> Are security issues that don't have a CVE number tracked somewhere?
> Some issues may not have it by the time they're disclosed and I guess
> there are ones that for whatever reason don't have and aren't going to
> get one. If they're tracked in the usual audit/* files, what's the
> preferred format for them?

Put something along the lines of CVE-NOID as the ID so we know it needs help (be sure to file a bug so we know what the issue is).

Anything we track in the audit files should have a CVE id. Anything that doesn't have one right away will get one. You can mail cve@xxxxxxxxx with pointers at new security issues and they should assign an ID. For anything that is not public, feel free to let me know and I can assign a CVE id from Red Hat's pool (remember if you mail this list, the issue becomes public if it wasn't before).

> By the way, if more help is needed, feel free to add me (scop) rights to
> commit to the fe[45] files.

At this point in time, all help is welcome, you have access. Once we get things moving along, we'll have to think about how assigning access should work, as 'whoever I think should be a member' probably isn't a suitable long term solution :)

--
JB