RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities


 



Hi Eliot!

 

From: Eliot Lear <lear@xxxxxxxxx>
Sent: Tuesday, October 27, 2020 8:20 AM
To: Roman Danyliw <rdd@xxxxxxxx>
Cc: The IETF List <ietf@xxxxxxxx>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

 

Hi Roman and thanks for the feedback.  Just on this point…

 

On 27 Oct 2020, at 12:56, Roman Danyliw <rdd@xxxxxxxx> wrote:

 

[Roman] The text proposed for the vulnerability reporting web page is longer (and more complex and certainly not KISS), but significantly less ambitious than yours in scope.  It appears that your concise text would redefine the IETF culture and process about handling a certain class of information.  That’s a big step that would require a comprehensive discussion and deliberate consensus process around it.  What’s being proposed instead is an initial outreach step with a “Tao of the IETF”-style prose which explains the as-is process to an IETF newcomer on reporting vulnerability information – almost no new process/culture invented (there will be a new email alias which will act as a final catch all).

 

 

I certainly didn’t set out to change culture OR process.  How do you think I’ve done that?  Perhaps it sounded as if the mailing list is intended to gate keep?  Certainly not what I had in mind.  Just to route. All the usual processes would still apply to what happens next, and the routing function should not be lossy.

 

[Roman] In my view, the proposed text effectively says “this is the IETF process and as a last resort, please use the catch all alias”.  My read of your tighter text is the opposite, “here is a new reporting alias, consider also getting involved in the IETF processes”.  Put in another way, we are actively steering away from established processes (e.g., using the mailing lists) and preferring the triage alias as the first step.  With the reduced text, we are no longer explaining “all the usual processes”.

 

Roman

 

 

 

Regards,

Roman

