
RE: Current standards/criteria for 'Undefined Behavior'



Dave,

> I think we want consensus (the lack of sustained objection) over 
> agreement.
Agreed.

> If a new option is chosen on the call, a new discussion period will 
> be started to provide a means for the board to provide feedback.
The first time I read through your response, I took this as a way to 
extend the decision indefinitely. However, I think what you are saying 
is that if the decision is changed in a substantial way, we would want 
to have all board members review the decision again as if it were a new 
decision entirely. I think this makes sense and should be left as an 
option in cases where there is sustained objection. However, what I 
think we want to avoid is the case where a decision is held up by a 
single Board member indefinitely.

> Also, I would assume that two weeks starts from the time that minutes 
> are posted?
Kent had originally stated one week, and I extended this based on the 
board call schedule since we would want to get consensus before or 
during the next call. Assuming we get the meeting minutes out within 
the same week as the call, I think this still gives about a week and a 
half for mailing list discussion. Does a week and a half sound 
reasonable?

Chris

-----Original Message-----
From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov] 
Sent: Monday, July 10, 2017 8:33 AM
To: Coffin, Chris <ccoffin@mitre.org>; Landfield, Kent 
<Kent_Landfield@McAfee.com>; pmeunier@cerias.purdue.edu
Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>
Subject: RE: Current standards/criteria for 'Undefined Behavior'

Chris,

I am not a fan of your last suggestion. I think we want consensus (the 
lack of sustained objection) over agreement. In the rare situation 
where consensus cannot be reached on the list, we need to come up with 
a way to resolve that. Furthermore, your "final decision" suggestion 
creates a mechanism for the board to make a decision by fiat. For 
example, if there is no consensus between options A and B, and the 
board makes a decision to break the impasse with C on a call, then C 
needs to be reviewed by the board on the list, since the impacts of 
this decision have not been explored by that larger board.

I would change your statement to:

- If consensus cannot be reached on the list within the allotted 
discussion time period, we will discuss and make a decision in the 
following Board call taking into account new feedback or comments. If a 
new option is chosen on the call, a new discussion period will be 
started to provide a means for the board to provide feedback.

Also, I would assume that two weeks starts from the time that minutes 
are posted?

Regards,
Dave

> -----Original Message-----
> From: Coffin, Chris [mailto:ccoffin@mitre.org]
> Sent: Friday, July 07, 2017 5:16 PM
> To: Landfield, Kent <Kent_Landfield@McAfee.com>; Waltermire, David A.
> (Fed) <david.waltermire@nist.gov>; pmeunier@cerias.purdue.edu
> Cc: Carsten Eiram <che@riskbasedsecurity.com>; 
> cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: RE: Current standards/criteria for 'Undefined Behavior'
> 
> Kent,
> 
> I think this sounds like a very reasonable approach and would be 
> onboard with making this change moving forward. I believe this 
> approach also aligns with what Dave had proposed, though you have 
> given it a few more specifics.
> 
> Proposed process:
> - Board minutes email contains a list of decisions made within the 
> body of the message
> - Each decision includes a brief background statement and additional 
> details where needed
> - Board members have two weeks to raise objections to the decision 
> (this would also include those in attendance who might later change 
> their mind)
> - If agreement cannot be reached on the list within the allotted 
> discussion time period, we discuss and make a final decision in the 
> following Board call taking into account new feedback or comments
> 
> Does this work for everyone?
> 
> Chris
> 
> -----Original Message-----
> From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
> Sent: Friday, July 7, 2017 3:50 PM
> To: Waltermire, David A. (Fed) <david.waltermire@nist.gov>; 
> pmeunier@cerias.purdue.edu; Coffin, Chris <ccoffin@mitre.org>
> Cc: Carsten Eiram <che@riskbasedsecurity.com>; 
> cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: Re: Current standards/criteria for 'Undefined Behavior'
> 
> As we become a more internationally diverse group, it is important 
> all get to participate in the decision making. I agree Board calls 
> are useful for accelerating decisions based on back-and-forth 
> conversations but it is not fair to those that can’t participate due 
> to time zone, travel or real day jobs.
> 
> One of the things we have agreed to as a Board is that WG decisions 
> need to be put onto the Board list as recommendations. The Board then 
> has a specified time to disagree with the recommendations. If there 
> is no disagreement when the time period expires, the recommendations 
> are approved.
> 
> Maybe we could consider that type of approach for Board call 
> decisions. The call minutes could have a section that specifically 
> lists the decisions agreed to on the call with some background on the 
> decision. The minutes would be posted with the decisions section 
> copied and included in the body of the Board Minutes message in 
> addition to the attached minutes file. The Board members then have a 
> week (or some specified time) to disagree and initiate a 
> conversation. Any decisions not addressed are blessed with the 
> “silence begets acceptance” approach.
> 
> We should be addressing the decisions that Board members have an 
> issue with or need clarification on, not the ones we agree on.
> 
> --
> Kent Landfield
> 817-637-8026
> kent_landfield@mcafee.com
> 
> On 7/7/17, 2:55 PM, "owner-cve-editorial-board-list@lists.mitre.org 
> on behalf of Waltermire, David A. (Fed)" 
> <owner-cve-editorial-board-list@lists.mitre.org on behalf of 
> david.waltermire@nist.gov> wrote:
> 
>     Who is responsible for deciding how big/risky or small/minor a 
>     given issue is? I wouldn't want that job.
> 
>     The problem is those present on the board call might think an 
>     issue is "small" and inconsequential. Those that might find a big 
>     problem in a small thing might not be present on a given call to 
>     raise such a concern. This is where there is value in sending a 
>     short email to the list to keep everyone looped in. We have had 
>     some examples of this in the past with changes to CVE status, 
>     impacts on downstream consumers, etc.
> 
>     Regards,
>     Dave
> 
>     > -----Original Message-----
>     > From: Pascal Meunier [mailto:pmeunier@cerias.purdue.edu]
>     > Sent: Friday, July 07, 2017 3:46 PM
>     > To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
>     > <david.waltermire@nist.gov>
>     > Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list
>     > <cve-editorial-board-list@LISTS.MITRE.ORG>
>     > Subject: Re: Current standards/criteria for 'Undefined Behavior'
>     >
>     > On Fri, 2017-07-07 at 18:49 +0000, Coffin, Chris wrote:
>     > > One worry in going this route would be that we'd never actually 
>     > > make any decisions on the Board calls and the value of them 
>     > > could be greatly diminished.
>     >
>     > I understand and applaud the drive to get things done and decided.
>     >
>     > On the other hand, for some decisions, more time to think things 
>     > through and leverage the input of the entire board would be wise. 
>     > Board calls are the perfect place to make decisions too minor, or 
>     > irrelevant to the board's interests, for the entire board to get 
>     > involved, for efficiency's sake. I think it's a judgment call to 
>     > decide which decisions can be done on the calls. However, CVE 
>     > assignment policy decisions are of interest to the entire board. 
>     > My point is that splitting the difference in the middle, and 
>     > having some categories of decisions flagged for mailing list 
>     > discussions, may be close to optimal.
>     >
>     > Pascal
> 


Page Last Updated or Reviewed: July 10, 2017