On Tue, Aug 18, 2020 at 08:42:23PM +0100, Simon McVittie wrote:
> > 1) Can the Debian CNA assign a CVE number to this issue? It is technically a
> > vulnerability, and a CVE might convince the upstream developer towards a more
> > collaborative attitude.
>
> CVE IDs are a mechanism for tracking known security vulnerabilities
> so that sysadmins and users can know which packages need updating or
> avoiding. They are not a weapon to beat maintainers with; please don't
> treat them as that.

Exactly.

> (Procedurally, I don't think the Debian CNA is allowed to assign CVE
> numbers to vulnerabilities that are already known outside Debian.)

Indeed. (Plus the use of the Debian CNA has also shifted to only apply to
Debian-specific tooling (like dpkg/apt) or Debian-specific security issues)

Cheers,
Moritz