Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Alan DeKok <aland@deployingradius.com>]

On Apr 17, 2018, at 10:15 AM, Douglas Gash (dcmgash) <dcmgash@cisco.com> wrote:
> Initially (up to around version 5) we included just a very simple security section admitting that T+ was insecure and that the second document would address the issue. This was deemed to be insufficient, and instead the WG collectively determined that more detail should be added to enumerate some of the issues, you kindly catalogued some of these, providing a proposed text which we took to be a genuine suggestion for text for the document.

  Which it was.

  The point I've been trying to make for over a year is apparently still unclear.

  There was no excuse for plagiarizing the text in the first place.  Using it verbatim was fine, so long as attribution was given.

  There was no excuse for ignoring every single email I made to the list asking about this issue.

  There was no excuse for *continuing* to plagiarize the text for over a year, across four separate revisions of the document.

> Subsequently we interpreted your proposal more accurately (as just a suggestion of the points to cover), and so we made sure that these were covered, but without verbatim reuse of the text.  We hope that we have covered the thrust of your issues (and others), but without the plagiarism.

  I have no idea.  Because at this point, I'm pretty much done reviewing the document.

> 2) Reactivity of the Authors.
> 
> As far as I know, we have responded to most posts regarding the content of the document, with point-by-point replies,

  No.

  See the list archives, especially May 2017.  There are multiple people suggesting that you have *not* done this, and that you *should* do this.

  See line-by-line reviews done by me, which were generally ignored.  Despite that, I did *multiple* such reviews, until such time as it became clear that such reviews were entirely unproductive.

> but there has been, for various logistic reasons, long delays in submitting the resulting new documents. Hopefully this has been addresses in last versions and we will continue with more rapid uploads until process completes one way or other.

  The issue isn't rapid uploads.  The issue is engagement.  It's not productive to ignore the messages on the mailing list for 6 months, and then to issue a new release saying "we fixed stuff".

> We have not generally responded to posts regarding procedural matters, and would leave such discussions to more knowledgeable stewards of the lists where possible,

  You haven't responded to posts where I ask about the plagiarism.  A simple reply of "oops, sorry, I'll fix it ASAP" has taken over a year to write.

> 3) Change Tracking
> 
> The uploads have generally had extensive changes relating to comments (which should generally have been summarized by previous email responses to comments). 

  Which I admit did happen sometimes, but not nearly as often as it should have.  Again, see mailing list archives from May 2017.  I'm not the only person who holds this opinion.  I'm just the main one pushing the point.

> Because of this, unless the updates have been for specific purposes (such as the recent update of the security section) then I would leave the changes to the diff tool which works pretty effectively.

  The diff tool lets us know what changed in the document.  It doesn't let us know if those changes addressed issues raise on the mailing list.

  To summarize:

* we have no idea if this revision of the document addresses multiple WG reviews

* we have no idea if the document even describes TACACS+ as currently implemented

  As such, it should not be put into working group last call, or much less published until such time as those issues are addressed.

  Alan DeKok.