A
Hello, everybody, we'll get started in a few minutes. Please sign in to our agenda and add any items we're interested in discussing today, and we'll just start in a few minutes.
A
A
Welcome to the March 1st edition of the OpenSSF's Developer Best Practices Working Group. I'm going to post a link to our agenda in the Zoom chat, if you could sign in and add anything you wanted to talk about. Just one thing so far to talk about, and we'll see what else everyone is interested in discussing today.
A
A
Note: we've been approached by a group that is being funded by the European Union to do some research in developing an open source security maturity model, so that call will be tomorrow at 10 a.m. Eastern in an alternate Zoom call. So if you subscribe to the OpenSSF's Google calendar, you should be able to see it there. I've also sent a link out to our mailing list.
A
Anyone that's interested in coming and talking to these folks about security maturity models and how that might either leverage our work or how we might be able to contribute to that, everybody's welcome. So we'll see you in about 24 hours from now, for all folks that are curious and want to join in. So, interesting, Eric. Cool.
B
I can confirm it, that the link is well in their agenda, in the calendar. I could see it and I plan to come.
A
No worries. So again, we're meeting with a group from the European Union tomorrow morning, 24 hours from now. Everybody in this group and the Vulnerability Disclosures Working Group is welcome to attend and kind of listen to what these folks are preparing and see if there's any collaboration opportunities there.
D
D
I and several of my team members have actually joined the call as well today. We are, we joined, Wipro as an organization, and our OSPO group has joined OpenSSF as a premier member. We're working on a number of initiatives this year.
D
I've got my CoE starting to adopt the best practices put forward by this and other groups, but, you know, we certainly hope to contribute to some of the best practices, tooling, vulnerability assessment for observability and other components as well. So definitely see a lot of overlaps, and we're pretty excited to take part and be proactive contributors.
A
All right, while Mr. Wheeler furiously types some updates, does anyone have any items they wanted to discuss more in depth today?
A
E
Hi, not much has changed since last, in the last two weeks.
E
We've started with parsers for the formats used by several OS projects, but if anybody in the hall has a project that would fit into opencre.org, or if by any chance there is somebody who works with standards writers out there, please reach out. I would be very interested in writing a parser to automatically add every single section, subsection of your standard or project into opencre.org and make it automatically linked to other things.
A
C
Sure. Step one: can you hear me? Excellent. Okay, no big, no. I don't think I mentioned this before, so I wanted to mention it. We had someone create 12 fraudulent badge entries. I guess there's the good news that, you know, it's visible enough that people want to start doing some fraudulent things. They clearly knew what they were doing, enough to add just enough data to fool the various automated detection systems.
C
Boo, hiss. However, one of the main points that we've always made is we make all the answers public, so anybody can look at this, and, you know, immediately people are asking, "Wait a minute, this claims this, that's clearly not true." Repeat. So we deleted all the badge entries. We've suspended the user account.
C
So, you know, sad, but yeah. Cool, though; it is at least cool that we can be, yeah, famous. I'm gonna try to take the positive view here. I mean, we've had spammers before, actually many times, but this one's a lot more, this one was a whole lot more eager to work at it. But, you know, we do, we can, we had to depend vulnerability into dependency.
C
We updated, we'd made a password change that we didn't realize would also make a change, a key rotation change, so that was fun. We now know that. So, I mean, updating dependencies is something we do all the time, but we had to track down why suddenly we couldn't do the updates anymore. I mean, it was a very minor foot shooting, so all is well. Nice.
A
All right, I.
C
See, yeah, yeah, there's actually a question in the chat: is it more work to try to fool the results than complying with the results? Well, I mean, clearly somebody thought it was better, it was easier to fool the results than comply. I'll be honest, I don't think that they were, I mean, for the most part there was no source code. They were just trying to earn badges without actually providing any value to the community.
C
Yeah, hooray. So, I mean, it's a whole lot easier to not do work than do work, I guess. But I think in the end, while it's not, you know, you want to prevent this perfectly in all possible situations, forcing public visibility is a decent last defense.
C
So that's all I can say about that, I guess. Thanks.
A
All right, and since you're here now, Laurent, do you want to share any updates on Scorecard in their recent history?
F
I don't have any specific updates right now. Sorry, did.
A
F
Yeah, I guess one update I could say is, since the v4 release we've seen a lot more people coming to the bayou team meetings, which is really good. But yeah, we're just continuing on. We're working right now on crowdsourcing the by week, the weekly scans that we have on Scorecard, crowdsourcing them and using the results of the GitHub Action that people install, so we don't have to run everything else. It helps.
A
E
Sorry, there is a standard called the Open Threat Model definition and I'm trying to find ways to parse it, and that's for OpenCRE, and I haven't found any. Is there any? Does anyone know of any leverage?
E
C
Yeah, I take it it's not just something like YAML or JSON. It's a bespoke format.
E
Not really. I know a couple of commercial and open source threat-modeling-as-code projects that use it, for example, pytm. I think the other one is called videos risk or something. It's based somewhere.
E
A
Don't know that it's exactly what you're looking for, but Judy posted a note in chat about an awesome threat modeling project on GitHub. I don't know if that's related or in the direction of what you're looking for.
B
I'm not sure if this is the right moment or you want to cover it later, but I've noticed that we haven't talked about our guide on the existing standards for some time. So.
A
An excellent segue. I will send you a Starbucks gift card later. Thank you.
A
So, as Marta mentioned, we had spent a lot of time last year working on the existing guidelines for developing and distributing secure software, and I believe I fixed the link that goes to our... oh, it doesn't go. Oh well, hold on, I'll give you an even better link, powered by my friend Xavier.
A
We have a resource out on our git lab that echoes the Google document, and so I wanted to take a minute: is everyone aware of this resource, and do we have any... we'd like to spend some time kind of cruising through it, making sure it kind of meets some of our objectives, and if there's anything else we wanted to add, if there were any gaps.
A
I am just the worst dad, try to track that down, those, so patches welcome there. If you see any typos, feel free to submit a pull request to correct them.
A
So our intention with this artifact was to identify good sources of secure development practices and any frameworks, training, anything that would be useful to a maintainer or a developer on an open source project, and try to provide them links and suggestions on where to go to get more information. For example, cody and c voting in Java. See, we have Java twice, that's great, I'll work to fix that. Free rails. So we had hit many of the big programming languages.
F
Yeah, on that note, we have the npm security best practices. We plan to, like, send a PR and maybe have it in a sort of draft mode where people can start, you know, RFC kind of mode, like request for comment. So we're still thinking about this. In fact, if anyone has ideas about, you know, what should be the process when we add recommendations so that some folks have time to comment, and how do we resolve?
F
You know, arguments or different views? I think that's something that we want to... we want to write a little doc on, like, what's the process, how long it's going to stay in RFC mode, so that it's clear for everyone. We haven't done so yet, but I'm hoping in the next few weeks we can do that, and if anyone is interested, please let me know so we can discuss.
C
So, CRob, I started making some edits to the Google doc, not realizing that you had started moving, had moved it to GitHub. Are we officially saying don't use the Google doc anymore?
A
C
Yeah, I think the only challenge is it's a little... you know, there are a number of things that need to be fixed. But, I mean, at some time, sooner or later, we need to make the transition, so.
A
It was interesting going through the doc to markup transition.
C
C
A
Went through and did a little HTML-style editing on the formatting.
C
A
C
C
Yeah, I don't know what sins you committed. All right, so in that case I would suggest that we clearly mark this as obsolete, or agree not to edit.
A
Going forward, we will officially use pull requests and all the awesomeness of Git to maintain the artifact going forward. So, I get, as people have suggestions, please submit PRs.
A
C
That's right, and actually on the README of the edx I describe the tools I used and some alternative approaches I found after the fact too. But it's all painful; it just depends on which kind of pain you want. There are some automated tools that do a decent job in many cases. Yeah, that's, you know, what can I say? Yeah, so actually, you know what, I will.
C
I will quickly grab from the edx folks and the edx GitHub conversion and link to that within our notes today. So everybody else wants to find it, it will hopefully help. Okay.
C
I didn't mean to stop the conversation. Oh no.
A
So again, looking at the file, aside from typos, do we see anything glaringly missing? Did we miss any awesome languages that are very popular, that we want to try to find, curate some good practice for? Does anyone have any favorite trainings or checklists or guidance around secure coding for any of these languages?
C
A
C
Yes, we are. Well, I don't know why you're laughing. If anybody likes to get paychecks or use a bank, you're using COBOL. There is.
C
We actually have, in the Open Mainframe Project. That's enough foundation. Okay, the Linux Foundation has many foundations. One of them is the Open Mainframe foundation. They have a lot of COBOL stuff. They even have a course on developing, on how to, on COBOL, learning COBOL. So I think that would be the group I would immediately connect to. You know, you may be laughing; I'm totally serious.
E
C
Well, so, yeah, back when the pandemic was first starting, there was a short on COBOL programmers to change everything so we could get checks distributed in the U.S. So there was actually a rush on education on COBOL so that these systems could handle new requirements quickly. So I'm gonna have to do a little digging, but I have talked with those folks before. I don't know if they have anything, but they would be the first folks.
A
I think that'd be an excellent addition. If you have the opportunity to make a connection, David, I think that would be very worthwhile to add to the guide. I.
A
I see Golang is listed twice, Java's also listed twice. We're missing C sharp, Angular.
A
I think once we have the work that Laurent is working on for the npm security guide, that might be a nice fit for that section, and we knew that the JavaScript piece was pretty light when we first started out.
A
So if anyone has any ideas, wants to do a little research to see if we can find secure coding guides, secure practices for any of these listed or unlisted languages, please do.
C
All right, and I am adding to the notes some ways I have found to do the Google Docs to Markdown conversion. There may be better. I guess Ava's had to do this pain; CRob, you've had to do this pain. This does seem like something that, you know, it's one of those things that pops up occasionally within this working group.
C
So if we can find... I will say, at the very least, I don't think either of the ones I just pointed to are well or really maintained at all, but they work. If there's one that's... and the second's the fork of a fork of the first one. If there's a better way that's actually being maintained, that'd be awesome. Heck, we could even say we'll take over a fork, but I don't know that we want to do that.
A
Eric mentions: are we interested in pointing to frameworks like SLSA yet? I don't know, in this... I think in general, as a good practice for developers, yes. This artifact is targeted around development languages, so I don't know that that would be exactly the right place, but, you know, using the power of adding a new file, we easily can start to create another artifact that talks about frameworks, so we could get into a conversation on threat modeling or supply chain management, other SDL-like activities.
C
A
And for our other future project, we're interested in developing kind of a newbie's view to secure development and open source, and SLSA was absolutely pointed out there, where Glenn has a graphic of the infinity loop for development and we were going to tag tools or frameworks at each stage of the development life cycle, and I think that is absolutely very appropriate there. And again, if we want to put it in the document here at the top, I think that's perfectly appropriate as well. Yes, we are missing Docker, specifically.
A
A
Any additional thoughts on things we'd like to add?
E
A
C
Can I speak up a little bit about this? Because I have done some, actually quite a bit of, research on this a year ago. I think we should scope this to within security, you know, not just generic model training. How welcome to do so. I even have some slides on this for my graduate class. I have to admit, though, the problem that I have there is I don't believe there's any useful guidance that we can give.
C
Anyone. In particular, countering adversarial inputs is a research problem with no working solutions.
G
There have been a number of talks at infosec conferences on that topic, describing best practices for building training systems. Yes, you know, the practices behind it, not the actual pipeline; the practices behind how you evaluate data into the system to decrease the ease with which someone can trick a model.
C
Okay, this is... all right, you're talking about a different problem. So I was talking about specifically adversarial inputs, not subversion of models. Now, subversion models, I do agree that we can certainly provide advice for that.
G
I believe they are very tightly coupled problems because... but we're getting off topic. It sounds like the answer is: in scope, if we can keep the scope of that topic narrow.
C
Yes, how is this, totally agree with you, in scope. There are several different problems. There's one particular problem that a lot of folks are worried about that I don't know of any working solution, and I actually did a lot of research. There's a lot of papers that say they have solutions, and then you find out that they work really great as long as the adversary is remarkably stupid.
G
But he doesn't know that they're building it that way.
C
Right, but I totally agree with you that there's definitely ways to counter malicious model training, you know, and there's some other attacks that you could certainly counter. We can do that. And you know what I'll do: I will post a link, as soon as I can get it, to some stuff that I provide to some graduate students, and, you know, I mean, that's very much, and, you know, that might be useful for this purpose.
C
So, because I'm very concerned about this, and, you know, Ava, if it turns out I'm wrong and there have been breakthroughs in this area, I would be so, so delighted.
C
Okay, specifically for the machine learning, what I'm going to do is I'm going to post an issue against the doc with a link to, basically, it's a little PowerPoint, but it's where I put a lot of this information, and then we can turn that into some pull requests and such. And it sounds like Ava knows some information I don't, and, you know, well, that's not new for me.
G
I don't claim to have the answers. I just have seen enough talks on this topic at security conferences to have the sense that, if there's a body of work out there that even is in its early stages, it's good for us to link to it.
A
I would like to turn our attention to a topic related to what Spyros notes in the chat.
A
B
C
All right, I've added a link to the new issue in our working, in our notes here.
G
C
G
Yeah, and a lot of what I'm remembering is focused to a specific domain, right?
C
You know what, focused solutions are still solutions, clearly. So, you know, I don't think that's out of scope. Now, if this becomes huge, this might be one of those we need to break off as its own separate thing.
G
And I raised the question, just to step back a second, I raised the question more from the perspective of: is ML in scope for this kind of work and the OpenSSF.
G
C
Obviously, ML isn't necessarily open source, but clearly there's a huge amount of machine learning tools, libraries and uses that are open source. So I think it's, I just, I think it's still, the answer is yes. But, you know, if this becomes its own thing, then maybe we pull it out as a "see this other doc" or something and maybe coordinate well with the... I mean, there's some AI machine learning groups, but let's see if we need to go there first.
A
All right, I've completely failed trying to find Glenn's diagram.
C
A
Does... well, I was looking to try to pull it up, hold on. So if you would gaze upon our agenda, the second item above, under future working group collaboration, the newbie's view: you started a PowerPoint that has kind of a rough swag. He's improved the diagram since.
A
But we were thinking about trying to put together some documentation for new developers or people looking to improve themselves, and then the idea of having a graphic on a web page that you could hover over, and as you did, it would list different interesting tools. And this was a very old diagram of his.
A
So what are our thoughts about contributing some time to start to enhance this with things like, as Spyros mentions, cheat sheets? So if there was a cheat sheet for good practices in key rotation within a Kubernetes cluster, you could kind of attach that into the diagram underneath the CI/CD portion or the maintenance portion of the life cycle.
B
I like that, and I would like to add also a support of, not a model or development where you do not do continuous deployment, where you do a release and then you do maintenance of the release.
E
Yeah, sure, I just didn't want to interrupt. So I have a PR open for the CRE project, and apologies for repeating the project, it's just the conversation this time is around mapping things to each other, which is what we do. So have a PR open for the CRE project to present, well, pretty much the underlying structure, which is a graph, as a graph.
E
We could start, like, we could transform this to map it to circles or the SDLC, which is kind of great. That's how we started manually with, like, or what project, and if we do this manually, it will mean it will be obsolete very soon, because projects fall out of support or things change.
E
But if we do this using OpenCRE, by mapping specific projects to specific CREs and things like that, we can sort of automatically check if a project on GitHub or GitLab has downloads or is active and indicate that in CRE. And this is not very hard to do, likely; both GitHub and GitLab have a very decent API. Yeah, just that.
F
So Scorecard actually does this in the check called Packaging. So I don't know if that's useful for you to reuse, but yeah, just letting you know that we do this in the Scorecard check.
A
Excellent. I will commit to the group to get Glenn's proposed diagram with phases, and we can start brainstorming together as a group what practices, what checklists, what tools and what other foundation projects or external projects are applicable in these different areas, so we can start to figure out how we want to tie this together. And I think wherever there's an opportunity to automate and keep things continually refreshed is best, as opposed to manually, much like my journey from Google Docs to Markdown, which was a very manual process. So I'm going to avoid that.
A
So I will get that list and the diagram so that we can look at that and start to directly contribute ideas to how we might start shaping this. But do we all agree that these two things, updating the guide and then having some type of series of artifacts around first, new developers, are those two worthwhile things we want to collaborate on together?
A
C
By the way, CRob, I've been trying to do two things at once, you know, and I'm about to send an email to the leads of the COBOL programming project from the Open Mainframe Project. Nice. And, you know, that lead and colleague, and, you know, there's no guarantee that they'll have this information, but they seem like the right folks to contact, and I'll also contact the Open Mainframe Project in general. We'll see what they've come up with.
A
A
Computer explosive alarms. All right, well, I appreciate everyone's time and contributions today. Remember that tomorrow we're meeting with the folks from the EU. If you're interested in talking about open source security maturity models, we would love to have you. Details are on the mailing list and also in the foundation's calendar. You can get a link to the Zoom call.