Open letter to the CVE Project/CNAs

($INBOX_DIR/description missing)
 help / color / mirror / Atom feed

* Open letter to the CVE Project/CNAs
@ 2024-04-22 19:37 Richard Purdie
  0 siblings, 0 replies; only message in thread
From: Richard Purdie @ 2024-04-22 19:37 UTC (permalink / raw
  To: <yocto@lists.yoctoproject.org>, openembedded-architecture

The recent NVD changes have impacted a number of projects and there are
quite a few uneasy developers out there, not just in the Yocto Project
community but much more widely. There could be some simple changes or
process improvements that the CVE Project could make which would
massively help things.

The key thing for many of us is to have accurate product/vendor
identification and useful version constraints. A secondary issue is an
easy process to allow updates/addition of that information.

The intent would be to have accurate CVE data at source, freeing NVD
andothers to validate/improve/vet that information.

As such I'm inviting our community to sign this open letter, the intent
of which is show the demand for these improvements:

https://github.com/yoctoproject/cve-cna-open-letter

I've chosen to use github pull requests for this for ease.

Please feel free to share this widely as I believe the ideas here would
benefit many projects as we all face a similar challenge.

What we don't want to see is "pay for access" data, or a fragmented
data ecosystem which is becoming a real risk.

The letter deliberately doesn't dive into implementation details as it
would complicate a simple message, those details are a solvable problem
if the desire is there. The version 5 schema already hints at some of
this path, this proposal would just take it a step further again by
allowing buy in from the CNAs themselves.

If there is a good process and tooling to allow updates of CVE entries
with information, even if it is optional, it will get adopted if it
works well and is helpful.

Cheers,

Richard
(on behalf of the Yocto Project/OpenEmbedded TSCs)

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2024-04-22 19:37 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-22 19:37 Open letter to the CVE Project/CNAs Richard Purdie

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).