►
B
B
B
C
B
F
G
E
B
B
B
B
B
H
I
didn't
really
review
it,
yet
I'm
just
reading
through
it
now
and
I'm
just
wondering
how
it
would
work.
For
example,
in
case
of
you
know,
a
project
like
like
myself,
eskia,
which
is
actually
you
know,
part
of
two
open
source
communities
right,
the
old
wasp
and
as
well
the
openness
step
yeah.
It
is
a
bit
I
think,
conflicting
with
our
and
what
I
mean
are
the
oldest
community
assets,
the
intellectual
property
policy
etc,
and
I
also
don't
see
really
any
so
far.
A
B
E
A
I
A
B
C
A
E
A
A
I
C
B
G
G
A
G
B
Yeah,
I
remember
we
we
already
had
this
debate
a
lot
about
the
tools
and
yeah.
I
think
we
said
we
said
that.
Basically,
if
I
remember
correctly,
I
think
we
said
yes,
let's,
let's
leave
everything
towards
the
tools
working
group
and
every
time
we
we
have
well,
we
need
to
coordinate
with
them.
Then
we
coded
it
with
them
or
we.
B
B
G
B
Okay,
okay,
so
yeah,
so
for
this
charter
we
will
get
the
scope
and
probably
point
of
contact
added
to
that
we
will
so
I
I'm
asking
this
group
all
of
you
to
kind
of
look
for
look
out
for
a
pull
request
on
this
of
this
charter
and
review
it
together.
I
think,
and
then
after
I
think
that
after
a
few
few
rounds
of
review,
we
will
submit
it
to
the
tag.
That's
okay,.
A
C
C
A
A
B
D
B
D
D
It
sounds
like
preferably
physically,
but
also
virtually
in
this
day
of
focusing
on
the
open,
ssf,
so
they'd
like
each
of
the
working
groups
to
come
and
talk
about
what
they're
doing
current
activities
and
plans
to
help
try
to
waste
some
awareness
before
that
conference
gets
into
full
swing.
If
I
miss
any
details,
david
or
jewelry,.
I
I
D
I
For
those
who
are
interested
in
virtual
attendance,
I'm
working
to
get
more
clarity
on
what
that
experience
is
going
to
be
like,
and
I
apologize.
I
I
don't
don't
know
all
the
answers
we'll
be
doing
whatever
the
other
events
are
doing
and
I'm
not
just,
unfortunately,
not
fully
briefed
on
what
those
what
that
is-
and
I
hope
to
get
more
answers
for
y'all
by
the
tac
meeting.
D
Everybody
please
consider
it
should
be
a
good
event
and
the
conference
overall,
the
the
security
summit
is
looking
very
good.
I've
had
a
chance
to
review
some
of
the
abstracts
for
the
supply
chain
piece,
there's
some
some
really
good
talks
and
just
kind
of
peeked
around
at
some
of
the
other
mini
summits,
and
they
look
pretty
good
quality.
D
I
know
that
the
supply
chain
we
had
the
late
entry
that
we
had
to
go
vote.
I
need
to
cast
my
vote
actually
before
I
run
down
to
my
meeting.
I
think
they'll
be
done.
I
don't
know
the
progress
of
the
other
things
like
the
vulnerability
summit
or
any
of
the
other
little
mini
activities.
I
hope
soon.
I
think
soon.
B
B
E
Just
a
quick
note,
I
clicked
on
the
link
and
trying
to
go.
Do
the
registration
for
it.
It
seems
to
only
give
you
options
for
virtual,
at
least
it's
only
giving
me
only
virtual
options,
even
though
it's
supposed
to
be
in
person,
so
the
link
might
need
to
be
updated
somehow
something
to
look
into
for
someone
I'll
track
that
down.
A
A
Really,
I
think,
what
they're
asking
for
is
a
place
to
start
where
you
know
hey,
I
hear
there
are
other
things
like
salsa
and
scorecards
and
training,
and
so
on
give
me
a
a
place
where
I
can
jump
off
to
so
I
have
you
know,
and
so
I
have
attempted
to
create
such
a
thing
well,
for
if
you're
developing
secure
software,
where
do
you
go?
I
think
that
I
can
cheat
slightly
by
having
the.
A
How
do
I
evaluate
software
for
bringing
it
potentially
in
as
a
as
a
separate
one
pager,
but
be
that
as
it
may,
I
I
do
think
that
there's
value
in
having
a
a
single
home
page
where
people
can
go
start
so,
instead
of
just
saying,
hey,
that's
an
idea.
Let's
see
so,
I've
got
here
for
developers
and
then
the
draft
for
evaluation
draft
for
evaluation.
A
Let's
make
sure
correctly
all
right,
so
I
don't
know
if,
if
anybody's
taking
a
look,
if
you
can
just
click
on
the
draft
for
the
developer
guide,
you
know
it's
what's
supposed
to
it's.
What
it's
saying
on
the
tin,
it's
trying
to
be
a
single
page
that
you
can
go,
look
at
click
whatever
and
go
off
to
the
other
things.
A
My
current
theory
is,
you
know
we
need
to
put
it
somewhere,
eventually,
maybe
on
the
open,
ssf,
best
practices
or
maybe
just
a
on
the
open,
ssf
website
itself,
but
the
the
idea
would
be
a
place,
a
single
place
to
start
a
couple.
People
have
already
made
comments
about
it,
and
that's
great.
Thank
you
so,
but
before
we
work
on,
do
any
work
on,
I
I
see
you
yes
crop.
I
I
see
your
hand
up
so
the
question.
D
I
feel
incredibly
strongly
that
this
is
a
work
item.
This
group
should
work
on
those
of
you
that
have
been
here
a
very
long
time
might
remember.
I
proposed
such
a
thing
like
a
year
and
a
half
two
years
ago,
so
I
feel
very
strongly
so
my
strong
endorsement
is
yes.
I
have
already
participated
in
the
document
and
you're
watching
open
source
in
action.
D
We
have
two
gentlemen,
that
I
love
very
dearly
and
we
have
a
little
bit
of
a
disagreement
and
that's
okay,
that's
how
open
source
works,
we're
collaborating
to
have
the
best
solution
for
the
community,
so
I
would
encourage
everyone
to
go
in
there.
Express
yourselves
comment
on
the
document.
Make
suggestions
and
I
think
very,
I
feel
very
strongly.
This
should
be
a
work
product
of
this
group
and
should
belong
here.
B
F
E
E
E
A
We
had
worked
on
that
a
while
ago,
but
I
think
the
the
challenge
is
that
was
really
focused
only
on
alpha
omega.
I
don't
think
there's
anything
wrong
with
alpha
omega
deciding
that
for
funding
purposes.
They
want
to
prioritize
things
differently,
so
I
don't
think
it
has
to
supersede,
but
I
think
that
the
the
the
challenge
with
that
list
is
that
it
was
really
only
intended
for
alpha
and
omega,
and
I
think
we
need
something
for
everybody
now.
A
If
it
turns
out
that
they
do
basically
the
same
thing,
then
I
think
we
should
just
merge
it
all,
but
I
think
the
one
that
we
need
most
is
the
one
that
everyone
uses
and
if
alpha
omega
says
you
know,
you
know
we,
you
know
we
want
to
prioritize
certain
things
differently.
That's
great
alpha
omega
says:
you
know
what
they
did
here
was
great
and
we'll
just
use
that
and
that's
fine
too,
but
I
don't
think
they
have
to
be
or
necessarily
should
be,
the
same
thing.
D
They're
kind
of
for
purposes,
alpha
and
omegas
focus
more
on,
like
a
security
audit,
trying
to
get
a
handful
of
projects
up
to
an
acceptable
level
of
criteria,
whereas
we're
focused
more
broadly
on
helping
developers,
do
a
better
job.
Writing
better
code,
using
better
tools
to
secure
themselves,
a
slightly
different
objectives,
they're
very
related
that
I
you
know
I
I
don't
know
that
there
has
to
be
one,
but
if
we
can
be
harmonized
them
that'd
be
nice
too.
D
E
C
Two
two
responses:
first
krobe:
I
really
liked
how
you
put
that
for
a
second,
the
the
overlap
between
this
working
group's
charter
and
alpha
omega
is
superficial.
I
think
their
their
scopes
are
alpha
makers
narrower,
as
you
put
it
in
the
impact
it
wants
to
have,
and
this
one's
focused
more
on
the
educational
side,
but
I'd
love
to
see
more
active
communication
between
both.
I
think
there
is
a
lot
of
alignment
there
and
it'd
be
great
to
have
that
any
way
that
that
can
be
formalized
or
operationalized.
C
Yes,
you
know
if
I
can
help
route
requests
around
or
encourage
people
to
cross,
join
meetings,
love
it
and
the
cncf's
secure
software
factory,
ssf
document
came
out
of
the
cncf
tag,
security
or
technical
advisor
group,
hyphen
security.
It
was
focused
narrowly
on
cloud
native
development
models
and
tooling,
and
our
purview
is
necessarily
broader,
but
I
would
love
for
us
to
reference
the
output
of
that
work
and
the
working
group
itself
and
they
might
even
join
the
open,
ssf
or
perform
some
better
collaboration.
Who
knows,
but
more
cross-pollination,
there
is
good.
B
E
Hi
new
to
the
group
overall,
but
usually
when
I'm
doing
documentation
or
trying
to
point
people
in
a
new
direction,
I
always
have
a
a
one
page
or
something
like
this.
I
think
it's
a
great
idea.
The
the
section
I
also
always
include
is
where
to
look
for
more
information,
and
then
I
link
out
to
those
other
sources,
so
yeah
100
agreed
with
what
everyone
is
saying:
let's
try
and
keep
things
in
sync,
but
also
link,
there's
a
lot
of
great
information
out
there.
E
B
F
Thank
you.
The
other
thing
I
think
is
worth
considering
is
that
it's
great
that
the
lf
has
made
the
three
training
courses
that
david's
work
so
hard
to
create
available
free
and
we're
now
talking
kind
of
about
a
one
pager,
it
seems
like
there
might
be
a
also
a
somewhere
in
the
middle,
because
I
think
david.
If
you'd
agree,
I
think
the
hours
required
for
that.
Those
three
courses
are
something
like
between
12
and
20,
depending
upon
the
take
rate,
but.
F
So
I
think,
there's
a
an
opportunity
to
try
and
carve
out
something
that's
more
than
a
one
that
pager
developer,
that
might
not
invest.
You
know
a
half
a
week
or
you
know
time
over
a
period
to
try
and
get
them
at
least
onto
an
on-ramp
through
like
a
half
day
course
or
something
like
that
yeah.
Yes,
you
know.
A
B
Yeah
and
just
if
you
look
at
the
document,
you
will
see
that
I
had
kind
of
the
same
debatable
question
in
the
document
you
you
will
see
that
I
was
telling
david
hey.
Perhaps
we
could
add
a
bit
more
of
that
and
that
to
make
it
more
actionable,
etc,
but
then,
on
second
thought,
I
think
that
I
think
that
yes,
we
we
need
the
one
pager.
B
B
A
A
What
I
would
propose
I
mean
I
don't
know
if
we
need
to
do
a
formal
vote
or
not,
but
if
that's
a
general
consensus
of
the
working
group,
I
think
what
the
tac
wants
is
whenever
we
start
a
new
project
to
raise
it
up
to
the
attack
and
just
say,
hey
we're.
They
were
currently
planning
to
add
this
as
a
project.
D
D
All
right,
so
I
will
take
the
action
item
to
send
the
tac
and
email
thursday
when
I
get
back
home
and
we'll
talk
about
it
at
the
next
call.
If
they
are
interested
to
learn
more
and
I'll
respond
back
to
the
group
I'll
give
you
an
update
on
what
the
tax
says.
How
that
develops
any
questions
or
alternative
suggestions
to
that
course.
A
Security
guys
I'm
the
constant
troublemaker.
Sorry
about
that.
This
one
isn't
really
a
call
for
this
working
group
to
do
anything
special.
It's
just
that
I
got
contacted
from
the
lead
of
open
chain
open
chain.
Historically,
is
a
it's
an
iso
standard,
iso
ic
standard
for
ingest
of
open
source
software.
Historically,
they
have
focused
on
licensing.
A
A
G
That
is
how
these
best
practices
guides
will
be
published,
or
you
know,
proposed
rfc
period
and
then
officially
published
one
of
the
main
concerns
also
of
the
the
npm
authors
was
maintenance,
so
I
did
cover
you
know
what
we're
going
to
do
to
maintain
it
so
laurent
and
I
will
be
like
administrators
or
facilitators
of
the
repo.
You
know
doing
things
like
triaging
issues,
but
not
necessarily
writing.
Writing
the
guides
or
or
keeping
them
up
to
date.
There's
a
few
items
there
in
the
process.
G
But
the
main
thing
is
for
the
proposal
of
new
guides
to
do
that.
We're
going
to
have
like
a
drafts
directory
where
people
can
submit
a
guide
that
they're
working
on
and
then
once
it's
ready
for
review,
there'll,
be
a
review
directory
and
then
we'll
you
know,
send
an
announcement
out
to
the
working
group
or
to
the
mailing
lists
and
say
this.
This
document
is
out
for
review.
G
Please
submit
comments
in
the
form
of
github
issues
and
then
at
a
minimum
of
a
30-day
period
where
comments
can
be
put
in
and
they
all
will
need
to
be
addressed
before
the
guide
can
be
like
marked
as
published,
and
I've
actually
gone
ahead
and
submitted.
I
converted
the
npm
guide
from
google
doc
to
markdown
and
put
it
into
the
drafts
folder.
G
A
A
A
G
B
Yeah,
I
think
jackson
had
the
same
confusion,
but
but
I
think
we
discussed
that
when
we
when
we
started
with
the
npm
doc-
and
we
said
oh,
there
is
a
working
group
that
is
going
to
be
formed,
but
it
wasn't
at
that
time.
So
we
said:
okay,
it's
a
it's
a
best
practices
guide
so
and
we
are
the
best
practice
supporting
group.
So,
let's,
let's
start
it
into
the
best
practice
working
group,
so
I
I
think
it's
it
might
be
it
might.
B
It
might
move
to
the
package
manager
working
group
later,
but
but
we
decided
at
that
time
to
to
start
it
within
this
work.
Okay,
yeah.
I
have
a
question
jack,
so
I
guess
that
in
the
in
the
dark
itself
there
will
be
a
there
will
be
a
call
for
two
readers
to
submit
issues
into
the
repo
if
they
see
something
if
they
want
to
give
feedback
or.
G
Yeah,
absolutely
so
so
in
step
four
on
the
process,
the
doc
can
be
like
once
the
authors
are
done,
you
know
in
the
draft
phase,
they
move
to
the
review
phase
and
then
we
will
send
out
an
announcement
to
this.
Well,
it
was
was
this
working
group
and
the
mailing
list,
and
slack
and
say
this
is
kind
of
entered
the
review
phase.
It'll
be
a
minimum
of
30
days
for
comments
to
be
made
in
the
form
of
issues
in
the
github
repo.
B
B
A
I
You
are
wrong
and
they
are
on
the
public
calendar.
Let
me
I
believe
their
next
meeting
is
tomorrow
and
that's
wednesday.
The
13th
at
6
p.m,
eastern
time
us
and
that's
on
the
public
calendar.
They
also
have
a
channel
in
our
slack
workspace
called
securing
underscore
software
underscore
repos,
so
you
can
check
them
out
there
and
they
are
they're
getting
a
github
repo
spun
up
under
our
org
as
well
to
do
their
sort
of
incorporation
work.
So
those
are
the
three
spaces
and
I'll
drop
links
for
you.
I
A
You
yeah,
so
if
I
recall
correctly,
the
usual
rule
for
creating
a
new
working
group
is
they
have
to
meet
a
certain
number
of
times
and
have
you
know
more
than
one
org?
I
don't
remember
the
exact
details,
but
basically
they're
in
the
process
of
that.
I
think
their
next
meeting
either
they've
already
had,
or
their
next
meeting
will
fulfill
the
number
of
meeting
requirements.
Again.
You
probably
know
the
procedural
stuff
much
better
than
I
do
so.
G
G
A
A
Yes,
I
have
a
key
project
update.
I
mentioned
this
earlier,
but
it's
one
of
those
things
that
may
not
be
important
to
anybody
else,
but
it
certainly
is
driving
what
I
do
because
of
that.
We
our
our
courses,
our
our
fundamentals
course
is
released
on
both
the
lf
training
platform
and
on
edx.
It's
actually
developed
and
the
skf
folks
also
have
a
copy.
I
I
don't
want.
One
challenge
is
that
edx
has
certain
rules
about
how
updates
can
happen
and
so,
as
a
result,
significant
updates
of
content.
A
They
want
done
basically,
when
you
look
at
the
backing
up
times
and
so
on.
Basically,
we
need
to
have
our
updates
done
by
april
17..
The
lf
platform
can
update
whenever
but,
and
we
can't
update
for
small
things
like
typos
anytime,
but
they
really
want
significant
changes
done
at
by
particular
increments.
So
I
am
currently
in
the
process
of
updating
to
so
adding
all
the
material
from
the
2021
cwe
top
25,
which
is
actually
40
items
and
and
as
a
stretch
goal.
A
I
also
want
to
update
to
the
2021
owasp
top
10
for
web
apps.
If
there's
other
major
changes
that
you
want
to
see
in
those
courses
by
then
please,
you
know
post
a
a
pull
request
or
something
but
we're
gonna
have
to
get
those
in
quickly.
I
all
the
change.
I've
made
a
number
of
changes,
I'm
having
non-trivial
changes,
get
reviewed,
but
other
reviews
are
are
graciously
welcome.
A
H
Indeed,
you
know
I,
I
would
really
love
to
work
a
bit
more
in
the
future
to
add
more
content
as
well
to
it
because
yeah
I
mean
it
is
already
a
very
impressive
book
that
you
created
in
the
knowledge
but
of
course
yeah.
We
can
always
extend
it
with
more,
so
I
was
thinking
to
indeed
also
dedicate
some
time
you
know
in
like
q3
q4,
but
you
know
at
that
time.
A
A
The
fundamentals
course
is,
you
know
aimed
to
be
about
two
days
of
time,
the
plus,
and
it
specifically
points
to
the
skf
for
hey.
You
got
more
time.
You
want
to
do
hands-on.
Hands-On
has
many
advantages.
I'm
never
opposed
to
hands-on
the
challenge
with
hands-on.
Is
that
takes
more
time,
so
we
very
much
point
to
it
and
skf.
I
guess
is
now
including
at
least
a
version
of
the
course.
So
you
know
we're
all
trying
to
work
together
for
different
people's
needs
time
availability.
A
B
A
H
Yeah
well,
on
the
first
of
april,
we
did
like
the
soft
release
of
the
security
knowledge
framework,
the
new
module,
the
training
platform
module.
Actually,
I
also
used
it
in
the
workshop,
secure
coding
and
offensive
security
at
the
alas
benelux
day
yeah,
and
it
was
actually
yeah
very
well
received
by
the
audience.
H
B
B
Okay,
otherwise
I
can
use
this
three
minutes
to
get
a
coffee
before
my
next
meeting.
So
thank
you,
everyone,
and
so
please,
please,
review
or
look
out
for
the
pr
on
the
charter
and
let's
conclude
that
within
two
weeks
before
our
next
meeting.
Thank
you.
Everyone
welcome
again
for
the
to
the
newcomers,
see
you
next
time,
bye.