When filing bugs, please don't ask maintainers to refer to Secunia IDs. The entries in there are often poorly researched and not suitable as unique references among distributions. Rather point them to the CVE entry or - if not yet available - tell them that a CVE ID is going to be requested.

Cheers,
Moritz
Moritz Muehlenhoff wrote:
> When filing bugs, please don't ask maintainers to refer to Secunia IDs.
> The entries in there are often poorly researched and not suitable as
> unique references among distributions. Rather point them to the CVE
> entry or - if not yet available - tell them that a CVE ID is going
> to be requested.

This is what I have on my template:
> If you fix the vulnerability please also make sure to include the SA id (or
> the CVE id when one is assigned) in the changelog entry.

Do I really need to mention that "a CVE ID is going to be requested"?

I believe it is better to have a Secunia ID than no other information to easily identify the issue. Or should I stop asking for that?

> Cheers,
> Moritz

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
On Wed, Nov 19, 2008 at 04:07:27PM -0600, Raphael Geissert wrote:
> Moritz Muehlenhoff wrote:
>
> > When filing bugs, please don't ask maintainers to refer to Secunia IDs.
> > The entries in there are often poorly researched and not suitable as
> > unique references among distributions. Rather point them to the CVE
> > entry or - if not yet available - tell them that a CVE ID is going
> > to be requested.
>
> This is what I have on my template:
> > If you fix the vulnerability please also make sure to include the SA id (or
> > the CVE id when one is assigned) in the changelog entry.
>
> Do I really need to mention that "a CVE ID is going to be requested"?
>
> I believe it is better to have a Secunia ID than no other information to easily
> identify the issue. Or should I stop asking for that?

I'd write:

| If you fix the vulnerability please also make sure to include the CVE id (
| if available) in the changelog entry.

In such a case it's probably better to simply add a CVE ID to the bug log later, the Secunia IDs are too disorganised to be useful.

Thanks,
Moritz
* Raphael Geissert:
> I believe it is better to have a Secunia ID than no other
> information to easily identify the issue. Or should I stop asking
> for that?

We should really concentrate on CVEs. The United States haven't got a notion of database copyright, so their naming service won't have any IPR issues. In addition, we've got local copies of their database.
Florian Weimer wrote:
> * Raphael Geissert:
>
>> I believe it is better to have a Secunia ID than no other
>> information to easily identify the issue. Or should I stop asking
>> for that?
>
> We should really concentrate on CVEs.

I never said we shouldn't. I just thought that having some sort of id when a CVE isn't known/assigned would be better than none (one could argue that the BTS' bug id is...).

> The United States haven't got a
> notion of database copyright, so their naming service won't have any
> IPR issues. In addition, we've got local copies of their database.

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net