Issues with no CVE number

Josh Bressers bressers at redhat.com
Sat May 6 15:37:06 UTC 2006


> Are security issues that don't have a CVE number tracked somewhere?
> Some issues may not have it by the time they're disclosed and I guess
> there are ones that for whatever reason don't have and aren't going to
> get one.  If they're tracked in the usual audit/* files, what's the
> preferred format for them?

Put something along the lines of CVE-NOID as the ID so we know it needs
help (be sure to file a bug so we know what the issue is).  Anything we
track in the audit files should have a CVE id.  Anything that doesn't have
one right away will get one.  You can mail cve at mitre.org with pointers at
new security issues and they should assign an ID.  For anything that is not
public, feel free to let me know and I can assign a CVE id from Red Hat's
pool (remember if you mail this list, the issue becomes public if it wasn't
before).

> 
> By the way, if more help is needed, feel free to add me (scop) rights to
> commit to the fe[45] files.

At this point in time, all help is welcome; you have access.

Once we get things moving along, we'll have to think about how assigning
access should work, as 'whoever I think should be a member' probably isn't
a suitable long-term solution :)

-- 
    JB




More information about the Fedora-security-list mailing list