
Re: Current Standards / Standard "Undefined Behavior"



On 13/05/17 ??:28, jericho wrote:
> On Fri, 12 May 2017, Landfield, Kent wrote:
>
> : Can you let us know why you don't participate in the calls? Is time
>
> Before I do, can you tell me, since they started, what % of the Board
> members attend? What is the average or median attendance? If you can't,
> you should stop considering whether these calls are a vehicle for MITRE
> to usurp control in some fashion. After all, they randomly take control
> of so many other key / industry-shocking changes without our review.
> Remind me why we trust MITRE at this point? Stop thinking of them as
> "your admins", and start thinking of them as "APTderp". I think that may
> be a better analogy and more prudent.

Sorry, I'm having a hard time understanding how a board call, which the
entire board is invited to, held at a reasonable time/availability and
involving quite a few board members (e.g. me and Kent =) holding MITRE's
feet to the fire is a MITRE attempt to usurp control (uh.. they already
have control... at least as I understand the DHS funding/MITRE/etc stuff).

> : issue? If so we can work to try to find a better time that accommodates
> : more Board members. I agree and have stated in the past that real
>
> Given the current Board, and I am fairly sure we went through this for
> weeks... trying to find a time that works for EVERYONE is a lost cause.
> The current time was selected based on the "best we could do", no? I think
> we have some mails archived on this.

Yup, and to that end we have the board mailing list, minutes of the calls,
etc. It's like embargo release times, it's mostly a case of "what is the
least worst time".

> : decisions need to be made on the Board list(s). The Board calls
> : however, do give us a higher bandwidth opportunity to go more in-depth
> : on specific issues. We need all to be there if possible and have had
>
> They do. But until we have a true transcript of those calls, and the calls
> are treated as a "single email" in the context of the Board, it simply
> isn't fair. Decisions are effectively made on these calls without the
> consent of the board.

I personally wouldn't be comfortable with a word for word transcript of
the call as myself and quite a few others often speak off the cuff (and
say things in a way that might not be politic, or intelligent sounding,
but in summary seem rational).

> : Can you enlighten us as to why you do not attend?
>
> Sure! You can guess which is more important to me:

Well there you go, CVE is important enough to you for emails, but not
board calls. I and I bet everyone on the board is also busy. But we make
time for this stuff (hint: the board calls actually cross over into time
with my autistic son, but I make it work because my personal life and my
professional life are both important).

> 1. I am typically not available Thursday at ~ 1PM or whenever they were. I
> deleted my Calendar event because I was basically never available (best
> case, I was driving up I-70 through dead zones and the tunnels, which I
> spent a year working with a local T-Mobile managing engineer to resolve).
> I can also guarantee you, that the Europeans will never make that time
> unless they stay up VERY late, after a 14 hour day working, often fighting
> to understand horrible CVE assignments.
>
> 2. We get a rough summary of the call, but not real detail. We get
> "minutes", great. That doesn't tell me "Kent was really worked up, and
> thought that $newidea was complete crap". It doesn't tell me that
> "$whoever objected quite a bit", or what was said to resolve it and
> ultimately make some "informed" decision.
>
> 3. I have long had a serious disdain for InfoSec people who insisted on
> phone calls, after a few emails. In my personal experience, after too many
> years, they did it because they specifically did NOT want a record.
> Usually because they were trying to explain why they weren't a charlatan /
> fraud, and why you could clearly trust them as a human. [Disclaimer:
> remember, I was the primary person behind Attrition Errata.]
>
> 4. Based on the above, security is about integrity. We're auditors. We
> like logs... records... a transcript of what transpired. Until I have
> that, and understand where a conclusion came from? I don't consider myself
> informed. Don't in turn expect me to make an informed vote on anything.

Or you could just hop on the call.

> .b

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page last updated or reviewed: 15 May 2017