A
Hello, everybody, and welcome to the January 18th, 2022 edition of the developer best practices working group. I posted a link to our agenda in the Zoom chat. If you could, please mark your attendance. If you have any items you wish to add to our agenda, please do so. We'll get started now. Welcome, everybody. I just want to prepare you all: 2022 is the most important year in open source developer security.
A
B
That would be me. Hi everybody. My name is Judy Kelly and I'm a threat modeler on the secure development engineering group in Red Hat. I'm really excited to be here. First of all, I, I don't know how it's going to look, how I can contribute. I would be really interested in threat modeling, and what can we do around threat modeling for 2022, and so I'm excited to learn from all you guys where we stand on that, and yeah, excited to be here. Also, I need to apologize.
B
C
Hi, my name is Xiao Ruiz. I'm connecting from Switzerland, but I'm from Mexico. I work for JFrog, recently joined JFrog. So before that I was a consultant and yes, sir, I've been working with open source for a long time, so I'm very, very happy to join the group.
D
A
A
All right, before we jump into our first item, a couple small points. Last year the group had talked about wanting to potentially go out and evangelize open source secure development practices a little more, so I started to compile a list of conferences that'll occur this year. There's a link there on the agenda. Everybody has the ability to comment and add items. If there's a local conference they think would benefit from some attention.
A
Some open source developer security love, let me know, and maybe we may wish to, in a future call, brainstorm a little bit. Maybe strategically it's in our best interest to build some type of deck or have some type of presence at some of these conferences, so consider that going forward. I'm going to skip David for a second and then note: last year, one of our little projects was working on existing guidelines for secure development practices.
A
I finally got off my butt over the holidays and did the first draft in Markdown in our GitLab. Unfortunately, I have a typo somewhere, so the formatting at the end is a little wonky. So if anybody has any free time they want to donate and make some suggestions and changes, that's one of the first items we collaborated on as a group, and we're glad to have that mostly available now to the internet.
A
Let us jump back. Talked a little bit with Zav over last week, and Laurent wants to come in and talk about npm security best practices, so I'll yield the floor to you, sir. Why don't you take it away.
E
E
But anyway, I'm glad that they are taking a look and yeah, hopefully in a few weeks we'll have something that is ready to be published, so yeah. That was the first update I had, and I also met with Excel, who's in the call here. Hi. We talked, and so Excel is an expert on tooling. So she basically presented me some of the tools that we can use.
E
You know, to provide documentation for best security practices, and yeah, I think I'm gonna let Excel mention some of the tools that she described to me because she knows better.
C
Okay, so in the first calls I've just provided a little bit of feedback. So how do we make more accessible documentation, how can we make it easier for people to come to contribute? So I mentioned tools and formats. For example, I proposed Asciidoctor and using Antora, different plugins for searching, making it more structured and easy to write it down and then publish in different formats and with different styles.
C
So I will work on that to create the template and to help with this in the entire toolchain. So it's from building the sites, creating the scaffolding for the documentation and preparing everything for push, for continuous releases of the documentation. But if anybody is interested, I'm a developer, so it's documentation as code, basically.
F
Yeah, so I wanted to get a formal agreement from this group to include that or not into our streams, because it's not yet in our, well, in this working group's official streams. So I wanted first to get a decision from this group.
F
Do we include data stream? And one thing that I was a bit concerned about is that this documentation, as it is evolving, it's kind of an automatic guide about how you are doing security with npm. So I think that if we want to publish it as an authoritative guide from the OpenSSF, we need to have the commitment from the npm team that, yes, they will review it and they will continue to do so in the future and maintain it in the future, right? And so yeah.
F
So these are the two points I think we need to confirm. So Laurent, to do the second point, I'm asking you because I know that, so I wanted you to Mice and Darcy. So do you have their commitment that, yes, they are going to maintain this open-source guide in the future? And yes, and after that, this group has to decide if it is, because this is a bit particular, right, to say a first opponent.
F
E
E
E
We want the npm security team to give us like a seal of approval, that this is what they think are the best security practices, so that's the first point, and then long-term maintenance. I haven't talked to them about this, so I'm gonna talk to them. Yeah, that's a good point.
E
F
In your team, so you talk. Well, they're not in my team exactly, but I will talk to them. I work for jersey in on other things under the MFA distribution, but that's not about him. And then the other question was for the group. Basically, do we, is it, and yeah, are we, the best practice group, are we going to publish these authoritative guides on products? What are the, whatever they are, so.
F
But well, npm is a product, you know, so we can take an approach like: hey, we are experts in using this product and we're giving you a guide that we are writing as users, consumers; this is how we do it. And then we can take an approach like: hey, this is the ultimate authoritative guide; this is how you do security on npm.
F
I have no concern with the first approach. Like, hey, I mean, I've been using it for years and I'm an expert, and this is how I do it. The second approach, given that it's a commercial product, right, we need to decide if we are going to do this kind of stuff. I'm not against it, but I think that we need to raise a question to the group.
A
So my first question is: are the documents available for the group to take a look at and review? I'm sure a couple of us here have used npm and may have some thoughts that they might want to contribute.
E
A
But we might have bots that could help or could get in the way, who knows. So I'll open the floor. What does the, what's the team think about this? Do we want to kind of take on this responsibility? I like the approach of having the involvement of the security team. I think that's important for us to consider. We probably would need to think about what the ongoing maintenance commitment is going to be for us to.
A
H
Well, what is actually the overall approach for, you know, OpenSSF and commercial products and helping and stuff like that? I mean, if it's not in line with that mission, then we already have a bit of an issue then. But personally, I think there's a huge need for it, right? So I think it's a great initiative.
H
It needs to be there. So from that point I would say yay, yeah, and if it doesn't clash with the OpenSSF vision, mission, and how to deal with, like, commercial products, I think then it's good for me. I think it's good. You should do it, but.
I
The requirement is that we improve the security of open source software. There's, as far as I know, now, I'm relatively new to the LF. I don't know how much longer I get to play that card, but yeah, crow, you still have a little time to play that card too. But I don't know of any particular limitation on that. You know, as long as we're improving the security of open source software, we should expect that we're going to interact with commercial organizations; that's kind of inevitable.
I
That doesn't mean that we should necessarily take this on. So I'm intentionally trying to stay out because I'm not sure; there's pros and cons. But I don't see any reason not to. But I think what was mentioned earlier was key, is that we want to collaborate with the npm folks.
A
Do we want to do this? And I will check with the TAC during the next TAC call to see if they're aware of any limitations. But I think, absolute bare minimum, we absolutely add it to our existing best practice guidance, and I think if this group wants to collaborate and continue to help work on it, I feel it's a very worthy mission, looking at the size of npm in our ecosystems. Any additional thoughts or questions before we move on?
A
Yeah, so actions for Laurent: if you could send an email to the group, kind of formally requesting the mailing list, it's like, do we wish to take this on, and if you could get us just a link so that folks could take a look at it and provide any feedback if they have thoughts, that'd be awesome.
A
I
Well, to be honest, I need to go back and get the real recap figures, but basically, I'm at this meeting, I'm realizing, oh, I probably should have some numbers. So, well, I'm gonna add that note now: we need to get the more accurate numbers. But basically I can quickly pull up at least the original project request numbers. There were requests from various critical open source projects for 102 YubiKeys from GitHub and 65 Titans from Google.
I
We actually sent more, because once we set an initial draft, whereas, oh, we've got extras, projects said, hey, can you give us some more? Oh, okay. Hey, look at this. Now wait a minute, why, yeah, we've got a weird discrepancy here between Xavier's number and my number. So I don't know what that means.
F
Perhaps they didn't yet make the request. Perhaps they get the, that's right, because yeah.
F
F
I
End of December, whereas the Titan folks, I tried to make it very, very clear: they had to redeem them at the end of December, which is why we were rushing. But anyway, so, you know, somewhere between 150 and 200 tokens were sent out. That turned out to be a whole lot of work, because we were interacting individually with each of the different projects. So my thanks to all the notifiers, because, you know, a number of projects, you know, didn't reply.
I
I realized near the end of the year, and it was hard not to look like a spammer. And even for the ones who did reply, some folks replied and said, like the Linux kernel folks basically said, we're good, everybody has one. So, okay, that's a fine answer. We are okay with that answer. But, you know, I think the better way to view this is every single one of those is a one one in one more method of attack.
I
J
So, but David, speaking of this, I mean, I sent an email actually because Kubernetes, of all people, right, the Kubernetes community did not respond initially. Oh, they said, oh yeah, well, we'll open an issue, and then this thing kind of fell dormant over the holidays, and now they're waking up, saying, hey, this is like a great project, can we have some keys? And I said, well, let me check, I don't know what the status is. Do we still, I understand the Titan with the coupon was expiring, but what about YubiKeys?
I
The YubiKeys are still available and we'll see if we can probably, I mean, ask our friends at Google, so, you know, they're too big to be fair. You know, Google folks, I honestly, I do mean in all sincerity, thank you. The time limit was imposed by just their internal processes. We're still grateful.
I
So we've got YubiKeys. We can hand them out right now. The tokens of the YubiKeys, sorry, the Titans, we might be able to re-get them in the future, but we don't have access to them at this instant in time, right? Does that help?
I
No, I know, I think, all right. The reason for the five keys was that we didn't want to make promises we couldn't keep, you know, and so I intentionally.
J
I
Oh, I think we can spare a few more. We didn't know what kind of response we would get, to be, I mean, first time this has ever been done in the world, as far as I know, so you have no idea what's going to happen.
J
No, I'm with you. I was there and I agreed with that approach, and so, like, you know, this is a reasonable way. But so that's why I asked about the status, because now they are actively trying to, you know, figure out who needs a key, and so they're asking me questions. I said I think there's still a possibility to get YubiKeys and I'll let you know how many, so.
I
Yeah, so let's see, by the numbers, you know, we have something a little over 350 left. So I don't, I don't.
I
But you know, let's get at least, let's get a whole bunch out to them. Sitting around not doing anything is not helping.
J
D
Yeah, so I just, I guess I should mention I happen to be on the steering committee for Kubernetes and I'm an emeritus lead of SIG Release over there also, so I think our priority would be to get keys for the core release people. I think initially people thought, hey, maybe we should get all reviewers and approvers and, like, really, really bump this up; that's where you get to, like, a 300-plus number.
D
If we want to do that as a project, we will make sure we fund that, I'll just kind of throw that out there. I think, from a steering committee perspective, we need to figure out how to solve that, not just get free ones from OpenSSF for someone else. So if you hear a huge number, let me know, but I'll make sure, on the other side of things, that we're focusing on the core initially.
I
A
Absolutely. Well, that actually ties into a question I had, David. I was one of the notifiers and I got to figure out how the hell do these different projects wish to be engaged over the holidays, which was a treat, let me say. Now that we've passed the deadline.
A
What do we want to do with the folks that didn't respond, or responded but never followed up? Do we want to, as a group, reapproach them now that we're past the big holiday? Well, we're moving into Chinese New Year next, but now that we're past a major holiday set, do we want to go out and reapproach those folks that either didn't respond or didn't seal the deal, so to speak?
I
I think it'd be a good idea. I will say that I have limited bandwidth, so at this point I'm trying to do other things, but I think if a project shows up and says, hey, can we have some tokens, I would say yes, let's just do it. We were, at the outset, we were concerned about too many people asking for too much, but in fact that didn't happen.
I
I
It did, it did. Doing it over Christmas season was not easy for a lot of folks, and just wrote in the short time frame. On the other hand, it did make us actually go to it, and I will say that, this may seem strange, but I think a whole lot of people really appreciated being able to point to a, hey, OpenSSF doesn't just write some docs.
I
A
J
One question: I know that this top 100 list was kind of very much work in progress when we adopted it. Is there, what's the state, basically, on that front? What I mean is: will it be reworked in a way, or extended, revised, that there will be additional projects coming in? So, in addition to reaching out to the ones that have not yet responded, are there more projects that will end up on that list, maybe Log4j or.
I
Now, and now you mentioned Log4j, we have a story for you there. The critical projects working group has added Log4j, and so we added it to the MFA. So in fact the Log4j folks are some of the folks who responded and already have tokens.
J
Yeah, I saw you kind of proposing that on the mailing list.
I
So the Log4j folks got some tokens, so the critical projects working group is going to update their list and we should probably try to send out new.
I
I think we can probably handle those as deltas. In other words, as they add projects, they can say, hey, we added blah blah blah, and then we can try to contact them, but without quite the frenzy of chris chris was coming, hurry up.
G
A
I
Actually, you should be grateful that you had a mailing list to contact. I.
I
Well, yeah, except that my experience was that they were less responsive than the mailing lists, one, because if it was on the issue list, oh, it's not a crisis, you know, off we go. And so, yeah, you know what, we attempted to make contact with everybody and we did what we could with a very, very short fuse, and we had some, I would count this as a success.
A
All right, before we go to opens, do any of our member projects have any updates they want to share? Anything, any amazing new things.
A
During the new year you want to share.
G
Okay, sure. So I wanted to share some updates about the upcoming Scorecard v4 release. So I don't know, do you want me to present my screen or do you want to share your screen?
G
Hey, can folks hear me now? All right, much better.
G
Okay, cool. So we are coming up with a new Scorecard v4 release. So just to be clear, the public announcement is going to happen tomorrow. We're going to have a blog on both OpenSSF, Google and GitHub. So we are doing some partnership work with GitHub, which I'll talk about. So what's new in Scorecard v4 is we're coming up with this GitHub Action, so I kind of want to walk through this with folks.
G
So we have a new Scorecard GitHub Action that we have created in v4, and what we've done is we've partnered with GitHub to basically have it installed not just in the marketplace, but in your repository. So if you go to your security settings in your repository, you'll basically see a tab saying add us security news code scanning tools, and Scorecard will show up as one of the tools there, and we have a pre-created template that you can just use to add Scorecard as a constantly running monitoring tool to your repository.
G
So you can see the instructions for it available on ossf/scorecard-action. Next, we've added, like, scanning for about one million projects. We scan these projects every week and the data for that is available through our Bigtable database. So the link here shows how to access this database and how to, you know, query and figure out some interesting things about the OpenSSF ecosystem.
G
The next thing is we added a few new checks. One of the interesting ones we had was the check on dangerous workflows. So what this does is it can look into GitHub workflows and it can figure out if you have potential for leaking any of your secrets. So, for example, let's say you're doing something like a code checkout and then building it directly in, let's say, a pull request target instead of a pull request, it can figure out this kind of dangerous workflow settings.
G
G
The final thing we had is we had far greater collaborations. We had more people that we worked with. We had projects like co, GoReleaser.
G
Showed interest in Scorecards. They wanted to kind of, you know, add some features, so that was good.
G
So, having done that, I think the one thing I kind of want to mention is our next step is really to increase the adoption of Scorecard, make sure that more and more people have the Scorecard GitHub Action installed.
G
So I want to ask folks here: if you are maintainers of any open source projects, please do check out the Scorecard action and see if you can install it. If you are in touch with other maintainers of open source projects, you can either let them know or, like, let us know, you know, we can get in touch with them, so that we can ask and work with them to get this installed.
G
We are also working, for our next versions, to work with other projects across OpenSSF, like Allstar, to create more interesting policies and compliance using Scorecards, and the last two things are something that David spoke about through his exact meeting, which is that we want to add support for non-GitHub repositories and, at the same time, we want to support more tools recognition in Scorecard. So that's pretty much it. If folks have any questions, maybe I can go through that.
A
G
Sure, yeah, I can either ping on Slack or, if you think any other way, I can do that too.
A
A
H
Yeah, I wanted to give a small update on the SKF learning platform. So we actually started already to build the use cases to be able to deliver the learning platform somewhere in, end of Q1, and we identified, like I mentioned before, three learning paths: one for secure development, one for web API security and one for info/ops.
H
I have now around four people from my company helping me and working on those, so that is great. And myself, I will start soon making videos and slides. Yeah, what else to say? Let me think: I'm also almost done with the SSO implementation.
H
There was a thing I was also working on, and over there, what I now have, everything works using Docker Compose. So now it's only a matter of, yeah, making Kubernetes YAML files as well for the additional gateway, Keycloak servers tied up together, write a bit of documentation, so that is also finished then. Yeah, and in terms of the learning project, what we also have now is around 60 Node.js labs that you also can do. So the idea is that, well, we already had Python labs in SKF.
H
So those are mainly going to be used for the secure development track, so everybody can at least pick a language that, yeah, that's popular and that they're familiar with.
H
So that's going really full speed ahead. Let me think. Well, I already mentioned I moved the whole SKF demo site to Microsoft Azure, thanks to their credits that they hand out to the open source projects. That's running like a sunshine, like, really great.
H
Let me think. Oh yeah, and there was another thing I wanted to discuss: before the great MFA project, we actually were also busy with that landing page loop, yeah. So I wanted to check, how do we proceed with that? You know, is somebody going to pick it up, do it? Do we do it collectively as a group? Or just to get your thoughts on how to move forward with that one.
H
Yeah, I think I even pushed it to our repository, so at least I didn't lose it, and good I did, because my computer crashed three weeks ago. Anyhow, so I pushed it there and it's basically like this landing page, at least that was the idea, a landing page for developers where we can promote, in every different stage of development, the different tools, the tools from the tooling working group, our projects, yeah, that thing.
A
Yeah, we talked about it several times, trying to have like a one-pager or like an intro crash course for developers on, if you're doing a specific task in the development infinity life cycle, it would showcase different best practices or tools or videos or whatever. We talked about it a few times here.
I
I
A
It, and maybe, how about we carve out some time in the next meeting? If everyone could take a little homework, reflect on the diagram, if you have any feedback for us, let's talk about it as the group next time, and I'll get the right link.
I
So actually, I have two requests. Please do that. One, we can post out to the mailing list the link, you know, hey everybody, look at this, we're going to talk about it in the next meeting. Ideally we have, you know, if you have some specific ideas of what you think the next steps would be, Glenn, and then, let's, you know, I'm sure there are things we can do, but.