On 11/15/19 2:56 AM, Michael Richardson wrote:
On 2019-11-13 11:25 p.m., Keith Moore wrote:
On 11/13/19 10:07 AM, Phillip Hallam-Baker wrote:
Maybe what we need is a structure that assigns multiple reviewers for
some projects and rubber stamps others.
Seems like ADs already have a fair amount of discretion to ask for
multiple in-depth reviewers vs. getting minimal review. If having a
human make such decisions isn't your idea of an appropriate
"structure", I'd be curious to know what is.
The issue is that is only so much senior security clue to go around.
There is a non-trivial amount of effort for an-out-area reviewer to spin
up enough understanding about what a WG is doing. There are a lot of
documents that simply allocate a new attribute from an existing registry
and then use it for something. Determining if this has a trivial or
non-trivial security impact can be difficult. If it turns out to be
trivial, then we've wasted the reviewers time (opportunity cost). If it
turns out not to be trivial (and the reviewer missed that), then if we
are lucky, we catch it at IESG time, and then it might be a year later.
I don't disagree with any of the above. And yet, I don't see how it's
responding to either of the above replies.
Keith
