
Re: CVE ID syntax vote, results and next steps



I made a list of desirable properties of CVE identifiers, based on the votes and discussions. I believe that by weighing these, our situation may become clearer.

CVE identifiers should (in no particular order):

1. Be immutable once issued: references do not change, just like DOIs (Digital Object Identifiers). When the format changes, the new format should apply only to newly issued CVE IDs. This is different from wanting to delay change, and could in theory allow any number of changes.
2. Have a consistent (elegant, not ugly) numbering method and format: the format should follow a "standard way".
3. Have a format and numbering that will accommodate future needs.
4. Have a format that will help make transcription errors evident, or easily detectable (example errors: dropped digits, "fat finger").
5. Have an easily readable format (for humans).
6. Have a format that is similar to the current one.
7. Have a format that is easy to handle by machines (read, decoded, sorted).
8. Delay a format change as long as possible.
9. Have clear storage or internal representation requirements (e.g., 64-bit integer).
10. Have a format similar to that used by other identification schemes (e.g., CCE) so parsing libraries can be reused.
11. Avoid complexity (e.g., extra check digit).

Option A: 2, 3, 4, 5, 7, 9, 11
Option B: 1, 3, 5, 6, 8, 11
Option C: 3, 4, 7, 10
Option A' (no leading 0s, capped at static length): 2, 3, 5, 7, 9, 11
Option B' (no leading 0s): 2, 3, 5, 7, 11

Option A is superior if equal weights are used. I believe #1 and #8 should have more weight, so I prefer option B. #1 is an academic principle, #8 is practical. #1 could be satisfied by applying option A only from 2014 forward; if this was considered, I'd vote for it.

Pascal

Page last updated or reviewed: October 3, 2014