From YouTube: Education SIG (August 10, 2022)
Description
Meeting minutes: https://docs.google.com/document/d/1Lt8uGpiMFfgws8VF36xtTMaJAeHufha-7Dqz1tjrPGY/edit
A
B
C
A
I thank you. It's one of eight I'll be wearing during our podcast we're recording this week.
D
C
C
A
All right, group, do we have any new friends stopping by today to say hello and help us with education?
A
It doesn't look like it, but my eyes are terrible. Do we have anyone that's willing to help Dave and I take notes?
C
A
Thank you. I appreciate the help. Do we have anyone that has any opens they'd like to talk about before we move on to our continuation of the plan review?
A
Okey dokey, but I have one open. The OpenSSF is having their European conference in.
A
Oh, alrighty. I think, for like, for example, the vulnerability disclosures working group, we have a document that is about ready for publication, so I think that's something we'll probably submit to talk and OpenSSF Day, but if we had anything, or even if we were looking to potentially do some type of meetup or targeted collaboration.
A
C
D
A
A
All right, let us look at plan 2.0. Section 411 is very sparse, but we decided we would like to have some type of measure of success criteria.
B
Hi David. Hi. I mean, one thing we can measure, which in fact we at OpenSSF already do, is just at least measure the number of people signing up for a course for not at x. We also may measure the number of completions too, as it may seem. We we can't get that data from edX, apparently. I don't know the full story there, but we at least measure number of people who started and ideally number of people who completed the course.
A
It, right, I'm sorry. We also could do number of certifications achieved.
A
F
What the current completion rate is for your cyber security cert.
B
No, for several reasons. First of all, we don't get the data from edX. We do get certain numbers from from LF training certification, but it's a little misleading because, first of all, not only do a lot of people not finish, but, you know, people take a varying amount of time.
B
So I can tell you how many people have started and I can tell you how many have completed, but I can't tell you the percentage, because there's a pipeline between those two state stages. Does that make, that make sense? So, but I can give you numbers for the number of completed for the LF training one. If you give me a couple minutes, I can go hunt that up.
F
B
Okay, yeah, I I will say we had something like 400, over 400 red people, starting the course in the last two weeks, which is what I remember, and, of course, the number of people who complete is going to be far smaller, both for time and also people drop. I I don't actually think that's a, that's a a failure, by the way. If someone starts a course and doesn't finish, they still know more than when they started.
A
F
F
A
Now the boggle, with Scorecard, for example, is not everyone that participates in Scorecard is going to be taking the class or reading our output, so we'll have some influence on some subset, so that the, it won't be a direct core. The metric won't be a direct correlation of our efforts, but I think it's a nice one.
C
A
E
Yes, so I'm curious. A lot of the metrics and discussion and other information in this plan is largely focused on individuals that have already reached a professionalization level, either in their maintainership work as a hobby or as part of their career growth. There's nothing in here to cover any outreach with pre-university level education systems or any intent.
E
It looks like to focus on potential success criteria beyond a one or a two year mark for whether or not a higher lower primary education is actually going to be effective over time, for like high school age going into university, and evaluating whether or not that early level of engagement was successful and improving outcomes at the university level. So I'm, I know this is a broader question, and I apologize that I am late to this group in asking it. But what is defined as success underneath of the mobilization plan?
E
Is it purely at the university and professional career level for maintainers or other individuals in the software development ecosystem, or is the intent to actually expand that and go beyond just what, on the surface, is the majority of the open source community? This is a lot deeper than that.
A
My personal boggle is, I very much support it, and we can put whatever we want to in the plan. We're going to need to have people that are willing to, willing and have expertise in focusing on those areas. I can't do that myself, but I definitely, if the group wants to go that way and have specific metrics, for example, I I fully endorse that, but we'll need to find people that are going to do it.
E
So then, my recommendation for this particular section is that any of the success criteria should be limited in scope, at least for year one and year two, to the trade school and university and professional maintainer level that we're focused on, and should not exclude any potential success criteria of early development programs.
A
B
B
If what what age you are, I mean, if you're, if you're, if you're nine years old and you cannot handle it, go for it, but I do think that there's gonna be a need for things that are more specialized, for, you know, particular high school and so on, and it would be great to figure out measures for that.
A
B
Funny you should mention that, Crow, because I just finished writing a little article. Don't tell anybody, but I actually have a position on that, which is perhaps a little, cynical is the wrong term, because I don't actually think it's cynical. I think it's a realist. Basically my view right now is that grassroots education requires grass.
B
Mentorship is great, I'm all for mentorship. We have two with, but the mentorship implies a relatively small number of learners matching to a mentor. We just don't. We have too many developers who don't know enough yet, so I I'm not, that's not saying that we, that mentorship can't happen. It can, but at the scale of the lack of knowledge that we're talking about, I I think that we've, we got to be careful to not oversell what we can frankly do with a mentorship program.
B
We, you know, I think, you know, computer-based, computer based training, I'm sorry, I'm muggling over my words, but, you know, computer-based training or, you know, you know, one person for many students, I think, is going to be a key part, at least for for for starting out, and then we can. Of course, you know, if now, if we can do, what was that? What was the other thing? The, you know, he asked, ask me anything.
B
F
Yeah, so I have done this before, right, for cloud computing and neuroscience. No one knew how to do it, and a year later we had 2,000 people upskilled in being able to do this on Azure or AWS, right. So that's where I'm pulling from with all this. I think we need to be clear about our year one versus year two goals. I do want numbers in year two around successful mentorship, and mentorship, for me, means to professionalization, right. I don't care where they come from. I care where they can.
F
So I do believe, right, what we need to do in this first year is make sure that we get several thousand people through this basic security training. We need the maintainers to have their basic functionings up. Right now, you can't do a lot of security contributions to a lot of these projects, because they simply have not set up a way to do that standardly.
F
But if we are successful here, and this is really my end goal, I do want on every major project at least one formally identified cyber security maintainer, on every major project, right. That, for me, it would be a very good success metric.
A
What does the team feel about that? Do we want to maybe commit to that for a year two goal: each, you know, of the top 100 critical projects, everyone has a trained cyber security, application security person on, as part of the team, core team?
B
I think it's an awesome goal. I don't think you'll achieve it, because people actually have to agree to it. But that's okay! You you, you shoot for the moon and you get higher than you were before. We're gonna.
A
Love it. Eric.
G
Yeah, so just to kind of piggyback a little off of that, we talked a little bit previously about the potential, or at least I did and had some comments on it, about potentially building a, something of a mastery program which provides the levels as people get trained up in this capability. Obviously they're experts in the industry already, but it's something of a, adding a train-the-trainer type of of capability to this and really starting to get to a point where you have these experts.
G
G
Just taking the certification classes to have a scope of those, where the office hours is one potential option, but also a cue of of, you know, where are these types of potential security, beneficial webinars, where people can fix requests for that information or ideas to continue to build out that series, versus, you know, having somebody live consistently, knowing that the the pool of people to do that is smaller?
G
So that's, that's one kind of question, and the other part is what you were just talking about. Is it potentially, you know, we have best practices badges for applications to be secure and being, and knowing that some of these projects are smaller and they don't necessarily have a a budget where they could hire somebody in that role, but would require a volunteer for that security resource on every project.
G
Is it a scenario where the incentive is some sort of industry recognition or Linux Foundation, where, you know, they have to certify at a higher level by providing that resource consistently on their projects, not just getting the best practice badge? It becomes maybe an advanced best practices or a, you know, master security project or something to that, that degree. And just some thoughts.
A
Yeah, we have a lot of tools that we can, you know, throw at this, and, you know, electronic badges is one, one of the easiest, and it's kind of up to us to help formulate how, ways we want to entice people, to entice and reward people to do this.
D
Yes, David. Two things. First thing is, I I think there's a lot of good suggestions and conversation here. We want to try and avoid digging too deeply into the weeds on these, so we can get through the rest of the plan, hopefully, today. Again, there will be smaller groups created for for each, for some of these tasks, and that's where I think a lot of the details will will come out. The second and more important thing is Emily suggested.
D
A
A
A
A
Section five is our desire, with five one, that the most critical education materials are localized into five languages, which sure sounds like a measurable OKR for me. So do we agree after year one we want to target little more globalization of the materials?
E
B
E
A
There's a clue at the start of that sentence: localization. That, to me, means translation, and that would be spoken in verbal. We address computer languages above, but this particular item is, we want to make sure, we would like to have the the contents translated to Mandarin, to Spanish, to Portuguese. But, you know, whatever the most important languages we have, and then I ideally make a plan to continue that effort to additional languages. Vicky.
C
I am a huge fan of localization of all the things, yay, but I also would like to be realistic. Is this something that's possible in the first year?
C
And that's a completely different sort of target than year two, so I do want to make sure that, you know, we're not trying to bite off more than we can shoot. I, perhaps setting a percentage, that by end of year two we will have at least 75 of our resources translated into at least one other human language, or something like that, to to get us going, and that certainly is a stretch goal that I just threw out there. But you know.
C
Yeah, no, I agree totally, yeah.
E
Emily. So I know that this is for year two. Within CNCF, within the security TAG, we've always had open PRs or open issues for the community to provide translation services, particularly if they are experts in a domain area as well as well known within their region, because they're they're going to be speaking fluently and they'll understand the English.
E
Is there anything within this document or any reason that we would want to prevent community members who are language experts, because it's native to them, from actually translating that material prior to the year two mark, at the very least, to to start those discussions? I.
A
A
H
C
A
Right, and just, you know, going forward, we're going to propose this plan, is going to be funded, however that process ends up being, and then at the end of year one I would imagine the program is going to evaluate how we did, adjust the year two and beyond plans, and I think this will be a continual kind of road map tweaking and adjusting. So you write it down today. It doesn't mean that in year three nothing happens or we stop translating, but just directionally.
B
We will have to deal with figuring out exactly which languages. We, I will say that gets, you know, life gets complicated. Okay, Chinese, are we talking simplified Chinese? I'm guessing Hindu, Hindi. Well, wait a minute, that, there's also Urdu, so he just, life is complicated, but the world has got a complicated.
C
Place, yeah, and a lot of that's going to come into who's available and who's willing. You know, if we've got someone who comes along and they want to translate it into something a bit more obscure.
C
Then great, let's start there, but, you know, it, there's only so much we can define there. This is open source. I'm sorry.
F
Style I cut you off. I apologize, sorry, I cut you off. No, I do think the CNCF's community approach to this is really good, because what we're talking about, I mean, realize that a lot of this was developed in English, and there's a lot of weird language that's very colloquial to white western culture.
F
So when you're translating it, like supply chain, right, there's, it's hard to say that in some languages, but, so I really like the approach that CNCF has taken, where I think, if we do want to identify leaders, so this may not be a full-time role.
B
Yeah, I actually have, having run some translation efforts on the badging application, I will say that generally having someone lead for each language to deal with things like, oh, your Sal example's a great one: how do I translate supply chain? You know, they're, you know, it, word for word is rarely the correct answer.
B
So I mean, sometimes that's the right answer, but, you know, basically making a call, having the discussion and then being able to stick with it, so that it's cons, because if you have to define a term, I mean, you have to do the null languages, but once you define the term, consistently using that term is, I think, a big trick. I'm, frankly not that different from writing in any language, frankly, as far as consistent use, consistent terms, whatever they are.
D
B
A
A
We had talked about earlier in the plan about hiring people that are going to be focused on higher education or particular groups like historically black colleges or anything that requires a kind of specialized skill set. So this item, 5.2, is just expanding the people that already exist. We probably should note what this builds upon.
F
Do have two notes on this, because we're, I mean, this is above and beyond the initial support that we're giving. The two labels that I think would be really important here, for these two roles, would be a focus on traditionally underrepresented in tech and one specifically focusing on untraditional pathways to professional careers. Okay, that's a different skill set. It's going to need a strong digital skill set, but I think that would really make sure that we can meet our goals.
A
I like the specificity. Can I get you to potentially type that in?
D
A
Again, one of our other goals is we want to make, I think in general content is delivered to a standard group of people fairly well-ish. I mean, one, we're trying to focus on expanding the reach, especially trying to draw more people into the field from all walks of life.
A
A
I like that. Any additional thoughts about expanding the relationships of the program?
A
D
E
B
Yeah, I I would ask for, let's not forget the traditional universities as well, so, because we we want to hit all cylinders. I'm fine with, by the way, the traditional, non-traditional pathway division, but I'd like to deserve, at least the numbers that I've seen, it's only something like a little over half of developers go through traditional universities to learn how to develop software. I mean, it, it isn't a non. It is a significant number, but it's also a huge number who don't.
A
Okay, and it should be our, one of our goals, to try to address as many pathways in as possible, writing tools. Things like SKF for people who want to do it hands-on, we're trying to sit down.
D
So Emily's.
D
D
Okay, I'm going to accept it and, let's mark it, and David, David has the third role on there, which would have us increase the total people to three people instead of two people. I remember.
B
A
So we talked about hiring a librarian, and this 5.3 addresses that, where we create and curate development security practices library in an open educational resource platform, so we have some dollars for a person to be the librarian and some money for some type of platform with which to store our resources.
D
H
A
A
But this, this is a particular, we're going to, we have a bunch of material today, we're going to be making new material or finding links, we're going to need to have somebody to help curate and organize it for us. That's what this is. The intention of this is.
H
A
You're welcome, and yeah. We haven't really talked about the attack framework, and I think that that potentially is maybe an advanced secure development course.
A
Any additional thoughts on 5.3? And thank you for that suggestion, Sebastian.
D
A
We are hiring a librarian. We have zero details, so, group, do we feel, before I move to avocado, let me ask a question: do we feel we want to hire this librarian person year one or defer to year two?
C
A
C
Isn't going to work well, and you're going to need more than one librarian and an extra budget just for bourbon.
C
I am not an MLIS, but I do know several, and I know exactly where to go posting that.
A
So we have a strong endorsement to move to year one. Any seconds or alternate thoughts, thumbs?
A
So we'll move to year one, and Avishay, I'm sorry! I interrupted you.
A
D
So the follow-up question on that, and there's some more chat stuff I've looked at, the follow-up question on that is, the next two rows are actually sub-rows of this task, so I'm not sure if they need to be moved up as well.
D
B
A
B
D
B
Okay, so I do know, please excuse me, a little background on this. There's actually several papers that found that, you know, they're they're trying to go backwards to see, where did this insecure software come from, and the, if the answer was it's a Stack Overflow answer, then you're doomed, because, I feel, because the correct answer for many software developers is, how do I do something? I Google Stack Overflow and I copy the first answer into my code.
B
There are no other answers, and so, if an insecure answer gets to the top of a Stack Overflow chain, there is no hope today, because there's no, currently no mechanism in Stack Overflow to say, you know, from an organizational, there are some mechanisms to do it, but it's not something that they normally try to counter, how's that. There are some people who have very, very high Stack Overflow to karma, I've forgotten their metric name, but anyway, they have a very, very high value and can actually influence this kind of thing.
F
So I think that this makes, I mean, this would be a clear, quantifiable outcome of the language domain specific ones, right. If they're creating content, they should also be able to reach out. It's a little bit more of, like, a security researcher feeling role, but yeah. I would, I mean this. This would be really high priority for me.
F
A
H
Thank you. I wanted to point out that Stack Overflow may not be the best place to do this kind of correction, and, well, not to say that developers don't copy code, but Stack Overflow answers are distributed under a Creative Commons license, and those are becoming increasingly unpopular as code licenses, because they don't have provisions for patents, and so it seems to me as if the general sentiment is that CC code is not FOSS and should not be included in FOSS software. I'm not sure it necessarily matches the OpenSSF attitude.
B
If I'm even so bold, I don't think your developer knows or cares. They don't know what a CC is in many cases. What's a CC, what's a license? Does copyright apply? I mean, there's, there's still a large number of people who argue that copyright doesn't apply. I'm not saying that's a good viewpoint. I I I will tell you, by the way, the law has not lost, not been repealed, and laws apply, but the reality is, if you want to get code snippets, this is where they get, where they get acquired.
B
I don't know of any other places. I'm sure there are some, but I'll bet it's the 90, it's the 98 2 rule. You know, the vast, vast, vast majority of folks right now are getting it from Stack Overflow, unless things have radically changed in last year, which case I'm, you know, of course, I'm certainly willing to be educated, but we can talk about the licensing issues. I have some opinions on that, but that's, I think the the problem is, right now, we need to reach people where they are.
H
B
Sure, nothing forbids you from also licensing code snippets under other licenses like MIT and so on. You're thinking specifically of CC0, I think, and I don't remember which license Stack Overflow uses. CC0.
H
I don't think any of the Creative Commons licenses have explicit permissions for patents, but yes, you're right, you can use other licenses if you explicitly state them, right.
B
Right, but, and of course, there's the other problem that, you know, for a lot of cases, we're talking very short snippets where it's unclear that copyright applies, de minimis, and then we can have legal discussions and bring in the lawyers. I, you know, if we submitted code snippets and added to them license statements, that would be awesome, but I think step one is: where are the developers? Where are they getting the code snippets that are vulnerable? And at least all the research that I have.
B
I mean, there's several papers about this, and all the research seems to flow back to, it's all from Stack Overflow. That's where they're getting them, the the vulnerable code, and that's where it never ends, because once something gets voted highly because it works.
B
H
Yeah, thank you, that that sounds good. It, it sounds like a, an operational consideration for the licensing, rather, yeah.
B
It's a good point. Go ahead, Sal and Dave.
F
Yeah, I mean, this is a bridge I think we can be crossing in a year, to see what the integration can look like, but actually I think what would be beneficial is, and we're not here to replace every answer to cyber security questions on Stack Overflow, right, but if we can find a way to highlight and just say, hey look, this snippet type, or this has been known to be a cbe.
B
Not in all k, the goal was to identify the top ones. Just like we can't rewrite, we can't deal with all open source packages, but we can identify the critical ones, and there are existing papers that basically go back and do this. They, basically, you know, why does this vulnerability keep happening? And the answer is, because that's the top answer on Stack Overflow, that's the answer. And I do agree. I I think we ought to add to our comments.
D
So we've got, there's some suggested rewarding going on, which I I I agree with. The points that that book, David and Sal made: Stack Overflow is by far the most used one. It's not all, it's not the only one, but it's by far the most used one. So I think.
D
I also suggest that we make this one the new 5.3, just to keep stuff organized, because it's still going to remain a year two task, and that will disconnect it from the stuff from moving up regarding the librarian.
A
I second that suggestion, and I also.
D
Is everyone done making their suggested changes to the the text updates to work on it?
B
B
B
You know what I would say: build on existing research in this area.
B
A
When we turn into small groups and focus in on, you know, fleshing out what this point means, think about what resources we may need, people we need to deputize, or if we need to make this somebody's job to think through those items, or do they need tools to help. Looking at, in our last 10 minutes, this will be our last one for today, I think, 5.4.
A
We have a suggestion to add a statement in the middle, so it would read: implement a system to track over time the number of people who've earned various certifications and number of OSS projects who have maintainer who's earned certification, had a bad certificate for maintainers who have security training, partner with other organizations to make information easily available. So we've talked about this before in other points earlier in the first year on the plan. Are we okay with that addition? Do we think a hundred thousand dollars to put towards that effort is enough?
A
A
B
And I will let Emily talk about Indeed. What was the other one? LinkedIn.
C
E
B
C
A
Something that is resourced, it's just something, an obligation we have to provide.
B
B
A
D
B
A
A
Yeah, it's excellent commentary today. I appreciate everyone's help and words and thoughts. If there are no other topics to talk about, we will start at Stack Overflow 5.3 next week. Thank you, everybody. I appreciate the collaboration. Enjoy your day.