oss-sec mailing list archives
Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies
From: "Zach W." <kestrel () trylinux us>
Date: Thu, 10 Mar 2016 11:29:47 -0800
Hello Tim,

This is all great info. Can you please add this to the feedback on the repo?

Zach W.

On 3/10/2016 11:25 AM, Tim wrote:
>>>> It's git. You can trivially keep an entire copy of the databases. It can be hosted in many places. We'd have to redo the issue tracking, but bugtracking systems are not exactly hard anymore.
>>>
>>> I see that as only one component of having a distributed database. Who's running the cron job that constantly pulls down updates from the github server? How do you ensure it's synced up when a legal threat causes the main repo to go black?
>>
>> See above. That's the whole point of the artifacts database. Please reread my original email maybe? I am of course open to feedback, but please actually go to https://github.com/distributedweaknessfiling/ and see what we're doing first before assuming we aren't doing certain things (like making sure the artifacts associated with a security vuln don't disappear).
>
> I did look. Sorry I missed the artifacts. The git repos and documentation make it far from obvious where that info lies.
>
> Ok so is "A database of artifacts, files and related files for DWF entries (so that when websites disappear the required content is hopefully still available)" in an email the sum of your documentation on that right now? Just want to be sure I didn't miss something else.
>
> Do you have ideas on how to capture vendor advisories? Vendors are almost certainly, in 99% of cases, going to ignore the DWF for a long time. Perhaps forever. We're currently lucky to get many of them to even include a CVE # in their own advisory. How can that information be captured without moderators having to do all the work?
>
> Have you thought about how we can deal with the copyright issues associated with copying vendor content directly into the DWF for archival? What I'm thinking is that perhaps there's a way to make vendors *want* to post information. Also, perhaps there could be a way to license DWF numbering in such a way that vendors implicitly agree that the DWF can re-publish.
>
> Or maybe there's a way to work with the Internet Archive to have third-party URLs archived automatically when they are first posted. See: https://archive-it.org/learn-more/
>
> tim
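Tim's last suggestion, having third-party URLs archived with the Internet Archive when an entry is first posted, is the kind of thing a cron job next to the repo mirror can do. The script below is an added example written for this page; it is not DWF project code and not from any message in the thread. It assumes a constructed entry layout (a `references` list plus a free-text `description`), not the DWF's own schema, and relies on two public Wayback Machine endpoints: the availability API at https://archive.org/wayback/available and Save Page Now at https://web.archive.org/save/<url>. The `FakeWayback` class, `SAMPLE_ENTRY`, and the hostnames `vendor.example` and `bugs.example` are constructed for the offline dry run.

```python
"""Archive a vulnerability entry's third-party references with the Internet
Archive's Wayback Machine, so the evidence survives if the original page
goes away.

Added example, not DWF project code.  Assumed (not from the thread): the
entry layout below is constructed, not the DWF's schema; the Wayback
availability API and Save Page Now behave as publicly documented.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

AVAILABILITY_API = "https://archive.org/wayback/available?url="
SAVE_ENDPOINT = "https://web.archive.org/save/"
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

# A fetcher takes a URL and returns the body; injecting it keeps the logic
# testable offline (see FakeWayback below).
Fetcher = Callable[[str], str]

def http_fetch(url: str, timeout: float = 30.0) -> str:
    req = urllib.request.Request(url, headers={"User-Agent": "dwf-archiver-example/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def extract_reference_urls(entry: Dict) -> List[str]:
    """Explicit references first, then URLs found in the description; deduplicated,
    order kept, archive.org links skipped (archiving an archive is pointless)."""
    candidates: List[str] = []
    for ref in entry.get("references", []):
        candidates.append(ref if isinstance(ref, str) else ref.get("url", ""))
    candidates.extend(URL_RE.findall(entry.get("description", "")))
    seen, urls = set(), []
    for url in candidates:
        url = url.rstrip(".,;")  # trailing punctuation picked up from prose
        host = urllib.parse.urlsplit(url).hostname or ""
        if not url or url in seen or host.endswith("archive.org"):
            continue
        seen.add(url)
        urls.append(url)
    return urls

def existing_snapshot(url: str, fetch: Fetcher) -> str:
    """URL of the closest existing Wayback snapshot, or '' if there is none."""
    body = fetch(AVAILABILITY_API + urllib.parse.quote(url, safe=""))
    try:
        closest = json.loads(body)["archived_snapshots"]["closest"]
    except (ValueError, KeyError, TypeError):
        return ""
    return closest.get("url", "") if closest.get("available") else ""

def archive_entry(entry: Dict, state: Dict[str, str],
                  fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Ensure every reference of `entry` has a Wayback snapshot.  `state` maps
    URL -> snapshot and is updated in place; a cron job persists it so nothing
    is submitted twice.  '' means requested but not visible yet: retried next run."""
    result: Dict[str, str] = {}
    for url in extract_reference_urls(entry):
        if url not in state:
            snap = existing_snapshot(url, fetch)
            if not snap:
                fetch(SAVE_ENDPOINT + url)            # Save Page Now
                snap = existing_snapshot(url, fetch)  # may lag behind the crawl
            if snap:
                state[url] = snap
        result[url] = state.get(url, "")
    return result

class FakeWayback:
    """Offline stand-in for both Wayback endpoints, for dry runs and tests."""
    def __init__(self, already_archived=(), visible_after_save=True):
        self.archived, self.saved = set(already_archived), []
        self.visible_after_save = visible_after_save

    def __call__(self, url: str) -> str:
        if url.startswith(AVAILABILITY_API):
            target = urllib.parse.unquote(url[len(AVAILABILITY_API):])
            if target not in self.archived:
                return json.dumps({"url": target, "archived_snapshots": {}})
            return json.dumps({"archived_snapshots": {"closest": {"available": True,
                "url": "http://web.archive.org/web/20160310000000/" + target}}})
        if url.startswith(SAVE_ENDPOINT):
            target = url[len(SAVE_ENDPOINT):]
            self.saved.append(target)
            if self.visible_after_save:
                self.archived.add(target)
            return "<html>saved</html>"
        raise ValueError("unexpected request: " + url)

# Constructed sample entry, not a real DWF record.
SAMPLE_ENTRY = {
    "id": "DWF-2016-EXAMPLE",
    "description": "Stack overflow in the widget parser, see "
                   "http://vendor.example/advisory/123. Earlier copy: "
                   "https://web.archive.org/web/2016/http://vendor.example/old",
    "references": ["http://vendor.example/advisory/123",
                   {"url": "https://bugs.example/show_bug.cgi?id=42"}],
}

if __name__ == "__main__":  # dry run against the fake endpoints, no network
    fake = FakeWayback(already_archived={"https://bugs.example/show_bug.cgi?id=42"})
    for url, snap in archive_entry(SAMPLE_ENTRY, {}, fetch=fake).items():
        print(snap or "pending", url)
    print("submitted to Save Page Now:", fake.saved)
```

In a real deployment the `state` dict would be loaded from and written back to a JSON file by the same cron job that pulls the mirror, and `archive_entry` would be called with the default `http_fetch` for each entry added since the last run. The second availability query after a save is there because a fresh crawl is not always visible immediately; leaving the URL out of `state` in that case is what makes the next run retry it instead of silently assuming it was captured.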
Current thread:
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies, (continued)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies David A. Wheeler (Mar 09)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Kurt Seifried (Mar 09)
- RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies Boyle, Stephen V. (Mar 09)
- RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies John Scott (Mar 10)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Reed Loden (Mar 09)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Timothy D. Morgan (Mar 09)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Kurt Seifried (Mar 09)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Timothy D. Morgan (Mar 10)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Kurt Seifried (Mar 10)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Tim (Mar 10)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Zach W. (Mar 10)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Kurt Seifried (Mar 10)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies halfdog (Mar 10)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Carlos Alberto Lopez Perez (Mar 11)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Kurt Seifried (Mar 11)