[Secure-testing-team] discussing things in NOTE's

Michael S. Gilbert michael.s.gilbert at gmail.com
Wed May 20 17:06:25 UTC 2009


On Wed, 20 May 2009 18:43:15 +0200, Thijs Kinkhorst wrote:
> Let's just split this discussion, and continue with the discussion-in-NOTE 
> issue here.
> 
> > i think NOTEs are a somewhat reasonable place to discuss conflicts of
> > opinion because it is centralized, connected to the issue at hand, and
> > the people that triage security issues will come across the
> > discussion/philosophy, have to think about it, and make a decision.
> > and finally, it's easy enough to change the text once that decision
> > is made.  
> >
> > however, if the consensus is that this is bad, then i will stop.
> 
> > ultimately, perhaps the core problem here is that the security tracker
> > provides no means to allow dissenting/conflicting opinion.
> 
> I don't think this is a problem. The security tracker is indeed not the place 
> to have discussions, or to register dissenting opinions. It's intended to 
> document the outcome of the discussions (if any): what is the current state 
> and what action needs to be taken?
> 
> Taking the 'no-dsa' issue: either there's going to be a DSA, or there's not 
> going to be a DSA. That fact can be debated just fine on our mailing lists or 
> in a relevant bug. Those means provide much better overviews and space for 
> who thinks what, to respond to arguments etc. In the end there has to be a 
> conclusion, we do either this or that. That conclusion/decision will be 
> documented in the tracker.

ok, i agree with this philosophy in intent.  however, in practice i
see some problems:

1. if discussion happens in the relevant bug, then the security team
will not automatically be made aware of that discussion (solution
would be to forward all discussion on bugs marked security to
secure-testing-team list).

2. if discussion happens on the security mailing list, the maintainer
will not be aware, and there is no link to the discussion from the
tracker for posterity.

> > note that 
> > dissenting opinions in US Supreme Court decisions are just as important
> 
> I cannot envision any security issue that would be comparable to a supreme 
> court case, nor can I even begin to think that we are operating even remotely 
> like a "supreme court".

just making a light-hearted analogy of the importance of giving everyone
a voice and the importance of recording that voice for future posterity
(specifically for anyone who does research using the tracker).

mike


