Are security issues that don't have a CVE number tracked somewhere?
Some issues may not have it by the time they're disclosed and I guess
there are ones that for whatever reason don't have one and aren't going to
get one. If they're tracked in the usual audit/* files, what's the
preferred format for them?

Put something along the lines of CVE-NOID as the ID so we know it needs
help (be sure to file a bug so we know what the issue is). Anything we
track in the audit files should have a CVE id. Anything that doesn't have
one right away will get one. You can mail cve(a)mitre.org with pointers at
new security issues and they should assign an ID. For anything that is not
public, feel free to let me know and I can assign a CVE id from Red Hat's
pool (remember if you mail this list, the issue becomes public if it wasn't
before).

By the way, if more help is needed, feel free to add me (scop) rights to
commit to the fe[45] files.

At this point in time, all help is welcome, you have access.
Once we get things moving along, we'll have to think about how assigning
access should work, as 'whoever I think should be a member' probably isn't
a suitable long-term solution :)
--
JB