
Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2

Hello Vincent,

On 04/04/17 22:09, Vincent Danen wrote:
> On 04/04/2017, at 13:31 PM, Mr. Stefan Hagen wrote:
>> Dear Members, to enable a clearly documented decision on this crucial
>> question if we enforce CVSSv3 scoring with CSAF CVRF v1.2,
>> I move, that the chair of the TC shall request a ballot for a full
>> majority vote from administration with the ballot question: "Every
>> vuln:CVSSScoreSets element if present MUST contain zero or more
>> CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the
>> answers "yes", "no", and "abstain".
> How do we vote on this or are we waiting for the next meeting?  I think
> the above is reasonable and would vote for it.

As I understand our abilities/rules as an OASIS TC, we are allowed to perform motions via this TC mailing list. This requires someone who moves (done by me in this case) and at least one other member who seconds the motion.

Vincent, your above statement could be interpreted as seconding, but it lacks the clear form of a second. So please rephrase if you intended to do so.

Personally, I sense that both "camps" have expressed valid reasoning, and I do not have enough knowledge (or stakes) even to know how I could weigh one against the other (by severity of impact), so I cannot even say now how *I* would vote in the ballot. But to me this is the major open issue blocking publication of the CSD01 WD01, and:

a) We could conduct voting over the mailing list, but I think in this case we should *not* use the mailing list for *collecting messages* with yes, no, abstain (say over one week or so), as even in such a mid-sized committee this may become a mess and people's messages may get lost ... - thus a proposed ballot.

b) Personally, the sharp controversy at this point in time is a tad surprising to me, as I remember everyone entering in a rush, saying this (the contributions together) is *ready*, we must be fast to enable the market to start using CVSS v3 ... and now we see: it is *not*.

c) We *could* discuss this in the next meeting (as was done in the last), but the trouble with monthly meetings is that (cf. b) this is not what I understand as fast ;-) Having said that: personally, I am always in favor of discussions during the meeting, so we talk with each other, and facilitating this for all members is my core job as officer.

d) Maybe the discussion here has already brought a valuable enough outcome from the quest for a ballot via the mailing list, and we can come to a decision during the next meeting; that would be great (and I always have time). It would be great because, if we do not come to a shared position, the alternative - a ballot, if not unanimous in its outcome - has quite some detracting effect in my experience ...

e) Note: At least one strong proponent of the "MUST include one or more ScoreSetV3 if CVSSScoreSets is given in a v1.2 document" position has not engaged in this mailing list discussion (albeit he spoke up clearly during the last meeting) ...

Apart from the "to vote or not to vote" question, I currently see two major discussion topics escalating (speaking as editor):

1) MUST or SHOULD a publisher include a CVSSv3 ScoreSetV3 element if CVSSScoreSets is given in a valid CSAF CVRF v1.2 document?

2) What SHOULD the model of the ScoreSetVx element allow, to meet expectations from scoring the vuln and relating it to products? (Brought up through the "why should there be more ScoreSet elements for any specific version?" question.)

Speaking as editor, I suggest publishing a CSD01 WD01 and starting a public comment phase only after these two points (1) and (2) have been resolved inside this committee (ideally unanimously).

@Chet: Please advise if I stated something wrong about our mailing list capabilities, the formal procedures for clarifying this kind of question via the mailing list, or the formalities for requesting a ballot (esp. must a full majority ballot be explicitly named in the motion, or does "ballot" suffice ...)? Thanks.

[... - - 8< - - ...]

All the best,
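One way to check the cardinality rule in the motion quoted above ("zero or more ScoreSetV2 and one or more ScoreSetV3 inside every CVSSScoreSets that is present"), as an added example that is not part of the original message or of the CSAF TC's own schema work: a small Python validator run over constructed CVRF-like fragments. The element names follow the message's shorter usage (CVSSScoreSets, ScoreSetV2, ScoreSetV3); the namespace URI, the `Ordinal` attribute and the sample documents are assumptions made for illustration.

```python
"""Check the proposed CVRF 1.2 rule: a vuln:CVSSScoreSets element, if present,
holds zero or more ScoreSetV2 children and one or more ScoreSetV3 children.

Added example; the namespace URI, the Ordinal attribute and the sample
documents below are constructed, not taken from the CSAF specification.
"""
import xml.etree.ElementTree as ET
from typing import List

# Assumed namespace URI bound to the vuln: prefix (placeholder for this example).
VULN_NS = "urn:example:csaf-cvrf:vuln"


def _q(local_name: str) -> str:
    """Return the Clark-notation tag {namespace}local-name used by ElementTree."""
    return f"{{{VULN_NS}}}{local_name}"


def check_score_sets(score_sets: ET.Element) -> List[str]:
    """Return violations for one CVSSScoreSets element (empty list = compliant).

    ScoreSetV2 may occur any number of times, including zero; the only
    requirement is at least one ScoreSetV3.
    """
    n_v2 = len(score_sets.findall(_q("ScoreSetV2")))
    n_v3 = len(score_sets.findall(_q("ScoreSetV3")))
    if n_v3 == 0:
        return [f"CVSSScoreSets has {n_v2} ScoreSetV2 but no ScoreSetV3 (MUST have one or more)"]
    return []


def check_document(xml_text: str) -> List[str]:
    """Validate every CVSSScoreSets in a CVRF-like document.

    A Vulnerability without any CVSSScoreSets is compliant, because the
    proposed rule applies only 'if present'. Each finding names the
    vulnerability by its (assumed) Ordinal attribute.
    """
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for vuln in root.iter(_q("Vulnerability")):
        ordinal = vuln.get("Ordinal", "?")
        for score_sets in vuln.findall(_q("CVSSScoreSets")):
            for problem in check_score_sets(score_sets):
                findings.append(f"Vulnerability Ordinal={ordinal}: {problem}")
    return findings


# Constructed sample: vulnerability 1 carries only a v2 score set (violates the
# rule), vulnerability 2 carries v2 and v3 (compliant), vulnerability 3 has no
# CVSSScoreSets at all (compliant, since the rule applies only if present).
SAMPLE_DOC = f"""<cvrfdoc xmlns:vuln="{VULN_NS}">
  <vuln:Vulnerability Ordinal="1">
    <vuln:CVSSScoreSets>
      <vuln:ScoreSetV2><vuln:BaseScore>7.5</vuln:BaseScore></vuln:ScoreSetV2>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:CVSSScoreSets>
      <vuln:ScoreSetV2><vuln:BaseScore>7.5</vuln:BaseScore></vuln:ScoreSetV2>
      <vuln:ScoreSetV3><vuln:BaseScore>9.8</vuln:BaseScore></vuln:ScoreSetV3>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="3"/>
</cvrfdoc>
"""

if __name__ == "__main__":
    for finding in check_document(SAMPLE_DOC) or ["no violations"]:
        print(finding)
```

Running the block reports exactly one violation, for the vulnerability whose CVSSScoreSets contains only a ScoreSetV2; the vulnerability with no CVSSScoreSets passes, which is the "if present" half of the rule a schema assertion has to preserve.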
