A
B
Sure, I have a couple. OpenJS World: it's always great announcements. We opened our CFPs; the deadline is February 14th, so please get those in. If you have questions, we will be having a sort of like an ask-me-anything that we're pulling together. We have one from last year, and we also have a CFP mentorship channel on Slack.
B
A
A
Just looking something up really quickly here, yeah, cool, all right. Well, we will get into the agenda. Folks on the call, don't forget to add yourselves to the minutes, and we moved license check, support and tooling to the top of the list to take advantage of having Schubert here to talk to us about some Linux Foundation tooling.
A
So this is issue 815. I don't know if you, Schubert or Robin, how you want to do it, if you want to present or talk or whatever you want to do. The floor is yours.
B
I'll let Shuber run with it, and Michael, you please weigh in on helping us set some context.
B
Shubra runs the product team for the Linux Foundation, including LFX, which is a tool you all may be familiar with; lots of great resources there. And Shubra used to be part of the Node Foundation for many years, so he's an old friend.
C
Absolutely, yeah, good to see familiar faces again. Yeah, Joe and Michael, I think we have spoken in the past, right. So let me see if I can share my screen, and before I do so... you know, calculating which packages use what licenses, what are the upstream dependencies? It kind of comes back to what the software bill of materials is for an entire open source project. So we had multiple initiatives, and I'll probably show you all that we have been working on, right.
C
D
I think also it might be worthwhile to just give you a little bit of the context. If you know, I'm looking right now: the Node.js project has 201 repositories, and we have a second organization, which is pkgs, and it has like another 10, 20, I don't know. So the reason I opened it in the first place is not necessarily the full bill of materials side of things.
D
It's just that we've got a large number of repos, we add new repos, and so even the license at our top level: do we have one in all 200 of those repos? Is it one? You know, we moved over a repo, and so, as part of that move over, we take a look, but did we get that right and make sure that it was one that's on our approved list? So it just made me think this is probably a common problem for projects, and so it's not managing the license for all their dependencies.
D
That's another, separate problem, but the simpler problem is: how can I be sure, as one of the maintainers, all of these 200 repos has a license, it has the right license, and when I move one over and we make a mistake or something, or somebody creates one and we don't quite get it right, that we quickly find that? So it's sort of in that context: what kind of tools are there, and hopefully it's the reason we were saying like...
D
Maybe this is a Linux Foundation thing that can help us, because this is going to be a problem for every single one of the members of a foundation, certainly for all the OpenJS ones, because we say here are acceptable licenses, and I guess if it's outside that we should know that. So all I was looking for was something that would...
D
B
C
Yeah, no, absolutely, and thanks for setting the context, Michael, it's very helpful. And I'll tell you up front the things we have been building. We don't have the entire solution, but I think we can get there. So let me share my screen. Are you guys able to see my screen?
C
Okay, yep. So at the LF internally we have, and again this is kind of... we are inviting other project maintainers to come, and so this does the scalability of the project. We use this tool called Project Control Center internally today, and you can see all the projects are here, right, like 700, 800 projects at the LF. And I think even if you look at OpenJS, under the OpenJS Foundation, these are all the projects that we have right now. In these projects...
C
You know, we have a bunch of services or tools that we can just turn on or off. One of the tools is security. Now we didn't have one just for license checking, but when we turned on the security scanning, one of the key functionalities we got there was the licenses that are used by the core package, as well as, based on the manifest file, if you traverse down the application path...
C
What licenses are used by the packages, including transitive dependencies. Now I'll show you what the data looks like. What we don't have today is, Michael, what you were mentioning around a policy engine. Right now I've been thinking about, hey, is it time to write a policy engine? It's not hard to build, and I'll also share the source code for this, but just as an example, right now, if I click this security tab, what we do is, like you can see here...
C
This is... we have onboarded OpenJS, but if I search for another project you mentioned, like 200 plus repositories, and if I look at security for this, yeah, a little load. This is just the admin portion of it and I'll have to set it up, but then I'll show you what results it's produced. It's pulling up all the repositories from, you know...
C
Hyperledger probably has a thousand repositories, so this kind of takes our time a little bit to load, but once you set it up... I'm going to show you one example here. So this is a project that we wrote called EasyCLA, that many projects actually use to enforce a CLA agreement, and so if I look at these dashboards, I've already bypassed... there is a gating mechanism to this.
C
But if I look at... yeah, we do collect all the issues, and if you remember this Log4j that happened, right, we use a lot of third-party scanners behind the scenes. One of the scanners we use is Snyk. Now Snyk doesn't actually inspect source code. It typically looks at your manifest files, your package.jsons, and pulls down all the dependencies from there, and then you start looking into the entire dependency tree and all dependencies, and any of these dependencies that might have issues going on.
C
So one of the key things here is, think about this: EasyCLA is my core package, but in my core package I am basically pulling down other packages; like Serverless Framework is something we use behind the scenes. And if I say, okay, in this Serverless Framework I have, like in strip-ansi, there is a vulnerability, I can see that. So I can see what that vulnerability is, the CWE, and how to remediate all that. So that's okay.
C
You know, that's basically what you're getting as a bonus; you don't have to necessarily use that, but I think one of the functionalities we have within this tool is license detection. So here you can see whether it's 0BSD, Apache 2 or BSD-3, whatever licenses are used by that repo, and it could be a group of repos.
C
So what we do is some aggregation for me, so it's not just one repo at a time; like my EasyCLA project, it's probably using six, seven, ten repositories. And then if I look at, okay, let's look at Apache 2.0 as an example: which packages in my application stream am I using Apache 2.0 in? And I'm saying, okay, these are the serverless components that I'm pulling down, and in that serverless component, how am I actually pulling down that module? The reference is in this particular package.json.
C
So that's where I'm referencing that third-party module in my case, so we traverse the tree, and you can actually download that entire report. Well, I probably don't have access to this, but basically that download reports lets you pull down all the licenses and the associated packages and the manifest files which actually refer to those, in one kind of spreadsheet report. So this is kind of the bare minimum that we have.
C
We do scan the code base, the source control itself, and these are based on pattern matching. So I have some pattern matching that I've set up; these are based on regular expressions, and I'll show you how we do it on the configuration side. But in this case I'm pulling down things like code secrets, or I'm also scanning the code base and pulling down things like non-inclusive language, so things like master, blacklist, whitelist, dark and whatever.
C
This is actual source code scan. The Snyk stuff that we pull down, issues and dependencies and licenses, those are not based on source code scan or static code analysis. Those are purely, right now at least, based on manifest inspection and reverse application mapping. But we do pull down the licenses in each repository, or if you have repositories within repositories embedded, we do actually discover those. So there's that discoverability part. Now what you don't have, which, Michael, is what you were pointing at, is:
C
If I look at these licenses and say I want to set up some kind of a policy saying in my core package or any of the dependent packages, if I am finding (I'm just making stuff up) LGPL, whatever version, should I trigger an alert? That part we don't have. We have an alerting mechanism, and these scans run on a daily basis.
C
So if you look at, and again we have kind of stepped back and we are working with projects one at a time, so we are working with ASWF or Cloud Foundry or CD Foundation, LF AI. For example, this is ASWF, and you could have one repo, you could have sub-projects. Think about this concept: if you think about CNCF, it has like 100 sub-projects, Kubernetes being one of them. So for each of those projects we basically say, okay...
C
What are the repository groups which are mapped to, for example, OpenCue? So let me pull this thing up. So here's an example for Hyperledger, and we look at, okay, this is the repository. There are 146 repositories under the main package and 14 under the -ci-cd package and whatnot, and then what we can do is we actually install a bot. That bot is installed with administrative privileges, and that's why we have not tried to clone it.
C
We actually work with the maintainers to install the bot, because we cannot; you need to have admin permissions on that repo. And once the bot is installed, it starts scanning, and you can decide, okay, out of these repositories... like you can see, I don't actually have the bot configured on everything. I can just selectively go and say, okay, for these ones I want to turn on the bot or not turn on the bot.
C
So here you can clearly see the security bot is not configured, but it's more like a GitHub app that you install, and it starts scanning and producing the results the next day. Makes sense? This is kind of one core tool that we have, and we have been collaborating. This is more like an open industry collaboration. We have worked with Snyk for the security scanning and licensing. We have worked with BluBracket for code secrets and non-inclusive language.
C
Now we are working with the Microsoft folks with CodeQL, where we can actually pull in static code analysis data as well into the single governance plane. Okay, so that is one. The code base for this is in two places. One is under... we have an LF engineering repository, but we have been open sourcing this one by one. So here's the LFX engineering repository, and you can see we are basically putting all the scanners in there, so the license scanner...
C
We still have to do it, but I think we should be done in the next couple of weeks. The other part I did, I know it's probably not the focus, but I wanted to mention, is we basically created an SBOM generator. It works with the SPDX framework as the backend; we'll probably add other frameworks like CycloneDX or whatnot, but we do support multiple languages and multiple package managers, and it's a CLI-based generator tool, which obviously runs on any platform.
C
But you can essentially point at a GitHub org, or basically a set of GitHub repositories, and it actually creates the entire package description: what packages are being used, what licenses are being used in that project. But again, this is more like a CLI tool. It's not an actively scanning tool which runs on a container kind of thing. Makes sense?
C
So this, and obviously you can put it into a Docker image and whatnot, and again the same thing here: to create the bill of materials we go and traverse the entire dependency stack, based on whatever package manager is used behind the scenes. So I can share this URL with you as well. It used to be called SPDX generator. We have now just renamed it OpenSBOM generator.
D
D
I want to scan the full depth of the tree to understand what licenses are being used and so forth. My use case was the simpler one: as a maintainer, the foundation has approved certain licenses. It's all at the top level, so it doesn't matter to me what's in our package.json, because we're not pulling that code into our repository itself.
D
D
So I think Jordan's mentioned he's got a tool that does that, so I don't see it as an extension to the license checking that you showed us, but it would be another check that would be useful as a maintainer to say, okay, I want to look at my repos across my org, and basically the view you showed us there.
D
What licenses are being used in the tree is interesting, but if GPL shows up in there because of one of the dependencies, that's not the thing I'm looking for. I'm looking for, for all my repos, are they all green in terms of they've got a license and it matches one that's on our list? Yeah.
C
And that's essentially what I meant by the policy engine, because you need to define some policies in there saying, okay, these are the set of permissible licenses, and these are not. Now, in openness, at the LF there have been a couple of people on our legal team; Steve Winslow used to be one of them. He used to use tools like WhiteSource to basically create those license package reports at the core level, based on the policy compliance, but...
D
E
E
For reasons. The other is I'm a maintainer of one or more projects, and I want to know stuff about the projects I maintain. And the third is I manage an organization but don't necessarily maintain every project within it. So it's a corporation, or it's something like Node or whatever, and I want to make sure that all of the disparate repos in my organization match some sort of policies. And I don't know exactly, I can...
E
I have a guess, but I don't know exactly which one of those, or ones of those, your tool is more optimized for, but it sounds to me like what Michael wants is more of the second, sorry, more the third case. I have the node in package.js.
E
C
E
I think it could double for Michael's things, and I have no attachment to whether it solves Michael's problem or not, meaning if a better tool solves it, great; if Michael solved it, great. But yeah, it's probably useful to clarify those sort of user-story use cases, and if there's four or five or six or more, we should document those somewhere, because that would probably help understand the usefulness of all of our tools and projects.
C
Yeah, no, absolutely, you're spot on. So this kind of aggregation of what projects, what repos are under a particular project: for example, if you're looking at CD Foundation or just Cloud Foundry, this is not an individual user. This is essentially what's mapped under that Cloud Foundry org. So these are those 563 repositories; out of those we have scanning on 121.
C
So there is the list of all the orgs, but yeah, absolutely, Michael, what you are looking for, that policy management and all that, we don't have today. That being said, just one note before you look at it: there is a couple of things we do here. I'm gonna just show you in terms...
D
C
D
Good. I'll just add that Jordan's characterization is exactly right, because there's other things like, do we have a code of conduct link in every repo? That equivalently is like: we got a whole bunch of repos. Do we have the things that we've said we'd have to reach for organizations, without even caring, actually, what's in the repo itself?
C
Yeah, yeah, so this is basically the other part that we had. Again, I'm not saying this is perfect, but for example, we had a set of keywords that we basically, when we triggered the scanning, it's not just for the vulnerabilities and the licenses, but also actual keywords that you can find in the code. Remember, I told you about the whites, you know, the things that white hat, insane.
C
You know, man, our, mankind, those kind of keywords which we think about are non-inclusive language. Now think about it: if you had a pattern that you are matching based on the source code, if there's a LICENSE.md file, so we have the ability, but it's not productized in a way that you can consume it today.
C
D
E
D
C
Exactly. So here, when we set up these keywords, I'm basically triggering the scan of 500 repositories and creating an aggregate report at the org level, or it could be multiple orgs. But most of our reporting we do at a project-by-project level, so it could be an Angular report; it could be a Node.js core or Node.js whatever app, or Express.js package-level reports as well. Okay, so that's kind of what I had. My main thing is:
C
Is there a way we can collaborate to build this? Like, we have two capabilities: we have the license detection at the core as well as upstream. The second capability we have is for scanning the source code for keywords. Those are the two capabilities we have now. If we have some kind of policy enforcement, or some kind of rules engine where we can say, hey, this is a permittable license, this is not, and trigger an alert...
C
That is something we can build relatively quickly and add it as a functionality, but that will take some time. In openness, it will probably take us two, three months to build. Okay, but in the short term, if you have a CLI-based thing that, Jordan, you have built, we could... I'm pretty open, we can purpose that for the short term as well.
D
Because I think, I guess, the generic capability to be able to have somebody within the project log in and say, for the repos in my orgs, here's what I'd like to check, and one of them could be the license. Then you could see extending that to, do I have a code of conduct? You could see extending it to whatever list of things like that. That framework seems useful within what you've got there, and then the back end... Like, Jordan, I don't, I haven't...
E
Yeah, and the initial scope of the tool was for branch protections and all the little checkboxes and twiddles in GitHub's settings, with a stretch goal of eventually adding support for checking files and stuff. So my personal wish list includes, I want to be able to check:
E
Do all my repos have the same GitHub Actions workflow files, from the same reusable actions, and do they have branch protection set up with those actions, and things like that? So it doesn't currently support checking files like licenses and codes of conduct, so it would need to be added there as well, but the framework exists, just like it does on the dashboard.
D
E
D
A
Emily has their hand up again. Okay.
F
Yeah, two questions, possibly for both Jordan and Sugra.
F
One is, are you looking at all at... does GitHub expose the results of their license scanning that they do, and can we do cross-validation that what we are scanning in a repo is also matched by what GitHub is reporting, effectively to ensure that at least it shows up? And then the second question is, how about repositories that are monorepos that hold in themselves multiple packages that can be and are published separately on, for instance, npm?
C
Right, yeah, so the scanner that we are using today, we handle the monorepo use case, so it doesn't have to be coming in from a package.json dependency per se. So we do have that. And I'm not sure, I've not checked on the GitHub public API whether I'll be able to get the license file across that particular repository. If that is an open API, we can definitely validate that. Right now, yeah.
C
So that's that, but I think in terms of, let's say you add an org and additional repos get added, you don't want to go back again and turn on, turn off stuff. So the auto-discovery part, what repositories are inside a package, or basically what licenses are within the repo, and then if you add another repo to an org it should be auto-discovered and added to that list; that automation we have built.
E
And then, yeah, for mine, so I've remembered now, we do check the license, because the GitHub API does report it. It's whatever they've detected and display in the sidebar. That's what the GitHub API reports; that does not, I believe, support monorepos.
E
So thus my tool doesn't either, but it would be a relatively difficult but trivial extension: once you've located a repo that has package.json files not at the root, you could spider through them and look at the SPDX identifier in the package.json, or whatever heuristic you wanted. But yeah, my tool is likely gonna largely stick with what's available on the GitHub API.
C
So I don't know what the next steps are. I do need to run for the next meeting, but would it be okay if we, maybe when we don't need the whole group, collaborate, and I can have some of my other lead engineers in there as well, Jordan and Michael, and we can think this through, how to come up with a solution? Because I think there are multiple moving pieces. We have some, you have some, some of them don't exist.
C
Right, makes sense, yeah, okay. And just FYI, all this scanning we are doing, for any project which is associated with the Linux Foundation, there's no cost associated. We are doing it for free and we are open sourcing it. I'll send you the repo links as well, where we can cross-collaborate.
B
B
On that next one, and Brian, I know, is covering with some other action items, and, of course, Joe's got...
A
C
C
D
A
Great, cool. I think that was informative. If we didn't have such a light agenda, I would have maybe time-boxed it a little bit, but I think that was good. So thanks to them and to everyone. Cool, that being said, let me find the agenda again and we can kind of roll through the rest of this stuff. Oh, look at that. Somebody was taking great notes. Thank you very much; get something extra in your stocking this year.
A
G
Yeah, absolutely. So we're getting into mentorship season and internship season. I put out an issue on the repo. Basically, if there are any projects which would like to consolidate their application underneath the OpenJS Foundation, certainly happy to help with that and help organize it. I also put in there, I know there's some projects which apply on their own, and that's totally fine and totally encouraged too.
G
I think the big question really on my end is just locating people who are both willing to submit projects and people who are willing to mentor. The other thing that I bring up here as well is that this is specific to the timeline of Google Summer of Code. There are, of course, others; there are mentorship programs which are run through the Linux Foundation as well.
G
Ultimately, I think the question really is which one do we have folks to be able to mentor, and where do we have interesting projects? So, if you're interested in doing this, or if your projects are interested in doing this, just drop a response on that issue. I set a deadline of, I believe, the 27th; I'd have to go back and take a look at it, which is the date that the application period opens.
G
Basically, after that point we need to be focused on assembling the application, making sure we have good responses. So if we don't have any responses by then, I'll assume that projects are moving forward on their own, and that's everything I had on that, unless...
H
A
I don't have any questions, but I'd like to try to dig into this further and see how we could take advantage of this if possible, either at the foundation here or Node or wherever.
G
Yes, so basically, at a high level, Google provides funding for the mentee. I believe there's also a mentor stipend as well, although it's reasonably small.
G
The idea here, though, is this would take the place of a summer internship, and if you were watching it last year, they had changed the program a bit, and the mentorship programs were basically cut in half in terms of timeline. This year they're going back to the original length of projects, which is effectively the full summer break, and then also including the option for smaller projects.
G
H
Yeah, just for the notes, the deadline you mentioned was February 7th. Is that right? Let me just check and see... check the issue; going off memory here.
A
Yeah, it says, "I'd like to recommend the following process: please add any ideas or indicate willingness to be a mentor in comments on this thread prior to February 7th, which is when I think it officially opens up." It says February 7th to February 21 is the application period. That's right!
A
Okay, yeah! I wonder about this for Node and the work that we're trying to do in the website redesign stuff. I just don't know if we have the ability on the mentor side, and any of the sort of getting things ready and defined, and that they'd be ready for success on something like this.
G
Yeah, yeah, and I think the other side of this is that there are different ways that we could be thinking of the proposals here. I mean, it could be something specific to one of the projects. It could be something general across all the projects. It could be something specific to the CPC, or to one of the working groups, or the collaboration spaces. So really, in my experience in the past, there hasn't really been any limitation on the scope.
G
D
Right, the challenge, I guess, is the mentor time commitment, I guess, right, because we could probably come up with things like that. So I'll just use a concrete example. So on the Node-API team in the Node.js repo, we have a whole bunch of good first issues helping to get the additional tests for the Node add-on API.
D
We also have a weekly meeting, so we've actually had mentees through our own mentorship program who've come in, but really the only mentorship we provide is that one-hour meeting. They come there, we can provide questions, and they've been able to be pretty successful that way, but my guess is that doesn't meet the mentorship requirement for this kind of program.
G
Yeah, just looking at past projects which have done this, the projects that are successful are the ones that are able to assign... well, not assign, but somebody volunteers to effectively be the lead mentor for a given mentee, and other people do pitch in and help. But really there are multiple checkpoints that are involved here. Somebody needs to put together the guidance for the person who's coming in; they need to be able to evaluate them at multiple...
G
You know, multiple points, and at the same time the mentees themselves are expecting to have somebody to engage with, because they're choosing this as opposed to a different summer internship. Everybody who comes through this program, they're all college students. So they would be looking at the various different options that they have and wanting to know that they'll get something out of it.
D
Yeah, okay, so I said, yeah, that was my impression. I just wanted to make sure that it's not a way we could fund people who want to work in the project, which would be nice, but without... It's almost like it has to be like they're joining an organization where there's a manager and/or a tech lead who's gonna help them through it, which is where we'll struggle, I think, to get people. Yeah.
G
That's a great clarification. I would just point out that if the goal is to do something else, Google Season of Docs is not limited to college students. That's general tech writers for open source projects. If we were looking to have somebody come in who wasn't looking at this as an internship, there are other ways to fund that as well.
A
G
A
All right, well, let's kick this around at the foundation level and also at the project level and see what we can come up with. Thank you, Brian. I appreciate it.
G
A
Cool, all right, with that, we'll move on. We got about 14 minutes left, which is fine. The next issue, if I was reading that correctly, is add dates and reminders to the bi-weekly CPC meeting template. We created this a couple weeks ago out of the work that we're doing on dates and reminders. I added it to the templates. Michael, or whoever else is on the call who could take a look at that and approve...
A
That would be great. I'll drop it in the chat here and put it in the notes if need be. Let's see, so that should be good, and then we'll have this nudge in our meeting minutes to check the dates and reminders, so that we're aware, with plenty of advance notice, of anything like elections and things that we need to.
A
A
That would be February 8th, so the next working meeting we had set aside to look at tech strategy and review candidate repo content, and then that would be January 25th, next week, and then the following working session we have set aside for clarifying requirements around CoC violation.
A
A
Cool, I will just put a note here: have a working session planned for Feb 8. I believe that was great. I'll move along on the agenda here. Unless anybody stops me, feel free to jump in. Issue 756 is create proposals for the community fund. I commented an hour ago sharing that the last working session we worked on this, and I'll drop this link in the chat: we created a community fund repository and started to outline...
A
The programs and initiatives. Feel free to look at that repo, browse what we have written. It was really a first stab in an hour meeting, trying to take what we had outlined in that document from a previous working session and putting it into a repository with some bike-shedding and organizing and whatnot, naming. Note that there are a bunch of open issues.
A
I tried to capture all the things that we felt like we didn't have the time to further flesh out in that one hour, so feel free to jump in there and help us there or comment. We can have some discussions in some of those issues as we flesh out. In fact, most of them are titled "flesh out X", "flesh out Y", so feel free to take a look and comment and whatnot. Any thoughts or comments for that one while we're here?
A
If not, I'll keep moving on, which is our last issue: list documents maintained by the CPC. I noticed that Toby opened a PR this morning to... nope, that's not the one I was looking for, to move this along.
A
There's the... oh, it's the one that he had opened but changed it from draft to an open PR, which now I'm having trouble actually getting to. Why doesn't it link to it for me? There we go. Maybe that will do it? No, that's not what I wanted.
A
Oh, I'm sorry. What am I thinking? This is the pull request, isn't it? Yeah, 789 is now not a work in progress, and I think Toby added some stuff to it this morning.
A
So I don't know if anybody has any comments on this, but I would encourage folks to review it and we can kind of move this forward. I don't know if this is considered complete, or if this is an initial take on this document that will list the documents that we are managing.
A
Anyone, anything? If not, that's fine too. Feel free to take a look at that repo, I mean that pull request, and see if things look good, and if you have a moment to see if that makes sense in terms of its completeness, that would be great. I will re-review it as well. Otherwise, I believe that we already have... let me just put a note here: Toby has removed the "progress" prefix and draft status of this PR.
A
We have set aside the next couple of working sessions already
you
know
this
is
another
kind
of
item
on
our
agenda
of
sorts
is
to
just
figure
out
what
our
working
sessions
are.
So
I'll
just
reiterate
that
next
week
is
the
tech
strategy
the
week
after
that
is
coc,
violation
clarifications,
and
we
can,
you
know,
figure
out
more
beyond
that
as
we
go.
A
I
also
wanted
to
just
quickly
check
the
dates
and
reminders,
but
otherwise,
I
think
we're
we're
about
at
the
end
of
our
agenda
here.
So
if
anyone
has
any
comments
or
questions
or
anything
feel
free
to
speak
up.
F
I
got
one
calling
back
actually
to
the
repo
repository
and
license,
and
so
on
discussion.
I
realized,
I
have
a
question
that
I
hope
is
theoretical:
what's
our
policy
on
dependencies
that
are
vendored
in
to
their
repositories,
for
whatever
reason
are
those
allowed
to
have
any
license,
or
do
those
also
end
up
needing
to
have
this
or
a
license
from
the
list
of
our
approved
licenses?.
A
I
don't
know
I
don't
know
if
brian
or
or
michael
or
or
anyone
really
have
any
thoughts
on
that
or
their
experience
in
previous
and
other
orgs
and
such.
F
D
I
think
it
should
apply
to
things
that
are
vendored
in,
like
those
become
part
of
our
licenses,
and
so
I
mean
the
they
are
like
because
they're
in
our
repos
and
people.
I
guess
you
know
it's
it's,
maybe
not
it
is
it's
gonna
get
complicated
because
there'll
be
cases
where,
like
it's
not
shipped
with
the
product.
D
D
So
I
guess
the
question
is
like
I
don't
have
an
answer
off
the
top
of
my
head
for
the
every
single
case.
If
you
have
a
specific
case,
we
might
be
able
to
help,
but.
D
Think
I
think
it's
like
in
general,
if
it's,
if
it's
a
license,
that's
in
that
list
that
we
have
for
the
the
opengs
foundation
great,
you
know
you're
good.
If
it's
a
license,
that's
outside
of
that,
then
it
needs
some
more.
You
know
some
more
looking
at
to
say.
Well
is
this
okay
and
that's
the
second
problem
that
I
didn't
bring
up
in
the
initial
thing
I
had
about
just
making
sure
our
licenses
are
okay,
but
every
time
a
new
license
gets
pulled
into
node.
D
G
I'd
concur
on
all
of
that
I
mean
you
know
it's
it's
a
great
question
because,
effectively,
if
you're
vendoring,
a
dependency
you're
distributing
the
dependency,
and
so
my
interpretation,
that
would
also
be
that
whatever
the
ip
policy
is
for
the
project
and
whatever
the
acceptable
licenses
are
under.
That
would
also
extend
the
dependencies
that
are,
you
know,
being
rendered
by
the
project,
and
it
brings
up
an
interesting
question
of
how
do
you
detect
all
of
those,
particularly
in
situations
where
people
are
using
snippets
of
of
projects?
G
I
I'm
aware
of
commercial
tooling
that
will
scan
for
that
there's
a
substantial
amount
of
overhead,
that's
involved
in
actually
evaluating
those
those
reports,
but
it
can
be
incredibly
effective,
just
basically
looking
for
slices
of
code
because
you
know
sometimes
the
dependency
is
one.
That's
there
explicitly,
because
it's
not
being
distributed
somewhere
else.
Sometimes
the
dependency
is
there,
because
somebody
found
something
that
was
useful
and
just
brought
the
file
in
and
maybe
didn't,
declare
it.
So
typically
what
we
would
say
you
know
in
most
of
our
projects.
These
are.
A
A
We
only
have
about
a
minute
and
a
half
left,
so
unless
anybody
has
anything
else
feel
free
to
speak
up,
I'm
noticing
a
bunch
of
our
pr's
are
failing
because
of
some
broken
links.
So
I'm
going
to
fix
those
real
quickly
I'll
try
to
get
that
in
and
then
rerun
all
of
our
tests
to
get
to
be
able
to
merge
in
our
other
prs.
C
A
Feel
free
to
take
a
look
at
our
issues
and
our
prs
in
the
meantime-
and
you
know-
hopefully
some
of
you
folks
will
have
time
to
join
us
next
week
for
our
working
session.
That'd
be
awesome.
A
Otherwise,
thanks
for
attending
this
session,
always
happy
to
see
you
all
and
see
you
around
soon
talk
to
you
later.