Re: Current standards/criteria for 'Undefined Behavior'



Concur.  Using both like this improves communication and helps us make 
more informed decisions.  

Scott 

> On Jul 7, 2017, at 5:15 PM, jericho <jericho@attrition.org> wrote:
> 
> 
> Seconded.
> 
> On Fri, 7 Jul 2017, Waltermire, David A. (Fed) wrote:
> 
> : I don't believe we are facing a binary decision here. It seems like
> : we want to take advantage of email and phone conversations.
> : 
> : 1) phone calls - provide high bandwidth for communication; low
> :    effort; not easy for everyone to follow due to scheduling
> : 2) email - low bandwidth; high-effort to write; easier for the full
> :    board to follow with variable schedules
> : 
> : I believe with good note taking and email summaries of phone
> : discussions we can get the best of both worlds. That said, I would
> : like to see all decisions be confirmed on the list. This can be as
> : simple as "We decided XYZ on the call for ABC reasons. Anyone have
> : any concerns with this? If not, we will take action on DATE."
> : 
> : I don't see this type of approach as a big burden.
> : 
> : Regards,
> : Dave
> : 
> : > -----Original Message-----
> : > From: Beverly Finch [mailto:beverlyfinch@lenovo.com]
> : > Sent: Friday, July 07, 2017 3:18 PM
> : > To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
> : > <david.waltermire@nist.gov>
> : > Cc: Carsten Eiram <che@riskbasedsecurity.com>;
> : > cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> : > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> : > 
> : > I prefer calls over more email.  I apologize for missing this past
> : > one....life happened and I was totally unavailable.
> : > 
> : > 
> : > 
> : > Regards,
> : > 
> : > 
> : > Beverly M Finch, PMP
> : > PSIRT Program Manager
> : > Product Security Office
> : > 
> : > 7001 Development Drive
> : > Office 3N-C1
> : > Morrisville, NC  27560
> : > 
> : > +1 919 294 5873
> : > beverlyfinch@lenovo.com
> : > 
> : > 
> : > -----Original Message-----
> : > From: owner-cve-editorial-board-list@lists.mitre.org
> : > [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
> : > Coffin, Chris
> : > Sent: Friday, July 7, 2017 2:50 PM
> : > To: Waltermire, David A. (Fed)
> : > Cc: Carsten Eiram; cve-editorial-board-list
> : > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> : > 
> : > Dave,
> : > 
> : > The meeting minutes were intended to be an overview of past
> : > meetings and allow someone to be aware of what was discussed and
> : > any decisions made. We apologize if this specific issue and
> : > decision was not properly captured in the meeting minutes for the
> : > call in question, and will try to do a better job with this moving
> : > forward.
> : > 
> : > Let's also pull on this thread a bit and discuss what this might
> : > mean if we move our issues and possibly decisions to the mailing
> : > list. Are we suggesting that we create a separate email thread for
> : > each issue and/or decision from the calls? Would the email threads
> : > be a recount of the issues discussed and decisions made on the
> : > Board call, or would we want input from the list in every case
> : > before making a final decision? It sounds as though we are
> : > suggesting the latter. One worry in going this route would be that
> : > we'd never actually make any decisions on the Board calls and the
> : > value of them could be greatly diminished.
> : > 
> : > I think this also leads to a larger question of whether folks on
> : > the Board prefer fewer calls and more mailing list communications?
> : > 
> : > What are others' thoughts?
> : > 
> : > Regards,
> : > 
> : > Chris
> : > 
> : > -----Original Message-----
> : > From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov]
> : > Sent: Friday, July 7, 2017 12:52 PM
> : > To: jericho <jericho@attrition.org>; Coffin, Chris <ccoffin@mitre.org>
> : > Cc: Carsten Eiram <che@riskbasedsecurity.com>;
> : > cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> : > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> : > 
> : > What Brian is asking for here is something we absolutely should be
> : > doing to host a healthy board community. My schedule has been
> : > chaotic recently and I haven't been able to attend the calls like I
> : > normally do. Posting these types of issues to the list would give
> : > me a way to contribute to the conversation when I cannot be on the
> : > calls. I am sure others on the board share the same view on this as
> : > Brian and me.
> : > 
> : > We have talked about this quite a few times, but change has been
> : > slow and incomplete. How do we make this a standard practice going
> : > forward?
> : > 
> : > Thanks,
> : > Dave
> : > 
> : > > -----Original Message-----
> : > > From: owner-cve-editorial-board-list@lists.mitre.org
> : > > [mailto:owner-cve-editorial-board-list@lists.mitre.org] On
> : > > Behalf Of jericho
> : > > Sent: Friday, July 07, 2017 1:15 PM
> : > > To: Coffin, Chris <ccoffin@mitre.org>
> : > > Cc: Carsten Eiram <che@riskbasedsecurity.com>;
> : > > cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> : > > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> : > > Importance: High
> : > >
> : > > On Fri, 7 Jul 2017, Coffin, Chris wrote:
> : > >
> : > > : Yes. We discussed on a Board call and decided to discontinue
> : > > : assignment for undefined behavior issues.
> : > >
> : > > A couple things:
> : > >
> : > > 1. Which call? I do not see this topic in the meeting minutes
> : > > for the last three meetings.
> : > >
> : > > 2. If a new policy is implemented based on a conference call, it
> : > > would benefit everyone if it was more clearly stated in the
> : > > meeting minutes, and it should also be posted directly to the
> : > > list under a new thread.
> : > >
> : > > 3. There are issues I bring up on list, that are then discussed
> : > > almost exclusively on the calls with a fraction of the board
> : > > present. The gist of the discussion and even the final
> : > > disposition are not always included in the minutes, and not
> : > > brought to the list. That leaves emails to the board list that
> : > > appear to be unaddressed in any fashion. Since the list is
> : > > public, this is not a good external perception for MITRE or the
> : > > Board.
> : > >
> : > > Brian
> :


Page Last Updated or Reviewed: July 10, 2017