Telorand@reddthat.com 3 days ago
That’s good, I guess, but decentralize it. It’s a tool used globally with global ramifications, so other countries should be able to run their own instance of it. That way, if an instance goes down, nobody else is left without it.
Over the coming days, the Foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community.
Hopefully that includes decentralization on the roadmap.
dohpaz42@lemmy.world 3 days ago
Decentralizing a foundation such as CVE would do more harm than good. For things like git or the fediverse it makes perfect sense, but the last thing I want something like the CVE to be is fragmented. We need a single source of truth for this.
Now setting up a non-profit foundation and cutting dependence with governments is a good thing, but it’s not the same as decentralized.
billiam0202@lemmy.world 3 days ago
This, exactly.
The whole point of CVE is to make sure everyone is on the same page regarding exploits. That necessitates a single point of truth for the whole operation.
Telorand@reddthat.com 3 days ago
So distribute it, like DNS. Have the CVE Foundation be the final authority, but relying solely upon them makes me uneasy.
The CVE Foundation might currently be independent from the US government, but that doesn’t mean they’re not still subject to its whims. I think people underestimate just how awful things are or could get here, and “why is the government doing that stupid/heinous/bizarre thing” has become a daily mantra for many.
CVE needs better protection from hostile governments, and distributing the system seems like the only way to achieve that
barsoap@lemm.ee 3 days ago
That’s long since been the case, e.g. the Linux Kernel assigns its own CVE numbers, they’re a CNA. Which keeps the “root” CVS database completely out of the loop short of saying “this here is your namespace and scope”. Canonical is a CNA, Airbus is a CNA, both covering their own products. 453 in total.
Still important to have a fallback though because not all projects are big enough to do that kind of stuff.
IanTwenty@lemmy.world 3 days ago
There is some distribution of effort/expertise at least:
theregister.com/…/homeland_security_funding_for_c…
ricecake@sh.itjust.works 3 days ago
I think you might be overestimating how complex the system is. This isn’t collaborative, and it’s barely even dynamic. It’s essentially bookkeeping around a list of numbers and a zip file of text documents.
github.com/CVEProject/cvelistV5/…/main.zip
The reporting of the issues is already done by other people, they just rely on a central group to keep the numbers from colliding.
www.cve.org/CVERecord?id=CVE-2025-3576
Not a whole lot there.
Significantly more worrying is the nvd.
nvd.nist.gov/vuln/detail/CVE-2025-31161
There’s additional data attached relating to not just the vulnerability, but exploitation and the system configuration that’s known to be exploitable.
Up until now it was benign, as well as entirely unavoidable, for so much of the infrastructure of the Internet to be closely tied to the US government.
dohpaz42@lemmy.world 3 days ago
Distribution, decentralization… those ideas only serve to add unnecessary complexity to a sensitive and critical infrastructure. Instead of tweeting the baby with the bathwater, let’s work toward making these institutions not rely on or be beholden to governments. Anything else is a poor man’s Band-Aid to the problem.
FWIW, I agree with your concerns, but not the proposed solutions. Regardless, these are the types of discussions we all should be having for our critical infrastructure.
Telorand@reddthat.com 3 days ago
I don’t see how that’s possible unless you use a system that’s resistant to governments (or moneyed interests). And the only systems like that are effectively outside their government’s power or jurisdiction. Otherwise, the right mix of ambitious or greedy people could eventually cause it to crumble.
Did you have some other kind of system or plan in mind?