So putting CVEs into the changelog is harmful, pointless, misleading and would just create a fake "scare users" and "gain attention" industry (coupled with a "delay bug fixes for a long time" aspect, if paid well enough) that operates based on issuing CVEs and 'solving' them - which disincentivises the *real* bugfixes and the non-self-selected bug fixers.
I'd like to strengthen the natural 'bug fixing' industry, not the security circus industry.
Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds