On Fri, 24 Apr 2020 14:21:18 +0200 Matthias Gerstner <mgerst...@suse.de> said:
> Hi,
>
> > > > > From my point of view at least items a), b) and d) deserve a CVE
> > > > > assignment due to the severity of the issues. Even if to my knowledge
> > > > > the code in question wasn't yet part of an official release, it
> > > > > might help the community to identify risks in their systems. Please
> > > > > tell me whether you want to assign CVEs on your end or whether I
> > > > > should do this.
> > > > >
> > > I'm curious, would it be worthwhile to ask for CVEs? I'm also curious
> > > to know what's the target release for the fixes, so we can track these
> > > on the Arch Linux side :)
> > >
> > it's in new, unreleased code in git master... the point is to not have
> > any CVEs :)
>
> it's a point of debate. Very strictly speaking, every state of the code
> that was publicly available is entitled to CVE assignments. When
> thinking of widespread projects like the Linux kernel, for example, you
> can never know who was or who will be cherry-picking certain commits
> etc. without being aware that there's a problem.
>
> For distributions in this specific case there's no added value, except
> if they ship development snapshots of Enlightenment.
>
> I don't want to be all bureaucratic about it. I could also post the
> report to the oss-sec mailing list and refrain from getting CVEs
> assigned. This would also allow the OSS community to get some attention
> on these findings that others may be interested in.

that means you should do a security audit for every commit and generate CVEs... I think that's just insane. :)

-- 
------------- Codito, ergo sum - "I code, therefore I am" --------------
Carsten Haitzler - ras...@rasterman.com