Re: CVE ID Syntax Vote - results and next steps

[security curmudgeon <jericho@attrition.org>]

On Thu, 18 Apr 2013, Pascal Meunier wrote:

: On Thu, 18 Apr 2013 14:30:58 -0500
: security curmudgeon <jericho@attrition.org> wrote:
: 
: > And this speaks to my point about selfish desires. You are making this 
: > decision based on YOUR company, and YOUR development cycles that will be 
: > used to change the scheme internally. This is not voting in the interest 
: > of the community at all.
: > 
: ...
: 
: Please explain what you mean by "community" -- I thought McAfee was part of it,

Am I really about to explain that one piece does not make the whole to 
someone at Purdue?

McAfee is part of the community. A piece. A very small piece in the grand 
scheme of things.

McAfee is not THE community.

: and that their concerns would be shared by a part of the community. What 
: costs them could also cost people (customers) using the security 
: products of a number of vendors.

See my previous mail. I address that as well. McAfee will likely bear a 
disproportional cost in this change, I realize that. Again, that doesn't 
mean they get any more say in this, or that their problems should be the 
basis for forcing a decision that may not be the best on the rest of the 
community.

: > I will be the community advocate on this response:
: > 
: > So what? Your problem, not mine.
: 
: Isn't that response selfish?  I'm sorry, I don't understand.  I guess I also

You'd think so, except we stand ready to change our system regardless of 
the outcome. 'A' or 'B', we will change our system. That is OUR problem, 
and we are not about to make it yours, McAfee's, or some random researcher 
or CNA. Quite the opposite, we are not being selfish.

: I don't know nearly enough to say what's best for all the stakeholders 
: in the CVE (community?).

You do not know nearly enough to say what is best for the community, yet 
you voted anyway.