
Re: An interesting data point

: > #1 2017-1000186 doesn't appear to be in there, yet is a DWF 
: > Makes me think that your original mail applies to this sheet only. 
: > me wonder what the status codes for prior assignments would look like, in
: > a summary as you originally provided. That said, this sheet, along 
: > the original mail, still doesn't give me the info needed to answer 
: > question about 1000186.
: You can check the git history and the spreadsheet history for info on 


Pretty JSON and "cleanup", basically unhelpful commit messages. Taking 
time to go through them, there is no indication this request was 
at all. 

And "go through the sheet history"? I find it odd that after all the 
and work done, even via an automation sub-group, that your suggestion 
to go through a Google sheet history. Worse, you apparently don't 
that anonymous viewers cannot see the revision history of a Google 
That option is greyed out for us, so that is not a solution at all (see 
attached screenshot).

Is this really the CVE assignment history process we're encouraging? I 
about 2017-1000186 because this is a recent example of a bad 
and a cursory analysis of it should give you or anyone else the same 
conclusion. This, and other recent DWF assignments, haven't been 
up because the last time I did so (via opening Issues on the DWF GitHub 
project) received an equally negative reaction that makes *me* not want 
work to improve the assignments. Imagine what the regular CVE consumer 
would face if they wanted to. 

Now, consider your response to me asking about a single DWF assignment 
"read a Sheet history you can't access" and "read the commits which 
no information pertinent to your question". After opening issues the 
time, this makes two separate times where your proposed solution 
work for a CVE board member familiar with this process, and simply is 
viable for the average CVE consumer. Sincerely, and I have said this 
times on this list over the years, our actions as CVE board members 
be about us only. We are on the board to represent CVE consumers and 
input to the processes as they benefit the community and the entire CVE 

: > #2 Line 211/212, can you assign these ASAP? Hanno reached out to me
: > earlier today, frustrated at the time it has taken to get an 
: > for WolfSSL, as his intended multi-vendor disclosure date looms 
: > Please respond to him directly.
: Uh. 2 comments: one I told him to write better descriptions/etc. and 
: leave them as a comment. Secondly: this sheet is public.
: "Please note that the contents of this form are made PUBLIC at 
: https://pending-requests.distributedweaknessfiling.org/ and anyone 
: add comments. "
: so .. a disclosure date.. er... ok then.

Just relaying a message from an unhappy CVE consumer that felt reaching 
out to me for help was what he saw as the best alternative, after not 
getting an assignment from DWF or MITRE. He didn't mention your reply 
him regarding the description, but it makes me wonder why we have 
different criteria for requesting a CVE via DWF and MITRE. Not sure who 
can speak to that, but it seems like a problem to me. 

Either way, in case he didn't tell you, this is part of a multi-vendor 
assignment that involves at least two other CNAs and several other 
vendors. So respectfully, please try to find a few minutes to reply to 
today and see if you two can figure out how to get him the WolfSSL 
assignment(s) in the interest of making this as coordinated a 
as possible.

Regarding your 2nd comment, would you like me to add a comment to the 
sheet saying "fix the column widths to make this readable" after your 
proposed "solution" below?

: > #3 I get that the sheet makes export and CSV manipulation easy, but 
: > someone expand the columns to make this more easily readable to humans, or
: > give me permission so I can do it? =)
: Nope. You can download/make a copy if needed.

For a sheet that will be updated hours/days/weeks/months/years later 
presumably... your solution to make this more readable to humans while 
native Sheet format is for them to make a copy, each and every time 
want to read it, and resize those columns every single time they make 

Again, did we lose focus on the whole 'automation' bit that seemed 
important earlier this year? What harm is there in making a one-time 
change that is a bit more readable for humans on a public sheet? I even 
offered to do that for you.

There is a serious disconnect between the handful of people working on 
these CVE assignment / tracking components, and the CVE consumers, who 
this entire ecosystem is designed for.


Attachment: cve-request-form-history.png

Page Last Updated or Reviewed: December 05, 2017