
Re: Current standards/criteria for 'Undefined Behavior'



Sounds good to me.

Pascal

On Fri, 2017-07-07 at 19:41 +0000, Waltermire, David A. (Fed) wrote:
> I don't believe we are facing a binary decision here. It seems like
> we want to take advantage of email and phone conversations.
> 
> 1) phone calls - provide high bandwidth for communication; low
> effort; not easy for everyone to follow due to scheduling
> 2) email - low bandwidth; high-effort to write; easier for the full
> board to follow with variable schedules
> 
> I believe with good note taking and email summaries of phone
> discussions we can get the best of both worlds. That said, I would
> like to see all decisions be confirmed on the list. This can be as
> simple as "We decided XYZ on the call for ABC reasons. Anyone have
> any concerns with this? If not, we will take action on DATE." 
> 
> I don't see this type of approach as a big burden. 
> 
> Regards,
> Dave
> 
> > -----Original Message-----
> > From: Beverly Finch [mailto:beverlyfinch@lenovo.com]
> > Sent: Friday, July 07, 2017 3:18 PM
> > To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
> > <david.waltermire@nist.gov>
> > Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list
> > <cve-editorial-board-list@lists.mitre.org>
> > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> > 
> > I prefer calls over more email.  I apologize for missing this past
> > one....life happened and I was totally unavailable.
> > 
> > 
> > 
> > Regards,
> > 
> > 
> > Beverly M Finch, PMP
> > PSIRT Program Manager
> > Product Security Office
> > 
> > 7001 Development Drive
> > Office 3N-C1
> > Morrisville, NC  27560
> > 
> > +1 919 294 5873
> > beverlyfinch@lenovo.com
> > 
> > -----Original Message-----
> > From: owner-cve-editorial-board-list@lists.mitre.org
> > [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
> > Coffin, Chris
> > Sent: Friday, July 7, 2017 2:50 PM
> > To: Waltermire, David A. (Fed)
> > Cc: Carsten Eiram; cve-editorial-board-list
> > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> > 
> > Dave,
> > 
> > The meeting minutes were intended to be an overview of past meetings and
> > allow someone to be aware of what was discussed and any decisions made.
> > We apologize if this specific issue and decision was not properly captured
> > in the meeting minutes for the call in question, and will try to do a
> > better job with this moving forward.
> > 
> > Let's also pull on this thread a bit and discuss what this might mean if we
> > move our issues and possibly decisions to the mailing list. Are we
> > suggesting that we create a separate email thread for each issue and/or
> > decision from the calls? Would the email threads be a recount of the issues
> > discussed and decisions made on the Board call, or would we want input from
> > the list in every case before making a final decision? It sounds as though
> > we are suggesting the latter. One worry in going this route would be that
> > we'd never actually make any decisions on the Board calls and the value of
> > them could be greatly diminished.
> > 
> > I think this also leads to a larger question of whether folks on the Board
> > prefer fewer calls and more mailing list communications?
> > 
> > What are others' thoughts?
> > 
> > Regards,
> > 
> > Chris
> > 
> > -----Original Message-----
> > From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov]
> > Sent: Friday, July 7, 2017 12:52 PM
> > To: jericho <jericho@attrition.org>; Coffin, Chris <ccoffin@mitre.org>
> > Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list
> > <cve-editorial-board-list@lists.mitre.org>
> > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> > 
> > What Brian is asking for here is something we absolutely should be doing to
> > host a healthy board community. My schedule has been chaotic recently and
> > I haven't been able to attend the calls like I normally do. Posting these
> > types of issues to the list would give me a way to contribute to the
> > conversation when I cannot be on the calls. I am sure others on the board
> > share the same view on this as Brian and me.
> > 
> > We have talked about this quite a few times, but change has been slow and
> > incomplete. How do we make this a standard practice going forward?
> > 
> > Thanks,
> > Dave
> > 
> > > -----Original Message-----
> > > From: owner-cve-editorial-board-list@lists.mitre.org
> > > [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
> > > jericho
> > > Sent: Friday, July 07, 2017 1:15 PM
> > > To: Coffin, Chris <ccoffin@mitre.org>
> > > Cc: Carsten Eiram <che@riskbasedsecurity.com>;
> > > cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> > > Subject: RE: Current standards/criteria for 'Undefined Behavior'
> > > Importance: High
> > > 
> > > On Fri, 7 Jul 2017, Coffin, Chris wrote:
> > > 
> > > : Yes. We discussed on a Board call and decided to discontinue
> > > : assignment for undefined behavior issues.
> > > 
> > > A couple things:
> > > 
> > > 1. Which call? I do not see this topic in the meeting minutes for the
> > > last three meetings.
> > > 
> > > 2. If a new policy is implemented based on a conference call, it would
> > > benefit everyone if it was more clearly stated in the meeting minutes,
> > > and it should also be posted directly to the list under a new thread.
> > > 
> > > 3. There are issues I bring up on list, that are then discussed almost
> > > exclusively on the calls with a fraction of the board present. The
> > > gist of the discussion and even the final disposition are not always
> > > included in the minutes, and not brought to the list. That leaves
> > > emails to the board list that appear to be unaddressed in any fashion.
> > > Since the list is public, this is not a good external perception
> > > for MITRE or the Board.
> > > 
> > > Brian
> 
> 


Page Last Updated or Reviewed: July 10, 2017