oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Becoming a CVE Naming Authority for your project

From: Peter Gutmann <pgut001 () cs auckland ac nz>
Date: Wed, 5 Nov 2025 12:30:41 +0000
Greg KH <greg () kroah com> writes:


I totally agree that all "major" open source projects should become a CNA,
and strongly recommend taking back control over stuff like this.


The problem is that individuals can't be CNAs, which means you'd need to do
something like going through the cost and overhead of setting up a shell
corporation or similar to meet the checkbox requirement that an individual
can't be a CNA but the same individual fronted by a paper entity can.

Does anyone know what the thinking behind this is?  It excludes any OSS
project that doesn't have some entity fronting it from being a CNA.  If by
"major" you mean "lots of people involved in the project" then there are
probably entities fronting them but if you mean "lots of users and critical to
Internet operation" then see the famous xkcd cartoon, and that person can't be
a CNA.

Peter.
Previous By Date Next
Previous By Thread Next

Current thread: