@kurtseifried The main problem in my view is that virtually nobody cares about the CWE. No one ever complains about it or asks for it to get changed etc. We basically put a finger in the air for 20 seconds when writing the advisory, search around all the available ones and then go with the one we think is the least bad one. And we never go back to reconsider and no one proposes anything else.
So they are all fairly arbitrary but "decent" because we try to pick an accurate one.
@profdc9 we do try to make it hard to do wrong, daniel.haxx.se/blog/2023/12/13… - but recall that 60% of the curl security problems were *not* C problems.
You know I spend all my days working on curl and related matters. I also spend a lot of time thinking about the project; like how we do things and how we should do things.
daniel:// stenberg://