We know that there were difficulties in the past in getting CVEs assigned. The recent one for python-sql was assigned, seemingly without problems, to the Debian LTS team. My request, asking whether I could rely on the LTS team for help with unproblematic assignment of CVEs, was answered like this by the LTS coordinator:
I am happy to help, but I believe you could get better help.
I wasn't sure about forwarding this request from Red Hat, but it
seems they are interested in the very own project to become their own
CNA:
Could you please check with the python-sql community and maintainers if
they are willing to become a CNA under Red Hat in order to have more
independence when assigning a CVE?
If that makes sense for you, could you please discuss that proposal with
tryton+python-sql upstream? I could forward the answer, or you could
write directly to "Red Hat Product Security" <secalert@redhat.com>.
I am curious in any case about what the Tryton community thinks about
it.
Sounds to me like a chance to evaluate.
Thoughts?