If the rules say one thing, and literally everyone else does something else, who is at fault? It seems that a case can be made for three possibilities:
- Those who didn't follow the rules
- The rules are wrong
- The rules were not clear enough
Perhaps particularly in the NomCom situation, there are comparatively few people who can comment with expertise on the wording of the rule and its possible implications.
I did some RFC-spelunking because why not. The original wording is unchanged from 2004 (RFC 3777 top of page 17) and continues all the way through RFC 8713 of September 2020:
* If the Chair is unable to contact a voting volunteer the Chair
must repeat the random selection process in order to replace
the unavailable volunteer. There should be at least 1 day
between the announcement of the iteration and the selection
process.
(Well s/1/one/; Strunk & White would be proud :)
That "at least one day" sentence at the end is problematic as I'll detail below. The reference to RFC 3797 wasn't added until the January 2015 with RFC 7437. It was intended to be just an editorial update and merging of various update RFC's, as defined in its introduction:
This document is a revision of and supercedes BCP 10. It is in
essence a republishing of [RFC3777] and the other RFCs that updated
that document into a single specification. The result is a complete
specification of the process by which members of the IAB and IESG,
and some members of the IAOC, are selected, confirmed, and recalled
as of the date of its approval.
Here's what I think was missed. Both RFC 7437 and its successor RFC 8713 recommend RFC 3797. That seems okay for RFC 8713, but questionable for RFC 7437 as that's not just editorial, it has other implications. To wit, practice has been to use large lotteries, which are run once or twice a week. Therefore a delay of three to seven days seems much more likely than "at least one" depending on the day of the week, how many sources are needed, and when the decision and announcements are made.*
Another thing missed is that section 2.3 of RFC 3797 says this:
The algorithm can be run to select, in an ordered fashion,
a larger number than are actually necessary so that if any of those
selected need to be passed over or replaced for any reason, an
ordered set of additional alternate selections will be available.
That text could be seen as conflicting with the "repeat the random selection process" text quoted above. That this conflict wasn't noted, or a description of how to handle it provided, also seems wrong.
I hope that whoever works on revisions will address these points.
-Rich Salz, 2022 NomCom Chair
*Side note: Some people have posted "randomness is better now" and given examples. Maybe. I'm neither a mathematician nor a cryptographer and I haven't looked in detail, but I'm skeptical anyway. I admit that I'm scarred by thinking of Dual EC DRBG, having removed "opaque PRF" from OpenSSL, and my overall replacement of its RNG code.
