Andrew Pollock
> Is there any available tool so far for converting between the two specs?

Not to our knowledge. See also https://github.com/ossf/osv-schema/issues/7

> The GSD project will have a tool to convert between OSV 1.x and CVE 4 and 5 at some point.

@kurtseifried please consider contributing this directly to this repo....
https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/163 has seen some recent activity, for what it's worth...
> What happens if there is a flaw in the binary package and not the source? (this has happened a handful of times if my memory serves).

#202 touches on...
Stashing https://github.com/ossf/osv-schema/issues/109#issuecomment-1486078258 here to keep things together.
Related: https://github.com/CVEProject/cve-schema/issues/241
Drive-by comment:

> One possible answer: you can embed the entire CVE JSON in the database_specific field so data is not lost and then add support later since the...
[CalVer](https://calver.org/) seems to be a reasonably well defined versioning format. I think this issue could be retitled/rescoped to requesting support for this as an additional `range` type?
Yep, pointed you at my previous thoughts off-issue.
My initial thoughts on `curl | bash` are coloured by my past history with things like:

- https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
- https://www.onsecurity.io/blog/careless-with-curl-dont-be/

and as such, given the space we're operating in, I'd...