ISO/IEC JTC 1/SC 22/WG 23 N0339
Minutes: Meeting #18
ISO/IEC JTC 1/SC 22/WG 23: Programming Language Vulnerabilities
19-20 June 2011


Meeting Times:

19 June 2011: 09:00 to 12:00 and 13:30 to 17:00
20 June 2011: 09:00 to 12:00 and 13:30 to 17:00

Meeting Location:

John McIntyre Conference Centre
Pollock Halls
18 Holyrood Park Rd.
Edinburgh, UK
+44(0)131 651 2189

Meeting Logistics:

Ada Connection, Edinburgh, UK

Local Contact information:

John Benito, +1 831 600-5547

Agenda

1. Opening activities

1.1 Opening Comments (Benito)

The meeting begins at approximately 9:15. Later in the meeting, Tom Anderson visited and welcomed us.

1.2 Introduction of Participants/Roll Call

The following persons attended all or part of the meeting: Larry Wagoner (phone), Jim Moore (secretary), Erhard Ploedereder (WG9), Clive Pygott (UK), John Benito (convener), Jim Johnson (DoD), Steve Michell (phone), Tullio Vardanega, Tom Plum (phone)

1.3 Procedures for this Meeting (Benito)

No formal voting. Anyone can participate.

1.4 Approval of previous Minutes (Moore) [N0315]

The minutes were approved.

1.5 Review of previous actions items and resolutions, Action Item and Decision Logs

[Note from secretary: The updates that I made to the status of existing action items were lost in a computer failure. You are invited to remind me of what those updates were. New action items assigned at Meeting #18 are correctly recorded.]

Erhard: Reviewers of language annexes should be careful to reconcile the annex with the base document because some of the descriptions have been rearranged. Also some vulnerabilities are described in the annexes but not the base document.

[Note from secretary: I originally minuted the following as an action item. I have instead converted it to a future agenda item.]

Perform a side-by-side review of the annexes to look for mismatches of content (additional vulnerabilities, vulnerabilities in wrong sections).

ACTION #18-01 [Wagoner]: Draft a C++ annex to use as a starter. Clive and John will support.

1.6 Approval of Agenda [N0334]

Agenda is approved.

1.7 Information on Future Meetings

1.7.1 Future Meeting Schedule
Concurrency workshop 2011-09-14/16 Santander, Spain Session on concurrency vulnerabilities in conjunction with RT Ada Workshop  
WG 23 #19 2011-09-21/23 UPDATED Copenhagen, Denmark WG 23 Meeting #19 (in conjunction with SC 22 plenary meeting)  
WG 23 #20 2011-12-14/16 CHANGED McLean, VA WG23 Meeting #20 .
WG23 #21 2012-03 TBD Stuttgart, Germany    
WG23 #22 2012-06 TBD Ottawa, Canada    
WG23 #23 2012-09 TBD Geneva, Switzerland Colocated with SC 22 plenary meeting  
WG23 #24 2012-12 TBD Kona, Hawaii, USA    

Danish Standards wants to charge us a fee for meeting with the SC22 plenary. We decide to have an all-electronic meeting instead. Participants can Skype to the MeetingPlace telecon. We decide to conduct Meeting #19 as an all-electronic meeting on 5-7 October, 3 hours per day, beginning 4 am Hawaii/7 am California/10 am Eastern USA/3 pm UK/4 pm Europe. [If I am incorrect in any of the timezone calculations, the definite time is 10 am US ET.] ACTION #18-02 [Moore]: Set up MeetingPlace for web conference.

ACTION #18-03 [Benito, Ploedereder]: Pick dates for Meeting #21.

ACTION #18-04 [Benito, Michell]: Reconfirm the Ottawa venue for Meeting #22 and select dates.

1.7.2 Future Agenda Items

Perform a side-by-side review of the annexes to look for mismatches of content (additional vulnerabilities, vulnerabilities in wrong sections).

2. Reports on Liaison Activities

2.1 SC 22

SC22 hasn't met since our last meeting.

2.2 PL22.3/WG5 (Fortran)

No report.

2.3 PL22.4/WG4 (COBOL)

No report.

2.4 WG9 (Ada)

WG9 is meeting later this week.

2.5 PL22.11/WG14 (C)

WG14 has not met since our last meeting.

2.6 PL22.16/WG21 (C++)

C++ is in FDIS ballot. However, defect reports are already being received and may occupy the group following publication. They meet next later this summer.

2.7 Ecma International, TC49/TG2 (C#)

No report.

2.8 Ecma International, TC39 (ECMAScript)

No report.

2.9 MISRA (C)

Clive reports that MISRA C new edition will be published later this summer. There are some concerns about fitness for publication, and it might be delayed. A MISRA C representative has attended recent C meetings.

2.10 MISRA (C++)

No recent action.

2.11 MISRA L (MISRA L)

We have a Category C liaison with MISRA L, but there has been no activity. ACTION [Benito]: Request SC22 to terminate the Category C liaison relationship without prejudice. Send an email note to Chris Hills before taking action.

2.12 SPARK

The SPARK annex has been updated and sent to both WG9 and to Rod Chapman. He will defer action until after WG9 makes updates to the Ada Annex.

2.13 MDC (MUMPS)

No report.

2.14 SC7/WG19 (UML)

No report.

2.15 Other Liaison Activities or National body reports

None.

3. Document Review 

3.0 Calendar for producing next edition [N0333]

We update the details of our schedule for Edition 2 and save the result as [N0341].

We discuss the process for adding vulnerabilities. We decide to maintain a standing document in addition to the current working draft of the TR. It would have two parts:

ACTION #18-05 [Moore]: Create a new document register for standing documents.

3.1 Disposition of comments from MISRA [N0340]:

From previous minutes. (See document [N0250].): Note Action Item #13-07 re MISRA comments. These will be reviewed at the Edinburgh meeting. The convener will map the comments to the new version of the document [Action Item #17-05].

The editor's proposed disposition was reviewed and markups were made. The result is saved as [N0342].

3.2 Contributed documents:

N0336 2011-05-04   Proposed change to Clause 6 introduction, contributed by Jim Moore [docx, pdf]

Updates were made and the result stored as [N0343].

N0337 2011-06-01   Concurrency vulnerability descriptions, contributed by Steve Michell [zip, dir]

The proposals are marked up and the result is saved as [N0345]. Overnight, Steve sent in an additional description, CGE, which was added to [N0337]. It was marked up and saved as part of [N0345].

N0338 2011-06-02 Replaces [N0335] Revised Baseline draft of 24772, Ed 2, contributed by editor [pdf]

Changes to the baseline draft are marked in [N0344].

ACTION #18-06 [Moore]: Draft additional text for 4.3 "How to Use this Document" that describes the language-specific annexes.

We take a look at Michael Walsh's comments on the Ruby annex [N0349] and provide dispositions. The result is saved as [N0350].

3.3 SQL and Python Annexes

In addition, we decide to look at the Python and SQL annexes. (They were not distributed in advance of the meeting.) The draft Python annex is saved as [N0347]. The draft SQL annex is saved as [N0348]. It was noted that one of the standard numbers at the beginning appears to be odd. We decide that the Python annex appears to be in good enough shape that we will try to include it in Edition 2. On the other hand, the SQL annex appears to present some difficulties. It will probably end up in our standing document for inclusion in a future edition of the TR. ACTION ITEM #18-07 [Johnson] Consult with his SQL contact to attempt some of the open questions and will revise the draft annex accordingly.

Larry mentioned that his group is beginning work on annexes for PHP and C++.

3.4 Vetting presentation to Ada-Europe

We modified the presentation prepared by Larry Wagoner so that Jim Johnson can present it on Wednesday to the Ada Connection Conference. The result is saved as [N0346].

4. Other Business

There was no other business.

5. Resolutions

There were no resolutions. We thank the host, Ada-Connection, and Tom Anderson.

6. Adjournment

We adjourn at approximately 4:05 pm on Monday.