A
I'm afraid so. I have some, unfortunately, critical family stuff I have to deal with.
A
B
B
C
C
B
I'm, yeah, family, family, family. Having to step away for family is not something like, deal with that. It's not, yeah. I had it, yeah. I'm sorry that whatever you're going through, you're going through, and I, I hope that, I hope that you have, everybody comes out of it okay. Or thank you. That's possible.
A
I'm on a record, this is being recorded. If we in another situation, if we're not being recorded, I'll be more candid, so.
B
I looked at my calendar today and I have a meeting with somebody at Google, and I'm like, how did that end, how did that end up on my calendar? Who would, how, what, you know, who, which, which conversation did I end up sending a Calendly link to somebody to have them end up sending it or having an invite on my calendar?
C
Hello, everybody. We will get started in a couple minutes after the hour. Posted a link to our agenda in the Zoom chat. We should be joined today by some very special guests from the far off exotic lands of the European Union, but I have a couple points to talk about first, before we have a discussion with the around security maturity.
B
B
A
All right, yeah, so for, I'll, I'll be less coy on a not recorded line, but for family reasons I am unfortunately only able to connect in by phone, and I'm actually driving, so.
C
So if I could have folks sign in on the agenda, that'll be great. I have a couple quick topics, and then we're going to be talking about a hopefully open source security maturity model very quickly, and if you have any other items you want to talk about, please post that on the agenda.
A
While we're waiting, I will just note that discussions about the OpenSSF Best Practices badge logo continue on the relevant GitHub issue. I can't post it here, but it's been posted earlier. So if you have opinions on various artistic directions, we'd love to hear from you. I, I'm actually not excited about logo discussions, but I know they're important, and so we do them.
A
C
Everybody should too. All right, it is three after the hour. I will post a link to the agenda one last time. Welcome, everybody, to the February 15th edition of the OpenSSF's developer security best practices working group. There are words and stuff.
C
We are here today to have some exciting discussions around open source secure development. First off, I wanted to let everyone know we finally worked out all the bugs, and with Jen's help we are now officially on the YouTubes.
C
C
One thing I wanted to make everyone aware is: on February 23rd the OpenSSF is having a town hall. I've been invited to come talk about the progress of this group and other working groups, so I have posted what I propose.
C
I will talk about, kind of describing what the group has done over the last several months and kind of what some of our upcoming objectives are. If anybody has any feedback about that, feel free to either chime in now or make comments or additions, changes on the agenda, and I'll basically kind of use that as some of the high point highlights I want to get, kind of highlighting all of the great work that this group has helped contribute to. Any comments on that?
C
Very exciting stuff. Did Rob, or anyone from Rob's group, show up to talk about open source security maturity models?
A
C
Yeah, I hope not, but we will, if Rob or H or D are the names I have. If anyone from that contingency shows up, we can circle back. So I will open up the floor to the group. What items are we interested in talking about today? Do we maybe want to start on our newbie view for OSS developers, or does somebody else have any pressing items they wish to share?
A
This is David Wheeler, just very small items I just mentioned earlier. The Best Practices badge folks, we're trying to switch over slow from the old CII to the OpenSSF. We've got a logo contest, so comments welcome.
A
Eventually we do plan to move over to bestpractices.dev. We're not there right now, that's one of those things where it's just, it takes some time to do. For the, for the fundamentals courses we're, I'm, Brian and I are going to be talking with Clyde, said from LF Education to find out various options they have there, and I hope to share with the group more here once I learn more myself.
C
Thank you for those updates. I see Glenn furiously typing away. You have anything you'd like to share today, Glenn, about SKF?
D
D
D
Maybe people have some feedback, because we're in the beginning stage, I would say, of creating these wireframes. So also we had a chat with one of my olaf's people who specializes in flows, and actually he, he gave us an, the realization that our application currently sucks a bit because, like, hey, here's an awesome feature, here's an awesome feature, and here and here, and the app itself doesn't really explain or has a good flow.
D
You know, to facilitate how you use all those features, and so one of the first things we want to do actually is revisit a bit of the landing page, where we have like three inflows now, where first, well, the one where I'm going to focus on now in this draft is the learning platform for learning and increasing skill sets. But we also going to change the, you know, if you know SKF, it's also about getting the right security requirements.
D
There is a wizard, so we also going to create a flow around that, more for the different phases as well, the, the plan, do and act phase. So for the plan phase, you get the security requirements, the wizard for, you know, fine-tuning which requirements. The do phase is like, okay, so you want to, I don't know, test something: here's the testing guide, or here's some other document where you can test off. And the act phase, I believe it's more like these type of tooling and other resources.
D
So it's, it's going to be a better flow, of course. Knowing this now, and, and like, hey, we need to create flows, we thought of, okay, how would this learning engagement look like? So, if you click on the learning stuff, you get like the different learning profiles. For the MVP that we want to release in SKF in, well, like one and a half month, we identified three profiles actually: one for secure development, one for web API pen testing and one for ops infra.
D
D
A welcome message, a bit about the, the course, and when you click on one of the main topics, then the idea was that we have like a sort of video that we should, where we explain like the, yeah, the basis concepts of, you know, the topic, and really, you know, like a video type of delivery. And then under the main topics we have topics and the subtopics. Well, we can also make it full screen, and in the subtopics we basically have like a sort of slides that you can view. The idea is also.
D
Why is this in a slide format and presented in a web application? Because actually we want to make the slides from Markdown. So then later it's easier to add new topics or enrich the material, and also easier to contribute, actually, right? It's just adding new Markdowns or changing the Markdowns, and you can enrich the material that's there. So this is then, yeah, the slides.
D
After the slides, we wanted to do a sort of questionnaire just to capture, like, you know, did the person really understood, you know, the key messages in there. After we went over all the, the questionnaires, there will be the button, hey, now you can start the hands-on, and basically that one will spin up in our Kubernetes cluster.
D
The lab, the lab will be like this, with some information, you know, like very minimal guidance, because we already have very detailed write-ups for every lab, like from A to Z. So here's just the basics, like, hey, remember, you're doing an SQL injection lab, or you need to fix SQL code.
D
Also, the idea is that you can start it in a full screen mode, sort of say, and also for the labs itself. As you know, now the labs are basically just a web application that's being spinned up, but we're looking into using Apache Guacamole to connect, actually using HTML5, to an RDP over real, like a Debian machine or whatever, where is also an editor, a browser, the code, some security tooling, you know, because ideally, already looking into the future, we would also like to have another profile.
D
Learning pod for security tools, like, hey, here is the OpenSSF best practice, CodeQL or whatever tool, you know, that you can practice, or here's OWASP ZAP where you can scan stuff, or, and so on. So for that we also need then a fully, like, real operating system where you actually can install stuff. So we're also thinking of replacing the labs with more like, yeah, this Apache Guacamole type of technology.
D
Then, of course, when you did the lab and it's all finished, you go back to the first one and you have her, well, green, like, hey, awesome, you did it. The only thing we're going to do, and what is also key important, that is my second topic that I put on in the chat as well. As you know, I've been working also very hard.
D
The last couple of, well, months actually, to implement the single sign-on solution technology stack into SKF.
D
It used to be that you needed to create locally all the accounts and users, but of course, now we want to make it available, and having like a professional production instance for everybody, we also want to really invent the single sign-on solution so that, for example, with a GitHub user, you can just log in and start the, the learning platforms, and we can also then track that user ID, how far this person was, how much time it spent in, in SKF and so on, because one of the other things that we had in the to-do list was to build this hook.
D
API system for, you know, a GitHub or other organizations to pull metrics out of their user stats, right, how long they were in, what they were doing, what trainings that they completed or started, and so on, yeah. So two major things. This thing that has been developed, like I said in the last meeting, we're going for the secure developer, actually, four programming languages: the Python, the Node.js JavaScript and the Java. The Node.js, actually all the 17 labs are already completed.
D
They have also been merged already, and the write-ups are already there for, for those labs as well. I think we're now 30 with the Java labs, and for the .NET labs, you still need to start, yeah, so that is ongoing. The release date should be end of March, so still a lot to do. And for the single sign-on solution, we're now actually making a documentation, fine-tuning it. We still need to, to make the cube.
D
We need this files to properly be able to deploy it, but it locally tested very nicely with Docker Compose, and we're making a blog post as well that can be released, and, and yeah, where we, you know, it's a bit like a story where we came from. You know that we refactored SKF already like three or four times in the past seven years, and, you know, we had this stack, now we have this and this, blah blah, the new stack. So it's a nice read, I would say, as well.
D
You know, on the improvements we did for the single sign-on solution and with the OpenSSF community, yeah. And, you know, I hope, when I have some more functional stuff ready, to also hopefully involve a couple of you guys, especially when we're going to define, you know, and build the curriculum and the slides.
D
You know, from a coverage point of view, I was thinking to use the ASVS as a, as a threat, you know, what to teach to developers, because it touches many of the different topics, maybe also map it with, with NIST and other frameworks to see if there are still some gaps, and based on that, yeah, create the video materials and, and the slides to accomplish that.
D
That is more for the secure coding part. For web API, well, you know, that's pretty straightforward. I was thinking there to use the OWASP Testing Guide, because it's like this very mature, again very, covering a lot of good topics for pen testers, right, how to do things and which, what things to test. And the last one, the ops infra, it is basically very inspired by VulnHub.
D
I don't know if the people know VulnHub. VulnHub is an open source community as well, and they created, like, I don't know, 600 different type of virtual machines, which all have like misconfigurations, missing patches, and it's a bit like the OSCP stealth.
D
Hacking, like the infrared finding gaps, exploit them, do privilege escalation, and those actually lessons and, and example cases are great for ops and infra people, because I've been poking that for the last half year in the company I worked for, and they were very excited, because they gave finally a glimpse into, yeah, what hackers would abuse when they don't put the dots on the i, right, and now they can do them, gain access, do privilege escalation, from there hop on.
D
D
C
A
D
That is great out there in the details. Yeah, yeah, if you can, you know, hook me up or email, you know, with some, maybe also test environment where we can try the connection and, and the integration, that would be great, yeah.
A
Okay, I, I'm not sure exactly who to connect you to, but I'll, I'll try to connect you to somebody and we'll figure it out from there and see if it makes sense, even. But if, you know, A, doesn't make sense, and B, if so, what's the next step. I'm not sure what the answers are, but it seems like at least worth a discussion.
C
I have a question: what can we do to assist you? This seems to be very worthwhile work. You mentioned, you know, helping with content. Is there anything the group can help with now, or when would you expect you might.
D
Yeah, yeah, I, I think honestly, like in, so the, the two guys are now, actually, you know, who are responsible for creating this wireframe to Angular and to API endpoint calls, they actually started yesterday on it.
D
So we help them setting up an environment and everything, so I hope, like, they have something in like a week or two. So probably in our next meeting in two weeks, I can hopefully, you know, point you to, like, okay, these are examples of the slides, this is the examples of the content we have here, we can correlate them to labs, here are the labs, by the way, that we have, yeah.
D
So I really have hope to have something like two weeks ready, and then basically it would be indeed like helping defining the content on the slides.
D
Also there we have already a lot, because, well, you know, just some context, this, this type of approach we already did, only internally at the company I was working for, so there are already a lot of slides. But now we're going to, well, update the slides, enrich it and make everything open source, basically, but that will, I think, only cover like 60 of what we want to achieve. So there's still, yeah, like a good 40 that new slides and new content needs to create, be created.
D
I will be myself, of course, doing that, and, and made a blog reserve, the blog for it, but, you know, yeah, I'm only me, and there are other great minds and people here in the cold. So I would really, yeah, love to, to see some help there, yeah.
D
Exactly, yes. I'm looking at the, the phone here, I can, Dave, but yeah, we will, you know, when the time is there, we definitely will hook up and, yeah, utilize everybody who's interested to share, yeah.
A
Excellent, yeah, yeah. Quick, and David again. Glenn, you know, it's been a little while, we, we posted the fundamentals course materials as Markdown on GitHub a while back, but I don't know if you've had a chance to look at that. You might be able to use some of that material in the SKF work.
A
You guys are using, but ours is Creative Commons contribution.
D
Yeah, well, that is maybe also something we need to discuss separately, because we have the new Apache or the new v3 license, but that's more from a software point of view, and actually I don't remember we ever put a license model for all the material and content we created, you know, the text and all that stuff that we utilize in SQL. So probably that's also, yeah, a good one to revisit that again and make sure we also have something in place for that.
A
Alignment, yeah, that project, yeah, but the content needs to be licensed, and Apache and someone are not really the best licenses for that. The usual rule for the, for this group, I, I realize your situation is a little different, is Creative Commons, you know, the CC BY attribution license.
B
A
All at least so, if, if you did that, then we don't have to have the argument about license compatibility, because then we're using the same license, which I, I like simplicity. But so I would encourage you to do that, and if not, let's talk, but it would, it would make sense to have them licensed in the same way, and then we can just share content back and forth as appropriate.
D
Yep, no, for sure, and that sounds good, so we definitely will put that as well in the to-do list.
B
Yeah, sure. So I'm, I'm new and don't have a lot of background, so I apologize in advance, but, welcome, I, I do a lot of DevSecOps from the pipeline integrations perspective. I see there's an ops section there. Is there going to be things like the best practices for types of scans to embed in a pipeline?
B
Some of the general concepts there around software supply chain and the like, is that the kind of stuff that's going to go in there, or like how to harden images? What's the type of content you're looking for there? Because we have a lot of it in, in my organization. I don't think we could donate it, but I could definitely go in and retype some of it in a more neutral language.
D
For me, it sounds like a new learning path in, in itself, actually, because how we envisioned the ops infra, that was more like, okay, talking about the bare basics, like firewalls and, and patch management and isolations, that type of stuff, right, still really basic stuff. And if I hear you talking about it, it sounds more like a new fourth learning, both actually.
D
B
I look at automating all the things, so for me it's a little bit of a blending of the two, but I can definitely see how that would be a separate one as well, yeah. I do think that that's, you know, that's a big conversation that's happening in general. I'd love to be able to point people out a resource like this to be able to get that, that basic primer and that information, yeah.
D
Yeah, because, to be honest, you know, when I was thinking about and saying about the vision, you know, like, I hope in the future we have like a fourth to fifth or, you know, more of those profiles that we can offer to people to, to learn from, and like I mentioned, you know, I would love to also have like pipeline tools like CodeQL: hey, how do you do this, how to set it up, how to make your own CodeQL rules, or hey all?
D
What's up, how do you configure and run it, or dependency check, or, well, other, like, tools you would normally, you know, embed in your pipeline, right? And also in the OpenSSF group we have great tools like the badge project and the score and, yeah, how do you do that, right? So that could all fit, maybe under there or maybe separate ones, I don't know, but it sounds to me like a very interesting edition learning path, actually. Only the inaudible.
D
Yeah, yeah. What I would then recommend is just to wait a tiny bit till things crystallize a bit, because it's really in flux now, and also, you know, if we have like these, these learning profiles already in there, then probably a lot of the things you can re-utilize, right? So that makes it, your life also a lot easier if you want to, to contribute and make this new learning path.
D
So I'm very excited to hear, you know, that you have a lot of content and willing to, to work on that, yeah. So please give us a, like a month, because in like two weeks I have, hopefully, you know, the, the skeleton there that we can actually enrich the current profiles, and then like hopefully in a month we can actually, I can help you on board, maybe, to do the, the additional learning part that you just mentioned about the pipeline and supply chain examples, for example.
C
Spyros had a question, comment for you, Glenn. Do you want to speak to that, Spyros?
B
Hi, yes, sure. So, is there any chance we can link the content to CRE, which should help you, you and the users of SKF, discover and link to way more contents, content that you currently have, and also it should allow you to maintain the links long term, right?
D
B
It should help, it should help you like get rid of a couple of hits.
D
Yes, no, fully, fully agree, and for the people who are not familiar with the CRE, so this is the, our inventory project right here at OpenSSF and this working group and also with SKF.
D
So yeah, definitely, you know, we're now looking into how to also implement the CRE into SKF. So, together with myself, my brother and Spyros, we're looking to replace a good chunk of the content in SKF with the structure and data from CRE, because they're actually sort of the same, and indeed I asked Spyros for some help here, because currently the data and the correlation that we have in SKF, from checklist to knowledge base items to references like URLs, CWE data and so on.
D
I call it indeed a three-headed dragon, and if we don't do anything about it, it becomes a four-headed dragon, yeah, and I don't want that. So that's why, yeah, definitely, Spyros, to come back on your question, we should be able to do something like that, yeah.
C
All right, Arnott, please, you have a question about the Great MFA Distribution.
E
Yes, that's right, thanks! Well, first, I have a quick question. I want to make sure David received my latest email regarding the connective request.
E
The Canadian group finally, or, you know, project, give me the list of people who would like to have a YubiKey token. I sent that to you.
A
E
A
E
No, no, but it's okay, I mean, obviously they were very slow to respond, and I'm still working with the Kubernetes project as well. I expect to have the final list soon, but, you know, I keep having to prob them, and they say, oh yeah, yeah, yeah, please, thanks for pinging us, we really want some, and, but, you know, so. This is a bit of phenomenal.
A
Yeah, we don't actually have to have the individual names. If we have a person at the project who can, who can help us do the distribution, an account, we can just send the codes to that person, who, and then we, we often let projects figure out how to send them within the project, simply because some projects don't want us to know the exact email address of everybody. That's fine.
A
E
A
They get the GitHub folks in order to, that's why they have a two-step process. The GitHub does need it, but we, the OpenSSF, don't.
E
A
And sorry for those of you who are familiar with this, but for, if you want to get the GitHub tokens, there's a validation code and a coupon code. We send the validation codes to the project, so projects use the, send those to their developers.
A
A
All this nonsense is to try to provide as maximum privacy as possible.
E
E
Yes, I understand, but so, so that brings me to my last question on this, which is broader, is that, you know, I know we made a really, a strong push on this at the end of last year, and I think a lot of us, I mean, I have quite a few projects never responded, and I know, looking at the spreadsheet, that's been the case for quite a few of us, and my question is, yeah, how are we, you know?
A
Yeah, I, I don't know. Well, how's this: I do think we ought to take another bite at it. I, I also think that our, our short deadline during a holiday season was probably a, a problem for some folks, although, frankly, the advantage of short time frames is that people are more likely to respond.
A
Some people are more likely to respond, so, yes, we should take another crack. My suspicion is that the, so here's what I'm thinking going forward, but we haven't discussed this within this group and we need to. The critical projects working group is talking about updating their list, and they're seriously talking about starting over with all the new data that they're, they're expected to be getting. So what, so?
A
My current theory is letting the critical projects working group come up with a newer, better list and then using that to take another stab, you know, and for the projects that didn't respond before, maybe, but are still in this new list, then try again, and maybe they'll respond this time. You know, this, I don't want to try to send you, but I don't know if anybody thinks that's a terrible idea or not, but it was a lot of work.
A
I think it was worth it doing, but I think we need to do some other things, get us, get a break, and then come back to this in a little while, I.
C
C
Time to coordinate, as the contactors, saying, you know, this is how I contacted Kubernetes and I didn't get a response, does anyone have a better vehicle to get in? It's like a 15-minute coordination chat or something on Slack. I think that would help us potentially overcome some of the, yeah, on responses.
A
Well, I will say we kept a spreadsheet of, for each project we recorded how we contacted them. For a lot of projects, really the only way to contact them was to create an issue, say, on GitHub, but they don't really have an easy match. This is not a bug and it's not a feature request, so I think for a lot of projects it wasn't at all obvious how to even contact the project.
A
In many cases I put it in as an enhancement, because it's not a bug. A lot of projects don't really monitor that much, they're overwhelmed with ideas, they just want pull requests, so, or merge requests. So I, I'm not sure that coordination within ourselves is the primary challenge. I think the primary challenge is, is figuring out how to better contact individual projects, and it's not clear that there is in fact an answer.
C
A couple of the projects I communicated to, they only offered up a security team message mail account, and those I had like a one out of four response rate on for the security team responded back.
B
Exactly, the, the, the generic issue about gordon enhancement in my case actually worked better than reaching out to the, to the security folks.
A
A
Problem is that we don't fit in any of their buckets. This is not a bug, it's not a feature request, it's not a vulnerability, and so I think a lot of projects get that message and, frankly, don't know what to do with it. That's so good, I'll deal with that when I have free time, which never happens, file.
B
But coming back to your proposal, David, of like, let's first get a new version of the critical self list, that I think makes sense, just want to.
A
So, but to answer your earlier question: yes, I think we should do it again. Let's take a breather, let's let the folks update some of this information, but yeah, I think, I, I think it was successful. We, a lot of projects didn't respond, but we, we had no id. We knew some wouldn't, we just didn't know the numbers, but we certainly got responses and we got results, and that's what we were hoping for.
B
C
C
So I found out what happened with Rob and his friends is: there was a miscommunication. They were sitting on their own Zoom call, as opposed to, you know, 12 of us joining them, joining our call. So I will try to reschedule, anyone that, I will attempt to get them to come to this meeting, but if not, I may, I'll put the invite out if it's at an alternate time or an alternate dial-in, and anyone that can attend and is interested is welcome.
C
All right, if no one has any other topics, I will let you all run free. 15 minutes of unbooked time, enjoy it. I know I like 15 minutes out of my day to go run and think and walk around and pet the cat and whatnot. So everyone else, have a great day. Thank you for your attendance, and we will see you again in two weeks, and don't forget, the town hall will be on the 23rd. Have a great day, everybody. Thanks, everybody.