From YouTube: CPC Meeting - 2022-0201
A: Great, I think we're live. Thank you, everyone, for tuning in to another episode of the Cross Project Council meeting, OpenJS Foundation. Today is the first of February in the year 2022.

A: I think we're going to usurp the agenda today and just kind of dig into the first item on the agenda, which is an issue around security at the OpenJS Foundation. Let me just say that is issue number 826, and I think, you know, this issue was opened by Robin with a good comment by Tobie, but I will turn it over to you, Robin, to kick things off.

B: Great, thank you. Yeah, I opened it, but after many discussions with, I think, all of you throughout the past couple of years, conversations with my colleagues at the Linux Foundation, and then deeper conversations with Brian Behlendorf and some of the folks affiliated with the Open Source Security Foundation.

B: So I thought we would use this time. It's just sort of the first of many meetings to figure out sort of what are some concrete things that we can do to make a difference, to move the needle, and to bring you all the help that you need and that you all can help each other. So I just threw together a couple of slides just to sort of maybe shape the conversation a little bit. There we go.

B: Great. I love you all, so how many are not? Who is not familiar with the Open Source Security Foundation? I think we all are. They also officially launched a new program today called Alpha-Omega, so I would definitely check it out. We tweeted, we retweeted on OpenJS. Alpha-Omega is kind of an additional funding under the Open Source Security Foundation.

B: Alpha is going to be providing additional funds directly for some top key projects, and then Omega will be sort of that long tail. And Omega is essentially kind of going to be kind of a tooling and people who will look at the long tail of like 10,000 projects.

B: Alpha will probably be like the top 100. So just like an FYI, we've had a couple of conversations with the Alpha-Omega folks, and those leads are related to the Node project.

B: They are identifying which priority projects based on the security vulnerability, not the security or vulnerability, the criticality scoring, which I've provided a link to in the issue, and also Harvard has a study as well, where they have identified some key projects.

B: So today I just thought we would sort of start with an open discussion. It's great to have so many different maintainers here, and talk about some of the challenges and gaps that you see. Talk about: should we form a security collab space? Who are our security people? Talk about maybe some requirements that we should mandate. We do mandate other things like codes of conduct and licenses. Should we look at mandates on security?

B: Ask ourselves: how do we prioritize projects? How can OpenJS support the projects? And then, gosh, if we secure funding, how would we do it? These are probably working sessions that come out of it, but I thought at least it's kind of a good start. Any feedback, or should we jump right in to kind of that open discussion?

B: There isn't really requirements in that space. You know, as Brian Behlendorf said, the philosophy is like: we don't really tell you how to run your projects, it's let a thousand flowers bloom. I know that, for example, talking to the other executive directors, some do require a number of things. So, you know, those are just decisions I think we need to make at the foundation.

D: Yeah, I think the... so I have to step out pretty soon, so it's not 100% relevant to the slide. But I wanted to say that I think that a focus on security is important, and we need to be very careful about the developer experience, because the consumers and maintainers that care about security already are already doing most of the things they need to do, and so we can make their life better, but they don't need to be persuaded.

D: There's a much larger contingent of maintainers and consumers that may care ideologically but doesn't actually do anything about it, isn't aware, or isn't willing to deal with the inconvenience of the steps that it requires. And things that improve security but aren't actually convenient enough for the masses to adopt don't actually improve security. So, for example, there was recently this giveaway where they sent out these security keys to, like, prolific open source projects.

D: So I have two of them right here, and I tried to set them up, and in the process realized it's much more convenient for me to use Touch ID on my laptop than to use the security keys for GitHub, so the security keys don't actually do anything for me. And because I use my mobile devices, the security keys don't work well there, because I have iOS devices, and so they also don't do anything good for me.

D: There... so, like, I'm still using the same, like, Google Authenticator style approach that I've been using, which is perfectly secure, not quite as secure as hardware keys, but, like, that's a sort of DX gap. Yeah. It's like my real world experience with that, right? And the keys are NFC, so they're theoretically supposed to work with mobile devices, but the Google app for setting that up crashes.

D: Every time I try, and, you know, I just couldn't get it working, and I already have something working that's two factors. So it's like a highly motivated package maintainer who understands security: I wasn't able to really do anything useful with these keys. Yet I'm hopeful that I'll still figure it out, but in general I think, like, I've had a lot of discussions with folks about package signing, and, you know, all of the high profile incidents in the npm ecosystem were about people with legitimate access.

D: Doing something unacceptable. Package signing doesn't help you there, so, like, efforts to improve package signing, like, that's just security theater. It's not actually going to make things better, even though package signing is good, right? And so, like, similarly, I think we need to have a very critical eye with all of the things we try to do, because things that solve theoretical problems are irrelevant if they're not solving actually exploited problems, and those are what I hope we focus on. That's my little rant.

F: Yeah, so just, like, really quickly on the keys, I think those are all really interesting points. There's this, like, catch-22 with it, where, like, you want to make onboarding way, way better, and that's actually something I've personally been thinking a lot about as we've been rebuilding how we enroll folks in 2FA for npm. But there now becomes this point of diminishing returns where, if you, like, make it so easy to set it up that people don't think twice about it, and then they lose it and they're locked out of their account.

F: It's like that much harder to restore their account access. This is more like, you know, just thinking out loud, but those are kind of, I guess, like, interesting platform problems that need to be solved at the same time, where we continue to make it easier to use 2FA devices while also, you know, not making it easier for you to completely lose access to your account, which is an outcome that no one wants to see happen.

C: I think it's... I can always throw in the, you know: if it's going to take more work, where does that work come from? You know, it's... I don't think, if we just end up saying "hey projects, you need to do X", that's not going to be terribly successful. If we can come and say "hey projects, we think this is important and here's how we're helping you do X", we'll be more successful.

C: You know, for example, if we want to, you know, make sure that every project has a way that vulnerabilities can be reported. You know, what can we do to make that easier for projects? Do we act as the front door for that in some cases, or whatever, but, like, that?

C: That's the kind of thing where, as opposed to just saying you must do this, you know, figuring out what we can do as a foundation, I think, will make it more effective and hopefully, you know, have the uptake work out better. But that, of course, will take people and time. So it's like you said: if we get funding, that can help with that side of things.

H: It is a field where I think, in particular, it would be valuable if we could offer actual human assistance to individual projects, for example in the shape of a security-focused code review or something like this. So not just providing tools and guidelines and requirements, but actual directed human assistance. That, I believe, could have a real world impact, and I, at least as a small project maintainer, would highly value help like that.

E: Agreed, Tobie, yeah. On this front, I'd like to suggest, and sort of like building on what Michael was saying: one of the things that we do for codes of conduct is we let projects decide that they want to implement their own escalation mechanism, etc., or they can just rely on the foundation providing this. And this could be something that would work for security, for the declaring of security issues, right? It could be something that could happen at the foundation level somehow, not only at the project level, with a similar mechanism.

D: Yeah, just another thing to add here is that the security implications of a single unfunded maintainer of packages should probably not be understated, and simply vomiting money at a project does not solve that problem, but virtually no companies have actually tried that solution yet either, so.

D: Yeah, I think any company who claims to care about security and isn't putting, like, at least a single digit percentage of their revenue towards their open source dependencies doesn't actually care about security. So I really hope that we also account for that in any recommendations we make.

C: Is also helping to surface that information so that it's obvious who, like, is speaking with their actions versus asking, you know, asking other people to do work versus actually helping to do the work. If we can help surface and make that very clear, I think that will hopefully help motivate more companies to say: well, I guess we better be doing our part.

E: We can sort of dance around this for another couple of years, but, like, what we're seeing in open source right now is literally not sustainable, and we have to really start thinking about solving this at a systems level, right? Not just sort of like scotch-taping things on top, but actually really trying to understand the underlying dynamics and actually doing something about them. I think it's really important. This is, like, the only way we're going to be able to build something sustainable, long-term and solid, right?

E: So I think it's good that we have stopgap solutions, but it's also good that we think about how can we handle this more deeply. And I think the foundation can decide to be at the forefront of this or sort of like lag behind and play catch-up, and it's kind of like a decision that we have to make. But I think we should address this question and decide.

B: I was just gonna ask a quick follow-up: when you talk about underlying dynamics, what are you thinking, Tobie?

E: Maintainer project, a one maintainer project like that: that's extremely fragile from a whole set of different perspectives, right? And we have to figure out what that means and what can we do about it, right? And so, you know, right now, as people were saying before, like, the smallest solutions that we've had... well, the biggest solution so far is throw a tiny, tiny bit of money at some projects to see what happens, right? And the way this has worked so far is essentially that tiny bit of money has gone to new features, right? And so, you know, before we had one maintainer maintaining n features, and after sponsoring you have one maintainer still, you know, still not paid, maintaining n plus one features, right? And so we're making the problem worse, not better, and yet the problem is real.

E: Like, you know, this problem is real: we're essentially building on infrastructure that is maintained, in lots of cases, by volunteers, unpaid volunteers, right? And that is a problem. I don't have a... there's not one, there's not one solution to this. There are multiple things that we can try to do, and, like, I just sincerely believe that that is not sustainable, like, it's not something we can just rush off, and I think that's what I meant.

E: Things like colors.js, or, you know, other sort of like all of these small packages, right? Or they become part of maybe a standard library that is maintained in a different way, or we find a way to fund these, or to at least make those more sustainable.

I: I think we've all kind of like elucidated the problem and that it's a huge problem. I think that is accurate, no one's disputing it. That's what I'm saying. A question I have is: can we do this well? Like, are we the ones to do this well, by having our own solution? Or does this look like...

I: We can best empower because, like, the worst case scenario... I think there's two, like, worst case scenarios. It's like we try to put something together, try to help, and then it's kind of like security theater, or it's just like it actually doesn't help.

I: Another scenario is: remember when OpenJS went full on into security? That was weird, but, you know, like, there's probably beneficial, but it's hard to approve sometimes. Or is the best way we can set our maintainers up for success and project members up for success by facilitating the conversations that would help them with the organization, so it helps them the best?

C: Like, do we lead or do we follow? And, you know, what does it actually make sense to do in our scope on our own versus participating with other groups that are doing it across the, you know? We're not the only... JavaScript isn't the only open source; there's tons of open source out there that has a similar issue, right?

I: Yeah, exactly. And not just, like, the horizontal space of should it be broader, but also, like, should who is doing this have more expertise than we do? Because I can only speak for myself when I say that I understand security; I'm not the person that you want to trust with securing all of... making sure that all of our projects have the tools they need to be successful there. So we...

I: People on the CPC or on the board, and that would be great, but there's definitely organizations that have probably more expertise.

A: I should have raised my hand. I'm sorry to just jump in here real quickly, Tobie. My thinking with this is that, you know, we're part of the Linux Foundation family, and I imagine, you know, this will be like sort of a multi-pronged approach, and we're just starting to figure out what makes sense for us and our projects and maintainers and community, and hopefully we'll work in concert with them to, you know, figure things out, but also potentially funding and infrastructure and all those kinds of things. That's my hope.

E: I mean, there's a security problem and there's a sustainability problem, and these two things are related, and you can't treat the security problem long term without addressing the sustainability problem. But we also want to treat them as they're tied, but we also want to treat them as separate things. They probably will require different kinds of answers coming from different places at perhaps different levels, even if they're connected.

F: I think that this is, you know, something that was being discussed at a high level. You know, we have projects, we have volunteers, and I think that there is a conflict here whereby, like, you know, we want to support the people who are coming in and want to volunteer.

F: We don't want to, like, replace the work that volunteers are doing, or make it feel like that work was not valuable. Now, at the same time, there is a conflict here where, like, you know, at its core, these projects are in... our foundation is about JavaScript. Our core mission is not about security.

F: Well, security is part of, like, we care about things being secure, in the same way that our core mission isn't, like, scalable build infrastructure or amazing release processes. And I say this particularly because there's a lot of these things that become part of overall maintenance of a project that, you know, can bring in a whole bunch of different types of volunteers, which is awesome, but don't necessarily match clearly to the expertise or skills of, like, the core group of people that we're talking about working with. In the organization that I work with,

F: we have a security team, and at GitHub, when vulnerabilities are, you know, reported, that team is responsible for triaging them, then bringing them to the engineering team, working with the engineering team to determine what an actual solution looks like, vetting the potential solution that the engineering team comes up with, looking and thinking about analysis to make sure that, like, these things are not reproduced and we, like, really truly patch it, and then, if needed, work with the engineering team on the solution.

F: If there are some gaps in the team's expertise on this... we've been seeing some of this with the work that we've been doing in Node with Trail of Bits. That has been awesome, and I would love to see if there's ways that we could reproduce this. And this is not to say that I want to replace this expertise or these volunteer roles within organizations or projects. But, you know, there are experts, and I would even go a step further when we talk about, like, sustainable open source and the role of the foundation.

F: That's a great way of kind of like sustaining the people who care and work on our stuff, and these are the kind of interesting relationships that I think are worth exploring. And, you know, something that Tobie mentioned earlier is, you know, sustenance of a maintainer is very different than the sustainability of the project, and I would argue at times they can be in conflict with each other when you're raising money for a project as an individual.

F: It's as if all of these projects are existing in a larger company: like, what's the structure that you would have on an engineering team inside of a Fortune 500 company to make you just, like, the best possible engineer that you could be, so you could focus on your core mission and ship the things that you care about? And I think that it's our goal as a foundation to create those similar kind of structures for our volunteers and those working on our projects.

C: Right, and the model, yeah, because that's interesting, that there's different models for achieving that end. There's, like, finding people to do specific work, there's funding just general maintainers so that it's part of their work, and I think there's probably a few others we could think of. But yeah, figuring out what model we think is going to work the best is interesting.

E: Yeah, I mean, I was along the lines of what Michael was saying, and to Miles' earlier point, there are multiple ways of doing this, right? One way is, as Miles put it,

E: it is actually to have companies that rely on all of these projects to fund their maintenance and support through their own employees being dedicated either full-time or part-time to working on these projects. And that's one solution, for example, that doesn't require anything specific from the foundation except sort of like guidance and direction as to what projects need.

E: But it doesn't require, like, for example, payroll of developers of that sort. And then there were completely different options where a payroll, or part of some contracting work for specific maintenance of a specific project, would require either some form of perhaps legal change at the foundation level, or relying on some service providers that are increasingly used for remote work nowadays, for example. So I think, like, all of these options... there's lots of options, but to Emily, to your point...

E: Well, rather, as a counterpoint to your point, I think we need first to decide whether we care about this and we care to drive this, and then we can, secondly, sort of like figure out: okay, how do we do it? What's feasible? What's complicated to put in place? What are the...

E: What are the low-hanging fruits that we can sort of rely on first? So I think we should really first decide whether we believe that this is a role, and then, if we do, try to figure out what solutions we can use and which are the ones we can start with.

H: Yeah, I had one more thought, specifically, I mean, harking back to the Log4j and having seen some basically messages being shared by open source developers that had big corporations reach out to them and ask or demand responses from them about Log4j vulnerabilities and workarounds for this, and some of the responses there were effectively, realistically, saying: yeah, sure, I'll answer you...

H: ...you know, once we sort out a support contract. And that got me thinking that I would be very happy if there was a framework or a way of somehow me offering a support contract for the open source work that I do for parties that are interested in that, that, you know, had terms and shape of a contract like this that would, like, protect my interest and be sensible. But I don't know any such thing exists.

F: I do wonder if, and maybe this is something that we could explore, would be: what can we do to help our maintainers who are interested in creating their own businesses that could focus on these kinds of services be successful? The LF has worked with many vendors in this space, and there's probably mentor programs that we could set up, maybe like... I think there starts to become maybe a conflict of interest when it gets to the, like,

F: we can tell you what accountant to use, but, like, we thankfully have lawyers that we could talk to to help figure that out. But that could be a really, really interesting thing that we could offer as a foundation: it would be, like, helping people bootstrap businesses that are focused on services for open source and our own projects.

B: Boy, I'm just gonna quickly share with you some of the... it looks like some of this is being managed. Here's some things to think about for suggesting mandates for our projects: two-factor authentication. It looks like a lot of that is happening already.

B: Jordan gave some great feedback, though. Establishing a mailing list dedicated to reporting security issues: I know this is mandated at the LF AI foundation.

B: We talked about the CCI or the CII badge, which is now the Open Source Security Foundation security badge, rebranded. That is a requirement at CNCF. And then some of these others are recommendations, like the SBOMs and the trainings. Just touching on those things, so something to maybe noodle on for a follow-up discussion.

B: I also just wanted to sort of flag, and I'm going to bring Shubhra in to give a demo. He had touched on this in our last CPC meeting, about the LFX Security tool. It's a dashboard provided by the Linux Foundation. You need to have a Linux Foundation ID, which I think many of you already do because you're on our mailing list.

B: But if you don't, it's really easy to do that, and if we want to bring Shubhra back, he can give a little demo on LFX Security. That's essentially a dashboard powered by some other companies like Snyk and BluBracket, so an easy way to get our projects on board so they have greater visibility. It's very tightly access controlled.

C: It's like: are there basically zero to little, low effort recommendations that we think, yeah, are worth, you know, working... figuring out how to enable projects to do so? For example, the one on turning on 2FA, right? Like, if we understood what stops projects from turning that on, and, you know, is there work... like, that's one where it seems to me, at least for me, that's not a huge amount of extra effort for our project. Now, maybe there's reasons that I don't understand. So, like, that's something that I'd say.

C: Yeah, I have yet to find anybody who looks forward to that or says, yeah, I learned a lot of stuff, right? So, like, well, that's fair! It's the, like, let's start with the ones we think are low overhead and likely to say, yeah, oh yeah, that, you know, 2FA totally makes sense, and it's not that much work, and we get a big return on that.

A: I feel like we should have some sort of, you know, brainstorming session, for lack of a better term, and figure out the variety of problems we want to try to solve and the variety of things that we could offer. And then, you know, we can find, like you're saying, Michael, the low-hanging fruit, the things that are obvious, that have impact but aren't too disruptive, but also allow us to think about bigger picture things and start to, you know, perhaps collaborate with other foundations or start to develop other resources, or things like that.

E: Be interesting, yeah. Tobie, yeah, Miles talked earlier about supporting projects: what can the foundation do to support? And I really like that mindset, right? And I'm wondering, could we ask the projects what they would need, or what the foundation could help them with in that space? Yeah.

B: Yeah, again, I think this is just, you know, one of many conversations. I want to be really pragmatic about it: baby steps. I don't want to boil the ocean, but I don't want to do nothing. And even, like, asking for grants or money, you need to have something concrete to fund, and right now I don't feel like we have anything cohesive enough for a recommendation to ask. We have, at the project level, a little bit in conversations with the Node project, but collectively on how we help the broader OpenJS Foundation...

B: Absolutely. I know we have some security folks as well who could make it today; we can invite them, make it time zone friendly for them to join. I know this is a hard one.

A: Okay, should we create a security Slack channel? Should we just talk a little bit? Yeah.

B: Security Slack. We have our working sessions pretty mapped out, I think, for the next two. Maybe a separate working group.

A: I agree, I agree. Just, well, you know, a different meeting time, something to... I hate booking meetings, but it seems like it would make sense for us to just try to find some time to get together.

A: Yes, yes, both. I would say yes. So cool, great, which makes me wonder, you know, is this something that we should consider a collab space and try to even just invite folks from the community to get involved and whatnot?

A: Yeah, thanks everybody. I think it was a good session just getting things started. So I look forward to more. You know, Robin and I will probably work on this some. We'll send messages in Slack, open up Slack channels, look at a collab space and try to get things rolling.