
Re: Current standards/criteria for 'Undefined Behavior'

On Fri, Jul 7, 2017 at 1:55 PM, Waltermire, David A. (Fed) <david.waltermire@nist.gov> wrote:
Who is responsible for deciding how big/risky or small/minor a given issue is? I wouldn't want that job.

The problem is those present on the board call might think an issue is "small" and inconsequential. Those that might find a big problem in a small thing might not be present on a given call to raise such a concern. This is where there is value in sending a short email to the list to keep everyone looped in. We have had some examples of this in the past with changes to CVE status, impacts on downstream consumers, etc.


I don't think anyone is advocating against email, but I don't think we want things getting stuck in email discussion limbo, something the phone calls are good for.


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: July 10, 2017