[C-safe-secure-studygroup] Proposal: Any spec from this group should be available for download at no cost (need to talk with ISO)

Wilson, Charles Charles.Wilson at draeger.com
Mon Jul 23 13:15:32 BST 2018

I'll echo David's comments with respect to lurking and things being available.

That being said, nothing prohibits the "interim" materials from being made available. This is how the ISO 14882 committee (C++) works. All the committee's stuff is mirrored at http://open-std.org/JTC1/SC22/WG21/docs/papers/.

Even the in-progress language specifications are included.

They also created a go-to site for all things C++ (https://isocpp.org/).

As someone who works with multiple development teams, I am usually the only person bringing them this information. And, as multiply stated, "what's the point if no one knows about the rules, let alone the motivation behind them."

Good examples of this are JSF++ (http://www.stroustrup.com/JSF-AV-rules.pdf) and the C++ Core Guidelines (https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md). Both are freely available. Both have extensive explanations as to why their rules exist. Both allow for exceptions.

If we're depending on automated systems to tell us when we write questionable code, but never teach people how to not write questionable code in the first place, we've only made matters worse as developers will simply change the code until the issue goes away without understanding the underlying principles at play.

How many on the teams that you all work with on a daily basis know that the default signed-ness of the char type is compiler dependent. Or that only the relative rank of integers is guaranteed? Or that a 6-, or for that matter 16-bit char is not only allowed, but actually used? DSP's anyone?

Failing to create materials which can engage the target audience (who are developers and not the creators of static analysis tools) to even realize that there even is a TS17961 will result at best in people ignoring the recommendations and at worst in people saying that the effort is pointless and does not deserve further resource expenditure. Either of which would be an unfortunate outcome.

-----Original Message-----
From: C-safe-secure-studygroup [mailto:c-safe-secure-studygroup-bounces at lists.trustable.io] On Behalf Of Wheeler, David A
Sent: Friday, July 20, 2018 3:11 PM
To: C Safety and Security Study Group Discussion <c-safe-secure-studygroup at lists.trustable.io>
Subject: Re: [C-safe-secure-studygroup] Proposal: Any spec from this group should be available for download at no cost (need to talk with ISO)

> -----Original Message-----
> bounces at lists.trustable.io] On Behalf Of Laurence Urhegyi A recent
> tweet from a colleague reminded me of this thread, and reminded me
> that it's a topic I've wanted to re-visit for some time, as I don't
> think we ever really agreed on a way forward.

I wish this group the best in resolving it.  The costs of standards once made sense - namely, when you had to own a printing press and there were only a few standards.
Nowadays posting on a website is practically free, and there are far too many specifications for organizations to rationally pay for them.
There is no *good* justification for the current policies to charge for standards, and they disincentivize the use of standards instead of encouraging their use.

On a personal note, I've been following this work with interest but not contributing.
I'm not being paid to do this work, and I don't see why I should contribute my personal unpaid time to an organization who will charge unconscionably large amounts of money for the results.  Those charges will extremely limit access to the results and will earn them money while not paying me for my part.
That kind of relationship looks exploitative.
I'd much rather donate my personal time to IETF, OMG, or other standards-setting bodies who will ensure that the resulting standards are available to all who need them.
If I'm going to freely donate my personal time to something, I expect the recipient to freely donate the results to all.  I suspect I'm not the only one with that viewpoint.

Other standards efforts have required ISO to freely release materials.
The Ada programming language standard & Common Criteria come immediately to mind.  In both of those cases the agreement was early in the process, though.

We're completing the transition to a world where "published" means "freely available on the Internet via an easy Google search".
A standard that cannot be freely & quickly retrieved is, for most people, a document they will ignore.

Don't get me wrong, I think what this group is trying to do is a great thing.
I know & respect a number of you, and I wish all of you the best of luck!!
But it wouldn't surprise me if many others aren't participating for the same reason.

Anyway, I wish the very best to this group!!
Thank you for your time.

--- David A. Wheeler

C-safe-secure-studygroup mailing list
C-safe-secure-studygroup at lists.trustable.io
This communication contains confidential information. If you are not the intended recipient please return this email to the sender and delete it from your records.

Diese Nachricht enthaelt vertrauliche Informationen. Sollten Sie nicht der beabsichtigte Empfaenger dieser E-mail sein, senden Sie bitte diese an den Absender zurueck und loeschen Sie die E-mail aus Ihrem System.

More information about the C-safe-secure-studygroup mailing list