C: All right folks, we will start the meeting. Do we have anyone that is interested in helping us take meeting notes and scribe today? Please.

C: Alrighty, as is tradition with this group, welcome to the August 16th edition of the Best working group. Do we have any new friends that wanted to introduce themselves to the group and say hello? Hey, can I see your hand? Hi.

D: My name is Dan Appelquist. I'm just joining Snyk, and I'm here because I really, really think developer education and best practice is, like, the key important topic. But what do I know? I'm the new guy, so yeah, that's kind of me. Oh, by the way, I also have... I also participated in a lot of activities around web standards, so if you're familiar with W3C, you may have seen my name around.

C: All right, well again, welcome Dan, we're looking forward to having you in our little family here. First off, does anyone have any opens they want to add? All right. So let's touch on those after I talk about a couple things here, my prop. We have some petitioners that are interested in joining our group.

E: Vicky, so are they considering having this being an official project that they're going to donate to OpenSSF, and it will be under the auspices of this working group?

C: Yes, that is their proposal, and that is why you'll see I have some administrivia that we'll need to deal with next meeting, kind of more formalizing some stuff, and we will have them come, do a presentation, and we will vote to see if the group thinks this is a good project to add in.

A: I welcome all new participants, but is there not a supply chain specific team in the OSSF, the Supply Chain Integrity team?

C: There is, and for a little more context, Mr. Wheeler and I have talked with these folks a couple times. A nice group of folks, and we initially thought, well, how does this compare to SLSA? And SLSA is more focused on those that maintain CI/CD infrastructure, whereas the new proposed framework is focused more on consumers, helping them evaluate it. Was software made properly?

C: Did they follow good security practices? So again, we'll have them come in and talk, and we'll see if it's a good fit here or not, or if we want to steer them more towards supply chain, but this is definitely not a... This is more of a complementary piece of work to SLSA than would be a competitor.
E: Something we should keep in mind is that there is a new, nascent, little baby fledgling (metaphor) working group for end users specifically, and this might be the sort of thing that would make sense there, or at least be a collaborative effort on that side as well. So I will bring that up in the end users call later this week and see whether we can at least get some of them to show up to our call next.

E: The next time we have a call, to see whether, you know, they're interested. Stop babbling and multitasking.

E: And this week there's going to be a discussion whether that is a bi-weekly call or what, but it should remain at 7:00 a.m. Pacific on Thursdays. This will be our fifth call for the group.

E: It is not yet on the OSS calendar, Lauren, because it is not yet an official working group. Hopefully that will be happening imminently, since this is the fifth call of the.

C: Yep, that's one of the requirements, as you need to have so many participants and so many contiguous calls. So cool that it is not... Lauren, as she mentions, it's not in the calendar yet, but hopefully we'll be very soon. And again, I will encourage Jay and that crew to come here to present to us, to see if we think it's a fit or not, or if we have suggestions for him as well.
B: Hey, so the first one I want to show, and we're really happy with this one.

B: So if I'm correct, you see the format of the old labs that we have right now. Yes, so initially we hoped that we could just do search and replace, because somebody helped us with the designs, but as it turned out, that wasn't the deal. So we had to do this copy-paste work for 270 labs, but at least we did it in a way that, if we want to refactor it the next time, we can do search and replace, so we fixed that.

B: Oh sorry, on the SKF labs repository, on the separate branch, and we will probably merge that somewhere this week, and then all the labs are updated, and then, well, we have this nice new format for all the labs. So now that it's changed to this, this suddenly looks really old. Really funny how quick that goes.

B: So what we did, pretty much, is we created an app that has a bit more functionality than normal labs would have. Normally a lab would have just one problem case, like a cross-site scripting, a cross-site request forgery, whatever. This has a couple of problems in it. So this one has cross-site scripting, cross-site request forgery.

B: It has insecure randomness when generating password reset tokens. It has a SQL injection hidden somewhere, and all that good stuff. So we have the app right here, and what we did around this lab, and we will also put this in the write-up, is we also, for this use case, created, like, use cases or fake user stories that you can dive into, like, hey, there's a description: as a registered user, you want to be able to authenticate yourself. And then also add in a couple of sequence diagrams that you can use for the threat modeling, a wireframe because it looks nice, and then guides people through how to do list-centric based threat modeling approaches, and ideally then we'll use SKF and the ASVS with this to generate the right security requirements. We're also looking at using CAPEC somewhere, somehow, in this, but I'm still not really sure on how I want to do this, because we started recently working on it. So you have, like, the user stories here.

B: You have more or less finished user stories with some ASVS controls that are generated with the ASVS, so we want to put these controls, or these examples, in the write-up that we would normally have, where we would guide everybody through the reconnaissance phase and the exploitation phase and all that good stuff. But instead of doing that, we're really guiding through the user stories and how to threat model this and how we derive the security requirements for this.

B: So yeah, we're kind of working on this one right now. So it's a fairly simple app. It has a user, the user can log in, you can reset a password.

B: It can read and write some notes, and then we put, for the use cases, some abuse cases, and we try to correlate them, but yeah. And then also guide you through the whole process and how you would use something like SKF to derive the right ASVS requirements for your user stories that you see here. So yeah, long story short, that's what we've been working on, because I kind of wanted to give the threat modeling training for our software developers internally, where I work, and I found, like, yeah, it's not really anything that I can just grab from the internet and use as is. That's why we decided, like, hey, let's create an app and also make the user stories for it, create some fancy diagrams that people then can later again... then later reuse, if you want to do the same thing, or also if you want to learn about it and then go through the write-ups that we have.

B: That would be perfect, really awesome. So if we could make this extensive enough, it could even be a separate training track in the learning paths, so that would be brilliant, but I first wanted to have something, at least something, you know, and then we have something to create good discussions around.

C: Excellent, all right, let us... let's talk to.
F: Yes, hi everyone. Yeah, Jeff and I have been working on the npm best practice document with a focus on supply chain. So not how you implement proper, you know, JavaScript code, but more like how do you handle dependencies and what the best practices are around, you know, dependency management. So I put a link in the doc. It's the final PR that will finally tag the document as v1.0. We've had a lot of help from people, especially from, you know, people who know about npm and Node.js better than we do, so yeah, thanks a lot to them. We're preparing a small blog post to announce it. I hope in the next two weeks we should be able to get it out. If you have any ideas of what we should write in the blog post, yeah, let me know. I'm not the best at writing, so yeah, any help is welcome.

G: Alrighty, so we have... it's really hard to talk about this guide without talking about the other guide, which is about how to develop secure software, because each document refers to the other. But let's talk about the evaluating... the Concise Guide for Evaluating Open Source Software first. So let me quickly, I'm gonna repost in the chat a link to the Google Doc.

G: I think we're getting a lot closer. You'll notice there's a lot of just little tweaks here and there. We had a section at the very bottom, a to-do, which is more just kind of listing other documents we can point to. So what I did is I just turned that into an "other resources".

G: So I'm hoping that we're getting more towards that state for the rest of it. There's a lot of little creaks here and there. Somebody was saying that the, you know, various questions need full pages by themselves.

E: Yeah, since we have this new project on the horizon, it looks like there might be rather a lot of overlap between what it covers and what this covers, as far as, from a consumer perspective, how to evaluate projects. So according to... yes, he's pointing at a thing, so I'm wondering, yeah.

E: Yeah, and so I'm wondering, I am concerned about putting a lot of effort into this when we may have to shift gears for the other project, and CRob, looks like you have an answer for us.
C: I would propose, since no one has shown up and shared any materials yet, that means that that is not a blocker for our existing work. We've been toiling away at this for a while now, so I don't want to impede it. Like David, I think it's better to get an 80% complete product out there and used, and then we can refine it in the future, and so I would not wait for something that may or may not occur. The group might say this is something the supply chain or end user group is more applicable.

A: David, I agree with that statement. In fact, I suggest that we put a plan together for at least the timeline for this document, so we can have some milestones and dates. Try and finish it up. The one-pager is great, a lot of good content there. It took a long time, took a long time for us to get there. We have a lot of good feedback on this document as well.

G: I have left things unchanged. If somebody put in a comment, I just left it as a comment. I have tried to only add suggested text so that people can decide whether or not they approve it, as opposed to just making changes to the doc. But if we went over and just didn't... accept all, and I think most of this... I need to walk through all the comments, because I don't know if all of it... I'm hoping that most of the comments have since been resolved. Probably need to walk, do a pass through.

G: We also need to talk about the other doc, because the two are connected: the guide for developing more secure software.

G: Okay, I mean, I think the main thing to be done on the one-page was, there was a discussion about how to reorder, and the way I've been trying to solve it is by reordering, as a pain. Let me... let's talk about that when we get to that topic.

G: Let's talk about the evaluating open source, though. What I propose is, let's start by just accepting the changes that have been made that are currently listed as suggestions, and then let's see if there's anything else that... because I think if we just accept all the changes, we will... we've gotten fairly close for both, well, for this document at least.

G: Okay, so let's accept all, and if you, after that, it'll be easy to review. Nobody has any ideas and proposals. However, I think at this point comments are helpful, but not very helpful. We really need "change X to Y" as suggested text.

G: It's here somewhere. Anyway, yeah, okay, so how's this. Let's do that, and if you've made a comment but not a change, see if you can figure out a proposed way to actually make that change. Oh, somebody already accepted some of that. I'm...

E: It's under Tools, Tools, Review suggested edits and...

G: Excellent, I know where it is in Word and OpenOffice. I've got to find out on this one. Oh, but looks like CRob has beaten me to it, so awesome, so.

G: Yeah, I guess the other issue, probably one of the first comments, this is by Vicki, which I think is worth discussion here, is: aren't maybe these covered by the developing secure software one-pager? A number of these are. I think it's worth highlighting a few of them as especially important for the evidence that developers work to make it secure. So my theory was, let's list some that are especially important and then link to the other document. That doesn't make it the right solution.

G: That was just the suggested solution, so I probably should put that last. Then I don't know if anybody objected, so I was hoping that that would kind of deal with that particular issue. But if that doesn't, then let us know.
E: Wait, quick, quick one! Yes! Yes, please! Rather than putting it in the meeting notes, where it can get kind of buried in a lot of meeting notes, to take a page from an earlier conversation in the last meeting, could we just open issues for each of these?

E: For things that we would like to do in the future, rather than adding them as notes to the meeting notes agenda, move them from the document to an issue in our repository, in our GitHub repository, so we can then track them and work on them there. For instance, if somebody says this would make a great blog post, awesome, whip up a quick issue, open it up, we can track that. Oh.

E: As we move through, and we look at the comments in the document, the things that we can address for the document that are relevant to the document, take care of those. Anything else, airlift them out and drop them very gently and kindly into an issue.

G: Yeah, so maybe we need to have a deadline. Pens down, let's see here, if we can have all proposed changes by next week. Seven days. I mean, this thing's been open for a while, so it's not like you only have seven days to write, but, you know, if we can get all proposed changes in by next week. The problem is, I don't want to just unilaterally make decisions. I really do want this to be a group, and I'm sure CRob feels the same way. We want this to be a group decision.

C: I would suggest we set up a Doodle, and anyone interested and able attend that call to go through, to focus on the document, and then come back and present those final proposals to the group next time.

A: I think it's reasonable to ask for all input to be in the document by a week from today.

G: Yeah, so all... and then we'll try to set up between seven days and 14 days, and we'll do a Doodle poll. Hopefully, I know I'm interested, CRob, you're probably interested, Vicki, I've gotta guess you're interested, and if not, maybe I can talk you into it, but, but.

G: So let's get those folks, especially, you know, whoever you are, let's take that last pass, and then we'll have two docs, and you know what, it's okay if later on there's... I would not expect there to be no changes in either of these. I would expect these to be updated and improved, and frankly, the first time we'll release it, we'll get a whole bunch of suggestions, and that's... so let's get that process started.

G: Yeah, two docs, Marta. One is the one-page guide for developing more secure software, and the other is the Concise Guide for Evaluating Open Source Software.

H: And my point was that it was, whom, who posted the link to the existing guidelines for developing that? I don't know if we finished or not.

C: Remember last year we went through and assembled a bunch of existing security guides and good practices. That's already... right, yeah, that's a resource, that's different than these two things.
G: Right, right, but the guide for developing more secure software does not try to list all resources available. It is very much a curated list.

G: CRob, okay, so let's move on, because they're really, in my mind at least, they're a pair. So the key thing about the one-page guide is, I mean, really it's been mostly done for a while. There's a couple comments and comments in there, but really the big challenge here has been figuring out the order of the suggestions. I think part of the problem is that people have disagreed on how we should order things. Eric Tice has had a number of, I think, very helpful comments, and is Eric... are you here?

I: I just wanted one quick, quick note, since you called me out. I did have my development team go through all of this. Oh okay. They all agreed it was very helpful. They didn't have any major updates other than order, similar to what I had, but yeah. Overall, they found it to be a very good initial guide to help them out.

G: Oh fantastic, all right, so I'm trying to deal with a technical limitation, and that's that in Google Docs you can easily suggest, you know, word changes, but it's kind of hard to track order changes. They just kind of happen. I mean, you can leave, you know, leave all the ordering changes and suggestions, but what you get is a whole bunch of line-outs. It's not at all obvious where things moved.

G: So I don't know if it was the best way to handle it, but what I did is I just copied the items below and then tried to reorder them. Eric Tice suggested that I actually probably should ask you to... to just complain, but I interpret it as: put the more focused, easily done items first, and then later either the more general or, you know, harder to do for various reasons, later.

G: So it's semi-ordered in terms of priority, and, you know, you do this, then this, then this, a semi-temporal order. Eric, if I misrepresented you, please correct what I just said.

I: No, I think the reality is, in certain points within it, there are things that are precursors, like when you mention tooling, and then you mention, you know, package managers and other things. You know, if you're fairly new to this, if you're not as experienced a developer, you're not as familiar with the different areas that are being brought up in this document, it's helpful to just kind of nudge them into it. Not everybody who's going to be using this is going to be a senior developer.

I: A number of people may be more junior, so getting them into each aspect of it, as it will help their application, and some of these things, you know, just inherently are good best practices regardless of security, but that's my feeling, and all of them kind of build up to attaining that best practices badge at the end.
G: Okay, let's see here. I think the main change in the... so we've been busting around with the ordering. It looks to me like one of the main questions left is moving seven, eight and nine between three and four in the second list. So basically it would be: use a combo of tools to evaluate your pipeline, and then evaluate software before selecting it, use package managers, use automated tests, and then monitor for known vulnerabilities. Is that a reasonable reorder?

G: Okay, I will take on the job of making the actual text above match below, but there's just, you know, sorry about this weird thing of handling order, but I just couldn't figure out a better way of making it so people could see what was being changed, see the proposal, without just having it happen.

G: Okay, yeah, so basically, yeah, so the list shows up in this one-page guide, it's listed twice. The first is the actual text and the second is just the proposed reordering. All right, so in fact we've already done two of those. All right, so I will take on the task of making it one big, happy family, and I think we're pretty close. I mean, we can always make improvements, but I think we're getting pretty close for this one-page guide. We've been beating on it for a while. Marta.

H: Yeah, I have, I got a number of comments from developers. I put them as comments in the document when they apply, but this one, there was one recurring thing that multiple people reported.

H: I summarized that as: this guide, for them, looks more like an integration guide and less as a guide for the developing on its own. So the thing they are missing is, for example, code reviews, doing code reviews, and doing code reviews from security experts or security-minded people from the project to improve the general quality.

G: Okay, good, I mean, I think one challenge, of course, is...

G: You know that not all projects have multiple people, but all right. So let's talk about that. Where would that go in our list?

C: So could you change the line to highlight "conduct an internal code review" and then at the end of that statement say, "and if you have resources and time, consider a third-party review"? Make the third party kind of an afterthought, because again, we're balancing budget here, we only have so many lines on our...

G: Right, right, complete security code... how's this: "complete security code audit/review, at least do internal, consider doing an external", but I think the problem is, no matter what, it's going to be two lines. Yeah. Well, that's okay, but I would like, in that case, we may as well have it in separate bullets, because I think adding the internal review is going to happen long before you do the external. I wouldn't.
D: Hi, sorry, I am the new person, so I'm going to be very prone to asking stupid questions, but one thing that occurred to me when I was reviewing the one-pager here is that you're talking about scanning for known dependencies, you're talking about creating a security advisory on GitHub, in particular around secure scanning for dependencies. I know this has been a sensitive point in Snyk, where people are...

D: ...towards Dependabot, and there, and I've seen a lot of discussion internally about wanting to ensure that OpenSSF language is vendor neutral. So yeah, I'm probably... that's what I ought to be inputting or pushing out there. I don't know how to make that better, neutral, obviously being a member of the community. I know this is valuable advice, but also, I do think maybe there's some way that it could be made more vendor neutral without necessarily listing all different products that somebody might use.

C: That is absolutely one of our goals and how we've been operating, Dan. We typically will, if there's a good exemplar, we'll say here's the practice, as an example: if you're in GitHub, here's Dependabot. So we try, we do try to do that. We may have missed... reading... normally Aza from GitHub is the harshest critic there is. He wants us to be as neutral as possible, but he's not here today to yell at.

F: No, I was thinking like "your brand first guide to whatever", that guide is, to keep all the guides similarly titled.

G: Well, I understand. That's why I'm suggesting maybe I should give up on "one page", because I think some people call this a tweet. That was one of the comments, but I like "concise", because it's concise.

G: I'm just worried about the number of characters in it, to be honest. Is everybody okay with "concise" for the title?

G: Having the whole group just figure out what the title is of the thing they're producing seems reasonable enough. All right, very good, all right, so we are at least being consistent.

G: All right, so I will try to work out a scheduled Doodle poll. I'll try to work out a Doodle poll, everybody comments by next week. This time the title should be locked, and then we will try to wrap this up. So the goal is, by two weeks from today, next meeting, to have final versions, as final of these things as ever again.
C: Yeah, and in parallel, referring to the awesomest new issue in our GitLab, number 71, if anyone's interested in starting to compose a blog that talks about these and why these guides are important, please kind of raise your hand to start to collaborate on that. So, ideally, as we get ready to publish these, we might have the supporting marketing material ready as well.

C: All right, so on our next call I would like to review our working group charter and get that formally approved.

E: I know, I'm sorry, but the TAC was working on a single kind of template charter that would apply to all working groups, and I know this because...

E: ...it to me, and I haven't finished it yet, because they were so busy wrangling the infamous issue 112.

E: ...is now, yeah, so I don't know where that is, but would we like to hold off on that until we... so we don't have to vote twice on that sort of thing? All those... there are certain things, like, you know, looking at attendance and stuff, that will be required regardless, but the definition of who is a maintainer, who is a core, all that sort of lovely stuff is potentially going to change, or otherwise, possibly, right.

E: Yeah, I will fully admit, just thankfully, I'm very grateful not to be a TAC member, so I don't have to be as clued into that, and I can just watch the comments go by, but I do know that standardizing now for all working groups is something they want to do, so I support the effort, but I don't want to duplicate it.

C: So we've had that item out and ignored it for a very long time. We need to... I want this group to democratically decide: do we want to, ah, be a big brother, big sister to the Microsoft people for their proposal? And then I also need to propose to the group... I want to give people the ability to express their opinions on: are they happy with how the group is being led? Do they want to make any changes there? I want to give us some structure on that.

C: Why am I all fuzzy on how the group is conducted? So I want to make sure I'm giving everyone fair ability to express themselves and make any changes that might be desired from the team.

E: So maybe there is some sort of interim measure that can accomplish the same goals. And do I have suggestions for you? No, I'm not going to be helpful that way, but...

C: I will divide us up into the three categories of maintainer, collaborator and contributor, so we kind of understand how that might look in the future, and then we will vote on things like Microsoft, or if we want to potentially make changes to how this group is led or run.

E: I think that's a great start. One thing we should certainly...

A: So, based on that decision, what is the homework for everybody here to prepare for that exercise next week?

C: All right, thank you all. I really appreciate all the help on these two concise guides, very excited to see those almost done, and we're looking forward to talking to you very soon. Have a great day, and if anyone wants to help with the blog, issue 71, just note that and I'll set up something, a straw man for that blog. Thanks, see everybody.