Open philips opened 5 years ago
Context, email to the TOC
Hey TOC-
A requirement of graduation to CNCF is following the CII Criteria. And one of the requirements is having CVE numbers in release notes.
Unfortunately, two weeks ago the DWF system designed for OSS projects to generate CVE numbers shut down. https://twitter.com/kurtseifried/status/1103858442479910913
This leaves CNCF projects in an awkward position. And I see four options:
1. CNCF becomes a CVE Numbering Authority (I have started a CNCF service desk request for this, Chris A has some thoughts).
2. Revise CII in the face of no practical CVE system for OSS projects to not have that requirement.
3. Update the CNCF Graduation criteria to not require projects to create CVEs and rely exclusively on researcher-issued CVEs.
4. Create a new CVE alternative that is fully distributed without a central authority.
Thank You,
Brandon
https://github.com/cncf/toc/issues/213