@homeport.org>
- CVE ID Syntax - Seeking Suggestions for Outreach
- Prev by Date: RE: CVE ID Syntax - Seeking Suggestions for Outreach
- Next by Date: Peter Mell has left the CVE Editorial Board
- Prev by thread: RE: CVE ID Syntax - Seeking Suggestions for Outreach
- Next by thread: Re: CVE ID Syntax - Seeking Suggestions for Outreach
- Index(es):
