The other day @gregkh and I shot down a draft proposal to add a new role in the CVE ecosystem (SADP: "supplier ADP") that would append data to CVEs with details about dependencies and how they are or are not vulnerable to each particular CVE.

Imagine the number of dependencies that use curl or the Linux kernel etc. These sweet innocent proposal makers thought in terms of 5-10 dependencies per CVE. Not tens or hundreds of thousands, which is far from unthinkable.

@bagder @gregkh where was that proposal circulating?
@msw @gregkh it was presented and discussed during our most recent OSS CNA user group meeting
@bagder @msw @gregkh Ha! They weren't asking for much were they!?
@sjvn @msw @gregkh to be honest, it felt almost a little cute and innocent!
@bagder @sjvn @gregkh that’s been my experience for a lot of these things. Well intentioned ideas, but they don’t withstand contact with the realities of wide-scale reuse.
@msw @bagder @sjvn @gregkh The lack of understanding around open source is one of the biggest threats open source has, I suspect.