►
From YouTube: Best Practices for Open Source Developers (July 5, 2022)
B
A
A
C
C
B
C
D
A
Yeah.
This
should
be
real,
quick,
best
practices,
badge
we've
updated
lots
of
dependencies
as
we
do
routinely,
so
we
won't
be
surprised
when
there's
a
a
fix
and
we've
had
what
I
believe
is
our
first
gdpr
deletion,
because
if
because,
if
somebody
says
Hey
I
want
to
delete
my
account,
we
honor
that.
So
we
did
that
fundamentals
course
I.
Think.
Most
of
you
know
we
had
a
big
announcement
there's
for
scorm
connect.
This
makes
it
a
lot
easier
for
universities.
A
Big
organizations
to
include
the
course
make
it
look
as
if
it's
just
part
of
their
regular
offerings.
We
have
a
pull
request
for
adding
a
dollar
two
generated
image
in
this
case
for
race
conditions,
I,
don't
think.
There's
any
legal
issues
in
particular,
open
AI
said
that
our
use
was
fine.
I
did
send
a
jira
legal
ticket
just
to
make
sure,
because
this
is
different
than
what
we've
done
before
I'm,
not
expecting
any
problems,
and
that's
it.
A
A
So
that
is
completely
generated
by
a
machine
which
is
kind
of
cool,
so
the
the
idea
is
to
try
to
use
these
images,
but
to
make
the
course
a
little
more
visually
interesting
and
illustrate
you
know,
you
know
what,
when
you
say,
race
conditions.
Are
we
talking
about
races
of
humans?
No,
no!
No!
We're
talking
about
like
racing
cars.
So,
hopefully
you
know
sticking
images
into
people's
head
makes
it
a
lot
easier
for
them
to
understand
what
some
of
these
phrases
mean
in
a
visceral
way.
C
E
D
D
So
far,
so
that's
pretty
awesome,
and
lately
we
also
looking
into
the
the
new
ux
design,
because
it
was
well
technically
all
nice
and
working,
but
as
you
notice,
I'm,
not
a
design
specialist,
so
I,
actually,
you
know
asked
a
bit
of
help
of
a
specialist
over
there
and
we
have
revamped
a
bit
of
the
the
content.
Maybe
won't
take
that
long.
Let
me
share
quickly
my
screen,
so
at
least
you
all
get
an
idea
of
what
we're
doing
so.
D
I
asked
a
specialist
in
this
area
to
look
at
it.
Basically
looked
at
all
the
story
links
the
phones,
the
colors.
They
all
look
and
feel
I
said
like
okay,
you
can
do
some
better
things
here,
like
better
icons
that
makes
more
sense,
also
decluttering
the
menu
and
make
it
more
yeah
easier
for
the
eye,
some
different
items
you
know
to
use
instead
of
the
ones
that
we
have
also
removing
icons
from
the
menu,
because
it
didn't
make
sense
according
to
him
the
grid
system
that
we
should
use.
D
As
you
know,
we
also
have
now
a
whole
training
menu
where
you
have
a
cell
service
training
capability
using
David
Wheeler's
course.
For
example,
now
it
technically,
like
I,
said
works,
but
it
wasn't
the
feeling
that
well,
so
this
is
like
the
new
Left
overview
of
all
the
categories
and
how
they
would
look
like
and
where
you're
done
with
them,
yeah
a
bit
more.
You
know
about
the
colors
and
but
yeah
so
also
a
progress
indicator.
D
Let
me
see
yeah
a
bit
bundled
information
yeah,
and
this
is
what
the
new
overview
should
look
like.
So
a
bit
more
yeah
styled,
also
centered
content.
Also,
when
you
make
it
a
full
screen,
you
have
a
center
page,
not
using
all
the
space
there
again.
A
couple
of
new
icons,
introduction,
correct
usage
of
the
colors
like
I,
said
progress
bar
that
we're
going
to
add.
D
We
also
going
to
make
these
are
nice
training
parts
yeah
and
the
other
important
thing
that
we
actually
wanted
to
do
was
the
dashboard
redesign
and
make
it
a
sort
of
Arcadium
based
menu
because
also
another.
You
know
ux
designer
and
Journey
expert.
He
said
like
look.
You
have
an
amazing
website,
but
yeah
I'm
I,
don't
know
how
to
use
it
so
to
solve
that.
Basically,
what
we
want
to
do
is
make
a
a
dashboard,
a
landing
page
where
you
have
hey
the
journey
for
a
developer.
D
The
journey
for
a
pen,
tester,
hey
I,
only
want
to
do
trainings
or
hey
I
want
to
start
customizing
SPF
with
the
checklist,
the
requirements
and
everything
that
those
belongs
to
that
one.
So
hopefully,
with
this
Improvement,
it
will
also
be
easier
for
people
to
actually
yeah
use
it.
If
you're
new
to
SKF
right
because
yeah
you
can
go
there
for
trainings,
but
you
also
as
developer,
can
use
it
for
getting
the
right
security
requirements.
D
So
if
you
go
to
the
training
in
SKF,
you
will
get
them
these
yeah
nice
boxes,
then
in
the
red
one.
You
see
the
different
levels
and
skills
that
you
can
take
then,
and
when
you
yeah
start
them,
you
get
like
this
nice
overview
of
how
it
would
look
like
full
screen.
That
is
the
full
screen
mode.
It's
also
very
nicely
done
yeah
and
for
the
people
who
are
maybe
not
aware.
D
So
how
does
it
not
look
like
like
this
I
mean
technically
it
works,
but
as
you
see
it's
a
huge
Improvement
of
what
the
ux
designer
did
actually
right
so
yeah.
So
that
is
that
also
next
year
that
we're
busy
with
the
Google
summer
of
code,
we
were
selected
thank
to
the
mentors
in
Google
for
mentoring
and
other
students
and
what
is
also
interesting.
There
is
actually
that
we
are
building
a
sort
of
a
video
editor.
D
This
video
editor
can
actually
you
can
feed
it
markdown,
and
then
it
will
load.
All
the
content
generate
videos
that
you
then
can
yeah
publish
right
and
for
us
it's
interesting,
because
actually,
every
main
section
like
requirement,
design
and
reuse
for
example
in
this
case,
should
have
like
a
video
explaining
already
about
all
the
content
and
the
topics
about
it
yeah.
So
that
is
also
something
we're
experimenting
with.
F
D
That's
working
and
going
well.
The
idea
is
there
also
to
use
some
deep,
fake
and
wave
to
lip
functionality,
so
you
can
actually
also
have
an
instructor.
You
know
in
the
corner,
explaining
and
speaking
everything
they're
using
some
deep,
fake
and
wave
to
live
functionality
so
technically
also
in
other
languages,
because
we
have
the
what
is
it
the
Google
project
as
well,
the
Google
wave
Max?
What
was
it
and
yeah?
So
it's
going
to
be
very
interesting.
D
A
B
A
D
Yeah
yeah
well,
for
now,
what
we're
going
to
do
is
at
least
for
the
editor
right
so
because
we're
creating
videos
from
the
material-
and
it's
called
the
Google
wavenet.
Sorry
now
it
popped
into
my
mind:
Google
wavenet.
So
with
this
one
we
could
yeah
use
to
synthesize
text,
voices
and
well
Google,
as
you
know,
has
very
good
translations.
Also
this
week
that's
forced
very
hard
into
getting
the
right
tones
in
the
different
languages.
F
D
B
C
It's
very
cool
in
a
semi-related
note,
before
I
move
on
tomorrow
at
9
00
a.m.
Eastern
we
are
having
our
education,
our
very
first
education,
Sig
call
where
we'll
be
reviewing
the
stream.
One
of
the
openness
assessed,
mobilization
plan,
and
so
it's
focused
on
education,
so
we'll
be
taking
some
of
the
content
from
this
group
and
kind
of
repackaging
it
augmenting
it
and
I
would
expect
Glenn
some
of
the
things
some
of
the
efforts
out
of
that
Sig
will
potentially
touch
on
to
SKF,
because
people
learn
differently.
C
C
C
The
open
ssf
had
the
very
first
day
of
the
conference,
and
we
had
nearly
a
thousand
people
between
300
physical
and
almost
700
virtual
watch
open
ssf
day,
so
the
foundation
is
going
to
be
putting
out
a
call
for
papers.
So
if
anyone
is
interested
in
going
to
Europe
in
the
fall
to
talk
about
things
like
SKF
or
David's,
you
know
Foundation
scorm
connect
transformation.
C
C
Say
getting
back
from
back
to
the
States
from
Dublin
was
an
adventure?
Hopefully
my
European
friends
won't
have
the
same
troubles.
36
hours
took
me
terrible
all
right,
so
our
other
member
projects
does
anyone
have
any
updates?
They
want
to
share
whether
inventory
or
scorecard
anything
new
that
I
share.
F
I
have
something
please
speed
us
from
Seattle.
Here
we
we
just
finished
our
major
integration,
with
o
wasp
asvas
asvs,
being
one
of
the
major
standards
in
West
and
now
asbs
uses
Cris
to
link
to
other
standards,
which
is
great
and
in
preparation
for
more
Integrations.
We
are
working
on
mapping
and
releasing
governance
related
cres,
maybe
later
this
summer,
our
goal
is
September
by
end
of
August
3rd
of
September,
which
should
allow
us
to
link
to
the
CSA
controls,
mapping
standard,
and
it
was
some
PCI
and
ISO.
C
C
C
All
righty,
let
us
jump
into
but
I
hope
our
last
conversation
for
1.0
of
the
awesome
one
pager
I
put
a
link
in
the
chat,
and
it's
also
in
our
meeting
notes.
Here
If,
You,
Could,
Turn
Your
Eyes
to
the
one
pager
for
developing
more
secure
software.
I
will
yield
the
floor
over
to
a
data,
see
if
we
can
get
this
done
today,
who.
A
Will
try
to
remember
yeah
we'll
try
to
remember
to
turn
off
mute
all
right?
Okay,
so,
basically,
lots
of
people
had
lots
of
great
ideas.
Thank
you.
So
much
and
I
tried
to
make
changes
and
accept
things.
The
only
thing
I
didn't
do
was
deal
with.
There
were
some
general
some
comments
that
and-
and
so
basically,
if
you
don't
mind
what
I'd
like
to
do
is
first
just
note
that
we
have
straight
up
text
with
links
with
no
changes.
A
But
let's
see
here
so
are
we
good
with
just
walking
through
the
high
level
comments
and
then
seeing
if
anybody
has
objections
and
then
marking
them
off
and
after
we're
done
with
that
we're
at
least
done
with
this
one,
though
there's
of
course,
the
other
evaluation,
one
that
I
think
will
work
on
and
try
to
complete.
My
next
meeting
sound
like
a
plan
group.
A
All
right,
so,
let's
start
from
the
top,
maybe
I
should
share
my
screen.
That
would
be
an
amazing
construct.
Let's
see
here,
if
I
click
on
shares
screen
desktop,
share,
Bad,
Things,
No
Doubt
will
happen
all
right.
Okay,
so
if
you
go
from
the
top
and
I'm
gonna
have
to
narrow
this
down
a
little
bit
so
that
I
can
see.
The
comments
first
comment
is:
are
we
developing
software
or
just
secure
open
source
software?
And
frankly,
almost
all
this
is
just
software.
A
A
It's
the
same
old
problems,
so
I'm
going
to
mark
that
as
resolved
and
the
title
I
tweaked
slightly,
because
there
were
questions
about
hey.
Are
we
doing
Ultimate
Security?
Well,
no,
we
want
more
secure.
It's
really
a
you
know.
This
is
a
so
I'm,
so
I'm
hoping
that
we
have
resolved
that
with
adding
the
word
more
I
changed
the
font
size
we
can
dismiss.
That
goal
is
one
page.
A
Should
we
be
providing
specific
blueprints
on
how
to
accomplish
this
I
I?
This
is
the
goal
is
one
page,
so
we
can
link
to
it.
If
somebody
has
done
that
I
don't
know
of
anybody.
That's
done
that
so
I'm
going
to
mark
that
as
done
just
because
I
don't
think
we
know
of
anybody.
That's
done
that
we
can
always
make
changes.
A
A
Things
try
to
divide
it
by
sort
of
what
to
do
in
order
tried
to
make
a
stab
at
that,
and
then
I
realized
that
everybody
was
referring
to
the
numbers
and
if
you
only
refer
things
by
number
and
you
move
things
around,
it's
not
clear
what
was
meant
so
an
attempt
was
made
and
we
can
make
changes
if
people
hate
it.
What
about
downloading
and
testing
the
source
code
I'm
building
it
instead
of
trusting
the
binary,
that's
I
think
an
interesting
one,
but
there's
two
comments.
A
First
of
all,
this
was
a
comment
about
evaluating
software.
I
think,
even
if
you
rebuild,
you
still
need
to
evaluate.
You
know
things
like.
Is
this
the
right
software,
or
is
this
a
type
of
squatting?
Rebuilding
a
type
of
squatting
attack
doesn't
help,
so
we
still
need
to
evaluate
it.
Now.
It's
true
that
we
could
recommend
rebuilding
the
counter
subverted,
builds
I.
Think
for
some
folks
where
security
is
really
critical.
A
Awesome
I,
don't
think
that
the
vast
more
majority
of
people
are
going
to
do
that
they're
going
to
do
npm
install
blank
and
they're
going
to
do
pip
install
blank
anything
that
involves
downloading
the
instructions.
Re-Downloading
all
the
details
about
how
to
rebuild
it.
It's
not
going
to
happen
so
I
I
think
that's
specializing
enough
that
it's
not
worth
putting
in
the
one
pager.
That's
I.
However,
that's
an
opinion.
That's
not
necessarily
shared
by
others.
Comments.
A
Thank
you.
Okay,
I
see
a
thumbs
up
from
crowbe
I,
don't
hear
any
negatives
so
far,
although
maybe
it's
because
I'm
missing
something
alrighty
I
see
things
in
chat
but
nobody's
all
right,
so
I'm,
just
gonna
I'm,
just
gonna
Mark
that
as
done
for
the
moment,
okay,
add
a
note
about
scoping
about
specific
tools.
C
A
I
will
say
having
written
another
similar
document
having
a
list
of
it's
at
least
example
tools.
It's
really
really
hard
to
give
specific
examples,
in
particular
because
of
DeWit
Clauses.
We
often
aren't
allowed
to
publish
benchmarks,
but
we
can
at
least
list
examples,
but
I
think
it
belongs
in
the
document
that
describes
types
of
tools,
here's
a
type
of
tool.
A
Here's
several
tools
that
do
that
and
if
we
can
publish
benchmarks-
and
that's
awesome,
though
I,
don't
I-
think
for
legal
reasons,
we're
not
going
to
be
able
to
do
that
anytime
soon,
but
we
can.
At
least
you
know
so.
Recommendations
are
hard,
but
at
least
lists
are
easy,
but
I
would
say
put
that
in
the
tools
list.
Okay,
now
here's
one
yeah,
okay,
good,
all
right,
I,
don't
see
any
vast
disagreements
and
here's
this
next
one.
Really.
This
is
a
formatting
thing,
but
it's
a
I
mean
they're.
A
Both
both
points
I
think
have
have
their
have
their
advantages.
So
Vicki
says
suggested:
split,
okay,
enable
rapid
updates
of
dependencies
via
package
managers
and
automated
tests.
Vicki
had
said:
hey
wait,
a
minute
package
register
and
tests
are
on
and
automate
tests
are
different
and
that's
absolutely
true,
and
then
she
suggested
splitting
them
to
which
I
said
it's
not
insane
to
split
them.
However,
both
of
them
help
you
do
rapid
updates
and
by
saying
putting
them
together.
A
A
B
A
Okay,
I
can
try
to
split
this
real,
quick,
okay
but
how's
this.
Let
me
try
to
to
avoid
writing
text
right
this
second,
so,
let's
just
I'm
happy
to
split
it.
So
I
I've
added
this
Mark
that
says
split.
If
we
can
do
that
today,
that's
awesome,
but
if
not
so,
let's
keep
going
through.
So,
let's,
let's
split
it
up,
that's
fine!
It's
certainly
not
a
hill
I'm
gonna
die
on
all
right.
Let's
see
here
the
next
one
here
is
signing
releases.
A
That's
true,
but
I
think
that's
even
less
common
than
signing
so
I
I.
Think
for
the
moment.
Let's
leave
it
as
it
is
and-
and
you
notice
that
we
don't
even
say
you
have
to
use
Sig
stories.
Just
you
know,
sign
I
I.
Think
it's
also
Providence
long
term
is
good,
but
that's
not
something
that
we
can
widely
point
to.
That's
something
that
means
the
salsa
folks
are
still
at
version.
0.1
we're
working
it
we're
working
it.
A
A
Oh
I,
don't
know
if
there
are
or
not
one,
that's
actually
one
of
the
reasons
I
put
this
down
further,
so
I
agree
with
you.
Let's
try
to
do
that.
In
fact,
maybe
we
should
leave
that
a
little
bit
if
somebody
has
some
guide
stocks,
but
otherwise
we
can
say
that
and
then,
as
guidance
docs
get
created,
we
can
point
to
them.
C
C
A
B
A
I
mean
that's
up
to
the
open
ssf
to
decide.
The
original
goal
was
to
reference,
something
you
can
use.
So
there's
a
little
bit
complicated.
You
know,
spdx,
spdx
and
Cyclone
DX
have
have,
you
know,
are
both
in
use.
There
are
we.
There
are
different
folks
who
have
have
strong
opinions
on
one
side
of
the
other,
and
I
can
talk
about
the
pluses
and
minuses
of
each.
A
B
A
C
A
Okay
on
board
your
project,
LFX
security.
If
you
manage
an
LF
project,
there
are
enough
Linux,
Foundation
projects.
I
think
this
is
worth
including
we
are
actually
talking
about
trying
to
extend
LFX
security
for
situations
where
you're
not
an
LFX
brand
lens
Foundation
project
also,
but
this
basically
gives
you
a
lot
of
insights,
cncf,
okay,
oh
let
me
I
was
trying
to
move
only
on
the
ones
where
somebody
has
a
comment.
Is
this
comment?
Neo
is
the?
Can
you
afford
it
comment?
A
It's
true
that
all
of
these
are
you
know
if
you
can't
afford
it,
but
for
the
most
part
most
of
these
there's
not
significant
costs.
Third
party
code,
reviews
and
audits.
If
you're
talking
about
serious
review
by
someone
who
actually
knows
about
stuff
typically
is
going
to
run
you
actual
money,
you
know
at
least
five
more
likely,
six
and
sometimes
seven
digits,
which
is
way
more
than
these
other
items.
So
I
I
think
it's
worth
warning
people
you
know
not
that
this
is
bad.
It's
not
bad!
It's
a!
A
A
A
E
D
A
E
E
E
A
A
A
E
A
Yeah
inventory
to
know
when
a
future
vulnerability
shows
up.
You
know
it's
there
identify
known
vulnerabilities
either
because
it's
in
the
s-bomb
or
because
you
can
map
it
to
us
to
vulnerability,
lists
and
identify
potential
legal
issues,
because
you
get
licensing
information.
Is
that
not
right
good
enough
uncle
I
tried
the
thing
is
I
I
agree
with
what
you
said
earlier:
I'm
trying
to
capture
it
all.
In
few
words.
A
B
A
I
think
the
problem
is
there,
isn't
if
you
want
to
do
the
a
thorough
security
audit
of
the
entire
Linux
kernel,
you're
not
going
to
do
that
for
less
than
Millions.
If
you're
going
to
review
is
odd,
I'll
bet,
even
I
can
do
that
so
they're
often
50
to
100K,
but
it's
I
think
it's
so
variable
I
mean
we
could
just
say
this
can
be
costly,
but
I
I.
Don't
think
we
can
give
a
simple
answer
to
that
question.
B
A
E
Mean
just
to
raise
awareness,
I
mean
just
just
last
week
on
these
curing
software
repositories.
Call
it
was.
There
is
a
tool
called
cargo
vet
that
was
demonstrated
claiming
they're,
creating
and
actually
kind
of
inviting
other
package
managers
to
do
the
same
to
do
auditing
on
their
packages
repository.
So
you
know.
E
E
Cargo
vet
took
a
lot
of
commentary
around
having
a
you
know.
What
what
does
an
audit
mean,
and
we
know
how
do
you
verify
the
trust,
changes
and
things
like
those?
So
we
we
probably
need
to
come
back
to
that
at
some
point
and
factor
in
you
know
other
you
know
if
these
things
become
commonplace,
either
with
sigster
or
other
thing.
Other
things
you
know,
I
didn't
I,
didn't
you
know
verifying
I
didn't
use
an
audit
and
scorecard
I.
Don't
know
we
need
to
define
a
framework.
A
E
A
A
A
C
E
Well
I'm
saying
when,
when
people
came
to
me
at
recent
Summits
and
they
asked
me
how
to
secure
my
project,
they
need
they
need
a
starting
point.
So
oftentimes
I
send
them
to
look
at
Salsa
and
runs
scorecard
so
I'm
hoping
that's,
you
know,
I
mean
as
a
starting
point
and
see
where
you
fall
in
the
salsa
spectrum
and
where
do
you?
What
is
your
score
for
for
scorecard?
That's
you
know
from
an
open,
ssf
point
of
view.
You
know,
that's
the
starting
point.
E
C
E
A
A
E
I'm
saying
that
in
my
in
my
mind,
when
I
try
to
get
them
to
use
them
to
use
these
in
continuous
delivery
and
integration,
delivery
processes,
which
means
integration
of
Scar
card
and
integration
of
automation,
integration
of
the
of
the
controls
that
you
would
add
to
enforce
things
required
by
salsa
levels.
So
I.
A
E
A
E
A
E
F
E
B
A
E
Send
out
I
I
mean
I
know
you
want
to
wrap
up
and
I
said
we're
at
the
top
of
the
hour,
but
manages
I
think
that
the
big
thing
we
look
for
is
governance
processes
that
you
know,
governance
processes
that
have
a
clear
means
to
elect
and
and
maintain
a
healthy
set
of
maintainers.
So
it's
about
more
about
governance
of
the
process
than
adding
trust
and
it's
having
a
process.
A
A
C
E
I
was
saying
that
it's
not
about
adding
just
adding
maintainers
the
key
is
meaning
a
healthy
set
of
maintainers
because
maintainers
come
and
go
they.
You
know
great
minds
drift
to
other
projects,
so
they
might
leave.
So
you
need
to
call
those
lists
as
well.
So
I
don't
know.
How
do
you
want
to
it's
basically
having
an
appropriate
healthy
set
of
maintainers
active
set
of
maintainers
anyway,
all
done
yeah
because
we
have
maintainers
on
a
project
I
have
that
haven't
showed
up
for
two
years.