From YouTube: Best Practices for Open Source Developers (May 24, 2022)
A: Everybody healthy over there, zav? Good, excellent. Everything is back to normal. Good, good, good.

A: All right, folks, I posted a link to our agenda in the Zoom chat. If you have not yet, please mark your attendance, and if you have any opens you would like to add... First off, let me ask: is there anyone interested in helping us scribe the meeting notes? We have a couple of us that tap away, but if anyone's interested in helping (thank you, Vicky), please feel free to participate in the note taking. Now, do we have any new friends that wanted to introduce themselves today and say hello to the group?

A: Let us move along. If you have any items you want to add as opens, please go ahead and type away. Let's get a brief update from our... it used to be called projects, things that used to be called member projects. If you would like to provide some updates, Mr. Wheeler's been busy tippy-tapping away. You want to start, sir?

B: Sure. First of all, OpenSSF Best Practices badge: no change. See, that was easy, right? Yeah, yeah. We'll probably have some more changes and updates for the fundamentals course. Actually, quite a bit going on, in spite of the fact that I've been completely overwhelmed with the Washington DC thing. We've been working for a while on a big update of the SQL injection section, which has finally landed. It separates the whole concepts of parameterized versus prepared statements. In some libraries those aren't different things, but in some systems they very much are, so it was confusing using diff... You know, for some folks, we also explained application versus DBMS side, application libraries; all that stuff is merged in. You can see the pull request there.

B: This is eventually going to get out to LF and at x2... I'm sorry, to edX and to the LF training and certification platforms, and someone's already offered to get some of this information over to OWASP, because while we were doing research we found some problems that were just reported this year that really aren't noted elsewhere, but they're pretty significant.

B: We have some draft early PRs from Olivia, and I'm very sorry, I don't know how to pronounce your last name. Galoci, Gallucci, I believe. Anyway, an RIT student has started proposing pull requests. We thank her. We're gonna start, we've already started reviewing them. And I'm gonna do a teaser: we plan to have an announcement on OpenSSF Day about ways to further disseminate the fundamentals course materials. How, you ask? Well, come to OpenSSF Day and find out.

D: This is Dave Russo. I don't know, my camera's not working for some reason. Okay, anyway, so general question, David. If there are folks, like some of my cohorts here we've been talking about, who want to contribute some additional information to the fundamentals course, such as maybe threat modeling?

B: Well, it turns out there's a GitHub repo, and you would file issues and pull requests on said things. Now, there is already a section about attack modeling, threat modeling, so presumably the information would go there. Now, we do have to be careful. The goal here is to not... this is not a data dump.

B: This is not a learn-everything-possible, so we somehow have to... you know, it's more than awareness, but the goal is to not know everything, so somehow we're gonna have to thread the needle of what does a typical developer need to know at the very minimum. But that said, certainly we can.

B: We would love to hear improvements to the course, so yeah, that's how we do it now. Once the pull requests are merged, there's a separate, weird process to actually get them out. Oh my goodness, you have a face. It worked. Shocking, I know. Okay, how do you have a face? You probably have a body attached to it.

B: Believe it or not, you know, I only live up... down to here. Everything.

B: So anyway, after it's merged, there's a weird, complicated process to get it from GitHub out to edX and to the LF training site. The good news is that it is not your problem; it is my problem, but it is not your problem. So really, from your point of view, it's get it to GitHub, and once it's merged in on the main line, and it is the main branch, then, as I said, there's some weirdness. So we have to be careful when we do a merge.

B: Okay, yeah, and we never anticipated that the fundamentals course was going to be the only possible course. I mean, that isn't even true now, and you've got SKF right now. So yeah, so you know, anyway, carry on. Thank you. Thank you, right. Any...

A: Ruby groovy, all right. Let us move on to our opens. As I teased moments ago, there is a new, exciting potential project we all could get to work on. If you were not aware, the foundation went to Washington DC and met with members from the White House and other government officials to talk about an open source software security mobilization plan.

A: This is a plan laid out in 10 parts that is proposed to create projects and work streams that improve different areas of open source security. So I... open source, yeah, open source security. So we had sent that out to the mailing list, and I hope everyone's had a chance to look at the mobilization plan.

A: Have we... I see a couple head nods. All right, so I would like to talk with the group about, in particular, stream one, which is the "deliver baseline secure software development education and certification to all" work stream. And let's open up with: has anyone had a chance to read stream one? What are your thoughts about some of the ideas proposed in there?

A: I am very glad that you... you must be my straight woman again. I am... so before we move on, when we are done with our discussion today, I am going to propose to the group that this working group adopts stream one as a special interest group, and any number of us could participate to do exactly what you question, Vicky, is: refine that proposal, zero in on where we can add value and make plans for the future.

A: So you know, if we think we want to have some education for all levels of education, you know, a person to graduate student, great. If we want to focus in on other stuff, that's what a group, a subgroup of us could work on, and I can... I will set up a series of dedicated meetings for us to continue to refine that if people are interested. I think I saw... did I answer your question? Ish.

C: I will also confess bias in this, since I'm a vice chair of the Linux Professional Institute, and LPI is developing their own security certifications and the like, and they already have relationships with a large number of academic institutions of all varieties across the world, and so I think there's something that we could probably leverage there.

A: Nice, excellent. I believe I saw Mr. Wheeler's hand next.

B: Yeah, so I actually led the discussion there, but "lead" is probably the wrong term. I heard, yeah, yeah. Well, I didn't even hear them. I was there in the front trying to observe the next cat, but there were... there's... You really need to look at the notes, and my thanks to the folks who took the notes. I did not, and it was good, you know, helpful stuff.

B: One thing that really struck me, and I copied it in here, is the separating of university, K-12, boot camps and all, although it's not really noticed also, you know, also continuing education, because a lot of folks, they're already out there, and you know. So how do you know? How do you reach these different groups of folks? I think there's many, many things that were noticed, but I think that's one of them.

A: Agreed. All right, Eric, I saw your hand next.

E: Yeah, I mean, I was lucky enough to be included on some of the discussions with that stream one together, and you know, some of the things we talked about early on is the variance in curriculum, not just college and potentially the training and certification that exists, but also bringing this to a broader group of people, some of the underrepresented groups within the industry, trade schools.

E: It really needs to be broken out into phases, but you know, my opinion, and certainly always up for debate, is that we can't limit the scope to, you know, a specific area and say, okay, well, we'll tackle college because that seems like the most relevant. But I think the special interest group can solve that problem, and I want to be included in that, please, and you know, want to contribute as much as I can there. But I think that that's where we really need to define this a little bit further.

E: I think the certifications are great, but you know, do we start at the conference and special interest group kind of areas to get those broader categories, so that some of these, like Girls Who Code and all these other groups, you know, really ramped up on things where they may not get the same materials?

E: You know, that's just one of the ones I know off the top of my head, but certainly, so I think just in general, this is a hugely important initiative and we have an opportunity, and hopefully Vicky's contacts and the other group can open some doors. But definitely include me in those conversations, because I want to help out as much as I can.

A: Excellent. We would start off with refining the scope and goals, and then eventually that group could move into either collecting or crafting content. It might spin off into little groups. Maybe we have a group focused on academia, a group focused on kind of the boot camp type thing. So we will figure out how we proceed afterwards.

A: I am unaware of anyone else at this time. Obviously, if we spin this up, everybody would be welcome, but this would be kind of the shepherd.

A: What I will do is I will create a Doodle invite and send out to this mailing list and also the larger OpenSSF mailing list to solicit people's calendar time, and we'll see if we can find a good time with which to have the special interest group. Now, most likely, the SIG will meet a little more frequently. We might do weekly meetings for a while until we get the scope better refined and laid out, and then we might, depending on what is needed, maybe people that are making content or training trainers or whatever, going out and petitioning academic bodies.

A: Yeah, I have not heard anyone throughout any of my conversations, building the document or through the TAC; anyone's really mentioned any kind of interest, aside from a couple of the folks here on the line. But that doesn't mean that people won't be willing to contribute. If they're part of a different group, we'd love to have. Of course, all patches are welcome.

A: Absolutely, yeah, and I'll get that note out hopefully today, so we can maybe get a kickoff call for the SIG in the next week or two.

A: But probably "educate"... the open source security education SIG, most like... something along those lines, yeah.

F: I actually strongly support David's point there, because you know, I'm involved in some standards organization where everything is by numbers, and it's absolutely horrendous when you're a newcomer. You know, it's like, this is SC38, and it's like, what's that? Oh, it's cloud! Well, can't you just call it cloud, then?

A: I like that, we'll go with that. Of course. All right, so next point of order: Brian Behlendorf had sent a note to our mailing list and we had a couple people chime in. I wanted to make sure that the whole group was okay with it, that we'd had the opportunity to discuss it.

A: There is a proposal to create another SIG that would potentially be housed underneath this working group focused on developer best practices, but this particular SIG would be focused on the China region, because there's a belief that, through technical, cultural and language barriers, that group probably would benefit from some dedicated, focused attention. And so the proposal, as you saw Brian lay out, is to create a SIG that would periodically report back to us or collaborate with this group here for assistance, trying to create materials or help that particular open source development community.

A: Chinese Mandarin would be the language, and it would be... you would have folks that understand the language and can speak it. It would help guide any developers that participated in the SIG there.

D: Okay, then my experience is that it requires really frequent reporting back and forth and communication between two groups, so that they do not become completely separate.

A: Agreed, and I guess there is a gentleman that is located in Hong Kong that has an affiliation with the OpenSSF or Linux Foundation, and I believe he got nominated to be the SIG lead and coordinator. So ideally, that person would be our conduit between the two groups, unless we had any people that had Chinese linguistic skills who were interested in participating.

F: So if I may add a little bit here, because I have, you know, I share some background with Brian with the Hyperledger, where we both work, and you know, some of this actually can be as simple as the communication tools we use. People in China can't really use Google Docs, for instance, just as a starter, and similarly, you know, instead of Slack they use WeChat, which you know most of us don't use, and so there are things that are so simple like this.

F: That just makes it easier for them to talk to one another. And it has been said before it can be the language, but I've had colleagues, at least two, said it's not often the language that's the most, you know, the biggest barrier; it's really more like time zones and then their focus, and you know, there's a whole group of things. And I mean, our experience for the Hyperledger is we set that up and we were not too sure it would work out. Obviously we had similar concerns about...

D: Sammy, yes. Well, I think great initiative, but maybe just something to consider is ensuring alignment, right? So different meetings and different language with different tools. I think one of our biggest challenges is ensuring, you know, we're all growing in the same direction.

D: It's just something to consider, how we're going to do that through checkpoints or...

A: Yeah, very good point. We'll need to figure out process and meeting checkpoints. Those of... if anyone is interested in helping provide some type of liaison function, even if it's meeting with the SIG leaders, there'll be some additional potential time commitments for us to sync up with those folks to make sure. And also, as was mentioned, the tools to be able to share data back and forth will be something that needs to be worked out.

A: I feel that would be a better means, but I think this is an interesting way we potentially kick-start it, try it out. And while a tool like WeChat isn't a tool we could use other places, we could at least potentially use this as a template to spin up other SIGs that are focused in on different areas around the globe. I saw Vicky's hand first.

C: Sorry, got distracted by little beeps from the side. There was an individual on the #general channel this morning asking whether members from Africa were welcome, and I think this would be a great opportunity to reach out to them and say: yes, please join the Best Working Group, the Best Practices Working Group. It's right.

C: And then maybe we could get them to start with an African SIG, because they really did seem quite... they had experience, and it seemed like something maybe we could get going there.

C: And I've got a number of contacts now through LPI. We do a lot of work in Africa.

A: Nice, excellent. David.

B: Yeah, so, two quickly. I actually did reply specifically about the... hey, wait, China specifically, and Brian's reply, and I think he just replied to everybody. Basically, I mean, it's not that there's a moral opposition, but he thought that China in particular was one of the most challenging and therefore was one that needed help the most, or first, or whatever, because of things like, you know, the Great Firewall and so on. As far as Africa, I mean, obviously, hey, you know, the more the merrier.

B: I will quickly note that for the Best Practices badge we actually have a start at a Swahili translation, but our Swahili translator, well, I'll call him out now, he basically has stopped contributing recently. So I will shake my finger, because I mean, you know, I may have his pay... you know, with the zero on top. I don't know what the new number is, but you know, we would love more. You know, translation work is actually, I think, one of the more obvious for really worldwide participation.

B: There's a number of languages. We've got a lot of materials where just translating them would be a huge improvement. I realize that doesn't solve all interaction problems. Things like can't access Google Docs, which is, to my knowledge, you know, I mean, that's a China problem. I don't think that's an Africa problem, but you know, certainly there are challenges in many places.

C: So, with regards to Swahili, what we find at LPI is that it's not actually necessary.

C: It's not even the primary language in most of the regions, and they all speak whatever colonial language quite well, very fluently. And so, while we do have a number of resources translated into Swahili, our tests, it turns out, don't have to be.

B: Yeah, well, you know, we support English, we support French, we support many other languages, but I am not opposed to adding more translations.

A: And to put a blatant plug in for stream one again, one of the ideas we had was more localization of the content, whether existing or generated content, to try to find ways to get this out to different native speakers.

B: I don't think that's our first choice, but you know, there's a lot of people around the world who speak different languages, but it'd be great to support. I'll...

A: All right, any other commentary around the proposed China developer best practices SIG kind of being shepherded by this group here?

A: So it feels like we're okay, that I can reply back to Brian with an official yes, we were good to help out and try to assist and set some exploratory meetings in the near future to talk through that a little more. Does that sound acceptable?

A: Scrolling, scrolling, scrolling. 10:30. So do we... we had talked about the next item. Do we want to focus the balance of our time on the one-pager for existing guidelines for developing and distributing secure software, something that might be really useful translated into Mandarin?

B: Yeah, okay, let's do it, unmuted this time. Yeah, so I think for many of us we were totally overwhelmed by the gathering in Washington DC. So, at least for me, yeah, exactly. I just, for those of you who didn't know, I had a 10-hour Zoom meeting with Brian just, you know, to cr... to turn all the various pieces into some flowing whole.

B: So I have not really had time to work on this, and I think that's the truth for many other folks. So I would propose let's just keep working on this for the next two weeks and revisit this when we've had a chance to actually really take some work at it. I don't think it'll take that... this is not a multi-year endeavor, but I think many of us have been too distracted.

B: Absolutely. I won't be at RSA, so I'm fine with that.

A: I get to be a booth babe at RSA, so it'll be great. Looking forward to it. Oh.

A: And then, if we push it another two weeks, that'll be the Open Source Summit week.

B: I realize we can't fully win, but I still think at least giving us two more weeks.

A: I'm just... I kid because I love. Vicky, you have a question or comment?

F: That looks better. Thank you.

A: So please, please look at the one-ish pager and provide your feedback during the week. If we need to, we will go through and adjudicate comments at our next call.

B: You're absolutely right, and by the way, I believe that the only way we can achieve something that isn't one-point font is by not trying to list everything in this directly, but instead linking out to these other materials, right? But so, basically, this is that if you look at a pyramid, this is the top. This is the top piece that brings you to everything else, but for a lot of folks who don't have the background?

A: All right, ladies and gentlemen, thank you for your time and conversation today. You will see a note from me with a Doodle invite to try to find some time for the first of the SIGs, and then please also do your homework and review the one-page document, provide any last feedback on that. And you will also see a note to Mr. Behlendorf talking about the China developer SIG, and hopefully that will be the first of many potential expansion opportunities to get our content in the hands of developers.