Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID:
 <ME0P300MB0713ACE3EB14C8F1375F2464EEC5A@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
Date: Wed, 5 Nov 2025 12:30:41 +0000
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Becoming a CVE Naming Authority for your project

Greg KH <greg@...ah.com> writes:

>I totally agree that all "major" open source projects should become a CNA,
>and strongly recommend taking back control over stuff like this.

The problem is that individuals can't be CNAs, which means you'd need to do
something like going through the cost and overhead of setting up a shell
corporation or similar to meet the checkbox requirement that an individual
can't be a CNA but the same individual fronted by a paper entity can.

Does anyone know what the thinking behind this is?  It excludes any OSS
project that doesn't have some entity fronting it from being a CNA.  If by
"major" you mean "lots of people involved in the project" then there are
probably entities fronting them but if you mean "lots of users and critical to
Internet operation" then see the famous xkcd cartoon, and that person can't be
a CNA.

Peter.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.