►
From YouTube: Education SIG (August 10, 2022)
Description
Meeting minutes: https://docs.google.com/document/d/1Lt8uGpiMFfgws8VF36xtTMaJAeHufha-7Dqz1tjrPGY/edit
A
B
C
D
C
C
A
C
A
A
Oh
alrighty,
I
think
for
like,
for
example,
the
vulnerability
disclosures
working
group.
We
have
a
document
that
is
about
ready
for
publication,
so
I
think
that's
something
we'll
probably
submit
to
talk
and
open
ssf
day,
but
if
we
had
anything
or
even
if
we
were
looking
to
potentially
do
some
type
of
meetup
or
targeted
collaboration.
A
C
D
A
B
Hi
david
hi,
I
mean
one
thing
we
can
measure
which
in
fact
we
at
openssf
already
do
is
just
at
least
measure
the
number
of
people
signing
up
for
a
course
for
not
at
x.
We
also
may
measure
the
number
of
completions
too,
as
it
may
seem.
We
we
can't
get
that
data
from
edx.
Apparently
I
don't
know
the
full
story
there,
but
we
at
least
measure
number
of
people
who
started
and
ideally
number
of
people
who
completed
the
course.
A
A
B
B
So
I
can
tell
you
how
many
people
have
started
and
I
can
tell
you
how
many
have
completed,
but
I
can't
tell
you
the
percentage,
because
there's
a
pipeline
between
those
two
state
stages
does
that
make
that
make
sense
so,
but
I
can
give
you
numbers
for
the
number
of
completed
for
the
lf
training
one.
If
you
give
me
a
couple
minutes,
I
can
go
hunt
that
up.
F
B
Okay,
yeah,
I
I
will
say
we
had
something
like
400
over
400
red
people,
starting
the
course
in
the
last
two
weeks,
which
is
what
I
remember
and,
of
course,
the
number
of
people
who
complete
is
going
to
be
far
smaller
both
for
time
and
also
people
drop.
I
I
don't
actually
think
that's
a
that's
a
a
failure
by
the
way.
If
someone
starts
a
course
and
doesn't
finish,
they
still
know
more
than
when
they
started.
A
F
F
A
Now
the
boggle,
with
scorecard,
for
example,
is
not
everyone
that
participates
in
scorecard
is
going
to
be
taking
the
class
or
reading
our
output,
so
we'll
have
some
influence
on
some
subset
so
that
the
it
won't
be
a
direct
core.
The
metric
won't
be
a
direct
correlation
of
our
efforts,
but
I
think
it's
a
nice
one.
C
A
E
Yes,
so
I'm
curious
a
lot
of
the
metrics
and
discussion
and
other
information
in
this
plan
is
largely
focused
on
individuals
that
have
already
reached
a
professionalization
level,
either
in
their
maintainership
work
as
a
hobby
or
as
part
of
their
career
growth.
There's
nothing
in
here
to
cover
any
outreach
with
pre-university
level,
education
systems
or
any
intent.
E
It
looks
like
to
focus
on
potential
success
criteria
beyond
a
one
or
a
two
year
mark
for
whether
or
not
a
higher
lower
primary
education
is
actually
going
to
be
effective
over
time
for
like
high
school
age
going
into
university
and
evaluating
whether
or
not
that
early
level
of
engagement
was
successful
and
improving
outcomes
at
the
university
level.
So
I'm
I
know
this
is
a
broader
question
and
I
apologize
that
I
am
late
to
this
group
in
asking
it.
But
what
is
defined
as
success
underneath
of
the
mobilization
plan?
E
A
My
personal
boggle
is,
I
very
much
support
it
and
we
can
put
whatever
we
want
to
in
the
plan
we're
going
to
need
to
have
people
that
are
willing
to
willing
and
have
expertise
in
focusing
on
those
areas.
I
can't
do
that
myself,
but
I
definitely
if
the
group
wants
to
go
that
way
and
have
specific
metrics,
for
example.
I
I
fully
endorse
that,
but
we'll
need
to
find
people
that
are
going
to
do
it.
A
B
A
B
Funny
you
should
mention
that
crow,
because
I
just
finished
writing
a
little
article.
Don't
tell
anybody,
but
I
actually
have
a
position
on
that
which
is
perhaps
a
little
cynical
is
the
wrong
term,
because
I
don't
actually
think
it's
cynical.
I
think
it's
a
realist.
Basically
my
view
right
now
is
that
grassroots
education
requires
grass.
B
Mentorship
is
great,
I'm
all
for
mentorship.
We
have
two
with,
but
the
mentorship
implies
a
relatively
small
number
of
learners
matching
to
a
mentor.
We
just
don't.
We
have
too
many
developers
who
don't
know
enough
yet
so
I
I'm
not
that's
not
saying
that
we
that
mentorship
can't
happen
it
can,
but
at
the
scale
of
the
lack
of
knowledge
that
we're
talking
about.
I
I
think
that
we've
we
got
to
be
careful
to
not
oversell
what
we
can
frankly
do
with
a
mentorship
program.
B
We,
you
know,
I
think
you
know
computer-based
computer
based
training,
I'm
sorry,
I'm
muggling
over
my
words,
but
you
know
computer-based
training
or
you
know
you
know
one
person
for
many
students,
I
think,
is
going
to
be
a
key
part
at
least
for
for
for
starting
out
and
then
we
can.
Of
course
you
know
if
now,
if
we
can
do
what
was
that?
What
was
the
other
thing?
The
you
know
he
asked
ask
me
anything.
B
F
Yeah,
so
I
have
done
this
before
right
for
cloud
computing
and
neuroscience.
No
one
knew
how
to
do
it,
and
a
year
later
we
had
2
000
people
up
skilled
in
being
able
to
do
this
on
azure
or
aws
right.
So
that's
where
I'm
pulling
from
with
all
this.
I
think
we
need
to
be
clear
about
our
year.
One
versus
your
two
goals.
I
do
want
numbers
in
year,
two
around
successful
mentorship
and
mentorship
for
me-
means
to
professionalization
right.
I
don't
care
where
they
come
from.
I
care
where
they
can.
F
So
I
do
believe
right.
What
we
need
to
do
in
this
first
year
is
make
sure
that
we
get
several
thousand
people
through
this
basic
security
training.
We
need
the
maintainers
to
have
their
basic
functionings
up
right
now.
You
can't
do
a
lot
of
security
contributions
to
a
lot
of
these
projects,
because
they
simply
have
not
set
up
a
way
to
do
that
standardly.
F
A
B
G
Yeah,
so
just
to
kind
of
piggyback
a
little
off
of
that,
we
talked
a
little
bit
previously
about
the
potential,
or
at
least
I
did
and
had
some
comments
on
it
about
potentially
building
a
something
of
a
mastery
program
which
provides
the
levels
as
people
get
trained
up
in
this
capability.
Obviously
they're
experts
in
the
industry
already,
but
it's
something
of
a
adding
a
train,
the
trainer
type
of
of
capability
to
this
and
really
starting
to
get
to
a
point
where
you
have
these
experts.
G
G
So
that's
that's
one
kind
of
question
and
the
other
part
is
what
you
were
just
talking
about.
Is
it
potentially,
you
know
we
have
best
practices,
badges
for
applications
to
be
secure
and
being,
and
knowing
that
some
of
these
projects
are
smaller
and
they
don't
necessarily
have
a
a
budget
where
they
could
hire
somebody
in
that
role,
but
would
require
a
volunteer
for
that
security
resource
on
every
project.
G
Is
it
a
scenario
where
the
incentive
is
some
sort
of
industry,
recognition
or
linux
foundation,
where
you
know
they
have
to
certify
at
a
higher
level
by
providing
that
resource
consistently
on
their
projects,
not
just
getting
the
best
practice
badge.
It
becomes
maybe
an
advanced
best
practices
or
a
you
know,
master
security
project
or
something
to
that.
That
degree
and
just
some
thoughts.
A
D
Yes,
david
two
things
first
thing
is,
I
I
think,
there's
a
lot
of
good
suggestions
and
conversation
here.
We
want
to
try
and
avoid
digging
too
deeply
into
the
weeds
on
these,
so
we
can
get
through
the
rest
of
the
plan.
Hopefully,
today
again
there
will
be
smaller
groups
created
for
for
each
for
some
of
these
tasks,
and
that's
where
I
think
a
lot
of
the
details
will
will
come
out.
The
second
and
more
important
thing
is
emily,
suggested.
D
A
A
A
A
E
B
E
A
There's
a
clue
at
the
start
of
that
sentence:
localization
that
to
me
means
translation
and
that
would
be
spoken
in
verbal.
We
address
computer
languages
above,
but
this
particular
item
is.
We
want
to
make
sure
we
would
like
to
have
the
the
contents
translated
to
mandarin
to
spanish
to
portuguese.
But
you
know
whatever
the
most
important
languages
we
have
and
then
I
ideally
make
a
plan
to
continue
that
effort
to
additional
languages,
vicky.
C
C
And
that's
a
completely
different
sort
of
target
than
year
two,
so
I
do
want
to
make
sure
that
you
know
we're
not
trying
to
bite
off
more
than
we
can
shoot.
I
perhaps
setting
a
percentage
that
by
end
of
year,
two
we
will
have
at
least
75
of
our
resources
translated
into
at
least
one
other
human
language,
or
something
like
that
to
to
get
us
going,
and
that
certainly
is
a
stretch
goal
that
I
just
threw
out
there.
But
you
know.
E
Emily,
so
I
know
that
this
is
for
year,
two
within
cncf.
Within
the
security
tag,
we've
always
had
open,
prs
or
open
issues
for
the
community
to
provide
translation
services,
particularly
if
they
are
experts
in
a
domain
area
as
well
as
well
known
within
their
region,
because
they're
they're
going
to
be
speaking
fluently
and
they'll
understand
the
english.
E
A
H
C
A
Right
and
just
you
know
going
forward
we're
going
to
propose
this
plan
is
going
to
be
funded,
however,
that
process
ends
up
being
and
then
at
the
end
of
year.
One
I
would
imagine
the
program
is
going
to
evaluate
how
we
did
adjust
the
year
to
and
beyond
plans,
and
I
think
this
will
be
a
continual
kind
of
road
map
tweaking
and
adjusting.
So
you
write
it
down
today.
It
doesn't
mean
that
in
year
three
nothing
happens
or
we
stop
translating,
but
just
directionally.
B
We
will
have
to
deal
with
figuring
out
exactly
which
languages
we,
I
will
say
that
gets
you
know.
Life
gets
complicated.
Okay,
chinese,
are
we
talking
simplified
chinese?
I'm
guessing
hindu
hindi.
Well,
wait
a
minute
that
there's
also
urdu,
so
he
just
life
is
complicated,
but
the
world
has
got
a
complicated.
C
C
F
Style
I
cut
you
off.
I
apologize
sorry,
I
cut
you
off.
No,
I
do
think
the
cncf's
community
approach
to
this
is
really
good,
because
what
we're
talking
about,
I
mean
realize
that
a
lot
of
this
was
developed
in
english
and
there's
a
lot
of
weird
language,
that's
very
colloquial
to
white
western
culture.
B
Yeah,
I
actually
have
having
run
some
translation
efforts
on
the
badging
application.
I
will
say
that,
generally
having
someone
lead
for
each
language
to
deal
with
things
like.
Oh
your
sal
example's,
a
great
one.
How
do
I
translate
supply
chain?
You
know
they're,
you
know
it
word
for
word
is
rarely
the
correct
answer.
B
So
I
mean
sometimes
that's
the
right
answer,
but
you
know
basically
making
a
call
having
the
discussion
and
then
being
able
to
stick
with
it,
so
that
it's
cons,
because
if
you
have
to
define
a
term
I
mean
you
have
to
do
the
null
languages,
but
once
you
define
the
term
consistently
using
that
term
is,
I
think,
a
big
trick,
I'm
frankly
not
that
different
from
writing
in
any
language.
Frankly,
as
far
as
consistent
use
consistent
terms
whatever
they
are.
D
B
A
A
We
had
talked
about
earlier
in
the
plan
about
hiring
people
that
are
going
to
be
focused
on
higher
education
or
particular
groups
like
historically
black
colleges
or
anything
that
requires
a
kind
of
specialized
skill
set.
So
this
item,
5-2,
is
just
expanding
the
people
that
already
exist.
We
probably
should
note
what
this
builds
upon.
A
F
Do
have
two
notes
on
this
because
we're
I
mean
this
is
above
and
beyond
the
initial
support
that
we're
giving
the
two
labels
that
I
think
would
be
really
important
here,
for
these
two
roles
would
be
a
focus
on
traditionally
underrepresented
in
tech
and
one
specifically
focusing
on
untraditional
pathways
to
professional
careers.
Okay,
that's
a
different
skill
set.
It's
going
to
need
a
strong
digital
skill
set,
but
I
think
that
would
really
make
sure
that
we
can
meet
our
goals.
D
A
A
A
D
E
B
Yeah,
I
I
would
ask
for
let's
not
forget
the
traditional
universities
as
well,
so
because
we
we
want
to
hit
all
cylinders,
I'm
fine
with
by
the
way,
the
traditional
non-traditional
pathway
division,
but
I'd
like
to
deserve
at
least
the
numbers
that
I've
seen.
It's
only
something
like
a
little
over
half
of
developers
go
through
traditional
universities
to
learn
how
to
develop
software.
I
mean
it,
it
isn't
a
non.
It
is
a
significant
number,
but
it's
also
a
huge
number
who
don't.
A
D
D
B
D
H
A
H
A
D
A
C
A
A
D
D
B
A
B
D
B
Okay,
so
I
do
know,
please
excuse
me
a
little
background
on
this.
There's
actually
several
papers
that
found
that
you
know
they're
they're
trying
to
go
backwards
to
see.
Where
did
this
insecure
software
come
from
and
the
if
the
answer
was
it's
a
stack
overflow
answer,
then
you're
doomed,
because
I
feel
because
the
correct
answer
for
many
software
developers
is
how
do
I
do
something?
I
google
stock
overflow
and
I
copy
the
first
answer
into
my
code.
F
So
I
think
that
this
makes
I
mean
this
would
be
a
clear,
quantifiable
outcome
of
the
language
domain,
specific
ones
right,
if
they're
creating
content,
they
should
also
be
able
to
reach
out
it's
a
little
bit
more
of
like
a
security
researcher
feeling
role
but
yeah.
I
would
I
mean
this.
This
would
be
really
high
priority
for
me.
F
A
H
Thank
you.
I
wanted
to
point
out
that
stack
overflow
may
not
be
the
best
place
to
do
this
kind
of
correction
and
well
not
to
say
that
developers
don't
copy
code
but
stack
overflow.
Answers
are
distributed
under
a
creative
commons
license
and
those
are
becoming
increasingly
unpopular
as
code
licenses,
because
they
don't
have
provisions
for
patents,
and
so
it
seems
to
me
as
if
the
general
sentiment
is
that
c
c
code
is
not
false
and
should
not
be
included
in
foss
software.
I'm
not
sure
it
necessarily
matches
the
open,
ssf
attitude.
B
If
I'm
even
so
bold,
I
don't
think
your
developer
knows
or
cares
they
don't
know
what
a
cc
is
in
many
cases,
what's
a
cc,
what's
a
license?
Does
copyright
apply?
I
mean
there's,
there's
still
a
large
number
of
people
who
argue
that
copyright
doesn't
apply.
I'm
not
saying
that's
a
good
viewpoint.
I
I
I
will
tell
you
by
the
way
the
law
has
not
lost,
not
been
repealed
and
laws
apply,
but
the
reality
is.
If
you
want
to
get
code
snippets,
this
is
where
they
get
where
they
get
acquired.
B
I
don't
know
of
any
other
places,
I'm
sure
there
are
some
but
I'll
bet.
It's
the
90,
it's
the
98
2
rule.
You
know
the
vast
vast
vast
majority
of
folks
right
now
are
getting
it
from
stack
overflow
unless
things
have
radically
changed
in
last
year,
which
case
I'm,
you
know,
of
course,
I'm
certainly
willing
to
be
educated,
but
we
can
talk
about
the
licensing
issues.
I
have
some
opinions
on
that,
but
that's
I
think
the
the
problem
is
right.
Now
we
need
to
reach
people
where
they
are.
H
B
Right
but
and
of
course,
there's
the
other
problem
that
you
know
for
a
lot
of
cases,
we're
talking
very
short
snippets
where
it's
unclear
that
copyright
applies
de
minimis
and
then
we
can
have
legal
discussions
and
bring
in
the
lawyers.
I
you
know
if
we
submitted
code
snippets
and
added
to
them
license
statements.
That
would
be
awesome,
but
I
think
step
one
is:
where
are
the
developers?
Where
are
they
getting
the
code
snippets
that
are
vulnerable
and
at
least
all
the
research
that
I
have?
B
B
H
F
Yeah
I
mean
this
is
a
bridge.
I
think
we
can
be
crossing
in
a
year
to
see
what
the
integration
can
look
like,
but
actually
I
think
what
would
be
beneficial
is
and
we're
not
here
to
replace
every
answer
to
cyber
security
questions
on
stack
overflow
right,
but
if
we
can
find
a
way
to
highlight
and
just
say,
hey
look
this
snippet
type-
or
this
has
been
known
to
be
a
cbe.
B
Not
in
all
k,
the
goal
was
to
identify
the
top
ones.
Just
like
we
can't
rewrite.
We
can't
deal
with
all
open
source
packages,
but
we
can
identify
the
critical
ones
and
there
are
existing
papers
that
basically
go
back
and
do
this
they.
Basically
you
know,
why
does
this
vulnerability
keep
happening?
And
the
answer
is
because
that's
the
top
answer
on
stack
overflow,
that's
the
answer
and
I
do
agree.
I
I
think
we
ought
to
add
to
our
comments.
D
B
B
A
When
we
turn
into
small
groups
and
focus
in
on,
you
know
fleshing
out
what
this
point
means
think
about
what
resources
we
may
need
people
we
need
to
deputize
or
if
we
need
to
make
this
somebody's
job
to
think
through
those
items,
or
do
they
need
tools
to
help
looking
at
in
our
last
10
minutes,
this
will
be
our
last
one.
For
today
I
think
5'4.
A
We
have
a
suggestion
to
add
a
statement
in
the
middle,
so
it
would
read,
implement
a
system
to
track
over
time.
The
number
of
people
who've
earned
various
certifications
and
number
of
oss
projects
who
have
maintainer
who's,
earned
certification
had
a
bad
certificate
for
maintainers
who
have
security
training
partner
with
other
organizations
to
make
information
easily
available.
So
we've
talked
about
this
before
in
other
points.
Earlier
in
the
first
year
on
the
plan,
are
we
okay
with
that
addition?
Do
we
think
a
hundred
thousand
dollars
to
put
towards
that
effort
is
enough.