Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Eliot, *:

I am not even parsing all the things you wrote below, I am sure they are right.

To me they are another proof point that at this stage the IETF has
accumulated enough processes, twists and complications that one of the top
things to think about, when bringing outsiders more into the IETF, not only
to effectively report but maybe also to help take steps towards resolving security issues,
is to have some form of "shepherding" through the process.

To that extent, it would be good if even the "reporting" mail alias would
not be limited to a secret small group of participants but a broader set
of IETF participants, especially those who would volunteer to help
shepherding the process.

Even the writeup is longer than I have seen on any other incident report web page
of other organizations.

Cheers
    Toerless

On Wed, Oct 28, 2020 at 06:00:48PM +0100, Eliot Lear wrote:
> Pete,
> 
> > On 28 Oct 2020, at 17:42, Pete Resnick <resnick@xxxxxxxxxxxx> wrote:
> > 
> > The fact that you think invoking them makes you a "drama queen" means that you are part of the problem. And the idea that if you "don't have a dog in the fight" means that you shouldn't fully participate (including using the pushback mechanisms we have), you're not understanding what the IETF is supposed to be about: We have plenary meetings and Last Calls and the like so that groups can get cross-area and outside feedback. Failure to call out problems simply because you're not a primary player is exacerbating the cultural problem you claim to see.
> 
> This is where I think there may be some subtle issue, and I don't want to make this all about Mike.  Many researchers have no equities in our organization.  They may not even have a fix available for the very problem that they have found.  We have red teams for a reason: it's just a different muscle.  So they see their job as finished when they've reported.  And then they're on to the next thing.  That's their incentive model.  Mike just happens to care more than most, but we shouldn't optimize around him.
> 
> Eliot

-- 
---
tte@xxxxxxxxx