1. 11

We’ve had some submissions recently that are basically just CVE announcements. Some folks think these are interesting, some folks think these are spam.

The traditional way of handling this is to open the floor to discussion, so I’d like to propose a CVE tag.

Examples:

  2. 17

    I strongly disagree with a CVE tag. If a specific CVE is worth attention it can be submitted under security, most likely with a nice abstract discussing it like the Theo undeadly link or the SSH enumeration issue. Adding a CVE tag will just give a green light to turning lobste.rs in a CVE database copy - I see no added value from that.

    1. 7

      I agree. I think it comes down to the community being very selective about submitting CVEs. The ones that are worth it will either have a technical deep-dive that can be submitted here, or will be so important that we won’t mind a direct link.

      1. 2

        Although I want to filter them, I agree this could invite more of them. Actually, that’s one of @friendlysock’s own warnings in other threads. The fact that the tags simultaneously are for highlighting and filtering, two contradictory things, might be a weakness of using them vs some alternative. It also might be a fundamentally inescapable aspect of a good design choice. I’m not sure. Probably worth some contemplation.

        1. 2

          I completely agree with you. I enjoy reading great technical blog posts about people dissecting software and explaining what went wrong and how to mitigate. I want more of that.

          I don’t enjoy ratings and CVSS scores. I’d rather not encourage people by blessing it with a tag.

        2. 7

          lobste.rs is the right place for fantastic writeups like this. http://cve.mitre.org/ is the right place for CVEs.

          1. 4

            Why isn’t “security” sufficient?

            1. 8

              Because people post CVEs that teach me little to nothing about security. They’re like the security version of product updates. People that use the tech have places to look for release notes and security alerts. Entire sites and blogs are dedicated to it. Here, it’s just noise drowning out deeper submissions.

              1. 3

                security talks about a general class of topics, whereas CVE would talk about a particular instance.

                Same reason we have both programming and rust, or mathematics and visualization.

                Personally I don’t think we should have them on the site at all, but we should do a community discussion first.

              2. 2

                I also disagree with ‘CVE’ by itself being brought on-topic for lobste.rs - and I say this as someone who works in security. The recent Rust CVE is a great example of posts I don’t want to see more of here. It was just an announcement, no context, no write-up, no lessons learned. I can get feeds of CVEs elsewhere. I think we can still have write-ups that cover CVEs submitted under existing tags.