►
From YouTube: OpenSSF Diagrammers Society (June 1, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/14i9v7WuQcLzWpvLe9B0sl-kf90JLwxNwrZkRXLWmEdQ/edit#heading=h.9m0zi4b0wnne
A
A
D
A
A
All
right
before
our
no
has
his
pile
of
items
for
us
to
talk
about
I'd
like
to
mention
that
the
project
formally
known
as
the
Sterling
tool
chain,
officially
kicked
off
the
inaugural
weekly
meetings.
They
will
be
held
Tuesdays
at
noon
eastern
time
and,
like
everything,
those
calls
are
recorded,
their
notes
are
cataloged.
Actually
we
had
a
really
great
Note
Taker,
so
the
notes
from
Tuesday
were
quite
extensive.
B
Yeah,
so
let
me
jump
in
so
you
know.
As
you
know,
we
received
some
very
interesting
feedback
from
the
a
maintainer
of
the
Drupal
community
and
you
know
I
thought
for
those
who
haven't
seen
it.
This
was
posted
as
an
issue
to
on
the
Thai
people
and
basically
we
had
a
maintainer
say:
hey
guys,
sorry
to
tell
you-
and
this
was
done
in
a
very
polite
way-
and
you
know
very
respectful
and
and
well
wishing
well
intended
clearly
to
say,
look
I.
B
Think
you're
missing
out
on
your
mission,
in
the
sense
that
most
of
the
communication
is
essentially
oriented
towards
members
or
potential
members.
Meaning
corporations
and
part
of
your
mission
is
really
to
try
to
change
the
community
of
Open
Source
developers
and
maintainers
in
particular,
and
you're
missing
you're
missing
the
target.
Basically,
the
message
is
very
clear
and
it
was
you
know.
Other
people
not
always
so
politely
said
yes,
what
what
she
said
and
and
it
you
know
basically
you're
missing,
you're
missing
the
target
to
the
point
where
we
as.
B
Based
on
that
feedback,
we
appear
to
fail,
addressing
and
so
right
away.
I
thought.
Okay,
we
need
to
have
a
strong
look
here.
We
talked
about
you
know.
We
have
a
whole
collection
of
diagrams.
A
lot
of
them
we
have
to
thank
crop
for
because
he
seemed
to
have
like
a
bubbling
mind
to
just
come.
He
keeps
coming
up
with
new
ideas
on
how
to
represent
this
stuff,
but
at
the
same
time,
like
yeah,
the
one
that
we
seem
to
have
mostly
settled
on.
At
least
you
know
it's
part
of
the
deck.
It's
it's.
B
Basically,
the
governance
structure
based
one
which
they
tell
us.
Clearly
this
might
be
useful
for
corporate
member,
but
for
developer
out
there
is
trying
to
say
hey
what
should
I
learn
from
openness.
I
said
what
should
I
care
about?
This
is
completely
unhelpful,
and
so
my
my
takeaway
is
okay.
Specific
to
this
group
was
okay.
Is
there
one
diagram
that
we
should
focus
on?
Is
there
one
that
to
Mongol
the
collection
we
already
have
that's
close
enough
and
or
is
there
something
else
we
need
to
to
develop?
B
A
A
A
very
well
put
together
issue,
and
it
was
also
incredibly
nice
that
she
went
put
forth
the
effort
to
give
us
some
suggestion.
Solutions
Jennifer
and
I
had
talked
not
about
the
issue,
but
a
little
bit
about
the
idea
of
we
need
to
start
taking
some
action
on
some
of
our
diagrams.
Yesterday
we
met
with
some
of
the
creative
folks
from
LF
about
geese
pictures,
but
then
we
kind
of
moved
into.
How
can
we
potentially
modify
the
website
to
show
to
be
more
inviting
and
kind
of
focus
in
on?
A
You
know:
om
cars
parlance's
use
cases
I
prefer
personas,
but
you
know
that'll
be
a
wonderful
potato
potato
debate
between
he
and
I.
Once
we
get
a
chance
to
chat
and
I'll
point
you
to,
we
did
we
had
a
suggestion
pretty
early
on
about
a
way
to
present
the
foundation
was
kind
of
looking
at
personas
and
kind
of
looking
at
the
user,
Journey
that
that
Persona
might
go
through
as
they
would
engage
with
the
foundation.
So
there's
a
a
Persona
View
and
we
didn't
develop
it
very
far.
A
For
example,
again
this
was
a
real,
fast
and
dirty
attempt
at
just
showing
a
possibility,
and
if
this
group
likes
that
and
if
that's
just
kind
of
the
thinking
of
how
we
might
want
to
present
the
foundation,
we
definitely
could
take
that
user.
Journey
Persona
of
viewpoint,
as
we
think
about
retooling
some
of
the
web
artifacts
like
our
git
repo
and
then
the
web
page,
there's
potential
ways
you
could
you
could
have.
You
could
put
four
questions
up.
You
know
who
are
you?
A
B
I'm
thinking
of
it
and
I
I,
agree,
I
I
think
this
is
indeed
the
the
kind
of
stuff
that's
probably
closer
to
what
they
are
looking
for.
That
would
be
better
fitted
to
to
address
this.
This
need
that
is
being
expressed
right
and
and
I
agree.
We
haven't
really
developed
this
further,
but
maybe
this
is
worth
spending
time
on
well,.
C
That
gravy
train
growing
ask
the
question,
or
this
person
wants
to
use
these
tools
or
get
this
level
of
understanding
of
we
stay
true
to
people.
Processing
technology
that
should
comprise
the
tool
chain
becomes,
then
it
would
be
if
you
want
this
information
go
to
these
people.
Who
will
give
you
this
process
which
should
have
access
to
this
technology,
something
like
that
either
way
it
works.
You
know
not
just
for
this
particular
use
case,
but
for
other
use
cases.
F
A
So
not
holding
your
feet
to
the
fire
for
a
specific
date,
but
if
we
decided,
we
wanted
to,
you
know,
take
up
this
work
and
we
actually
had
our
together
and
we
were
organized
and
we
had
kind
of
a
flow,
a
problem,
but
approximately
how
long
from
we're
done
until
we
could
get
it
to
the
web.
Might
that
be
I.
F
Mean
it
really
depends
on
the
time
of
year,
I'll
say
like
around
open
source
Summit
the
design
team
gets
slammed.
So
if
we'd
be
looking
before,
then
we'd
want
to
get
that
done.
You
know
ASAP
to
so
it
can
really
depend.
It
might
be
something
like
four
weeks.
It
might
be
something
closer
to
12
weeks.
You
know
it
can
really
depend
right,
and
it
also
it
depends
on
how
complex
it
is
that
we
want
it
to
be
so
I
I,
don't
I,
don't
feel
comfortable,
giving
them
more
specific
answer
than
that.
Yeah.
A
B
A
A
There's
there's
no
centralization
around
that,
so
I
have
a
Jay
and
I,
and
a
couple
folks
have
been
poking
at
a
proposal
to
restructure
things
within
the
foundation
and
one
of
the
ideas
was
creating
kind
of
an
architecture.
The
name
will
need
to
be
determined,
but
an
architecture
working
group
and
underneath
that
would
be
like
personas.
There
will
be
a
group
that
focuses
in
on
centralizing
the
personas
around
taxonomy,
because
we
have
a
couple
different
dictionaries
floating
around
that
conflict
a
little
bit
and
wouldn't
be
great.
A
If
we
just
had
a
common
dictionary,
we
all
used
when
we
were
talking
about
the
open,
ssf
and
then
I
I
would
propose
that
this
group
kind
of
gets
a
line
to
that
that
effort.
But
you
know
I
have
a
couple
personas.
We
could
look
at
immediately,
but
there
are
I
know
that
there's
at
least
one
or
two
other
groups
that
have
personas
and
that
we
would
need
to
refine.
You
know
when
we
talk
about
the
developer.
Are
we
just
focused
on
a
new
developer?
A
B
A
A
But
that's
what
I
agree:
Jim!
We
probably
want
to
get
consensus
on
what
the
most
important
personas
would
be
to
put
that
on
the
front
page
of
the
foundation
and
then
fit
map
out
kind
of
what
the
talk
through
like
what
those
customers,
those
Persona
Journeys,
would
be
and
like
for
this
I,
you
know
I,
don't
account
for
open,
ssf,
member
or
other
open
source
Foundation
that
type
of
stuff.
So
we're
missing
a
couple
things
like
that.
But
again
this
is
tailored
towards
cvd.
F
A
G
E
A
A
B
B
A
B
A
E
F
A
A
But
so
if
we
were
thinking
about
personas
that
the
foundation
serves
or
interacts
with,
who
do
we
think
those
types
of
people
are?
Do
we
want
to
distinguish
between
developer
or
maintainer?
Are
those
unique
enough
jobs
that
we
should
have
two
personas
or
have
one
big
Persona
with
maybe
little
baby
personas
underneath.
C
I
think
we
can
make
an
argument
that
there's
a
difference
between
Developers
and
then
and
then
you
just
you
just
gotta,
you
know
Define
them
very,
very
well,
and
then
people
will
be
able
to
make
it
better
educated
decision
on
which
one
did
they
fall
into
I
I.
Think
the
unique
part
about
I
say
this.
At
the
same
time,
I
can
already
see
the
issue
with
the
issue
plot.
The
unique
part
about
this
is
we
can
Define
with
a
maintainer.
Is
a
development
risk
for
the
openness
itself?
That's
controversial,
I
know,
I
said
it.
C
We're
ready
for
that
one,
but
but
but
you
know
and
Truth
we
can
do
that
and
we
just
have
to
get
that.
Get
those
two
definitions:
tight,
nice
and
tight
because
I
agree:
I,
don't
think
you
know
it's
not
easy
to
say
that
that
you
know
a
developer.
A
maintainer
doesn't
have
to
be
a
developer,
but
every
developer
is
a
maintainer.
No,
that's
not
the
case.
If
you
can't
say
that
it's
not
if
you
can't
make
the
the
and
it's
it's
an
or
that
way,
then
that
means
you
have
to
Define
both.
A
C
B
C
I
think
it'll
matter
to
enough
people
where
we'll
only
end
up
doing
it
anyway.
She
does
do
it
in
the
beginning.
That
way,
you
can
let
them
fight
over
what,
because
that
them
fight
over
the
exact
definition,
let's
not
fight
over
whether
it's
there
at
all
at
the
like
11th
Hour
right,
the
the
people
only
end
up
wanting
to
see
what
they
want
to
see
anyway.
Whatever
makes
them
feel
good,
I'd
rather
have
the
argument
for
than
against,
and
only
end
up
doing.
It.
A
A
B
Yeah
I
agree
I.
You
know
from
the
website
point
of
view
for
sure
we
don't
want
to
have
basically
blown
up
to
so
many
categories
because
becomes
unmanageable
and
even
for
people
to
find
their
way
through,
it
can
like
too
much
of
a
pain,
so
I
agree.
We
need
to
try
to
reduce
it
so
that
it's
relevant
enough,
but
not
like
go
crazy
on
the
number
of
persona
we
end
up
with.
C
I
will
also
say
that
in
doing
that
and
make
sure
that
we're
yeah
look
at
what
we're
impacting
with
the
implication
of
that
is
the
stuff
that's
already
been
developed.
You
know
guides
yeah
Frameworks
Etc.
What
have
we
been
using
across
the
openness
and
stuff
that
conflicts
one
way
or
the
other
of
what
one
Persona
is
in
one
working
group
and
one
Sig,
eight,
no
one
person
and
one
sick
ain't,
necessarily
the
personally
used
in
the
working
group.
The
death
State
belongs
under
I
mean
we
have
to
sit
there
and
boost
that
up.
A
A
And
then
having
gone
through
that
bike
shed
years
ago
with
first
and
miter
and
everyone,
the
security
industry
has
agreed
upon
the
term
finder
to
represent
any
kind
of
researcher,
a
hacker,
anyone
that
discovers
a
vulnerability
and
reports
it.
That's
just
that
I've
got
art,
Mania
and
I
got,
and
we
were
involved
in
so
many
arguments
over
that.
Not
he
and
I
arguing.
But
just
people
arguing
around
us
about
that.
C
A
C
Things
that
we're
going
to
only
end
up
fighting
about
later
on
yeah,
say
finder
I
promise
you
I
could
think
of
one
person
that
we
know
fondly.
That's
not
going
to
call
himself
a
finder
and
that's
Jonathan,
yeah
I'm,
not
going
to
say,
find
it.
Jonathan
is
going
to
always
say
researcher
who
loves
the
term
researcher
he's
never
going
to
use
binding.
So
I
I
was
just
oh,
my
God.
This
is
going
to
get
fun.
C
C
A
And
vendor
in
the
CBD
world
we
had
supplier,
because
there
are
think
about
something
like
the
Fedora
team
for
Red
Hat.
They
are,
they
don't
have
a
product,
they
aren't
a
vendor
themselves,
it's
Community
Driven,
but
they
do
Supply
a
unique
set
of
functionality,
whereas
red
hat
is
the
vendor,
but
they
both
are
kind
of
suppliers.
B
B
C
Well,
I'm
saying
that,
because
all
schools
in
traditional
articles
are
supposed
to
manage
both,
you
call
it
inbound
and
outbound
instead
of
inbound
and
outbound
and-
and
you
suddenly
hear
those
terms
anymore,
but
inbound
and
outbound
possible
is
a
man
to
know
so.
I
mean
consumers,
but
also
losers.
Yeah.
A
A
A
H
H
H
B
B
H
B
H
G
C
H
Claim
the
time
the
title
hacker,
because
I
don't
have
a
enough
of
the
hacker
ethos
type
but
I
do
I,
do
have
a
history
of
pushing
things
and
seeing
how
they
break
just
for
curiosity's
sake,
and
that
has
gotten
me
into
trouble,
as
evidenced
by
my
currently
being
subpoenaed
in
a
federal
class
action
lawsuit
between
zoom
and
zoom's
investors.
So
you
know
I
mean,
like
is
yeah
I.
H
B
A
H
H
Be
completely
honest
to
you
all
here
the
amount
of
effort
that
it
takes
to
actually
find
a
security
vulnerability
anywhere
in
this
industry
is
actually
way
lower
than
I
thought
it
was
like
vulnerabilities,
are
a
dime
a
dozen
and
you
just
need
to
start
sneezing
and
you'll,
find
them.
I
thought
that
you
needed
proper
training.
Proper
education
I
thought
you
needed
to
take
classes.
H
A
H
A
C
C
I
could
have
put
money
on
him
taking
five
to
ten
minutes
on
the
back
end
too
I
could
have
did
that
as
well.
I
took
the
over
easily
I
told
you
Jonathan.
So
let
me
explain
to
you
what
occurred
before
you
got
here.
Pro
put
out,
finder
I
said:
look,
I
can
tell
you
right
now.
We
know
of
one
person
who
I
definitely
know
didn't,
have
a
problem
with
finder
definitively.
He
calls
himself
a
security
research
he's,
never
gonna
call
himself
a
finder
he's.
Gonna
have
us
think
about
it.
C
H
So,
actually,
on
my
on
my
job
description
or
on
the
title
that
I
was
given.
Originally,
it
was
security,
researchers,
security
and
slash
security,
analyst
on
the
title
and
I'm
like
I.
The
security
analyst
is
not
a
you
know,
it
seems
like
a
freaking.
You
know
unsexy
sort
of.
Like
so
I
said,
can
you
please
make
it
security
researcher?
Also?
H
E
H
Proud
I'm,
proud
of
my
title
as
being
a
security
researcher
I
thought
that
it
was
it's.
It's
been
a
space
that
I've
always
like
kind
of
looked
in
on
and
been
like.
Oh
that'd,
be
cool
to
be
that
someday
and
I
feel
like
I've
ended
up
there,
even
though
I
feel,
like
you
know,
we've
all
got
our
own
brand
of
imposter
syndrome
and
I
still
have
mine.
So.
E
G
B
H
A
A
I
will,
after
I
write
my
email
to
Ops
to
get
the
meeting
name
change
in
the
calendar.
I
will
send
an
email
to
this
mailing
list
as
soliciting
additional
thoughts
around
the
personas
that
we
may
want
to
invest
more
time
in
kind
of
mapping
out
how
things
line
up
and
serve
those
communities.
I
think
that'll
also
help
with
the
Sterling
nonsense
that
we
probably
have
some
gaps
like
this.
B
C
A
H
G
H
H
H
H
Yeah
this
one:
this
is
the
code
behind
that
state
diagram,
hey
who
I
thought
that
was
kind
of
fun.
I
figured
that
state
diagrams
should
live
with
the
codes.
I
wrote
that
in
the
in
in
mermaid,
because
it
was
more
relevant
anyways.
So
this
is
a
state
diagram
version
of
this
flow
graph,
so
this
flow
graph
describes
or
proposes
a
flow
for
automated
vulnerability
disclosure
disclosure
across
open
source.
G
H
H
The
idea
is,
it's
you,
you
have
a
vulnerability
and
you
after
you
ask
the
repository
like
host,
or
you
know
like
GitHub
bit
bucket.
You
know
I
was
like.
Is
there
a
support?
So
PM
people?
Let
me
just
start
down
here.
The
key
would
be
a
good
starting
point.
Pmpvr,
which
is
a
programmatic
means
of
private
vulnerability.
Reporting
which
forget
up
is
PVR
for
gitlab
is
private,
private
pull
requests
start
Terminator
decisions
Fork
joins
are
places
where
we
have
two
concurrent
threads
breaking
off.
Ores
are
where
things
come
together,
delays.
H
H
H
G
H
If
not
has
90
days
elapsed
since
the
process
began,
if
not,
has
the
public
pool
acrossed
been
open
if
no,
as
the
repository
had
pmpavr
enabled
we
just
iterate
over
this
continuously
and
if
we
have
pmpvr
enabled
we
go
to
the
yes
case?
If
it's
been
at
least
90
days,
we
go
down
here
and
we
create
a
public
pull
request.
Otherwise
we're
going
through
this
flow
over
here.
This
flow
happens
concurrently
with
that
Loop
over
there.
So
we
go.
We
try
to
find
the
vulnerability.
H
Truly
go
up
here
and
if
we
find
emails,
then
we
go
and
branch
and
do
two
two
parallel
flows
here.
Otherwise
we
you
know
if
we,
if
we
have
repository
issues,
enabled
but
no
emails,
we
go
down
this
route.
If
we
have
no
pmpvr
and
it
or
issues
are
not
enabled,
then
we
just
go
the
email
route.
If
we
have
no
issues,
enabled
no
pmpvr
and
no
emails,
we
just
create
a
public
color
request.
Otherwise
you
zoom
out
of
here
that's
not
much
more
than
a
hair.
H
We
go
into
these
two
flows.
The
top
one
is
focused
on
issue
based
disclosure.
Where
we,
where
we
either
open
an
existing,
we
create
and
exist.
We
use
an
existing
issue
or
we
sorry.
We
use
an
existing
issue
or
we
create
a
new
issue
and
then
for
this
flow.
We.
If
the
issue
was
closed
or
deleted
without
a
response,
then
we
are
finished.
Otherwise
we
wait
at
least
35
days
for
the
issue
to
be
open
before
completing
the
issue
phase,
which
is
basically
asking
the
maintainer.
H
H
If
not,
you
have
an
option
of
either
waiting
90
days
or
waiting
for
a
response.
That
is
not
a
vulnerability
or
the
proposed
fix
is
invalid,
or
at
least
90
days
has
occurred
since
the
email
was
sent
and
those
three
complete
this
flow
as
well,
and
then
at
the
end
of
the
waiting
for
email
and
for
the
issue.
At
that
point,
we
check
again
to
see
if
pmpvr
is
enabled.
If
it's
not
still
at
that
point,
we
open
a
public
pull
request.
Otherwise
we
end
yeah,
that's
that's
the
that's.
The
flow.
H
H
If
they
say
the
proposed
fix
is
invalid,
because
the
code
that
we've
given
them
is
not
right,
then
it
just
doesn't
happen.
I
don't
have
a.
You
know
that
that
probably
means
that
your
code,
that
you're
generating
is
wrong,
and
you
should
you
know,
go
back
to
the
drawing
board
and
consider
trying
to
fix
it.
For
that
case,
yeah
there's
one
thing:
that's
not
handled
in
here
that
I
just
throw
in
here
there's
a
case
of
like.
G
H
H
The
this
conforms
to
the
90-day
disclosure
policy
for
the
for
the
open
source
security
Foundation
they
get
a
little
bit
more
of
a
I
mean.
Currently
it's
not
really
defined
if
we
disclose
via
PM
PBR,
if
they
get
like
an
additional
time
at
that
point,
right,
like
they're
like
okay,
like
let's
say
that
they
they
take.
You
know
30
days
to
to
get
pmpvr
enabled
do
we
then
give
them
90
days
here
in
this
phase,
or
does
the
original
30-day
disclosure
window
continue
to
apply
from
this
point
forward
and
I?
H
Think
that's
a
problem
because,
like
that,
like
generally,
is
a
problem
from
like
determining
when
the
start
is
because
like
what,
if
we
don't
find
an
email,
but
we
are
able
to
open
an
issue
right
like
that,
could
be
nebulous
and
kind
of
difficult
I'm
inclined
to
just
keep
it
simple
and
try
to
like
handle
this
with
a
90-day
disclosure
window
as
soon
as
this
is
enabled,
but
I
am
happy
to
hear
dissenting
opinions
on
that.
One.
H
H
Up
calls
it
PVR,
but
I
didn't
want
to
have
it
be
get
up.
Centric
I
mean
I,
know
we're
using
issues
as
a
term
as
it
is
so
you
know,
and
other
people
use
tickets,
and
you
know
all
that
stuff
and
I
was
just
like
you
know.
Let's
make
it
programmatic
means
of
also
PVR
is
just
private
vulnerability.
Reporting
programmatic
means
is
the
API
sort
of
way.
You
know.
A
And
I
I
do
need
to
drop
for
my
real
job.
I
have
to
record
a
podcast,
so
I
need
to
reboot,
because
my
computer's
about
ready
to
explode
yeah,
but
please
feel
free
to
continue.
Yeah,
I
I
think
it's
good
work.
If
you
folks
have
feedback
for
Jonathan.
Please
share
it
with
him,
and
I
would
also
send
this
to
our
mailing
list.
Jonathan.
Just
because
there's
a
couple
folks
that
participate
that
aren't
here
today,
the.