
RE: Question about robots.txt



Some comments below.

> : We have had multiple conversations on the Board conference calls
>
> See prior mails. Until you give me a) a majority of the board on a call
> and b) the entire transcript of the call provided to the board,
> this is exclusionary. There is no middle ground.

This has been brought up several different times by different board members. The simplest way to resolve this is to post upcoming CVE program plan changes to the board list, so that all board members can give feedback before the changes. In the future it would also be good to give a week or two of notice, as some board members may be on vacation or occupied. In this way, there is actual discourse. The board calls then become deeper conversations if individuals want to add more.

> : about the fact that there are many RESERVED CVE IDs in the
> : current CVE list, and there was a general consensus that they should
>
> When I have 5 or 6 board members in a chat saying "MITRE is doing it wrong",
> can we also consider that a general consensus?

A second benefit of using email lists for feedback is that consensus, the lack of sustained objection, is easily discernable by all involved.

> : As a first step in tackling the larger cleanup effort, we began
> : contacting CNAs in March of this year to determine what CVE IDs they had
> : not used from their previously assigned CVE ID blocks. All but a couple
>
> Did you CC the CNA list? If not, why not? I have a pretty solid case history of
> bringing CNA issues to you directly. It is clear that some of us have a vested
> interest in this and were proactive in coming to you with issues. Did you
> forget to include those same people in said discussions, publicly or
> privately?

CCing the CNA list would be a good thing to do here.

> : first step and he was not clear on exactly what the end result would be.

I wasn't clear. This highlights the need for more transparency and discussion of these things on the board list giving plenty of time to comment.

> We saw the email about the one day push. And... can we go back to my mail?
> I really don't know how to say this any more simply, I thought the original
> mail was clear.
>
> - The Board got ONE DAY warning.
> - NIST spoke up and said "whoa wait".
> - We now see you had a phone call on the back of the NIST mail
> - You pushed the 3k release by ONE day
> - You told the public via a CVE mail that few in our industry read
> - I said that wasn't sufficient for public warning

See previous comments.

> Then you send a patronizing mail "innocently" (ignorantly) questioning me on
> all of this. Not sure where this attempt at gaslighting is coming from, other
> than you forget who the board is. The concern and questions are legitimate,
> speak directly to "stakeholders", and are of critical interest/impact to the CVE
> offering as affects the industry.
>
> : Dave can correct me if I'm wrong, but we didn't interpret the comment
> : "ignored by the NVD" to mean that the NVD team would not publish the
> : REJECT CVE entries. Our interpretation is that the NVD team does not see
> : a need to analyze the entries and will simply publish them as is, with
> : no significant effort on their part.

Any CVE entries that are rejected are not analyzed. The entries do appear in our feeds.

> Seriously? This is the biggest argument to stop these back-alley phone
> conversations and to keep things on list, where we see a record of what was
> said. This is how NIST replied to the board, in all the glory:
>
>   We have been able to confirm that the rejected CVEs will be ignored by
>   the NVD. Thanks for being flexible by pushing this back a day.

I regret not being more clear and specific in my email. Allowing more time to discuss these types of issues will allow for more robust dialog, which is needed in these cases.

> You did not "interpret" the comment "ignored by the NVD" to mean they
> would not publish the REJECT CVE entries?
>
> Well guess what. Several of us explicitly read that statement to mean they
> would ignore them... completely. As in, "don't exist, at all".
>
> As in, other solutions are now involving Dev to figure out how to handle
> 3k+ new entries, on top of many hundreds of existing, to deliver to 3k+ their
> customers. These are customers who turned their back on CVE, but still have
> an "irrational compliance requirement" (a common term from customers) to
> ensure that they can explain EVERY single CVE ID that comes up. So mature
> VDBs have to handle these REJECTs, pass it on to clients in a format they can
> easily process, and in turn offer to auditors.

When making changes like the one being discussed, there is potential impact to the larger ecosystem of consumers. This impact is probably the most important reason why these issues need to be discussed with the board.

Regards,
Dave

Page last updated or reviewed: May 16, 2017