
RE: Current standards/criteria for 'Undefined Behavior'



I don't believe we are facing a binary decision here. It seems like we 
want to take advantage of email and phone conversations.

1) phone calls - provide high bandwidth for communication; low effort; 
not easy for everyone to follow due to scheduling
2) email - low bandwidth; high-effort to write; easier for the full 
board to follow with variable schedules

I believe with good note taking and email summaries of phone 
discussions we can get the best of both worlds. That said, I would like 
to see all decisions be confirmed on the list. This can be as simple as 
"We decided XYZ on the call for ABC reasons. Anyone have any concerns 
with this? If not, we will take action on DATE." 

I don't see this type of approach as a big burden. 

Regards,
Dave

> -----Original Message-----
> From: Beverly Finch [mailto:beverlyfinch@lenovo.com]
> Sent: Friday, July 07, 2017 3:18 PM
> To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
> <david.waltermire@nist.gov>
> Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list
> <cve-editorial-board-list@lists.mitre.org>
> Subject: RE: Current standards/criteria for 'Undefined Behavior'
> 
> I prefer calls over more email.  I apologize for missing this past
> one....life happened and I was totally unavailable.
> 
> 
> 
> Regards,
> 
> 
> Beverly M Finch, PMP
> PSIRT Program Manager
> Product Security Office
> 
> 7001 Development Drive
> Office 3N-C1
> Morrisville, NC  27560
> 
> +1 919 294 5873
> beverlyfinch@lenovo.com
> 
>
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Coffin, Chris
> Sent: Friday, July 7, 2017 2:50 PM
> To: Waltermire, David A. (Fed)
> Cc: Carsten Eiram; cve-editorial-board-list
> Subject: RE: Current standards/criteria for 'Undefined Behavior'
> 
> Dave,
> 
> The meeting minutes were intended to be an overview of past meetings and
> allow someone to be aware of what was discussed and any decisions made.
> We apologize if this specific issue and decision was not properly captured in
> the meeting minutes for the call in question, and will try to do a better job
> with this moving forward.
> 
> Let's also pull on this thread a bit and discuss what this might mean if we
> move our issues and possibly decisions to the mailing list. Are we suggesting
> that we create a separate email thread for each issue and/or decision from
> the calls? Would the email threads be a recount of the issues discussed and
> decisions made on the Board call, or would we want input from the list in
> every case before making a final decision? It sounds as though we are
> suggesting the latter. One worry in going this route would be that we'd never
> actually make any decisions on the Board calls and the value of them could be
> greatly diminished.
> 
> I think this also leads to a larger question of whether folks on the Board
> prefer fewer calls and more mailing list communications?
> 
> What are others' thoughts?
> 
> Regards,
> 
> Chris
> 
> -----Original Message-----
> From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov]
> Sent: Friday, July 7, 2017 12:52 PM
> To: jericho <jericho@attrition.org>; Coffin, Chris <ccoffin@mitre.org>
> Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list
> <cve-editorial-board-list@lists.mitre.org>
> Subject: RE: Current standards/criteria for 'Undefined Behavior'
> 
> What Brian is asking for here is something we absolutely should be doing to
> host a healthy board community. My schedule has been chaotic recently and
> I haven't been able to attend the calls like I normally do. Posting these types
> of issues to the list would give me a way to contribute to the conversation
> when I cannot be on the calls. I am sure others on the board share the same
> view on this as Brian and me.
> 
> We have talked about this quite a few times, but change has been slow and
> incomplete. How do we make this a standard practice going forward?
> 
> Thanks,
> Dave
> 
> > -----Original Message-----
> > From: owner-cve-editorial-board-list@lists.mitre.org
> > [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
> > jericho
> > Sent: Friday, July 07, 2017 1:15 PM
> > To: Coffin, Chris <ccoffin@mitre.org>
> > Cc: Carsten Eiram <che@riskbasedsecurity.com>;
> > cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> > Importance: High
> >
> > On Fri, 7 Jul 2017, Coffin, Chris wrote:
> >
> > : Yes. We discussed on a Board call and decided to discontinue assignment
> > : for undefined behavior issues.
> >
> > A couple things:
> >
> > 1. Which call? I do not see this topic in the meeting minutes for the
> > last three meetings.
> >
> > 2. If a new policy is implemented based on a conference call, it would
> > benefit everyone if it was more clearly stated in the meeting minutes,
> > and it should also be posted directly to the list under a new thread.
> >
> > 3. There are issues I bring up on list, that are then discussed almost
> > exclusively on the calls with a fraction of the board present. The
> > gist of the discussion and even the final disposition are not always
> > included in the minutes, and not brought to the list. That leaves
> > emails to the board list that appear to be unaddressed in any fashion.
> > Since the list is public, this is not a good external perception for
> > MITRE or the Board.
> >
> > Brian


Page Last Updated or Reviewed: July 10, 2017