[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [CD] CD Proposal: VOTE (Voting Requirements)
I like David's proposal. In general I think that too much legislation on our process is not good, and rather than attempt to generate a code which prevents any manipulation or misuse (has any attempt at that ever succeeded?), we should trust that if something is going wrong we can raise the issue either to Steve or to the group and make corrections as needed. Bill David LeBlanc wrote: > > From: 'aleph1@SECURITYFOCUS.COM' [mailto:aleph1@SECURITYFOCUS.COM] > > > * David LeBlanc (email@example.com) [000613 22:28]: > > > > > > This rule is merely an attempt to codify what is currently > > an informal, > > > voluntary practice. I think it is a good practice - most > > decision making > > > bodies allow members to recuse themselves for conflict of > > interest. Do you > > > have a better way of saying it? > > > > I rather see a method of the owner of a vulnerable product or service > > to contents a CVE entry. In particular I would give them a way to > > state they believe some of the votes approving the CVE entry are > > malicious and with competition in mind. We could then vote again, > > including the entities they claim are malicious, but have a higher > > standard to approve the contested CVE entry (e.g. we would need > > 6 votes instead of 3). > > I don't see that this procedure would take the place of either a rule or a > guideline which states that conflicts of interest are to be avoided. > Personally, I'm going to NOOP anything that affects a vendor of products > which compete with Microsoft, even if I have direct knowledge of the bug. > Just seems to be the ethical thing to do. We don't currently have a problem > with other people doing anything wrong, and given the caliber of people on > the board, I don't think we are in any real danger of having a substantial > problem. > > I think that all we really need to do here is make a guideline, and then let > Steven work personally with anyone who he thinks doesn't understand the way > we work. We're making this whole thing a lot harder than it needs to be. > > My $0.02.