« Return to Thread: More frequent CWE releases and CWE versioning
More frequent CWE releases and CWE versioning
by Steven M. Christey-2
::
Rate this Message:
All,
We are planning to release a new version of CWE on Tuesday, October 14.
But before we do so, we'd like to get your opinion on how we should label
things when CWE data changes.
This new version does not have the large number of changes that we saw
occurring between drafts. The schema remains the same. We've updated
a few dozen CWE entries and added a new entry, but otherwise the
content is the same.
For the foreseeable future, we are planning a more frequent update
schedule - currently estimated at once a month, although the frequency may
vary depending on "quality-based" criteria or external deadlines.
So, we now face a question of the best way to capture these ongoing
versions.
The CWE schema supports two separate elements that could be used for
versioning:
Catalog_Version - a string
Catalog_Date - a date
In the past, we've only used the Catalog_Version - so currently, it's
at "1.0."
We believe there are two main choices for how we can handle versions
in the future. We wanted to get feedback from the researcher list
because you are some of our most active users of CWE.
The options are:
1) Versions for each change
Use Catalog_Version to contain sub-versions for every new release
of CWE, no matter how small the change; and use larger versions to
reflect significant content changes, such as major changes to an
important view.
The Catalog_Date would be filled out, but only as a convenience for
users, so that they don't have to go to the CWE web site to figure
out what date CWE was released on.
So, the new release would be labeled "1.0.1"
The XML download would be cwec_v1.0.1.xml
2) Versions for significant changes
Catalog_Version would not be modified if only small changes
occurred, as will be the case for October 14. We would only modify
the version number when significant content changes occur, as
mentioned previously.
The Catalog_Date would be changed whenever content changed within
the same version, so that people who care about the small
differences can check to see if their copy of CWE needs updating.
So, the new release would remain labeled "1.0", and the
Catalog_Date would be "2008-10-14". The XML download would remain
at cwec_v1.0.xml.
By creating new versions for each change, including minor changes, this
would ensure that there is no confusion between copies of CWE; any two
parties who say they use "CWE 1.0.x" would be using the exact same data.
However, casual CWE users would not understand the rationale for why the
versions are updated, so they might update their data more frequently than
necessary.
By limiting new versions to significant changes only, then any version
change will send a strong signal that it's important for people to update
their copy of CWE. People who care about minor versions can still use the
date field if they want.
Note that in either case, we will be providing version-to-version diffs on
the web site.
What would work best for you? Do you expect to follow every single update
of CWE, or only the most significant changes?
Thanks,
Steve
We are planning to release a new version of CWE on Tuesday, October 14.
But before we do so, we'd like to get your opinion on how we should label
things when CWE data changes.
This new version does not have the large number of changes that we saw
occurring between drafts. The schema remains the same. We've updated
a few dozen CWE entries and added a new entry, but otherwise the
content is the same.
For the foreseeable future, we are planning a more frequent update
schedule - currently estimated at once a month, although the frequency may
vary depending on "quality-based" criteria or external deadlines.
So, we now face a question of the best way to capture these ongoing
versions.
The CWE schema supports two separate elements that could be used for
versioning:
Catalog_Version - a string
Catalog_Date - a date
In the past, we've only used the Catalog_Version - so currently, it's
at "1.0."
We believe there are two main choices for how we can handle versions
in the future. We wanted to get feedback from the researcher list
because you are some of our most active users of CWE.
The options are:
1) Versions for each change
Use Catalog_Version to contain sub-versions for every new release
of CWE, no matter how small the change; and use larger versions to
reflect significant content changes, such as major changes to an
important view.
The Catalog_Date would be filled out, but only as a convenience for
users, so that they don't have to go to the CWE web site to figure
out what date CWE was released on.
So, the new release would be labeled "1.0.1"
The XML download would be cwec_v1.0.1.xml
2) Versions for significant changes
Catalog_Version would not be modified if only small changes
occurred, as will be the case for October 14. We would only modify
the version number when significant content changes occur, as
mentioned previously.
The Catalog_Date would be changed whenever content changed within
the same version, so that people who care about the small
differences can check to see if their copy of CWE needs updating.
So, the new release would remain labeled "1.0", and the
Catalog_Date would be "2008-10-14". The XML download would remain
at cwec_v1.0.xml.
By creating new versions for each change, including minor changes, this
would ensure that there is no confusion between copies of CWE; any two
parties who say they use "CWE 1.0.x" would be using the exact same data.
However, casual CWE users would not understand the rationale for why the
versions are updated, so they might update their data more frequently than
necessary.
By limiting new versions to significant changes only, then any version
change will send a strong signal that it's important for people to update
their copy of CWE. People who care about minor versions can still use the
date field if they want.
Note that in either case, we will be providing version-to-version diffs on
the web site.
What would work best for you? Do you expect to follow every single update
of CWE, or only the most significant changes?
Thanks,
Steve
« Return to Thread: More frequent CWE releases and CWE versioning
| Free embeddable forum powered by Nabble | Forum Help |
