- All times are US Eastern times.
- 03 October 2011: 10:00 to 13:00
- 04 October 2011: 10:00 to 13:00
- 05 October 2011: 10:00 to 13:00
1.1 Opening Comments (Moore, Benito)
The convener noted that the telecon details for each of the three days are different. He apologized for the inconvenience. This is our first telecon meeting. He suggested that participants keep their phone muted except when they wish to speak.
1.2 Introduction of Participants/Roll Call
John Benito (Convener), Kevin Coyne (US), Bob Karlin (WG4 liaison), David Keaton (US), Steve Michell (Canada HOD), Jim Moore (Secretary, US HOD), Erhard Ploedereder (WG9 liaison), Clive Pygott (UK HOD), Larry Wagoner (US)
1.3 Procedures for this Meeting (Benito)
1.4 Approval of previous Minutes (Moore) [N0339]
No changes were suggested and the minutes were approved.
1.5 Review of previous action items and resolutions, [S0001]
We updated the action item log.
Larry mentioned that his people are now drafting a PHP annex.
1.6 Approval of Agenda [N0356]
The agenda was approved with additions.
1.7 Information on Future Meetings
1.7.1 Future Meeting Schedule
- WG23 #20: 2011-12-14/16 (CHANGED), Washington, DC. WG23 Meeting #20. Logistics [N0351].
- WG23 #21: 2012-03 (TBD), Stuttgart, Germany. WG23 Meeting #21.
- WG23 #22: 2012-06-20/22 (DATES PENDING), Ottawa, Canada. WG23 Meeting #22.
- SC22: 2012-09-10/11, Geneva, Switzerland. SC 22 plenary meeting.
- WG23 #23: 2012-09-12/14, Geneva, Switzerland. Colocated with SC 22 plenary meeting. Preliminary agenda [N0354].
- WG23 #24: 2012-12 (TBD), Kona, Hawaii, USA.
We agreed to swap the meeting locations of Meetings #21 and #22. For Meeting #21, we are considering either the last or the penultimate week in March. ACTION ITEM #19-01: Convener will sort out the dates of Meeting #21. Meeting #22 will be 2012-06-20/22.
Overnight, Michell and the convener selected 28-30 March as the dates for Meeting #21, thus completing AI #19-01.
The convener will set up the agenda and the Webex details for meeting #20 within a few weeks.
1.7.2 Future Agenda Items
1.8 Review of Document Schedule [S0002]
Formal working draft review will occur during November. That would imply that the document contents will be determined at this meeting. The annexes that we have in hand are for C and Ruby. We hope to get Ada and SPARK in time.
Joyce has requested feedback by 8 October on the comments on the Ada annex. We can hope to get the agreed comments by 15 October.
The convener took ACTION ITEM #19-02 to contact the convener of WG9 and settle on a schedule.
Larry hopes to create a PHP annex in time. It's not clear how WG23 would have a chance to review the content prior to the detailed working draft review of the assembled document. Edition 2 would have C, Ada, SPARK, Ruby, and Python. Edition 3 would have COBOL, C++, Fortran, and SQL. The issue is whether PHP should be rushed into Edition 2 or delayed for Edition 3. We decide that PHP should be allocated to Edition 3.
2.1 SC 22
- Convener's Report: [N0353]
- Meeting Notes: [N0364]
2.2 PL22.3/WG5 (Fortran)
2.3 PL22.4/WG4 (COBOL)
2.4 WG9 (Ada)
From Erhard Ploedereder, via email
The Ada Annex was distributed to the members of WG9 shortly after the Edinburgh meeting in June 2011. Members were given portions of the document to review and a deadline of Aug 1st to respond. Responses were mostly late. A few days ago, Joyce Tokar was still at work to process the comments.
2.5 PL22.11/WG14 (C)
2.6 PL22.16/WG21 (C++)
2.7 Ecma International, TC49/TG2 (C#)
2.8 Ecma International, TC39 (ECMAScript)
2.9 MISRA (C)
2.10 MISRA (C++)
2.11 MISRA L (MISRA L)
2.13 MDC (MUMPS)
2.14 SC7/WG19 (UML)
2.15 Other Liaison Activities or National body reports
3.1 Revised Baseline Draft of TR 24772, Edition 2
- N0352, 2011-07-19: Replaces [N0344]. Revised Baseline draft of 24772, Ed 2, contributed by editor [pdf]
- N0361, 2011-09-30: Comments on C Annex, contributed by Joyce Tokar [pdf]
- N0365, 2011-10-01: Proposed revision to Sub-clause 4.3 to describe language annexes, contributed by Jim Moore [docx]
- S0003, 2011-07-18: Material under consideration for inclusion in the 2nd revision of TR 24772 [html]
[N0365] was marked up for incorporation into the baseline draft and saved as [N0366]. ACTION ITEM #19-03: The editor will incorporate [N0366] into the baseline draft. We make additional edits on the second day.
We considered the comments on the C Annex. The comment on C.20 was judged to be appropriate and helpful. Keaton said that the issue illustrates a problem in keeping the annexes in synch with the body of the document. We may need boilerplate to note that a description in an annex has not caught up with changes in the body. This led to a discussion of how to resolve balloting comments on language annexes. The convener stated that we should ensure that language experts attend the ballot disposition meeting. Keaton suggested that C.23, although incorrect, suggests that the reader may have misunderstood the relevant section in the annex and that the annex might need revision. It might be reasonable for C.23 to include a brief explanation of why the vulnerability is not applicable. ACTION ITEM #19-05: Keaton volunteered to offer a minor revision to 6.BJL. ACTION ITEM #19-04: Benito will propose words in C.BJL to explain why the vulnerability is not applicable.
3.2 Revised Proposal for Concurrency Vulnerability Descriptions
N0360 2011-09-30 Replaces [N0345] Revised Proposal for Concurrency Vulnerability Descriptions [dir, zip]
During the first day, we marked up CGA and CGM and sent them to Steve Michell for overnight rework. He revised the set; the result is [N0367]. During the second day, we marked up several of the proposals. The complete set, with markups of some, is [N0368]. On the third day, we reviewed remaining write-ups. The final results of all three days can be found in [N0369]. ACTION ITEM #19-06: Editor should incorporate the descriptions into a new Clause 8 of the baseline draft.
3.3 Revised Proposed Annex for Python
N0362 2011-09-26 Replaces [N0347] Revised Python Annex, contributed by Kevin Coyne [docx, pdf]
We suggested that the definition of "guerilla patching" ought to be value-neutral and it should instead be described as a vulnerability, possibly NYY. We decided (ACTION ITEM #19-07) to ask Kevin to revise the text, get it reviewed, and give it to John for inclusion in the document to be balloted. Bob Karlin requested that Kevin ensure that all of the terms are actually used in the draft. Erhard requested that when a vulnerability is not applicable, there should be a short, simple statement that explains why. Clive and Erhard agreed to be reviewers of the new draft.
3.4 Possible Work Item for Code Signing
- N0273, 2010-08-31: Proposed draft NWIP for software security APIs, contributed by Larry Wagoner [doc, pdf]
- N0306, 2011-02-15: See [N0253] REVISED Result of Voting on SC 22 N 4575 - Information technology - Programming languages, their environments and system software interfaces - Software code signing, contributed by secretary [pdf]
- N0314, 2011-03-11: Code signing proof of concept, contributed by Jim Johnson [zip]
- N0358, 2011-09-07: Presentation for SC22 plenary regarding code signing, contributed by Jim Moore [pptx, pdf]
- N0359, 2011-09-11: Replaces [N0357] Revised preliminary working draft for code signing, contributed by Larry Wagoner [docx, pdf]
The convener stated that the NWIP should be updated to point out that the APIs will be language-independent and that a preliminary working draft has been prepared. We authorized the convener to revise the NWIP, obtain review as he sees fit, and submit it for ballot along with the preliminary working draft. (ACTION ITEM #19-08).
3.5 Process for new Vulnerabilities
Convener: At the Edinburgh meeting, we decided to maintain a standing document that traced past and planned changes/additions to the TR. Erhard suggests either of two alternatives: (1) adding a section to the TR that includes proposed vulnerabilities; (2) issuing a distinct document that contains planned vulnerabilities. Either would serve to put annex-writers on notice that new vulnerabilities are on the way.
Jim proposes a new Section 8 that would contain vulnerability descriptions that are not yet in the language-specific annexes. Erhard emphasizes that these are not to be regarded as draft or preliminary, but should be restricted to well-considered descriptions that are not yet in the annexes. Each one would move from Section 8 to Section 6 or 7 when it is treated in the annexes.
Erhard suggests the following lead-in verbiage for the Section (or Annex): "Section 8 / Annex F contains vulnerabilities for which this edition of the Technical Report does not yet contain matching sections in the language-specific annexes. The next edition of the Technical Report will merge these vulnerabilities into sections 6 and 7, and the language-specific annexes will address them."
We decided that we will insert new vulnerabilities into a new Clause 8 (ACTION ITEM #19-06).
The meeting was adjourned at 12:45 pm on Wednesday, 5 October.