RE: Current standards/criteria for 'Undefined Behavior'
Chris,
I am not a fan of your last suggestion. I think we want consensus (the
lack of sustained objection) over agreement. In the rare situation
where consensus cannot be reached on the list, we need to come up with
a way to resolve that. Furthermore, your "final decision" suggestion
creates a mechanism for the board to make a decision by fiat. For
example, if there is no consensus between options A and B, and the
board makes a decision to break the impasse with C on a call, then C
needs to be reviewed by the board on the list, since the impacts of
this decision have not been explored by that larger board.
I would change your statement to:
- If consensus cannot be reached on the list within the allotted
discussion time period, we will discuss and make a decision in the
following Board call taking into account new feedback or comments. If a
new option is chosen on the call, a new discussion period will be
started to provide a means for the board to provide feedback.
Also, I would assume that two weeks starts from the time that minutes
are posted?
Regards,
Dave
> -----Original Message-----
> From: Coffin, Chris [mailto:ccoffin@mitre.org]
> Sent: Friday, July 07, 2017 5:16 PM
> To: Landfield, Kent <Kent_Landfield@McAfee.com>; Waltermire, David A.
> (Fed) <david.waltermire@nist.gov>; pmeunier@cerias.purdue.edu
> Cc: Carsten Eiram <che@riskbasedsecurity.com>;
> cve-editorial-board-list
> <cve-editorial-board-list@lists.mitre.org>
> Subject: RE: Current standards/criteria for 'Undefined Behavior'
>
> Kent,
>
> I think this sounds like a very reasonable approach and would be onboard
> with making this change moving forward. I believe this approach also aligns
> with what Dave had proposed, though you have given it a few more specifics.
>
> Proposed process:
> - Board minutes email contains a list of decisions made within the body of
> the message
> - Each decision includes a brief background statement and additional details
> where needed
> - Board members have two weeks to raise objections to the decision (this
> would also include those in attendance who might later change their mind)
> - If agreement cannot be reached on the list within the allotted discussion
> time period, we discuss and make a final decision in the following Board
> call taking into account new feedback or comments
>
> Does this work for everyone?
>
> Chris
>
> -----Original Message-----
> From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
> Sent: Friday, July 7, 2017 3:50 PM
> To: Waltermire, David A. (Fed) <david.waltermire@nist.gov>;
> pmeunier@cerias.purdue.edu; Coffin, Chris <ccoffin@mitre.org>
> Cc: Carsten Eiram <che@riskbasedsecurity.com>;
> cve-editorial-board-list
> <cve-editorial-board-list@lists.mitre.org>
> Subject: Re: Current standards/criteria for 'Undefined Behavior'
>
> As we become a more internationally diverse group, it is important all get
> to participate in the decision making. I agree Board calls are useful for
> accelerating decisions based on back-and-forth conversations but it is not
> fair to those that can’t participate due to time zone, travel or real day
> jobs.
>
> One of the things we have agreed to as a Board is that WG decisions need to
> be put onto the Board list as recommendations. The Board then has a
> specified time to disagree with the recommendations. If there is no
> disagreement when the time period expires, the recommendations are approved.
>
> Maybe we could consider that type of approach for Board call decisions. The
> call minutes could have a section that specifically lists the decisions
> agreed to on the call with some background on the decision. The minutes
> would be posted with the decisions section copied and included in the body
> of the Board Minutes message in addition to the attached minutes file. The
> Board members then have a week (or some specified time) to disagree and
> initiate a conversation. Any decisions not addressed are blessed with the
> “silence begets acceptance” approach.
>
> We should be addressing the decisions that Board members have an issue
> with or need clarification on, not the ones we agree on.
>
> --
> Kent Landfield
> 817-637-8026
> kent_landfield@mcafee.com
>
> On 7/7/17, 2:55 PM, "owner-cve-editorial-board-list@lists.mitre.org on
> behalf of Waltermire, David A. (Fed)"
> <owner-cve-editorial-board-list@lists.mitre.org on behalf of
> david.waltermire@nist.gov> wrote:
>
> Who is responsible for deciding how big/risky or small/minor a given issue
> is? I wouldn't want that job.
>
> The problem is those present on the board call might think an issue is
> "small" and inconsequential. Those that might find a big problem in a small
> thing might not be present on a given call to raise such a concern. This is
> where there is value in sending a short email to the list to keep everyone
> looped in. We have had some examples of this in the past with changes to
> CVE status, impacts on downstream consumers, etc.
>
> Regards,
> Dave
>
> > -----Original Message-----
> > From: Pascal Meunier [mailto:pmeunier@cerias.purdue.edu]
> > Sent: Friday, July 07, 2017 3:46 PM
> > To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
> > <david.waltermire@nist.gov>
> > Cc: Carsten Eiram <che@riskbasedsecurity.com>; cve-editorial-board-list
> > <cve-editorial-board-list@LISTS.MITRE.ORG>
> > Subject: Re: Current standards/criteria for 'Undefined Behavior'
> >
> > On Fri, 2017-07-07 at 18:49 +0000, Coffin, Chris wrote:
> > > One worry in going this route would be that we'd never actually make
> > > any decisions on the Board calls and the value of them could be
> > > greatly diminished.
> >
> > I understand and applaud the drive to get things done and decided.
> >
> > On the other hand, for some decisions, more time to think things through
> > and leverage the input of the entire board would be wise.
> > Board calls are the perfect place to make decisions too minor, or
> > irrelevant to the board's interests, for the entire board to get
> > involved, for efficiency's sake. I think it's a judgment call to decide
> > which decisions can be done on the calls. However, CVE assignment policy
> > decisions are of interest to the entire board. My point is that splitting
> > the difference in the middle, and having some categories of decisions
> > flagged for mailing list discussions, may be close to optimal.
> >
> > Pascal