W3C home > Mailing lists > Public > public-w3process@w3.org > November 2014

Re: Require security review before FPWD

From: Karl Dubost <karl@la-grange.net>
Date: Tue, 4 Nov 2014 16:52:13 +0900
Cc: Anne van Kesteren <annevk@annevk.nl>, Jeff Jaffe <jeff@w3.org>, Philippe Le Hégaret <plh@w3.org>, public-w3process <public-w3process@w3.org>
Message-Id: <3E460BD2-E5F7-4160-92D4-AED1A2E26BEC@la-grange.net>
To: chaals@yandex-team.ru
As Charles said:

Le 4 nov. 2014 à 16:35, chaals@yandex-team.ru a écrit :
> However we should be aware that security review (like internationalisation, accessibility, etc) isn't a boolean property, and the fact that somebody did one doesn't mean that no more is required. There is a risk that the labeling of "this had a security review" will give people a false sense of how likely it is that there are remaining issues…

yes, there is a wide range of review and depending one's expertise, it will be felt as a priority. 

* accessibility
* internationalization
* patents review
* privacy
* readability and quality (of the spec)
* security
* usability (for the devs)

When designing the specification guidelines, we had basically the same type of discussions, with each group coming and saying we have to be in there. We decided that they were important topics but basically "orthogonal" (for my std geek score) to the conformance.

>In addition to conformance, there are several other topics that should be addressed when writing a specification, such as accessibility, internationalization, security, and device independence. These topics are not directly in the scope of this document, but are evoked in section 3.3. Specification authors and editors are encouraged to consider these topics and coordinate their efforts in these areas with the relevant W3C Working Groups.
See http://www.w3.org/TR/qaframe-spec/#address-other-topics

Putting these reviews in a part of the process has always been a major pain point often antagonizing the publishing dance. The charter usually defines these reviews. And the group is free to set a requirement on its own publication. Entirely possible. 

Do not make it part of the process.
On the other hand, publish a set of guidelines and how to implement them for reviewing security issues *when* editing a spec.


-- 
Karl Dubost 🐄
http://www.la-grange.net/karl/
Received on Tuesday, 4 November 2014 07:52:20 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:35:12 UTC