
RE: Current standards/criteria for 'Undefined Behavior'



Dave,

The meeting minutes were intended to be an overview of past meetings 
and allow someone to be aware of what was discussed and any decisions 
made. We apologize if this specific issue and decision was not properly 
captured in the meeting minutes for the call in question, and will try 
to do a better job with this moving forward.

Let's also pull on this thread a bit and discuss what this might mean 
if we move our issues and possibly decisions to the mailing list. Are 
we suggesting that we create a separate email thread for each issue 
and/or decision from the calls? Would the email threads be a recount of 
the issues discussed and decisions made on the Board call, or would we 
want input from the list in every case before making a final decision? 
It sounds as though we are suggesting the latter. One worry in going 
this route would be that we'd never actually make any decisions on the 
Board calls and the value of them could be greatly diminished.

I think this also leads to a larger question of whether folks on the 
Board prefer fewer calls and more mailing list communications?

What are others' thoughts?

Regards,

Chris

-----Original Message-----
From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov] 
Sent: Friday, July 7, 2017 12:52 PM
To: jericho <jericho@attrition.org>; Coffin, Chris <ccoffin@mitre.org>
Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>
Subject: RE: Current standards/criteria for 'Undefined Behavior'

What Brian is asking for here is something we absolutely should be 
doing to host a healthy board community. My schedule has been chaotic 
recently and I haven't been able to attend the calls like I normally 
do. Posting these types of issues to the list would give me a way to 
contribute to the conversation when I cannot be on the calls. I am sure 
others on the board share the same view on this as Brian and me.

We have talked about this quite a few times, but change has been slow 
and incomplete. How do we make this a standard practice going forward?

Thanks,
Dave

> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
> Sent: Friday, July 07, 2017 1:15 PM
> To: Coffin, Chris <ccoffin@mitre.org>
> Cc: Carsten Eiram <che@riskbasedsecurity.com>; 
> cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: RE: Current standards/criteria for 'Undefined Behavior'
> Importance: High
> 
> On Fri, 7 Jul 2017, Coffin, Chris wrote:
> 
> : Yes. We discussed on a Board call and decided to discontinue assignment
> : for undefined behavior issues.
> 
> A couple things:
> 
> 1. Which call? I do not see this topic in the meeting minutes for the 
> last three meetings.
> 
> 2. If a new policy is implemented based on a conference call, it would
> benefit everyone if it was more clearly stated in the meeting minutes,
> and it should also be posted directly to the list under a new thread.
> 
> 3. There are issues I bring up on list, that are then discussed almost
> exclusively on the calls with a fraction of the board present. The
> gist of the discussion and even the final disposition are not always
> included in the minutes, and not brought to the list. That leaves
> emails to the board list that appear to be unaddressed in any fashion.
> Since the list is public, this is not a good external perception for
> MITRE or the Board.
> 
> Brian


Page Last Updated or Reviewed: July 07, 2017