[C-safe-secure-studygroup] Update from Pittsburgh

Wed Oct 17 18:49:51 BST 2018

Hi everyone! During the WG14 meetings in Pittsburgh this week, we
discussed the progress report provided by the study group. Clive did a
great job of presenting the written report and kicked off a fairly
significant amount of discussion, which I want to broaden to include
the full study group.

Given Robert's current scheduling conflicts, we've lacked a chair for
the group and that's caused some problems with getting
teleconferencing services, etc. To alleviate this somewhat, I've
stepped up as the temporary chair and David Keaton has offered to help
me get the teleconferencing services from ISO. However, I am only able
to commit to being chair until we find a permanent chair or until the
next WG14 meeting.

There was significant concern expressed about the open questions we
have regarding IP rights to reproduce significant concepts from the
MISRA documents. There were conflicting opinions in the room about the
legality, but no attendees are IP lawyers (to the best of my
knowledge, anyway) and so our open question remains open.

We discussed the study group's lack of progress, and the prevailing
sentiment in the room was that more regular attendees could help
shoulder the burden of processing rules. A suggestion was also floated
for having a face-to-face study group meeting to attempt to form
consensus on perennial topics like deviations, false positives, etc.
and put them to rest once and for all. We could colocate a face to
face meeting with WG14 if there is sufficient interest. The committee
felt the lack of progress was concerning, but also noted that we have
not opened a new work item with ISO and so we're not under a deadline
for completing our work.

The convener assigned action items for the group to produce a
permanent chair who is a member of the ISO global directory and for
the group to determine whether we have obtained the necessary
permissions to republish some parts of MISRA's IP by the next WG14
meeting in April 2019. The committee's opinion was that if these two
action items could not be completed by then that it would be difficult
to justify continuing efforts in the direction the study group is
currently going, especially given our stated lack of progress. They
recommend that, in that case, the study group consider pivoting to
another focus (such as updating TS 17961 for security only, and not
safety in order to resolve the IP concerns) or disband. Given that one
of our stated concerns was availability of security experts for making
progress, I am not certain that pivoting to a security-only focus is a
viable option.

Given the above: what do we want to do?

I'd like everyone to consider this question so that we can discuss it
at the next teleconference, on Oct 31. Specifically, I am looking for:

* Do you think we should continue to attempt to produce a standard
combing both safety and security rules for static analyzers?
* If the consensus is to continue forward,
  * What is the best way for us to resolve the IP concerns before
April and are you willing to take on any or all of that effort?
  * If you are a member of the ISO global directory, are you willing
to step up as chair? If you're not, are you willing to join ISO to
step up as chair?
  * Are you able to help find more participants in either domain so
that we can address our quorum and expertise concerns?

Fair warning: I plan to poll the question of whether we want to
disband the study group. It would be useful for me to know if you're a
regular attendee that is unable to attend the teleconference on Oct 31
but have a strong opinion.

~Aaron, the only ISO chair ever to ask about disbanding their study
group on their first day on the job