A: Are you actually on site, in place?
B: Yeah, I'm actually at a hospital. I had to drive in my dad, for driving my dad for a scheduled operation. So, oh, goodbye, yep. So yeah, I hope all goes well. Me too, me too. The expectations will be fine, but you know, duty calls. Absolutely, no worries.
D: Guys to serve, man, yeah.
B: Yes, can those of you who have not yet added your names to the roster... I will, you know, please. Please do so.
B: Maybe we ought to put the template in the bottom to, you know, try to anticipate errors and fix them ahead of time.
D: We'll get started in a few minutes after the hour, if folks have either updates to projects that they're involved with that are part of this working group, or if you have some opens you want to discuss with the group. We have a couple things from Laurent to talk about shortly, but if anyone has any additional topics, please add them.
D: All right folks, Mr Wheeler has put a link to the agenda in the chat. If you could, please mark your attendance; that would be super awesome. If you have any opens you'd like to discuss, please put those down a little bit further in the agenda.
A: Well, I'll raise my hand on that one. Actually I'll maybe even turn on our videos at work. It is, yay, hi everyone. I am me Ambrose, but we're all friends here. You can call me Vicky. Oh my gosh, David, you're wearing a mask, how weird. Yeah, hi, I am director and senior strategy advisor at Wipro Limited. Oh, oh now, I'm feeling left out, yeah.
A: So I am starting to lurk on a whole bunch of OpenSSF calls to kind of get the lay of the land and see how we can make the most, the biggest impact, or any impact, and try and contribute. So I'll probably just sit around and shut up most of the time and listen to all the great stuff that you all have already done, and see where I can bring in some people to help us.
D: Right, if you have any items you want to add to the agenda, please put them down here in the open section. Looking at our member projects, does anyone have any really important information they want to share with the group, any updates from our projects?
B: Excellent, so the OpenSSF Best Practices Badge. You know, as I think most of you know, this used to be named the CII Best Practices Badge. It's now been renamed; because of that we need to change the logo, and you know, renaming things and changing logos is one of those things that's important, but it's absolutely a bike-shedding event and there's no getting around it. But it's important to have one because it's, you know, it helps people remember.
B: We have several draft logos that are posted, some discussions about it. You know, if you have opinions on this, please just post it on that GitHub issue and let's hear it, because we want to get this resolved and have a new logo that actually... Oh, and if you're going to follow the links you can actually show all the... So right there you're seeing the old logo that says CII.
B: So we have to fix that. If you drag further down below, there were questions about the goose and the trophy, but both were too generic. So the idea is we want to combine a trophy and a goose somehow. So if you keep going down, keep scrolling down there... there's there.
B: All right, so we have three options: A, B and C are the current proposals; all combine the goose and the trophy somehow. Several folks like this trophy on a shield, and somebody actually created a fourth one, I'll call it option D. You know, tell us which one you like; if you don't, if you would propose something else instead, tell us that too. But just, you know, now is the time. If you have thoughts about logos, tell us and let's get that done. Okay, C or D, all right.
B: No, no! The Zoom chat is the wrong place; that will end as soon as this Zoom call ends. So if you want your opinion to actually be listened to, put it in the issues where everybody else's are, so that everybody sees the thoughts. Okay, so we do want your thoughts, but make sure they're there, they're in that place, so everybody sees them and they're recorded and all that good stuff. Other than that...
D: That's what I thought. Excellent, thank you. Do any of our other member projects have updates? And please, listen, as David mentioned, go to that GitHub issue and vote. It's important to get your feedback. But do any other member projects have anything they wish to share?
F: Maybe from the SKF team. So we actually started one and a half weeks ago with the SKF learning platform. I briefly mentioned it the last time we had the meeting: to really create this self-study, hands-on learning capability with the three profiles, so secure development, web API penetration testing and ops infra.
F: So we actually started with that. The team, you know, the company that I work for, they heavily invest in resources and make people available to, well, achieve this. Actually one already delivered: he converted all the Python labs that we have, like 75 labs, converted them into Node.js labs, so that is, yeah, already a nice addition, and now also other colleagues are busy mapping them to Java and to .NET.
F: Also, in the meantime, I'm finishing up, wrapping up the single sign-on solution, so we tested it in a docker-compose local installation. It seems all to be working, so now we're also writing a blog and doing the documentation.
F: Then a small part converted to Kubernetes. So that's also done, and then we're basically ready for that big release. Yeah, a lot of stuff actually happening there. Yeah, we have like four or five people now working on it actually, yeah. So that's going to be pretty amazing. Also, we need to see, at the time when it's ready and done, to also involve the OpenSSF marketing team.
F: I don't know if we have one, but you do, okay. Of course, a stupid question because, you know, as you know, so the company I work for, they're very, going to publish it big, but also, probably, it's not 100% sure, but also other partners and companies want to help and provide resources. So, you know, from all of us, OpenSSF, the companies who...
F: ...and contributed, we actually want to align to come to a nice, yeah, marketing announcement and stuff like that. So if it's, yeah, ready-ish, I will, you know, involve and ask for people who we can involve in that to also help with getting that message out. Yeah.
D: We'll loop Jennifer in, and she has access to the folks back at the LF that we can, marketing comms folks, so we'll see what we can do to augment that messaging.
F: Perfect, and you know, I also, when I look a bit more in the future, I also spoke at least in the OWASP organization, and they said, like, hey, you know, we could actually, hopefully, in the future, also have like a fourth profile, saying: hey, OWASP tooling.
F: You have like the possibility to really play with the other projects, and, to be honest, I also think we should have in the future an OpenSSF profile track as well, where you can play with all the OpenSSF tools right in a lab environment and try things out, right. But for now there is future music, a lot of things, and then vision there.
F: But first we want to deliver the three tracks itself, right: the secure coding, web API and the ops infra, and then from there we will, well, hopefully, you know, get more things in it and more profiles and tracks. So I'm really excited about that.
G: Yeah, I can go. I don't know if Azim is in the call, so I'll talk on behalf of the Scorecard team. I think we launched a v4, that was last week. I copied the blog, the link to the OSSF blog post, and right now we're working with the Projects by IF company, which is a UX company based in London. We worked with them on SLSA, that they have sigstore.dev, and we're working with them now for a Scorecard website.
H: Sorry, I just wanted to add to Laurent's point. I think I brought this up last week also, but if folks maintain your, if you guys maintain any repos or projects, we'll be very happy to get some feedback on the Scorecard action that Laurent just launched before. So yeah, please do install it on your repositories and provide some feedback, and it'll also get us some eyeballs, so that we can say that some important repos are actually using this tool.
I: Hi, yeah, I'm Spyros. Yes, this, you have an excellent memory. This is exactly it, so we went away for a while developing a bunch of new features and adding a ton of new data. Now since September, since, yeah, the September OWASP 20th anniversary conference, we launched opencre.org a little bit more publicly.
I: Now it has links between several standards for now, including most of the OWASP documentation.
I: And if you go on the repository, there are two chunky pull requests open: one to add also tooling and code as nodes that can be linked to, and one to map ZAP, OWASP ZAP, alerts to CWE and other CREs. And there is another pull request coming this week to add significant parts of SKF, the Security Knowledge Framework that Glenn is developing, to CRE as well.
I: The plan for, like the vision for the project, is to be able to be like a one-stop shop, also queryable via machines, for pretty much any security-related information or links between standards.
I: It's not a content hosting platform, but it gives you the links of where the content you're looking for is hosted and how it relates to each other, and it starts from, like, regulation all the way down to, you know, "here's the code or Terraform that allows you to do this", which should be pretty handy for, as I said, any machine or human who wants to find out the links between high-level and any other level concepts.
D: And we have somebody who wanted to talk about GitBOM.
J: Sorry about that, was fighting with Zoom, couldn't get it to unmute.
J: Just dropping a note and a mention for those who've been aware of the project: should be launching, you know, any day now, and I wanted to ask this group if this is a good forum to talk about it in the future, or if that would be a different group. And I can give a quick summary on it, if folks who don't know what it is...
J: It is a proposed mechanism for automatic artifact, automatic and verifiable artifact resolution. So being able to go from source files in any build process for any language and have them automatically traceable all the way to whatever the final build is: if it's an executable, a library, a Docker image, doesn't matter.
J: We've got a white paper. Some folks have seen my draft of that. It's getting some updates; we're about to launch a website for it and community meetings, things like that. So I just kind of wanted to give a little update and ask if this is a good group to continue sort of coming back in every so often, dropping more updates here, or if I should do it in a different OpenSSF working group.
J: The end result, if we're successful in building this, which it looks like it shouldn't be that hard to do, is that for any binary that you have, you could scan the binary using a very small fingerprint embedded in it to then cross-reference all source files, regardless of language, regardless of the depth of the tree, against, you know, source files that are known to contain a compromise or be of a vulnerable version. You can cross-reference at runtime or at launch time the source tree for any given binary that you have in hand.
B: Yeah, a lot of people may not understand. If I can try to summarize something longer in one sentence: the goal is to insert a bunch of cryptographic hashes into the produced results. Feel free to correct me, Aeva, it's your idea.
J: Yeah, that's a fair enough summary: insert a 20-byte hash, or, you know, on that scale, into all binaries in a consistent manner, so that they can be chained together at each step of the build process. You can point to the binary, the binary points to the hash of the binary in the previous step.
B: Aeva, to answer your original question, I mean, neither. It clearly is related to this working group. You could also make a good case it relates to the Supply Chain working group. Indeed, I frankly don't see any reason why we can't hear about it in both. But okay, I mean, that's, having knowledge, as opposed to a lack of knowledge, is probably the better thing, yeah, but.
A: Er, fits into the Tooling working group.
C: Is that... Well, I'm definitely interested in that, so I would like to at least have updates for sure. Okay, I think that it, for, I mean, to get more, to get things going and to work on it and to actually work on it, I think the Tooling working group, as Mata said, is a better working group, but I would definitely want to have an update.
C: I mean, if it's not part of this working group, I will definitely go and lurk into the working group where it is.
J: At the moment, we're running, we're going to run it as a separate project outside of any foundation. For now, what I anticipate happening is GitBOM will have two high-level working groups of its own: one, the spec discussion, and one for languages, and that one will probably fragment into different discussions for the implementation for each language or compiler.
K: So this is, I know, I'm sorry, I know I'm confused. Are you proposing to bring this to this group or not? Because it sounded initially you were proposing this group, to land here, possibly, or some other group, and then you just said, but this is going to stay outside. So what is it that we're going to do here or somewhere else within OpenSSF?
J: I'm not proposing this group take on any new work. I was asking if this is a group that would want updates on the project, if there is a way that it fits into this group's work or not.
K: With what you said before, it seems to me that this would be in the Tools working group, but, you know, I have to admit, even after a few months now around OpenSSF, I'm still unsure how things get, you know, organized around the different working groups, or maybe disorganized, I should say.
K: Sorry, I think we can conclude that this is relevant for many working groups, and if it's primarily about disseminating information about this going on, I think nobody would be offended if you, for sure, send it to more working groups. Maybe presenting it just once is fine, but inviting the others over would be like an obvious thing to do. But I guess we're all interested in that kind of... We shouldn't squabble about where exactly that is going to be presented, and you don't need to do it like five times over.
D: Yeah, I think the group overwhelmingly is very interested to learn more, and I think we definitely could assist in evangelism, is kind of sharing good practice with the open source development community. We can figure out a way it's easy for your community to get updates here. Whether, you know, you go to something like the TAC and then we bring that back here, or we have a special request periodically for you folks to come in and maybe give us a little five-minute update; we'll work out those details. Sounds good.
D: All right, Laurent wanted to talk about some general security guidelines.
G: So yeah, I'd like to discuss this first and know whether, yeah, there's any feedback or concerns.
G: All right, so yeah, maybe, maybe don't show the Omega project. I think it's confusing. So, so we started writing a doc on npm best security practices. We have a draft and it's being reviewed by the npm security folks right now; they're busy, they're busy on something else. So, you know, I'm still talking with them. We're gonna get back to the draft soon, and we also want to start working on the pip best security practices, and we have someone from the Python foundation who's happy to help us there.
G: So yeah, I'd like to know if it's fine to make, you know, package managers best security practices a work stream of this working group. I guess that's my question.
B: I definitely think it's within scope. We need to define what it is a little more deeply, you know, the title: what are we going to cover? What's not going to be covered? But I mean, as far as best practices go, absolutely. This makes complete sense to me.
A: I have to hop off to another meeting right now, but Laurent, I used to work for Gradle. I used to be on the security team for Gradle. If you want to hit me up around Gradle and the Java ecosystem, please DM me in the Slack; I'm happy to sit down and have a conversation with you. I don't have time to write anything down, but I'm more than happy, and I also agree that, you know, best practices for package managers, very, very relevant. So, but yeah.
A: Please, please don't hesitate to reach out to me by the Slack when you get some time. I'd love to chat with you more one-on-one.
G: Okay, can you add a comment in this doc so that I have... I don't have...
A: It, I don't have it open right now. I'm probably on my phone, so Jonathan, like, if somebody could have that for me, that'd be great.
B: I'm hearing a bunch of positive and no negative, so I think if this is a thumbs up, Laurent or Xavier, will you add that to the README to identify this as a working group task? And our first task will be figuring out what the task is, as it were, not well working out the scope of this, but that's okay, and I presume that that will be a common topic for next meeting, is trying to refine that and start working on the contents.
G: Okay, so I'll move on to the next quick update. So I said earlier that we, as the Scorecard team, we're working with this UX company called Projects by IF to set up the Scorecard website.
G: This company is the company we worked with for the SLSA website and the sigstore.dev website, and something that we're trying to do with them as the next project is having a landing page that basically ties all these different tools that the OSSF is developing, the motivation being that, from a user's point of view, it's pretty hard to see how, you know, sigstore and cosign and SLSA all tie together.
G: So we'd like to have a central point where we can explain all this more in detail.
G: So that's, so I wanted to have some feedback with this, and here we're looking also for a domain name that would be a good domain name for this central landing page, and I'd like to have some feedback from everyone about this. As...
G: So this would be, I think, more on behalf of the foundation, because this is, I mean, this isn't something we really have... This we haven't yet discussed, but since it's going to, you know, have all the, you know, the different toolings, I guess it would make more sense to have it on behalf of the foundation. But if you think that should be a separate project, I guess that's also fine.
G: So, so, but by data I meant more about tutorial and guidelines, and how, as an engineer, as a developer, what's your journey to secure your supply chain, for example. It's not about data as metrics data; it's more about: how do you take me from where I am right now to, you know, to the next step, where I secure my development cycle and how do I deal with Scorecard and things.
F: It sounds a bit like the initiative we started a while ago with this landing page, this one-pager, where we also reference, right. So you have like the developer coming, wants to learn something or implement a certain piece in the SDLC, for example, and then clicks on, you know, that part, sees the tooling, clicks on it. You go to the tooling and there you have the documentation and guidance right on how to do it. So yeah, I think it's a bit like, yeah, like that one indeed.
D: It's so, around like naming the domain, I think I would suggest we take this to the TAC to see kind of how the foundation feels about it and potentially get something aligned with the OpenSSF existing domains.
D: If you'd like to maybe put out a proposal, like get a Google doc together with some of your ideas, I'll be glad to work with you and then we can go and kind of talk about it with the TAC. And I do like Glenn's idea. We've been talking in this group for a long time and we've just not had time to get back to it: it is having an infographic to help people, and that may be something we can incorporate there as well.
M: Tell me to take this one, Laurent? Yeah, please go ahead, and he's been talking a lot. So yeah, just as a quick reminder for everybody.
M: The Omega project is the sister project to the Alpha project, where, on the Alpha side, the project is to engage, to do like a high-touch engagement on a few number of projects.
M: So one of the requests that Laurent and I agreed to take a stab at from the project was to take some of these security recommendations that we have, whether they're from the Scorecard project or from the Badge or other projects that we've been doing research on, and also including some of these, the research on the project, I'm sorry, the package manager guidelines that have come up that Laurent was just proposing.
M: We organized it by, you know, let's say like two through six are things you just flip on, whereas some of the other ones are a little bit more involved, involve auditing your, your things like your CI/CD or your permissions. But anyways, we came up with this list.
M: Each one of these items is going to need a document written on it, and for the documentation for the Omega project, we want to keep pretty high level, because we're not, because the more detailed docs we want to go, we want to go in that other project, the general security recommendations project, not something that's pigeonholed to Omega specifically. But we do want to come up with this top 10 list, as "here are the things you can go do and improve your security". So we want feedback here. Are we missing something big?
M: Do we have the order wrong? Do we have something on here that is not very important? Click on it, provide feedback, and we would be very happy to get that. Sorry for the sharing.
B: Yeah, have you looked at the badges? Have you looked at the Best Practices Badge? Because that's also the point of that, yeah. So I want to talk about that at some point.
B: You know, some of these things like, for example, multi-party review, I'm all for that, of course; for the vast number of projects where there's only one developer, this is probably not a reasonable thing to ask them to do. Certainly turning on the updates, and in general, turning on all these things is a good plan. Pinning dependencies: good idea for apps, terrible idea for libraries.
M: Yeah, well, I think there's a lot of specifics on the package manager system there as well. So again, like a lot of these are going to be the recommendations, and then, you know, the top-level headline is what we're looking for to settle on here, and then the specific recommendations will be, you know, need to be developed. Yeah.
A: Yeah, so as I skim over this, one of the things that really stands out to me is that a number of these are fairly GitHub specific, and if you go looking at the critical OSS projects out there, a large number of those are not on GitHub. They might be on GitLab, they might be on Apache, they might be on Eclipse, but they're not necessarily on GitHub. So relying on GitHub for security recommendations, I think, is maybe not the best idea.
J: I would strongly agree with that and, as I've said, it's been a while. I urge folks to consider that open source is very broad, and I'll drop a link in chat: the very first study I've ever seen trying to measure how much open source is not on GitHub. There's a preprint available; I'll drop a link in that. It's really interesting.
B: If you have a simple rule that's wrong, that's worse than a complicated rule. I'm not big for complicated rules, but if, you know, if the simple rule is obviously wrong, you lose your audience, because they look and they know you're wrong, and you are not to be trusted.
M: Is, you know, for each, so sorry, where it says template there for each guideline? The plan here is to develop, again, a small doc, like a one-pager, that says the why, the what, the how, and then here's where to read more. So that's going to really explain when this applies, you know, those answers to that conversation, David.
E: Okay, I have some comments. I totally agree with having this template, so we can verify if it's pertinent to apply to whatever project we're working on. I totally agree to have something very abstract, but again, having, like, for example, like this, "enable multiple reviewers": for example, in GitHub it's this, and for example in GitLab it's like the keyword is like that, and Gitea maybe doesn't support it, but you are at least giving hints to the majority of the community.
E: I already commented, but this is a general comment. I prefer, because this is like the condensed quick wins for security, for me it will be like a checklist, so it should be, for me, a checklist.
E: I like to start with the easiest steps at the beginning, so you can close down as many as possible. This gives you a sense of "oh, I'm going forward", so I will always start with the easiest one. And we already have some feedback there, or communication with you, Jeff, and this is something from the other topic about dependency check. I added some of the common tools that are for Java, for example: Xray, Snyk, the Gradle and Maven plugins for dependency check that connect to OSS or OWASP, and yeah.
M: Thank you, so yeah. So if I, and I saw those, your comments in the doc, I really appreciate that. If anybody has comments, please, you know, feel free to comment in the doc. We have some comments; somebody taking notes from this meeting, thank you very much.
M: Yes, I'll provide access. Unfortunately, I can't, I can only assign access to a Google group or an individual, but the next iteration I'll try to solve this doc issue.
J: And I just really want to reiterate, from what I can see on the screen right now, it's only like nine through 14. A lot of these are perhaps good practices for projects that have grown up on GitHub, but they countermand a lot of the standard best practices for older projects that evolved off of GitHub, and that's going to not land well.
A: Yeah, and I think we're going to find that some of the most critical projects also are the ones with the greatest longevity. So we do have to do a little balance there. Sorry, Rob.
D: Xav, go, and then I'll go. Oh.
C: Thanks, Rob. Yeah, I have a general question. This doc, is it for the, well, what is the audience? Is it for the projects themselves, or is it for the Omega team who will go and who will nudge the project to adopt it?
C: Because if it's for the people of the Omega project who will go to the project, then they will get this list as a kind of guideline for them, but then they will adapt when they talk to the project, and so they will adapt whether they are on GitHub, GitLab or duplicate or whatever. Or is it something that we want to kind of send to the project and say: "hey, follow that", because this was not my initial understanding of the Omega project.
M: My understanding is that, due to the scale, we would want to be able to send this, and again it wouldn't be this exact doc. This is just the brainstorming of the titles of the list. Each item on this list would have a one-pager with that what, why, how, and further links is what we would want. Yes.
G: So I think some context about this is this: it isn't something that you would send up front to the team on GitHub. This is something that, after the Omega project has worked with a team, that say, hey, you know what, here's a list of things that you should be, that you can keep with you and try to work on to improve.
C: Sense, well, I'm not sure, then; I got two different answers here. So it will be sent after the first contact.
G: The first contact, after you worked with the team for maybe a month, and once you've completely finished working with them, you say: hey, you know what, to-do list for you guys, something to remember that you can try to improve on. So I guess.
C: So it's not directly sent at high scale to everyone, so it can be adapted to the specific case of the... So this is not exactly what I got from the first answer. Okay, okay, so, so, yeah! I think in this case they will adapt what they send to the project.
M: But it's a good point: what if we don't, I mean, can we have this as a doc that is sent, that it's self-explanatory? Where, you know, the explanation for each item lets the project know whether this applies or not. I mean, like, what is your concern on sending it if we don't, if it's not customized or ready by the Omega project?
C: Well, I was just building on the very valid comments that, if I made, I mean, I'm from GitHub, and I know that I wouldn't like a document from OpenSSF talking only about GitHub, because I know that a lot of critical resources are not there. So, so yeah.
B: If I could jump in here, I mean, I have a specific opinion, which is, you know, the Omega folks, they're talking about 10,000-plus projects. Thinking that the Omega project is going to tailor a document for each of 10,000 projects is kind of mind-boggling to me. I don't think that's going to happen. I just don't think so. So I think this document has to be written so that, you know, to Xavier's point...
B: It can be used by a project on GitHub, but it doesn't require, it doesn't require you to be on GitHub, or only work if you're in GitHub, because we want people to be able to have secure software regardless of the platform it's on.
G: Oh, so I wanted to say that we'll talk again with Michael, but I think the first goal was for the Alpha project. So we keep saying Omega; I think the first audience was the Omega, the Alpha project, so actually the project where you're working with, not the Omega side of the project. But I think once we've kind of ironed out how the document should look like...
D: So if I may, two questions. First off, does the group feel it is appropriate for us to contribute to this? Since we are the OpenSSF Developer Best Practices working group, I'd like to get a kind of straw poll here: is this something we feel we need to contribute to?
M: So go ahead, I mean, within a week would be great. Again, we're, I think, we're gonna, you know, go ahead and start taking some of these line items. And so another item on the agenda was we wanted to ask for help, if anybody is interested in helping write one of these documents, the why, the what and how, for one of the top-line items, and that's a longer project. But comments on the top, you know, the top list.
M: We would like pretty soon, because we want to go ahead and start working on them, and, you know, if you strongly feel like one of these shouldn't be there, then we wouldn't want to waste that work.
B: Yeah, I do have a question about overlaps. You know, a number of these, like, you know, if you use Scorecards you're automatically going to see pinning; a number of these things are going to show up. If you do the Best Practices Badge, it's okay to repeat something, but I mean, how much repeating do you need to do, since so many of these are also covered by the Badge, for example?
E: My only argument there is how easy is it for your particular project to implement one or the other. If you cannot, for whatever reason, go with option A, at least you're going to cover some other things by going with option B. So it's a matter, as we have been discussing: probably there are large projects where we can or we cannot. So if this remains small and actionable, I think it's worth it.
J
Yeah-
and
I
just
want
to
re-echo
for
this
to
be
to
work-
it
has
to
be
something
that
can
be
implemented
by
smaller
projects,
folks,
that
aren't
on
github
folks
that
have
been
around
a
while
that
have
two
maintainers
in
their
spare
time.
Working
on
the
project
and
a
whole
lot
of
this
is
right
now.
It
reads
as
though
it's
really
biased
towards
large
well-funded
corporate
projects,
which
is
the
purpose
of
alpha
or
the
effect
alpha's
having.
B
G
So
I
think
also,
realistically
we're
not
going
to
cover
everything
you
know
the
first
iteration
of
the
document
is
going
to
be
somehow
biased
or
github.
Probably
because
that's
where
you
know
most,
that's
where
we
feel
more
comfortable
but
and
that's
why
we
need
community
help
to
help
you
know
drive,
you
know
for
different,
maybe
different,
ci
cd
places.
G
J
G
B
B
M
So
I'm
going
to
say
feedback
well
taken.
I
completely
agree,
and-
and
I
do
think
that
was
the
intention
here,
but
it
didn't
come
out
in
the
titles
that
that
we
wrote
so,
for
example,
you
know
on
number
four
require
multi-party
review,
like
we
made
an
attempt
there
like
we're,
not
going
to
say
turn
on
github
branch
protection
as
the
title,
we're
going
to
say,
require
multi-party
review
and
then,
in
the
description,
describe
how
you
would
do
that
on
a
few
popular
platforms
like
github
and
gitlab.
M
I
do
kind
of
have
a
concern,
though,
on
some
of
these,
like
the
github
apps
and
oauth
apps
like
I
think
that
is
a
top
recommendation
for
projects
on
github.
I
don't
know
how
to
generate
like
some
of
these.
I
may
not
be
generous
generally
made
able
to
make
generic,
so
that's
going
to
be
something
that
I
think
we're
going
to
have
to
work
on
and
think
about.
D
Our
last
minute,
yodam
has
his
hand
up
and
nazim
after
that.
L
Maybe
when
we
think
of
the
ordering
of
it,
we
can
maybe
divide
it
into
things
that
can
be
verifiable,
whether
it's
on
github
or
any
other
source
code
platform,
for
example,
if
you
enable
some
kind
of
flag
what
I'm
thinking
is
kind
of
some
something
like
the
cis
benchmark
to
have
like
a
complementary
project
that
you
can
verify
some
of
these
things
that
are
verifiable,
then
you
can
run
a
simple
script
and
it
tells
you
okay,
one
two,
five
you're
good,
maybe
put
that
as
the
top
five
things
that
you
can
verify,
whether
it's
if
you're
in
bitbucket,
it
will
do
something
specific.
L
If
it's
on
github,
it
will
check
something
else,
but
the
tests
can
be
automated
and
then
things
that
are
more
soft,
maybe
will
be
on
the
bottom
of
the
list.
H
Yeah
I
mean
I
didn't
want
to
take
up
too
much
time,
so
I
I
guess
I
was
just
playing
jeff
and
lauren.
Maybe
given
all
the
feedback
we
have
seen
so
far,
probably
our
best
action
item
to
take
here
would
be
to
say,
let's
flush
out
scope
for
this
document
to
say
that,
even
if
we
are
focusing
purely
on
github
projects,
let's
make
it
clear-
or
at
least
if
you
are
planning
to
go
for
more,
let's
figure
out.
H
What's
the
exact
scope,
what
kind
of
projects
and
what
kind
of
open
source
repositories
are
we
targeting?
And
then
we
can
like
probably
look
into
these
one
to
ten
so
probably
next
week
or
maybe
in
two
weeks
when
we
meet
probably
that's
the
discussion
or
that's
the
feedback
we
should
be
discussing.
So
you
know
at
least
we
know
that,
there's
an
action
item
for
us
and
also
for
the
working
group
for
the
next
two
weeks.
B
Azim,
are
you
familiar
with
the
best
practices
badge?
Maybe
we
should
talk
offline
because
you're
duplicating
that
work.
I
don't
understand
why
you're
redoing
it
we
spent
five
years
working
on
it.
Why
are
we
redoing
it?
So,
let's
talk
about
this
things
like
the
2fa.
We
can
just
move
that
as
an
example
of
what's
already
covered
in
something
else.
Instead
of
you
redoing
the
work
of
last
couple
years,.
F
H
B
H
Enough
so
david,
how
about
so
I'm
just
trying
to
figure
out
what
action
items
should
we
take,
so
maybe
the
two
questions
we
want
to
clear
out
is
like
how
how
is
this
actually
different
than
the
best
practices
badge
and
also
like?
What's
what's
the
scope
like
what
projects
are
we
actually
trying
to
cover
here?
So
maybe
that
those
are
the
two
like
narrow
down
questions?
We
should
actually
try
to
answer
and
like
have
that
responses
ready
by
next
working
group
got.
B
D
Let
me
stop
sharing
yeah
and
please
everyone.
That's
still
around
make
or
watching
the
video
on
youtube,
make
comments,
and
let's
continue
this
conversation,
I
think
it's
worthwhile
work.
A
B
B
D
B
B
A
M
D
If
you
want
to
continue,
if
it's
interesting
for
posterity,
I
could
catch
up
later.
That
would
be
interesting.
D
From
my
opinion,
as
the
chair
here,
I
think
this
is
something
worthwhile
work
for
the
group
to
do.
I
agree
with
david
we're
already
doing
a
lot
of
work
in
the
best
practices
badge
and
I
hate
rework
it's
one
of
my
biggest
pet
peeves,
so
it
whatever
we
can
do
to
leverage
that
an
existing
body
great
and
I
will
catch
up,
and
if
we
need
to
have
another
additional
conversation,
we
can
get
that
set
up
via
email.
D
M
B
M
The
first
question
is
like
I,
from
my
understanding
of
what
what
we're
trying
to
do
here
is
come
up
with
a
10,
a
list
of
10.
and
if,
if
we
just
say,
do
everything
in
the
badge
that
might
be
things
that
we
like
we're
trying
to
scope
it
down
to
a
list.
That
is
some
some
size
that
the
project,
the
omega
project
considers
is
the
right
size
to
send
yeah.
G
Right
something
that
I
think
we
also
want
is
we
don't
want
to
just
say
or
turn
on
branch
protection.
We
want
to
to
link
to
actually
the
documentation
to
do
that,
which
I
think
is
I
don't.
I
don't
find
it
on
the
ci
badge
best
practices.
It
tells
me
you
have
to
do
this
and
then
for
my
platform.
I
have
to
figure
it
out,
so
I
think
that's.
We
want
to
make
it
as
easy
as
possible.
Okay,.
A
B
L
B
It
and
then
it's
added
for
everybody
so
and
what's
great
about
that,
is
that
means
that
everybody
can
then
see
it,
and
we
already
have
several
thousand
projects
participating.
So
you
know
we.
We
already
have
people
pipelining
through
the
badge.
So
if
we
can
do
that,
that's
that
would
be
fantastic.
Okay,.
G
So
I'd
say:
that's
that's
first
one
david.
The
second
point
is
we
also
want
to
focus
on
things
that
can
be
automated
and
I
think
the
ci
badge
practices.
You
said
mostly
focuses
on
things
that
have
to
have
a
human
behind
the
wheel
to
to
check.
A
G
B
Well,
here
here's
the
of
course
here's
the
problem.
If
you
want
full
automated
checking,
that's
what
scorecards
is
for
scorecards
focuses
on
what's
automatable
automatically
checkable,
but
in
terms
of
can
we
check
whether
or
not
the
project
does
it?
B
The
best
practices
badge
focuses
on
what's
important,
whether
or
not
it's
easily
checked
okay
and
it
does
have
some
that
are
can
be
checked
automatically,
but
actually,
whether
or
not
you
check
it
automatically
or
check
it.
Have
a
human
humans
have
to
be
involved
in
the
change
yeah.
So
if
you're
going
to
change
something,
it
doesn't
matter
whether
which
approach
you
use,
you
still
have
to
have
a
human
to
prove
the
changes.
G
B
Oh
well
for
branch
protection.
Sure,
although
you
have
to
be
careful,
I
don't
know,
I
don't
have
the
exact
numbers,
but
the
majority
of
open
source
projects
that
I
see
are
single
person,
yeah
yeah.
So
so
saying
you
must
protect
it.
When
there's
only
one
user,
it
doesn't
make
any
sense.
G
I
I
I
I
think
this
whole
thing
about
we,
you
you're
overblowing
it
on.
Oh,
we
are
telling
people
to
use
to
lgtm
we're
not
gonna
say
you
should
do
that.
We
say
we
recommend
doing
it.
If
you
can
do
it,
I
mean
that's
what
jeff
and
I
had
in
the
in
in
the
in
the
dark.
I
think
that
has
been
kind
of
exaggerated,
like
that's
not
where
we're
going
with
this,
but.
G
The
ci
batch
practices-
I
think,
if
so
we
can,
if
we
don't
want
to
re-duplicate,
because
I
think
that
makes
sense,
but
I
think
it
requires
a
lot
of
changes
on
the
ci
badge
practices
side
like
like
today.
It's
pretty
generic
and
if
you
want
to
start
having
a
broader
documentation
like
how
do
you
do
that,
like,
for
example,
people
have
been
saying?
Oh,
how
do
you
do
it
on
maven?
And
how
do
you
do
this
on
the
and
ci
batch
practices?
Doesn't
do
this
so
there's
a.
B
B
G
M
M
B
I
think
we
draft
it
first
before
we
figure
out
where
it
lives
but
sure,
but
if
it's,
if
it's
going
to
be
resulting
from
the
omega
project,
I
mean
you
could
live
under
the
omega
project,
they
do
have
their
own
repo.
I
don't
know
if
that's
public
yet,
but
it's
it's
about
to
become
public
if
it
hasn't
become
public.
Yet.
M
B
B
B
Then
a
discussion,
no
it's!
There
is
a
single
page.
If
you
wanted
to
use,
you
want
to
see
just
the
criteria.
There
is
a
page
that
shows
that
all
to
you
give
me
a
second
I'll
I'll
drop
the
link
here,
let's
see
best
practices.
A
B
B
B
H
What
is
exactly
the
context
here
like
because
I
I
kind
of
do
agree
with
david
in
the
sense
that
if
we
do,
if
you
want
to
come
up
with
a
new
set
of
best
practices,
for
let's
say
the
omega
project,
is
there
a
reason
why
we
can't
extend
the
cii,
the
web
page
or
the
badge
itself
to
do
it?
Like
I
mean.
B
B
I
would
add
state
number
three
work
on
your
salt
on
salsa
now,
each
of
those
obviously
drill
down
to
other
things,
but
you
know
having
a
short
list
that
covers
many
other
things,
because
they're
designed
to
cover
lots
of
other
things,
is
okay.
M
Yeah,
but
I
think
that's,
I
think,
that's
too
big
of
a
can
of
worms
for
a
project
that
we
want
us
like.
If
we
want
a
project
to
spend
10
minutes,
we
want
them
to
make
like
measurable
progress
like
we
want
the
tough
if
the
top
10
things
are
like
flip.
These
10
settings
like
if
they
could
just
do
that.
That
would
be
awesome,
but
if
it's
do
best
practice
badge
do
scorecards
do
salsa
people
are
just
going
to
say.
Oh,
I
can't
do
that
right
in
10
minutes.
H
So,
if
I
understand,
are
we
saying
that
best
practice
is
bad,
since
we
are
asking
to
asking
folks
to
get
go,
get
a
badge
that
might
be
too
much
work
instead,
should
we
rather
just
expand
the
website
and
say
that
these
are
the
best
practices
and
here's
a
way
where
you
can
like
get
a
swag
out
of
it,
but
by
telling
us
we'll
actually
give
you
a
badge
like?
Would
that
work.
B
Yeah
most
the
projects
that
are
well
run,
they
get
a
badge
in
20
minutes.
So
I'm
you
know
now
the
problem
isn't
usually
hey.
There's
all
these
questions,
especially
since
a
lot
of
them
are
some
are
automated
anyway.
The
problem
is,
you
know.
One
of
the
requirements,
for
example,
is
you
must
tell
us
how
to
report
vulnerabilities
and
they
don't
well
they're,
going
to
have
to
change
something
like
you
know,
adding
a
security.md
file
and
saying
where
to
send
the
emails
to
or
whatever
they
want
to
do.
B
But
but
you
know
things
like
you
know,
I
I
just
I
just
hate
this:
hey,
I'm,
let's
do
coordinated
disclosure.
We've
already
said
discuss
this
earlier
and
maybe
it
needs
to
be
extended
or
whatever,
but
I
I
just
re,
I
hate
redoing
the
same
things
again
and
again.
B
Yeah
and
by
the
way
that
don't
release
build
releases
on
developer
machines,
you
will
not
get
universal
agreement
on
that
yeah.
You
you'll
in
fact
hear
the
I.
I
trust
my
machine
better
than
the
better
than
some
external
cloud
system.
B
B
Yeah,
okay,
but
is
that
your
opinion,
or
is
that
you
know?
Do
you
see
what
I
mean,
for
example,
a
lot
of
people?
Don't
like
the
way
the
linux
kernel
developers,
work
or
the
way
kubernetes
works
because
they
don't
like
you
know
they
they'll.
Tell
you
straight
up.
Github
fit
is
a
total
failure
for
them?
It's
not
that
it's
a
failure
in
general,
it's
that
it
doesn't
work
for
their
project,
so
they
roll
their
head.
Yeah
right.
M
B
Well,
that's
in
fact
the
lynx
kernel
folks
do
they.
The
linux
foundation
actually
pays
a
non-trivial
amount
of
money
specifically
for
the
infrastructure
of
the
linux
kernel.
It's
too
big
github
won't
handle
it.
B
B
Yeah
and
now
we
got
to
start
talking
about
this,
and
I
I
had
this
problem-
I've
had
this
problem
for
years
on
the
best
practices
badge
is
the
what
we,
what
I
did
is
I
I
work
with
a
bunch
of
people.
We
came
up
with
hundreds
of
recommendations
and
then
we
went
out
and
talked
to
curl.
B
We
talked
to
the
linux
kernel
developers,
we
talked
to
all
sorts
of
folks
and
they
they
came
back
and
said
yes
or
no,
or
we
agree
with
their
goal,
but
not
the
way,
you've
written
it
because
you
have
assumed
a
particular
implementation.
That's
not
true!
So
it's
going
to
take
you
a
while
to
come
up
with
these
and
where
you
can
it's
much
better
to
borrow
folks
who've
already
gone
through
this
pain,
so.
B
H
H
No,
I
don't
mean
hope
that
way
I
mean
like.
Is
there
a
reason
why
we
shouldn't
be
extending
cia
best
practices
and
like
what
is
part
of
the
thing
that
you're
trying
to
achieve
that
does
not
fall
into
ci,
best
practices,
scope
and
like
it's?
Maybe
that's
that's
the
first,
like
you
know,
blocker
that
we
need
to.
H
M
B
A
B
B
Right,
which
is
why
I,
I
think,
you're
better
off
reusing,
existing
work.
That
says,
for
example,
for
let
me
point
specifically
the
best
practices
batch,
because
I'm
familiar
with
that
every
time
you
do
something
the
best
practice
is
badge
you
get
a
higher
score.
You
start
well,
technically,
you
start
at
zero
they're.
Very,
very
usually
most
people
get
quite
a
bit
from
the
automated
tools.
M
B
M
Okay,
well
again,
this
isn't
I
can't
I.
I
can't
speak
for
michael
the
michaels
right.
Neither
can
I
yeah
so
right
right.
If
I
I
think,
based
on
what
I've
heard
is,
was
the
you
know
the
request?
I
I
still
think
we
need
a
list
of
ten.
However,
you
know
if
we
talk.
If
we
talk
this
over
with
them
or
the
project,
and
they
say
no,
we
actually
don't
need
it.
This
is
fine
and
that's
cool.
For
me,.
B
M
B
Yeah
but
but
but
I
but
yeah,
I
think
you're
you're
you're,
risking
that
because
you're
focusing
on
very
specific
things
to
do
in
10
minutes
instead
of
the
broader
lists
like
get
a
best
practices,
badge
get
scorecard
work
on
your
salsa
level.
Now,
that's
already
going
to
cover
a
lot
of
other
things.
If
it
doesn't
cover
some
important
things,
then
let's
talk
about
getting
those
into
our
existing
projects.
B
A
M
G
A
G
For
further,
no,
what
I
mean
is
the
the
first
few
things
are,
the
one
are
the
ones
that
are
easy
to
do,
but
then
we
want
to
keep
a
long-term
relationship,
so
ci
badges
would
definitely
be
like
start,
your
ci
badge,
so
they
can
get.
You
know
continue
further
reading
install
scorecards,
so
you
see
alerts
as
we
add
new
stuff.
So
I
guess
what
yeah.
B
I
mean
if
you
want
to
put
those
yeah
if
you
want
to
put
those
last
and
say:
do
these
first
and
then
do
these
larger
things.
I
mean
that
that
would
make
sense
to
me.
Okay,
if
that's
where
you,
where
you
want
to
go,
but
I
I
just
I
would
hate
what
I
would
hate
to
see
would
be
the
turn
on
2fa
and
put
a
tool
in
and
you're
good
to
go.
I
think
we
all
agree,
that's
not
really
where
we
want
them
to
think
about.
B
B
The
other
is,
I
think,
the
other
things
are
the
things
we've
already
talked
about,
which
I
think
are
totally
workable.
Just
tweak
the
text
in
terms
of
you
know
not
making
it
github
specific,
making
it's
clear
that
you
know.
I
don't
know
just
the
way
it
was
worded.
It
says
recommendations,
but
they
sure
look
like
requirements
to
me.
So
we
can
we
we
can
work
that
text
I
mean.
That's
not
I.
I
totally
understand
that
problem
cool
and
I
will
say
that
boy.
It
is
hard
to
get
good
text.
B
M
G
G
B
Right,
so
I
think
if
you
pull
in
the
best
practices,
bag,
score
cards
and
salsa,
and
maybe
a
little
explanation
there
about
why
all
of
them,
I
think
you're
going
to
be
able
to
bring
in
those
bigger
pictures.
I
certainly
don't
object
to
saying
here's
a
couple
things.
We
want
you
to
do
first
and
no
objection
there
awesome
as
long
as
there
are
reasonable
things
to
do
that.
B
That
would
be
my
other
concern,
because
I
I
will
say
that
now
we
we
have
the
badging
had
an
advantage,
because
when
we
showed
up,
we
already
had
commitments
from
a
whole
bunch
of
projects.
You
might
want
to
do
that
too.
By
the
way
before
you
release
here's
the
list
get
a
whole
bunch
of
well-known
projects
to
endorse
it.
B
So
when
greg
kh
from
the
colonel
and
dan
stenbet
from
curl
and
the
node.js
folks
and
lots
of
other
projects
said
yes,
you
know,
we've
we've
already
got
a
badge
and
we
already
like
this
list.
It
made
a
big
difference
now
you're
coming
in
with
money
that
helps
but
you're
not
giving
the
money
the
project,
so
it
doesn't
help
very
much.
B
So
I
I
think
you're
going
to
get
more
buy-in
if
you
make
a
list
and
then
interact
with
a
lot
of
projects
to
make
sure
it's
the
right
short
list
as
it
were.
M
H
G
A
G
B
B
I
will
say
that
we
made
a
huge
number
of
adjustments
when
we
interacted
with
various
projects,
even
though
we
knew
about
them
in
general.
But
just
you
know
it's
not
that
we
weren't
new.
We
knew
about
the
you
know
talking.
The
actual
project
leads
who
live
at
day.
You
know
all
the
time.
There's
nothing
like
that,
so
yeah
all
right.
I
got
to
go
off
to
another
meeting
and
you
probably
do
too.
So
thanks
for
your
time.
Thank
you,
yeah.
Thank
you
for.