
Re: [CVEPRI] CVE accuracy, consistency, stability, and timeliness



Some quotes from what Steven wrote:

>As you can see from the CD proposals so far, the default action
>is generally to merge two issues when there is incomplete
>information. But some people have expressed a preference for keeping
>the issues split if there is no good information.

>I agree with David LeBlanc; I think we will pay a price regardless of
>which default action we choose. My initial thought was that a default
>split action would make CVE maintenance much easier, but we
>must consider the impact of CVE on its users.

From the point of view of the two CVE-using products I am working on, it is a basic requirement that CVE does not "invent" relationships. If we merge by default entries that should not be merged, we imply a relationship that does not exist, which is misleading, and CVE is then wrong: the fundamental sin of scientific research. If we split by default, CVE is simply ideal from my point of view, and it can stay that way. I am much more tolerant of subsequent CVE merges and changes. A footnote saying that a merge between two CVE entries is possible would be enough.

>The basic question is: how much effort should be put into making
>sure that CVE entries are accurate and stable, and can we live with the
>extended review process that it will require (in other words,
>business as usual)? Or are we willing to accept some inaccuracy and
>additional mapping maintenance in order to allow CVE to remain
>relatively timely?

Accuracy as in the CVE modeling the vulnerabilities with a consistent level of abstraction is not the kind of accuracy that I need; a better word for what I need would be correctness, and that can be attained without a model. Correctness ranks 10/10; consistency in level of abstraction and optimal data compression ranks a 1/10. In my mind, it is possible to be perfectly correct and stable with a light review process. I believe that making an "accurate" model of vulnerabilities is beyond the mandate of the CVE.

As for error rates, it is hard to give a number because there is no alternative to the CVE. What is the error rate that we tolerate in dictionaries? I am much more tolerant of missing entries than of incorrect information. I would be cautious of any use I made of the CVE if I knew that it contained 5% incorrect entries, and I would probably stop using it if there were more.

Pascal

"You cannot build a happy private life in a corrupt society any more than you can build a house in a muddy ditch."
Anonymous Czech woman, from the 2000 Commencement Address by Bill Moyers about the American political system

Page last updated or reviewed: May 22, 2007