
RE: Current standards/criteria for 'Undefined Behavior'



I'm actually in favor of that idea. It would definitely help if we could have a designated #2 rep on the board.



Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov
 

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried
Sent: Tuesday, July 11, 2017 3:11:56 AM
To: Andy Balinsky (balinsky)
Cc: Waltermire, David A. (Fed); Coffin, Chris; Landfield, Kent; pmeunier@cerias.purdue.edu; Carsten Eiram; cve-editorial-board-list
Subject: Re: Current standards/criteria for 'Undefined Behavior'

One thing: would it be acceptable to consider having organizations on the board minutes/email rather than individuals? By this I mean at Red Hat we have myself and (I think..) still mjc@redhat.com on this, but if I'm on vacation/etc. it would be nice if the minutes/board email could go to secalert@redhat.com (the incoming team, and from there whoever at Red Hat security needs to be involved).

My goal long term with the DWF, for example, is to be dependent on processes that are driven by people, and NOT to be dependent on specific people (I want the bus factor to be N-1 =).

On Mon, Jul 10, 2017 at 6:01 PM, Andy Balinsky (balinsky) <balinsky@cisco.com> wrote:
I think that the clock (however many days it is) needs to start from publication of the minutes, just like the US Federal government uses X days from publication in the Federal Register for its comment periods. 

There have been occasions where the minutes have not come out in a timely fashion (3 May minutes released 31 May), and this would not be fair to other board members who were not on the call. It would provide both a consistent standard, and an incentive to get the minutes out on time. Any delays would impede finalization of any proposed decisions made in that meeting. 

Maybe we need an SLA for the publication of the minutes, too, like within 7 days of the meeting.

Andy

On Jul 10, 2017, at 10:27 AM, Waltermire, David A. (Fed) <david.waltermire@nist.gov> wrote:

Chris,

>> I think we want consensus (the lack of sustained objection) over agreement.
>
> Agreed.
>
>> If a new option is chosen on the call, a new discussion period will be started to provide a means for the board to provide feedback.
>
> The first time I read through your response, I took this as a way to extend the decision indefinitely. However, I think what you are saying is that if the decision is changed in a substantial way, we would want to have all board members review the decision again as if it were a new decision entirely. I think this makes sense and should be left as an option in cases where there is sustained objection. However, what I think we want to avoid is the case where a decision is held up by a single Board member indefinitely.

Sure. We want transparency, not bureaucratic deadlock. I was only concerned about the lack of transparency that could result from a new change.

>> Also, I would assume that two weeks starts from the time that minutes are posted?
>
> Kent had originally stated one week, and I extended this based on the board call schedule since we would want to get consensus before or during the next call. Assuming we get the meeting minutes out within the same week as the call, I think this still gives about a week and a half for mailing list discussion. Does a week and a half sound reasonable?

Why not set a minimum of 1 week and allow some flexibility to expand the period as needed for issues that will need more time?

Thanks,
Dave

Andy Balinsky (balinsky)
PSIRT Engineering

--
Kurt Seifried
kurt@seifried.org

Page Last Updated or Reviewed: July 11, 2017