C++ Logo

SG14

Advanced search

Subject: Re: Proposal for a Security Review Group
From: Michael Wong (fraggamuffin_at_[hidden])
Date: 2020-11-11 13:53:52


Hi all, thank you for asking our opinion and sorry for the delay as this
was one of the messages that was lost and we are enacting procedure to
ensure other messages are also not lost.

DG reviewed this proposal and agrees that security should be a Review Group
similar to ARG, which is invitation-only, passive instead of active.

We feel that Security, like Safety, is a cross-cutting property like ABI,
and Performance.

In fact, it would be beneficial to extend the scope of the proposed review
group to both Security and Safety from the start. Our reasons include:

  - the topics are somewhat similar, have dependencies and intersect
significantly,
  - we expect there will be a desire to extend that scope early on and we
might as well avoid another round of administrative discussions, and
  - we think it would be harmful to end up with two separate groups for
that purpose

We would urge whoever is interested to start with a submission of charter
and goal (that DG and others can review), as well as a recommendation of
initial members and potential chairs.

We are now looking at a Dec 9th SG14 meeting to discuss the substance of
such a direction according to the minutes of the November WG21 Admin call
as well as forming a charter, goal, and possible initial review membership
and potential chairs. This is only because one of the proposals came from
an SG14 member.

If interested please subscribe to SG14 forum for the updated zoom times and
connection(also enclosed below), although we will also broadcast this to a
wider group which includes SG12, WG23, Critical reliability google group.
As SG14 is an open outreach group, that means anyone can join even those
who are not registered ISO experts by registering at the SG14 forum:
https://lists.isocpp.org/mailman/listinfo.cgi/sg14/

Herb, JF, and Bryce please feel free to forward to your constituents or
anyone else.

Hi,

Michael Wong is inviting you to a scheduled Zoom meeting.

Topic: SC14 monthly Dec 2020-Feb 2021
Time: Dec 9, 2020 02:00 PM Eastern Time (US and Canada)
    Every month on the Second Wed, until Feb 10, 2021, 3 occurrence(s)
    Dec 9, 2020 02:00 PM
    Jan 13, 2021 02:00 PM
    Feb 10, 2021 02:00 PM
    Please download and import the following iCalendar (.ics) files to your
calendar system.
    Monthly:
https://iso.zoom.us/meeting/tJcscuigqD8pHNESxi1bJ9ClURVqr_ZAvmv1/ics?icsToken=98tyKuCrrz4rEtKRsx-CRowqBY_4d_zwpilego14rwfsUiJ5OyD6A9B0I6BAKvnG

Join from PC, Mac, Linux, iOS or Android:
https://iso.zoom.us/j/93151864365?pwd=aDhOcDNWd2NWdTJuT1loeXpKbTcydz09
    Password: 789626

Or iPhone one-tap :
    US: +12532158782,,93151864365# or +13017158592,,93151864365#
Or Telephone:
    Dial(for higher quality, dial a number based on your current location):
        US: +1 253 215 8782 or +1 301 715 8592 or +1 312 626 6799 or +1
346 248 7799 or +1 408 638 0968 or +1 646 876 9923 or +1 669 900 6833
 or 877 853 5247 (Toll Free)
    Meeting ID: 931 5186 4365
    Password: 789626
    International numbers available: https://iso.zoom.us/u/agpDuueQY

Or Skype for Business (Lync):
    https://iso.zoom.us/skype/93151864365

Note that SG14 is only facilitating the initial call and to enable outside
experts. Further decisions on the formation of the entity will come from
the Convener.

Thank you.

On Tue, Oct 27, 2020 at 9:20 PM Michael Wong <fraggamuffin_at_[hidden]> wrote:

> Received. I will schedule this in the next call and check why this was
> never received. Thanks.
>
> On Tue, Oct 27, 2020 at 12:31 PM Bryce Adelstein Lelbach aka wash <
> brycelelbach_at_[hidden]> wrote:
>
>> Hi all,
>>
>> Michael Wong asked me to ping about this.
>>
>> On Fri, Nov 8, 2019 at 5:49 AM Herb Sutter <herb.sutter_at_[hidden]> wrote:
>> >
>> > Thanks Bryce,
>> >
>> >
>> >
>> > DG, after you've had a chance to discuss this in your telecons, please
>> let me know if you have an opinion on this. While DG doesn't generally
>> recommend organizational things like creating subgroups, DG does recommend
>> direction (including that P0939 already mentions security as a recommended
>> priority) and did recommend what became the new ARG.
>> >
>> >
>> >
>> > In particular: Would DG prefer an ARG-like review board which is more
>> passive, or an actual domain-specific SG(22) for Safety/Security that would
>> actively review/guide/incubate proposals where safety/security are a major
>> motivation, or major aspect, of the proposal (as SG1 does for concurrency,
>> SG2 for modules, etc.)?
>> >
>> >
>> >
>> > I also plan to consult the officers/chairs between meetings, and in
>> particular if we wanted to pursue an actual SG that decision would fall to
>> the EWG+LEWG chairs and myself (per SD-3). But either way we'd appreciate
>> input from DG and from the other chairs.
>> >
>> >
>> >
>> > Thanks,
>> >
>> >
>> >
>> > Herb
>> >
>> >
>> >
>> >
>> >
>> > > -----Original Message-----
>> >
>> > > From: Bryce Adelstein Lelbach aka wash <brycelelbach_at_[hidden]>
>> >
>> > > Sent: Friday, November 8, 2019 1:18 PM
>> >
>> > > To: direction_at_[hidden]; Herb Sutter <herb.sutter_at_[hidden]>;
>> JF
>> >
>> > > Bastien <cxx_at_[hidden]>
>> >
>> > > Subject: Proposal for a Security Review Group
>> >
>> > >
>> >
>> > > We've had a lot of proposals this week that have security
>> implications and
>> >
>> > > would benefit from security review from experts, such as:
>> >
>> > >
>> >
>> > > - P1031/P1883: Low-Level I/O
>> >
>> > > - P1750: Process Management
>> >
>> > > - Networking
>> >
>> > >
>> >
>> > > Currently, we have no group to provide this sort of review.
>> >
>> > >
>> >
>> > > This sort of review group could have saved us a lot of trouble with
>> >
>> > > std::filesystem, which has large security holes in it.
>> >
>> > >
>> >
>> > > More notably, some of these proposals /explicitly/ prioritize
>> security. During
>> >
>> > > LEWGI's review of P1883 (Low-Level I/O), we took a poll on design
>> goals, which
>> >
>> > > had no objection to unanimous consent with
>> >
>> > > 21 people present. The first design goal:
>> >
>> > >
>> >
>> > > 0. Priorities (for defaults): security > performance > ease of use.
>> >
>> > >
>> >
>> > > If we have proposals which are designing to be secure by default, we
>> must have
>> >
>> > > a group of experts that can review those proposals from a security
>> perspective.
>> >
>> > >
>> >
>> > > I'd like to suggest the creation of a (likely invite-only) Security
>> Review Group,
>> >
>> > > similar to the ABI Review Group, for this purpose.
>> >
>> > >
>> >
>> > > --
>> >
>> > > Bryce Adelstein Lelbach aka wash
>> >
>> > > CUDA Core C++ Libraries Lead @ NVIDIA
>> >
>> > > ISO C++ Library Evolution Incubator Chair ISO C++ Tooling Chair
>> CppCon and
>> >
>> > > C++Now Program Chair CUDA Convert and Reformed AVX Junkie
>> >
>> > >
>> >
>> > > Sleep is for the weak
>> >
>> > > --
>>
>>
>>
>> --
>> Bryce Adelstein Lelbach aka wash (he/him/his)
>> US Programming Language Standards (PL22) Chair
>> ISO C++ Library Evolution Chair
>> CppCon and C++Now Program Chair
>> C++ Core Compute Libraries (Thrust, CUB, libcu++) Lead @ NVIDIA
>> --
>>
>



SG14 list run by sg14-owner@lists.isocpp.org

Older Archives on Google Groups