Zoom
Topic: SC 22/WG 23 Meeting 77
Stephen Michell – convenor
Erhard Ploedereder – liaison SIGAda
Clive Pygott – UK
Bill Ash – SC 22 committee manager
YW Lee – Korea
Dr. HS Jung – Korea
Dr. Chelsang Yoon – Korea
Dr. CH Yoon – Korea
Dr. JW Park – Korea
Ulrich Neumerkel – Austria
Mr. Shiv Maddinmath (BIS)
David Keaton – SC 22 Chair
Regrets
Tullio Vardanega, with position on issues
Not reviewed
Approved
The main meeting schedule is to progress documents in sub-WG meetings. On an as-needed basis a meeting of the full group is scheduled to progress work to SC 22 for ISO balloting, to propose to SC 22 add or remove documents from the WG 23 schedule and to manage general WG 23 work.
As required to address ballot comments on documents
Planned - 10 Sep 2025, immediately after the SC 22 2026 plenary
WG 9 eagerly awaiting ballot progression and free availability
WG 14 eagerly awaiting ballot progression and free availability
MISRA is about to publish the C secure coding document.
MISRA has published the C++ secure coding document.
Same as Ada.
Only 1 meeting from being ready to submit for ballot.
Developed in WG 23 without an ISO/IEC committee support. Oracle has Copyright on Java and has not been completely supportive. Further discussion follows on progressing the Java vulnerabilities document.
The main topic of this meeting is the free availability of ISO/IEC 24772, all parts. Note from the SC 22 chair:
Today in a meeting of JTC 1/AHG 5, the JTC 1 chair announced that ISO and IEC have largely approved our request to improve the criteria for no-cost availability of deliverables.
This directly affects some SC 22 documents favorably, notably at the moment a suite of documents in development in WG 23, but also others.
I have attached two documents that show the results. If ISO incorrectly rejects your application for no-cost availability, you can show them these documents to explain why they should have been accepted.
The new criteria are laid out clearly on the last page of the first document, JTC 1/AHG 5 N 49. Most importantly to us, amendments and revisions of documents that were previously approved for free availability will now be approved as long as their scope has not been expanded.
There are a few things to note.
ISO and IEC have approved these new criteria for a one-year trial period (as shown in the second attached document). The JTC 1 chair notes that it will probably not be exactly a year; it could be anywhere from 9-18 months. Consequently, now is the time to push through any documents that you want to get approved under the new criteria. There is a good chance the new criteria will be extended after the trial period, but there are no guarantees.
Technical Reports and Technical Specifications have had their eligibility for free availability restored. There is no longer a need to upgrade a document to a standard for the sole purpose of getting it approved for no-cost availability.
There will be a new web site for free downloads, and it will require people to create an account for themselves and tell ISO and IEC who they are. This does not affect their ability to get documents for free; ISO and IEC are just frustrated that currently there are no data on how widely no-cost documents are being used, and they want to collect some.
The current free download web site says that the documents are being made available for purposes of standardization. ISO and IEC recognize that this statement is meaningless because *all* documents are available for free for the purpose of standardization. They recognize that because everyone knows this, they will see the statement on the web site as meaningless and will ignore it. However, they are going to retain the wording because some companies have downloaded free ISO and IEC documents and bundled them into larger libraries for sale, and there needs to be some kind of statement that says they can't do that. The current statement is not ideal for that purpose, but they are retaining it while they decide what to do.
I want to acknowledge the JTC 1 chair for leading the charge and pressing our case to ISO and IEC. The current success would not have been achieved without his enthusiastic support.
The documents that the SC 22 chair talks about are registered as WG 23 documents N1384 and N1385.
24772-1 has been balloted and approved as an International Standard. However, it is possible that we will want to ballot the other parts, 24772-2 Ada, 24772-3 C, etc. as TRs. This topic is open for discussion.
Proposal (Erhard, Bill) to stagger ballots every 3 to 6 months if we go as DIS ballots. Discussion. A WG position is posted below.
The convenor has put the following documents on the web site formatted as international standards. They have had some wording changes to meet with the ISO editorial demands, such as no “shall” or “may”. The no “shall” is because we have always considered the documents as providing “avoidance mechanisms” that the organization, team or individual apply as demanded by other safety standards, security standards, or organization requirements. The no “may” rule is that ISO regards “may” as explicit permission to make a decision to undertake an action, not the common English meaning. Therefore we must use “can” to express uncontrolled occurrences.
ISO/IEC 24772-2 Ada, document N1411
ISO/IEC 24772-3 C, document N1413 (now N1419)
ISO/IEC 24772-6 SPARK, document N1410
ISO/IEC 24772-8 Fortran, document N1396
ISO/IEC 24772-4 Python, document N1417
N1396 Fortran, N1410 SPARK, N1411 Ada and N1413 C were discussed, but not reviewed in the meeting. Members are encouraged to read each and comment. The convenor edited all of these documents mostly for wording to align them with the editorial changes applied as part of the FDIS submission of 24772-1. However, the convenor did add some material where it was obvious that items were absent, such as discussion in clause 6.X.1 to justify a recommendation in 6.X.2.
N1413 C had more significant edits since it had not been touched in a while and was also missing clause 6.65 Modifying constants. The convenor drafted a clause for 6.65 and worked with Clive Pygott to develop code examples. This will be reviewed by the C experts before submission for ballot.
A discussion is required as to how we edit/correct/approve these documents and get them into DIS ballot.
Discussion, standards or Technical reports – No statements for Technical reports – Consensus to produce as standards. Stephen and SC 22 Committee Manager will prepare Form 4 documents for each.
Comments:
Tullio Vardanega – My view to the meeting is that the documents as we have finalized should be standards: we have spent considerable effort in making them so, and it was a useful exercise. They are certainly more comprehensive than TRs.
I am confident that the argument to have them freely available based on the 2010 and 2012 precedents should hold.
Python and Java publications. Lack of standards groups for these two documents is a concern. Java/Oracle was a concern. The SC 22 Committee Manager suggests having a Committee Internal Ballot to evaluate National Body support for those documents. A possible approach is to leave Java as a TR, or to register it for a CD ballot and see if National Bodies object.
Additional items could be selected for inclusion, such as Rust. At this point in time, we would need experts in the language(s) we consider, so we will explore further.
While ISO/IEC 24772-1 was going through the final touch-up and balloting phases, we encountered another vulnerability that we believe needs adding to all documents as 6.66.
The issue is that the 32-bit character set includes characters that can be problematic for many languages. There are three identified issues:
characters that are visually identical to some of the basic ASCII characters can create named entities that appear identical to the human reader but are understood to be distinct to the language processor, leading to behaviour that is not predictable to humans.
the presence of text direction-changing characters can at a minimum mask illicit behaviour.
Changes in behaviour and the presence of text direction-changing characters can at a minimum mask illicit behaviour.
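As an added illustration of how a reviewer can detect the two issues above in source text (this scanner is not part of the minutes or of any 24772 draft): it flags bidirectional control characters, identifiers that collapse to the same perceived form after NFKC normalization and confusable folding, and identifiers mixing scripts. The confusable map is a small constructed subset of the Unicode confusables data, the script heuristic (first word of the Unicode character name) is an approximation, and the sample source is constructed.

```python
import re
import unicodedata
from collections import defaultdict

# Unicode bidirectional formatting characters. Any occurrence inside source
# code is suspicious: they change how a line is displayed, not how it parses.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
# Constructed subset of the Unicode confusables data (Cyrillic letters that
# render identically to basic Latin ones); a real scanner loads the full table.
CONFUSABLE_TO_LATIN = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                                     "\u0440": "p", "\u0441": "c", "\u0445": "x"})
IDENT_RE = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier pattern

def find_bidi_controls(source):
    """Return (line, column, name) for every bidi control character found."""
    return [(ln, col, BIDI_CONTROLS[ch])
            for ln, line in enumerate(source.splitlines(), 1)
            for col, ch in enumerate(line, 1) if ch in BIDI_CONTROLS]

def find_confusable_identifiers(source):
    """Group identifiers by the form a reader perceives (NFKC normalization
    plus confusable folding); return only groups holding two or more distinct
    spellings, i.e. names that look identical but are different to the compiler."""
    groups = defaultdict(set)
    for ident in IDENT_RE.findall(source):
        perceived = unicodedata.normalize("NFKC", ident).translate(CONFUSABLE_TO_LATIN)
        groups[perceived].add(ident)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def find_mixed_script_identifiers(source):
    """Return identifiers whose letters come from more than one script, taking
    the first word of each letter's Unicode name (LATIN, CYRILLIC, ...) as its script."""
    mixed = set()
    for ident in IDENT_RE.findall(source):
        scripts = {unicodedata.name(ch, "?").split(" ")[0]
                   for ch in ident if ch.isalpha()}
        if len(scripts) > 1:
            mixed.add(ident)
    return sorted(mixed)

# Constructed sample: a look-alike identifier, then a line carrying RLO and LRI.
SAMPLE_SOURCE = (
    "is_admin = False\n"
    "is_\u0430dmin = True\n"        # U+0430 CYRILLIC SMALL LETTER A, not Latin a
    "total = a \u202e+ b \u2066\n"
)
```

Running the three functions over SAMPLE_SOURCE reports the RLO and LRI at line 3, the pair is_admin / is_аdmin as one confusable group, and is_аdmin as a mixed-script identifier.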
The convenor proposes that WG 23 initiate an amendment to ISO/IEC 24772-1:2020 to capture this vulnerability and others that are arising, to be followed by amendments to the other documents that are published within the next 18 months. At the 2024 SC 22 Plenary, the Convenor requested and received approval from SC 22 for this step. If WG 23 agrees, the SC 22 Committee Manager and WG 23 Convenor will initiate the amendment.
Unanimous agreement.
77-1
ISO/IEC/JTC 1/SC 22/WG 23 agrees to forward the completion of ISO/IEC WD 24772-2 Ada to the SC 22 committee manager for registration as an international standard and DIS balloting.
77-2
ISO/IEC/JTC 1/SC 22/WG 23 agrees to forward the completion of ISO/IEC WD 24772-3 C to the SC 22 committee manager for registration and DIS balloting as an international standard.
77-3
ISO/IEC/JTC 1/SC 22/WG 23 agrees to forward the completion of ISO/IEC WD 24772-4 Python to the SC 22 committee manager for registration and DIS balloting as an international standard.
77-4
ISO/IEC/JTC 1/SC 22/WG 23 agrees to forward the completion of ISO/IEC WD 24772-6 SPARK to the SC 22 committee manager for registration and DIS balloting as an international standard.
77-5
ISO/IEC/JTC 1/SC 22/WG 23 agrees to forward the completion of ISO/IEC WD 24772-8 Fortran to the SC 22 committee manager for registration and DIS balloting as an international standard.
77-6
ISO/IEC/JTC 1/SC 22/WG 23 agrees to initiate a Committee Draft Ballot or a Committee Internal Ballot for ISO/IEC WD 24772-11 Java before we submit -11 as a DIS ballot.
77-7
ISO/IEC/JTC 1/SC 22/WG 23 agrees to submit the above language documents at 3 month intervals to permit the WG 23 editorial group sufficient time to process documents.
77-8
ISO/IEC/JTC 1/SC 22/WG 23 agrees to confirm the request to SC 22 to create a new project for the amendment of ISO/IEC 24772-1 to add new vulnerabilities, in particular the vulnerability of source code hiding of program elements, and to add similar material to the other vulnerability documents undergoing ballot.
WG 23 expresses its appreciation to the SC 22 chair, David Keaton, and JTC 1 chair, Phil Wennblom, for their diligent work in convincing ISO that free availability of standards was essential.
WG 23 expresses its appreciation to the SC 22 Committee Manager, Bill Ash, for his assistance in managing the meetings communication technology.