Re: Current standards/criteria for 'Undefined Behavior'

[Kurt Seifried <kseifried@redhat.com>]

Can I suggest we bring things up on the list as soon as possible then, so they can be discussed prior to the calls, and then if covered on the call a summary can be posted, one thing to keep in mind we can change our minds, I think in a lot of cases it's more important for us to make a decision and try moving forwards rather than get stuck in analysis paralysis trying to make the "perfect" decision. I've already pivoted the DWF several times (the importance of embargoes, CNAs, etc.). 

On Fri, Jul 7, 2017 at 1:46 PM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:

On Fri, 2017-07-07 at 18:49 +0000, Coffin, Chris wrote:
> One worry in going this route would be that we'd never actually make
> any decisions on the Board calls and the value of them could be
> greatly diminished.

I understand and applaud the drive to get things done and decided.

On the other hand, for some decisions, more time to think things
through and leverage the input of the entire board would be wise.
Board calls are the perfect place to make decisions too minor, or
irrelevant to the board's interests, for the entire board to get
involved, for efficiency's sake.  I think it's a judgment call to
decide which decisions can be done on the calls.  However, CVE
assignment policy decisions are of interest to the entire board.  My
point is that splitting the difference in the middle, and having some
categories of decisions flagged for mailing list discussions, may be
close to optimal.

Pascal

--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com