Re: CVE ID Syntax Vote - Results and Next Steps

On Thu, 18 Apr 2013, kent_landfield@mcafee.com wrote:

: Not sure if you are just trying to be confrontational or not looking at
: reality.

My goal is to have a discussion, so that we don't keep hitting this voting stalemate. Also, I might ask if you are trying to be a troll with some of your comments.

: As a community, we are already over 10,000 vulnerabilities.

If so, please educate us. Which VDBs have logged 10,000 vulnerabilities in a given year? Then show us which of them I am the content manager of. That's right, I run the only public VDB I know of that has, and that was in 2006. Since then, we have not hit 10K again, but we are working toward it with our historical backfill efforts. Now, you want to discuss who is being confrontational and/or trolling here?

Again, I state as absolute fact, which is not confrontational, that historically, we have not hit 10,000 CVEs.

: CVE did not wish to report them all that does not change the situation.

It absolutely does. If CVE says "we aren't going to report on all vulnerabilities", it speaks to the allocation pool required. If current guidelines suggest they only monitor X sources, which is Y percent of total disclosed vulnerabilities as documented across all VDBs, it gives us a good idea of whether 1MIL or 10MIL is ever going to be breached by current or realistic future policy.

: So what you are arguing about is a single digit? Really? By extending
: it a 'single' digit you can most likely get the votes to pass it. A
: single digit?

Actually I am arguing against 'B' more than I am arguing for 'A'. Don't make assumptions. I am against the mixed format of 'B', where the padding of zeros applies to the first 9999 entries and no more. I want a standard format. If that is 'A' and 6, 7, or 18 digits, or if that is 'B' and no padding at all, I don't much care. I see the standard digits as easier to work with, and it helps ensure the identifier is correct in length.

: As for being selfish? you are sadly mistaken. This is a real cost to
: the entire community, All vendors and organizations that use CVE
: internally, they too will have to go through the same QA. This is not

That is factually incorrect too. This has absolutely NO cost to a large part of the community, unless you are selfishly describing the community as "vendors that have technical implementations of the CVE system", of which I am a part on two fronts: my day job, and OSVDB. This impacts me more than it impacts you in some ways.

: selfish, this is a reflection of the costs that ALL in the community are
: going to have to deal with. We want CVE adoption to be universal. I am

See above. You have delusions about what the "community" entails here, I think. You think Joe Researcher, with 4 disclosures a year, who is currently asking for a CVE, has any cost associated with it? No. Yes, there is a real cost to some members of the community. Yes, you are in a position to bear a LOT more cost than 99% of the community. Thus, my assertion that your choice may be biased and selfish. That may be a bit confrontational, but it is also rooted in logic.

: My opinion is more than clear. I am hoping we will hear from others as
: well. We know where you stand as well.

Except, you don't. You made assumptions that I outline and clarify above. Now that I tell you that 'A' or 'B' doesn't matter, as long as it is standard, does that change any of your arguments? I've already established that you are factually incorrect about two things.
