From YouTube: Best Practices for Open Source Developers (July 5, 2022)

A: All right, if your name's not already in our little meeting notes, please add it.

C: Well, welcome everybody to the July 5th edition of my favorite working group, the best working group. Do we have any new friends that wanted to say hello and introduce themselves to the group?

B: Hi everyone, I'm a new member here. I'm Avishai from Israel, I work at Microsoft. I maintain open source projects through Microsoft and I'm really excited to be here, to be listening in, and hope to bring value. Nice to meet you.

B: Hey, well, this is Tapas from Red Hat. I have been attending; this is my second time at this meeting, yeah, and I'm looking forward to contributing in this working group. Yeah, thanks.

A: Yeah. This should be real quick. Best Practices Badge: we've updated lots of dependencies, as we do routinely, so we won't be surprised when there's a fix, and we've had what I believe is our first GDPR deletion, because if somebody says "Hey, I want to delete my account," we honor that. So we did that. Fundamentals course: I think most of you know we had a big announcement there for SCORM Connect. This makes it a lot easier for universities and big organizations to include the course and make it look as if it's just part of their regular offerings. We have a pull request for adding a DALL-E 2 generated image, in this case for race conditions. I don't think there's any legal issues in particular; OpenAI said that our use was fine. I did send a Jira legal ticket just to make sure, because this is different than what we've done before. I'm not expecting any problems, and that's it.

A: Okay, well, let's see here. Give me a moment. I will, it's, I mean, it's off the pull request, but I will try to give you a direct link to the actual image, because I think that's what you're actually asking me for. All right, so let's see here.

A: All right, I'm gonna shove that into the notes: actual image.

A: So that is completely generated by a machine, which is kind of cool. So the idea is to try to use these images to make the course a little more visually interesting and illustrate, you know, what, when you say "race conditions"... are we talking about races of humans? No, no! No! We're talking about, like, racing cars. So hopefully, you know, sticking images into people's heads makes it a lot easier for them to understand what some of these phrases mean in a visceral way.
C: Any comments for David on either the badges or the fundamentals update?

C: All right, I see our friend Glenn is here. Do you have any updates you wanted to share, Glenn?

D: Hey everybody, yeah. We are actually quite busy with the single sign-on solution implementation, finally, so that's good. We also got some nice feedback now that people are actually using the platform, and also, well, I'm using it in all my training.

D: So far, so that's pretty awesome, and lately we are also looking into the new UX design, because it was, well, technically all nice and working, but as you notice, I'm not a design specialist, so I actually, you know, asked a bit of help of a specialist over there and we have revamped a bit of the content. Maybe it won't take that long. Let me share quickly my screen, so at least you all get an idea of what we're doing.

D: I asked a specialist in this area to look at it. Basically he looked at all the styling, the fonts, the colors, the whole look and feel, and said, like, okay, you can do some better things here, like better icons that make more sense, also decluttering the menu and making it more, yeah, easier for the eye, some different items, you know, to use instead of the ones that we have, also removing icons from the menu because they didn't make sense according to him, the grid system that we should use.

D: Luckily, we already use it, only not this color scheme, so that is going to be also applied everywhere.

D: As you know, we also have now a whole training menu where you have a self-service training capability using David Wheeler's course, for example. Now, it technically, like I said, works, but it wasn't feeling that well, so this is like the new left overview of all the categories and how they would look like and where you're done with them, yeah, a bit more, you know, about the colors and, but yeah, so also a progress indicator.

D: So you know how far you are into the course and how much time you actually still need to spend; some nice little colors into it.

D: Let me see, yeah, a bit bundled information, yeah, and this is what the new overview should look like. So a bit more, yeah, styled, also centered content. Also, when you make it a full screen, you have a center page, not using all the space there again. A couple of new icons, introduction, correct usage of the colors like I said, a progress bar that we're going to add.

D: We are also going to make these nice training parts, yeah, and the other important thing that we actually wanted to do was the dashboard redesign and make it a sort of Arcadium-based menu, because also another, you know, UX designer and journey expert, he said, like, look, you have an amazing website, but yeah, I don't know how to use it. So to solve that, basically, what we want to do is make a dashboard, a landing page where you have, hey, the journey for a developer.

D: The journey for a pen tester, hey, I only want to do trainings, or hey, I want to start customizing SKF with the checklist, the requirements and everything that belongs to that one. So hopefully, with this improvement, it will also be easier for people to actually, yeah, use it if you're new to SKF, right, because, yeah, you can go there for trainings, but you also, as a developer, can use it for getting the right security requirements.

D: So if you go to the training in SKF, you will get these, yeah, nice boxes, then in the red one you see the different levels and skills that you can take, and when you, yeah, start them, you get like this nice overview of how it would look like full screen. That is the full screen mode. It's also very nicely done, yeah, and for the people who are maybe not aware.

D: So how does it look like now? Like this. I mean, technically it works, but as you see it's a huge improvement, what the UX designer did actually, right, so yeah. So that is that. Also next year, that we're busy with the Google Summer of Code, we were selected, thanks to the mentors in Google for mentoring and other students, and what is also interesting there is actually that we are building a sort of a video editor.

D: This video editor, you can feed it markdown, and then it will load all the content, generate videos that you then can, yeah, publish, right, and for us it's interesting because actually every main section, like requirement, design and reuse, for example, in this case, should have like a video explaining already about all the content and the topics about it, yeah. So that is also something we're experimenting with.
D: That's working and going well. The idea is there also to use some deepfake and Wav2Lip functionality, so you can actually also have an instructor, you know, in the corner, explaining and speaking everything, using some deepfake and Wav2Lip functionality, so technically also in other languages, because we have the, what is it, the Google project as well, the Google Wave Max? What was it, and yeah? So it's going to be very interesting.

D: You know, when that is done, actually, because then we can also offer, in video at least, the materials in many different other languages as well, yeah, so that is pretty nice. So there was a small question.

D: Sorry, human languages, yes. Thank you, a good point indeed. Yes, yeah.

A: I actually have one more general one for Glenn, which is, if you start doing translations into other human languages, let me know, you know, how you approach that, because there are other materials that could be translated. Also we'd love to hear, you know, suggestions or experience.

D: Yeah, yeah, well, for now, what we're going to do is at least for the editor, right, so because we're creating videos from the material, and it's called the Google WaveNet. Sorry, now it popped into my mind: Google WaveNet. So with this one we could, yeah, use it to synthesize text voices, and well, Google, as you know, has very good translations. Also, this week, that's forced very hard into getting the right tones in the different languages.

D: So we're going to experiment with that. So let SKF play guard for that, and if it's fruitful, then I will definitely share back the, yeah, the results here. So maybe it's also useful for other projects, right?

C: It's very cool. On a semi-related note, before I move on: tomorrow at 9:00 a.m. Eastern we are having our education, our very first Education SIG call, where we'll be reviewing Stream One of the OpenSSF Mobilization Plan, and so it's focused on education, so we'll be taking some of the content from this group and kind of repackaging it, augmenting it, and I would expect, Glenn, some of the things, some of the efforts out of that SIG will potentially touch on SKF, because people learn differently.

D: Very excited to see. Yeah, I think it was also open, right, so we can also join, so I will try my best to also be there tomorrow, and here I'll see how we can contribute or help, yeah, for sure. Awesome.

C: Everybody's welcome. If you want to join the Education SIG call tomorrow, I'll post things into Slack tomorrow. And then also related: many of us were at the Austin Open Source Summit in Texas two weeks back, and there will be a similar conference held in Dublin, Ireland in the fall.

C: The OpenSSF had the very first day of the conference, and we had nearly a thousand people, between 300 physical and almost 700 virtual, watch OpenSSF Day, so the foundation is going to be putting out a call for papers. So if anyone is interested in going to Europe in the fall to talk about things like SKF or David's, you know, Foundation SCORM Connect transformation.

C: I'd say getting back from, back to the States from Dublin was an adventure? Hopefully my European friends won't have the same troubles. 36 hours it took me, terrible. All right, so our other member projects: does anyone have any updates they want to share, whether Inventory or Scorecard, anything new that I share?
F: I have something. [Name unclear] from Seattle here. We just finished our major integration with OWASP ASVS, ASVS being one of the major standards in OWASP, and now ASVS uses CRE to link to other standards, which is great, and in preparation for more integrations we are working on mapping and releasing governance-related CREs, maybe later this summer. Our goal is September, by end of August, 3rd of September, which should allow us to link to the CSA controls mapping standard, and it was some PCI and ISO.

C: That would be fantastic.

F: Yeah, in the meantime, if you have, if there are any security-related, like, standards writers in the foundation that would be interested in getting in touch, we would be happy to talk to them.

C: Why don't you and I talk offline? We can send a note out, hopefully through the announcements channel, to see if we can get some broader reach.

C: All righty, let us jump into, but I hope, our last conversation for 1.0 of the awesome one-pager. I put a link in the chat, and it's also in our meeting notes here. If you could turn your eyes to the one-pager for developing more secure software, I will yield the floor over to David to see if we can get this done today.

A: Will try to remember, yeah, we'll try to remember to turn off mute, all right? Okay, so basically, lots of people had lots of great ideas. Thank you so much, and I tried to make changes and accept things. The only thing I didn't do was deal with, there were some general, some comments that, and so basically, if you don't mind, what I'd like to do is first just note that we have straight-up text with links with no changes.

A: But let's see here. So are we good with just walking through the high-level comments and then seeing if anybody has objections and then marking them off, and after we're done with that we're at least done with this one, though there's of course the other one, the evaluation one, that I think we'll work on and try to complete by next meeting. Sound like a plan, group?

A: All right, so let's start from the top. Maybe I should share my screen; that would be an amazing construct. Let's see here, if I click on share screen, desktop share, bad things no doubt will happen. All right. Okay, so if you go from the top, and I'm gonna have to narrow this down a little bit so that I can see the comments. First comment is: are we developing software or just secure open source software? And frankly, almost all this is just software.

A: It's the same old problems, so I'm going to mark that as resolved. And the title I tweaked slightly, because there were questions about, hey, are we doing ultimate security? Well, no, we want more secure. It's really a, you know, this is a, so I'm hoping that we have resolved that with adding the word "more". I changed the font size; we can dismiss that. Goal is one page.

A: Should we be providing specific blueprints on how to accomplish this? I, I? This is, the goal is one page, so we can link to it if somebody has done that. I don't know of anybody that's done that, so I'm going to mark that as done just because I don't think we know of anybody that's done that. We can always make changes.

A: If somebody finds something. Let's see here, dividing it up into sections: it's one page. I don't think we need to divide one page into sections, so I'm gonna try to claim that as done. I mean, the bullets are themselves grouping.
A: Things. Try to divide it by sort of what to do in order: tried to make a stab at that, and then I realized that everybody was referring to the numbers, and if you only refer to things by number and you move things around, it's not clear what was meant. So an attempt was made and we can make changes if people hate it. What about downloading and testing the source code and building it instead of trusting the binary? That's, I think, an interesting one, but there's two comments.

A: First of all, this was a comment about evaluating software. I think, even if you rebuild, you still need to evaluate, you know, things like: is this the right software, or is this a typosquatting? Rebuilding a typosquatting attack doesn't help, so we still need to evaluate it. Now, it's true that we could recommend rebuilding to counter subverted builds. I think for some folks where security is really critical.

A: Awesome. I don't think that the vast majority of people are going to do that. They're going to do "npm install blank" and they're going to do "pip install blank". Anything that involves downloading the instructions, re-downloading all the details about how to rebuild it, it's not going to happen. So I think that's specialized enough that it's not worth putting in the one-pager. That's, I... However, that's an opinion. That's not necessarily shared by others. Comments?

A: Thank you. Okay, I see a thumbs up from CRob. I don't hear any negatives so far, although maybe it's because I'm missing something. Alrighty, I see things in chat but nobody's, all right, so I'm just gonna mark that as done for the moment. Okay, add a note about scoping about specific tools.

A: I think it's reasonable to recommend "if you're using GitHub, if you're using GitLab," because that's so broad, but as soon as we say, let's talk about very specific tools: oh my gosh, there's hundreds of them. Just a list wouldn't fit in one page, so I think we ought to link off to something else that goes into it, but not here.

A: Yeah, but, but yeah, in fact, there is a document put out by the Tools Working Group about the different types of tools.

A: I will say, having written another similar document having a list of, at least, example tools: it's really, really hard to give specific examples, in particular because of DeWitt clauses. We often aren't allowed to publish benchmarks, but we can at least list examples. But I think it belongs in the document that describes types of tools: here's a type of tool.

A: Here's several tools that do that, and if we can publish benchmarks, that's awesome, though I don't, I think for legal reasons we're not going to be able to do that anytime soon, but we can at least, you know. So recommendations are hard, but at least lists are easy, but I would say put that in the tools list. Okay, now here's one. Yeah, okay, good, all right, I don't see any vast disagreements, and here's this next one. Really, this is a formatting thing, but it's a, I mean, they're.

A: Both points I think have their advantages. So Vicki suggested: split. Okay, "enable rapid updates of dependencies via package managers and automated tests." Vicki had said: hey, wait a minute, package managers and automated tests are different, and that's absolutely true, and then she suggested splitting them, to which I said it's not insane to split them. However, both of them help you do rapid updates, and by putting them together...

A: It lets us, say, emphasize the need to do rapid updates twice, so I had put those two together, even though, yes, you're right, they certainly could be split apart. I mean, Vicki, do you have a very strong feeling about this, or yes?
B: I think they are distinct enough and important enough that they require each their own separate thing, and I know that adds another line feed and potentially some additional lines, and it's gonna be, you know, then you're gonna have to start to mess with the margins, but I think it's important enough to call out as a separate item.

B: Try it. It looks like Marta has something to say, so maybe she believes that they should be the same thing, all in one, so go ahead, Marta.

B: I actually agree with you. There's the argument that in some cases you do not have package managers.

A: Okay, I can try to split this real quick. Okay, but how's this. Let me try to avoid writing text right this second, so let's just, I'm happy to split it. So I've added this mark that says "split". If we can do that today, that's awesome, but if not, so let's keep going through. So let's, let's split it up, that's fine! It's certainly not a hill I'm gonna die on. All right. Let's see here, the next one here is signing releases.

A: This is strange! Sorry, I'm trying to fight my computer here. Sign the releases and.

A: That's true, but I think that's even less common than signing, so I think for the moment, let's leave it as it is, and you notice that we don't even say you have to use Sigstore. Just, you know, sign. I think it's also, provenance long term is good, but that's not something that we can widely point to. That's something that means the SLSA folks are still at version 0.1; we're working it, we're working it.

A: So let's come back to this once things are a little more mature and we have more worked examples.

A: Oh, I don't know if there are or not. One, that's actually one of the reasons I put this down further, so I agree with you. Let's try to do that. In fact, maybe we should leave that a little bit if somebody has some guidance docs, but otherwise we can say that, and then, as guidance docs get created, we can point to them.

C: I'd suggest that if someone is interested in creating or participating in the creation of those artifacts, there will be a whole workstream slash SIG focused on SBOMs Everywhere. So if you are passionate about that and helping provide good guidance, that could be an area where you can contribute.

C: Yeah, I don't know that anything really exists. It's kind of based off of your particular circumstances, but the foundation will be focusing in on that, a little dedicated workstream on that. So, but we can always come back and add that reference once that work is done.

B: [unclear] It says "consider using SPDX", so is this like an OpenSSF-recommended standard as opposed to CycloneDX, for example?

A: I mean, that's up to the OpenSSF to decide. The original goal was to reference something you can use. So there it's a little bit complicated. You know, SPDX and CycloneDX are both in use. There are different folks who have strong opinions on one side or the other, and I can talk about the pluses and minuses of each.

A: Yeah, let's see here. We can certainly do that. Does anyone have a strong opinion one way or the other here?

B: I've never used CycloneDX, everything. Is there open source tools to link to, to use it? Yeah, so I know that Grype, for example, supports both formats, and, like, there is always a discussion around there, but usually tools try to support both at the moment, from what I know.

A: Yeah, there are open source tools that support both. I mean, there's controversies involving this. I mean, well, you know, I could go down that path, I'm tempted to, but in the interest of time let's do that another day.
A: Okay, onboard your project to LFX Security if you manage an LF project. There are enough Linux Foundation projects, I think this is worth including. We are actually talking about trying to extend LFX Security for situations where you're not an LFX-branded Linux Foundation project also, but this basically gives you a lot of insights. CNCF, okay. Oh, let me, I was trying to move only on the ones where somebody has a comment. Is this comment the "can you afford it" comment?

A: It's true that all of these are, you know, "if you can't afford it," but for the most part, most of these there's not significant costs. Third-party code reviews and audits, if you're talking about serious review by someone who actually knows about stuff, typically is going to run you actual money, you know, at least five, more likely six, and sometimes seven digits, which is way more than these other items. So I think it's worth warning people, you know, not that this is bad. It's not bad! It's a!

C: Like, I think, for example, with Alpha-Omega they're bucketing around two hundred thousand dollars per code review or audit, so.

E: I know, I know we tried to whistle quickly past 15, but I'd like to get back, I'd like to just understand what "consume" means, because "consume" seems rather broad. I don't, you know, I think in terms of life cycle of SBOM and connecting it to vulnerabilities, that's what I infer by "consume," but it seems very broad, so, not to, yeah.

A: Yeah, I'm not actually sure it lets them verify inventory, but I'll go ahead and take it, but really doesn't let them verify the amount.

A: Oh, okay, so reordered to a verb, as "it lets users verify inventory." Yeah, I'm trying to do this in few words, so I.

A: Yeah, inventory to know when a future vulnerability shows up, you know it's there; identify known vulnerabilities, either because it's in the SBOM or because you can map it to vulnerability lists; and identify potential legal issues, because you get licensing information. Is that not right? Good enough? [unclear] I tried. The thing is, I agree with what you said earlier; I'm trying to capture it all in few words.

A: Awesome. Okay, let's see here, "if you can afford it." Are folks okay with the warning that this is expensive, or want to reword this, or just it's not worth it? I mean, we can remove that comment, obviously.

B: Do we have enough space to tell roughly how much it can cost? So that's, you know, people, most people won't know that.

A: I think the problem is there isn't, if you want to do a thorough security audit of the entire Linux kernel, you're not going to do that for less than millions. If you're going to review [unclear], I'll bet even I can do that, so they're often 50 to 100K, but it's, I think it's so variable. I mean, we could just say "this can be costly," but I don't think we can give a simple answer to that question.

B: I would assume something like "expect more than 25k," because someone may say exactly, you're better than 50k. Someone may assume okay, "expensive," what it means, 500.

A: All right, it is a problem that it's really hard to estimate, but that's something that gets us at least a hint.

A: Invest in a culture of security and.
E: I mean, just to raise awareness, I mean, just last week on the Securing Software Repositories call, it was, there is a tool called cargo-vet that was demonstrated, claiming they're creating, and actually kind of inviting other package managers to do the same, to do auditing on their package repository. So, you know.

E: cargo-vet took a lot of commentary around having a, you know, what does an audit mean, and, we know, how do you verify the trust changes and things like those? So we probably need to come back to that at some point and factor in, you know, other, you know, if these things become commonplace, either with Sigstore or other things, you know, I didn't, you know, verifying, I didn't use an audit and Scorecard. I don't know, we need to define a framework.

A: Right, I've actually talked with OSTIF specifically, because they have a particular meaning, and yes, they go in and review specific lines and, you know, that sort of thing, but I don't actually expect there to be a single answer, which is, I think, part of the problem.

A: I mean, we could try to do something about that, or no. What do you think?

C: No, I think she has a very valid point. It generically falls under continuous improvement, but, you know, kind of.

E: Well, I'm saying, when people came to me at recent summits and they asked me how to secure my project, they need a starting point. So oftentimes I send them to look at SLSA and run Scorecard, so I'm hoping that's, you know, I mean, as a starting point: see where you fall in the SLSA spectrum and what is your score for Scorecard? That's, you know, from an OpenSSF point of view, you know, that's the starting point.

C: Which we've cited, both Scorecard and SLSA; I think we've covered those bases here. Yeah, I like your "or even have a security mindset or outlook," I don't know about it. Everyone okay with "culture of security" for phrasing?

E: I'm saying that in my mind, when I try to get them to use these in continuous integration and delivery processes, which means integration of Scorecard and integration of automation, integration of the controls that you would add to enforce things required by SLSA levels. So I.

A: Let me go. I don't really have the pen; I'm actually trying to get the wisdom of the crowd here, so I think I've got, although, though, "have a security mindset, improve scores?" That was your point, Matt: "look for tips and apply as appropriate."

E: Send out, I mean, I know you want to wrap up, and I said we're at the top of the hour, but "manages," I think that the big thing we look for is governance processes that, you know, governance processes that have a clear means to elect and maintain a healthy set of maintainers. So it's more about governance of the process than adding trust, and it's having a process.

A: All righty, I think basically I'm going to try to split it and send an email on the mailing list, but I think we can do this asynchronously, but I think we basically have this. Let's see what people think about the splitting and making last-minute changes, but I think we are getting here, so.

E: I was saying that it's not about adding, just adding maintainers; the key is maintaining a healthy set of maintainers, because maintainers come and go. You know, great minds drift to other projects, so they might leave. So you need to cull those lists as well. So I don't know how do you want to, it's basically having an appropriate, healthy set of maintainers, active set of maintainers, anyway, all done, yeah, because we have maintainers on a project I have that haven't showed up for two years.

C: All right, team. Thank you all. Good conversation. Anyone interested in the Education SIG, we'll hopefully see you tomorrow. Otherwise this group will reconvene in two weeks. Cheers.