OpenSSF Diagrammers Society, 9 Mar 2023

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: OpenSSF Diagrammers Society (March 9, 2023)

Description

Meeting minutes: https://docs.google.com/document/d/14i9v7WuQcLzWpvLe9B0sl-kf90JLwxNwrZkRXLWmEdQ/edit#heading=h.9m0zi4b0wnne

A

A

A

A

A

Hi David, how are you.

B

Hi I'm doing well I'm supposed to be in two places at the same time, which, even in the electronics.

C

I mean look good for somebody. Who's split in half.

B

Yeah, it's all smoking mirrors.

B

Alrighty so now I know that crop had presented to the attack on the governing board. So I'm not sure what this this group is going to do right now, I can tell you what I'm hoping to do, which is pitch for I, need a deck, so I actually have a very specific need, but I don't think I'm alone, which is I, need a couple slides in Google Docs.

A

B

Do some of these diagrams, at the very least the hierarchical and the cicd one and I would recommend at least maintaining a few slides that way, so that when somebody needs, because if you want to do a PowerPoint presentation, for example, you can grab it convert it, bring it over, you can grab the Google Docs slide, so everybody can.

D

B

It um and uh you know now granted there are many needs for explaining things, but one is to be able to present to others. In fact, I'm I have to create a presentation soon for um well Boeing. Oh, not not terrible. It's not a big secret so anyway, occasionally I have to give presentations. So having slides that are maintained is a good thing. Hi.

A

Jennifer, hello, how's it going.

B

I'm doing fine I'm trying I'm, not sure I'm keeping up with your requests, but.

D

B

At least made the attempt yeah.

A

I've uh said a few across apologies: oh.

B

Got nothing to apologize for I'm. You know trying to juggle too many things at once, so um I'm supposed to be another meaning simultaneous that's a little hard.

B

um So really what I was planning to do is just appeal briefly to the diagrammers uh group that uh I really need and I think many other people need a couple just Google Docs, slides that present these kind of diagrams ah and there he is.

B

Grove, aha, so I have an apology to make I'm supposed to be at two places. At the same time, even with electronics, that's hard so I have and uh the critical projects working group is simul. Yeah scheduled okay,.

E

I know that you love to Doodle, so you are not no judgment. If you go talk to some other people who don't love you as much as we do. Oh.

B

Wow all right so, but that's um all right, I I'm feeling the guilt I'm already going to fly down to the floor, um so I have a request uh really for that. You know and I guess it's somewhat selfish, but I don't think it is I. Think other people are in the same boat. I am, which is I, occasionally need to go talk about the open, ssf and generally. What they want is slides. Okay.

B

So, basically, what I would like to see is Google Docs of a shared deck of just a couple, slides that explains the open ssf that people can grab and steal from.

B

um uh We have some uh you've already done. You know at least like the hierarchy and the CI, CD and I think we can do several I'm happy to to create a Google doc of the versions that I have. If people want to replace that with better versions, that's great um but I, I think for at least now I realize that some of them, like the one, the Mind map, one that is probably not practical to put in a slide deck. That's.

E

Not gotten a lot of votes, okay,.

B

Well, I I I'm not trying to exclude anything it's much more of the having a common Google deck of hey. You need to present about the open ssf. Here you go uh that basically Builds on the ideas. I have a couple slides I can artists provide if you'd like me, mine, if you've got better ones great and um if other people have slides for some of these other views?

B

That would make sense, that's great, and if you have a better approach, it's great, but you know in the end, what I need are some slides, probably Google docs for that purpose. This.

E

Is a topic that Jennifer and I have discussed in other meetings? Okay and uh we are in agreement. This is a thing that should happen. um So if you have some Source material, I'm glad to help facilitate and coordinate and get things in an appropriately brand uh approved style, deck.

B

So Jennifer, if I just create a Google, doc and posts and just start putting things in and then other people can edit, uh is that a reasonable way to proceed. I mean we can presumably move things around later, but.

E

You know this is something specifically. The governance subcommittee has asked for.

A

Okay, this is for the visual you mean.

E

It would include the visual but he's thinking more broadly, of a walking around deck, an elevator pitch deck for the foundation right.

B

At least you know, heck I don't think it's a crazy idea to have a general elevator pitch deck. uh Jennifer I know: we've we've done some things for new members, but you know I'm thinking specifically of diagrams. If we want to have just a more General here's, the open, ssf I mean that would be. That would be quite reasonable. I was just thinking of the diagrams, but if we want to have a general open, ssf pitch deck- and this has is part of it- well, that's awesome too um yeah.

A

I'd love to do both okay.

B

A

But yeah I'm gonna get started, um dropping that in um we should have a new uh other news. We should have a new um template for slides I believe this week, so I will be sure to share that it is still with creative services, but they have been working on it and it's looking really good.

B

Okay, uh I have existing slides, so would it be okay to just start with something I already have and then sure yeah you know we can uh if it turns out to be a horrible terrible thing.

E

If this group has shown nothing else, it's much easier to start with existing art than a blank page, David.

A

Well, it actually dropped the um the template uh in the the new template based on our new style guide uh in the the meeting chat there. um It's not quite final, but it's almost.

B

Okay um wow: this is a really different format.

E

B

E

B

E

Want to share your deck David, we can collaborate and figure out what needs incorporated into an ultimate kind of walking around deck. As my friend Gunner used to call it.

A

E

A

And no matter what you start with, you know we can kind of apply the style later. That's fine! Okay,.

B

All right, so what so? The amazing process that I intend to do then is I'm going to create a new. Oh I, can't I'll create a deck with just a few slides, I'm sure that it needs improving, and uh then we can and.

E

Then, if you want to drop it in the notes or to the mailing address to the slack, we can collaborate on that and.

B

I'm happy to do it, yeah I'm, currently looking for the copy. This slide thing, which I know is here somewhere for some reason: I can't find it. Where are you.

E

B

No, no, no I'm trying to copy the whole the whole Google doc and I they've moved something I. Think I'm, not sure you.

E

Could Google and find out which.

D

B

Oh, you know what I have to go out and then right click on it. Okay,.

E

A

E

Think that's um the worthwhile project for us to collaborate on is helping get that set, and you know pass it off to whomever, ultimately, whether it's the the marketing uh committee um Outreach folks, you know kind of get to its ultimate home, but yeah. We can definitely assist okay.

B

All right, so that's that's my slightly selfish but I think I I, although I originally had the idea of just the slides from the frankly. A walking around deck is a very, very good idea, I sort of have one anyway, but it keeps getting mutated for particular audiences. So but.

E

If we get Jennifer to do it, then it's official so.

B

It's uh walking around a deck, that's right at least the starting walking around pick. Okay, I! Don't know why I can't find the button that says make a copy of me, but I will find it. It's moved, oh there. It is all right.

B

uh I'm gonna call this open ssf introduction.

B

And they're very darn, well that.

C

C

B

Actually, you know what um I'm gonna start: I'm Gonna Leave in some things and.

B

Okay, um I'm gonna, I'm gonna, actually use I'm gonna just provide the slide deck that I've used for the Big, Fix sure um and I know that it needs changing. That's okay.

B

um Format, changes, content changes, but this is at least um let's see here.

B

uh All right and I'm gonna make sure probe. You are editor an editor of this thing.

B

Okay, so here is something to diverge from.

A

B

Okay, uh the actual figures that I use are just the two: the hierarchy and the um uh you know the the CI CD.

B

Come here, I'm gonna, add CI, CD View, oh and I have a separate copy of it. I'm, not sure why I know it needs uh some updates, but this at least it will give you something to uh now. Why do I? Have it twice, I, don't know why I have it twice that will confuse everybody. Let's remove that now. It's only there once.

B

So there we go.

E

Yeah I like this new uh Foundation Temple, though.

B

Yeah I didn't use that obviously I didn't didn't, have it, but.

E

B

New yeah absolutely and.

A

I just want to emphasize there's still a couple changes to be made, so don't start you using it and sharing it around broadly, until I can get those made. It's.

E

B

Awesome, that's right, but uh you can see what I've I've done. uh I sometimes skip some of these slides, and sometimes things change around I chose this as a starting point, because it's a relatively brief introduction and talks about some specific projects and.

E

The subcommittee idea was um Arun, called it 33 30 that you have basically a one pager. That kind of is more like an infographic of what the foundation is. You have a short little deck that you could do in three minutes. It gives a kind of a higher level overview, and then you have a more in-depth version that would be like 30 minutes long to kind of tell more um more richly develop the story, but yeah this.

E

We could definitely start with something like this and uh kind of collaborate on that to see where it goes, and once we get that finalized template it'll be super pretty.

B

Awesome: okay! Well, uh let's see here who else needs uh edit access? uh Let's see here and I'm, not I'm, going to oh, it's restricted, I! Don't know why it's restricted! I'm gonna make it so anybody with the link can at least comment on it.

B

And let's see here.

B

Okay, I'm guess up and I see. Rosaria has already made the request. Thank you. I will.

B

And- and it's here.

B

B

Yeah so I I again, my original concept was just a slides with the pictures, but broadening it to a general intro doesn't seem crazy.

B

So all right, I hope that is helpful.

E

D is anything else before you leave us, since you don't love us.

B

Thank you. How about this? Thank you to everybody. Who's worked on this because you know it was pretty clear early on. There were not one way to do this stuff, so.

A

Thank you awesome.

E

Cool cool so to uh Circle back. uh Does anyone have any other opens? uh Please add those into the meeting agenda. I'll dump that into the uh Zoom chat. There I have a couple things I'd like to chat about uh the cicd diagram and then, if we have time we could talk about the continuation that Jay started about working group and sigma charity review.

E

If anyone has any other topics, please uh put that in the opens underneath Mr Wheeler's item.

E

All right, so uh I have had the great opportunity to give our thousands of words presentation uh to several working groups throughout across the foundation and overall, a very positive response into the collective work that this group has been toiling away at, uh depending on which set of stakeholders we're talking with.

E

There were different opinions on which of the diagrams they liked better than another, uh but at the the one that received the most accolades and desire for continued refinement uh was the cicd diagram that David did the initial draft of and then based off of kind of current state of things in the foundation. I did an update.

E

There is a link there to the the Ping file if you're curious, to see the embellishments I've added to the initial diagram, so I'd like to uh see if we would like to invest some time to you know double check are all the boxes in the right place? uh Are we happy with the colors? Do we have many kind of objections or criticisms, or anything we'd like to change about it, so I'll uh open it up to the floor here? What are your thoughts on the cicd diagram.

E

Thank you. This is completely unlike another conversation I've had today. uh This is this group is the opposite of providing me an extensive amount of feedback on a topic so.

C

I was just scrolling through it because I'm seeing it for the first time sure and.

E

It's is this: the same Core diagram that David shared with us a while back and again I've just uh updated it so that we, it reflects um at the time uh things that were documented in the git repositories.

E

Here, in my Derpy little thing,.

E

Here's what I will do.

E

All right, can you all see my screen.

A

E

So this is the update and kind of the my suggested placement. uh Do we want to spend some time to um you know shuffle the boxes around? Are we happy? Is this good enough? Do we want to actually start to go out and maybe talk to some of the working groups to get their uh agreement and buy-in and adjustments, or is this good enough? We send it to the artist.

B

In the Google Doc I do have a version of this diagram already um so just FYI um I think the the version the Google Doc actually is active, hyperlinks and I would encourage whatever you do to have active hyperlinks.

E

Yeah, of course again, this is just uh I. Don't get paid a dime for doing any of this I'm donating everything, because I love me some open source. uh This is not a final workout, but, okay, all righty. You know somebody else has a better idea, I'm glad for them to take lead.

B

I've got to run I'm so sorry.

C

It looks good to me, okay,.

E

So do I think this is a fairly good representation of where things would lie for the best practices, vulnerability, disclosure and end user working groups uh again I'm we're welcome to uh feedback on those three in particular.

E

um Do we have anyone here that goes to any of the other working groups that is interested in checking my work, I made a guess based off of what David originally had and kind of where I felt logically for me to place them, but do we have anyone that participates in like the the security threats or tooling or supply chain groups that might be able to give us some more expert feedback on placement.

A

E

Or better, yet, is anyone interested in going to go sit in some of those working group calls sharing our work and getting that group's feedback.

C

Yeah go to the I, go to the identifying security threats. I was just looking down the list and.

D

C

Security reviews.

D

I was going to say: I do the same, I mean I actually lead um so one of the things under there the risk. Well, here's uh security Matrix is risk dashboard. So you can actually lead that thing. So so I can that's one that could be that could be looked at there, but I'm not sure if Alpha Omega sits under the um working group. I want to say that that's a project that sits outside of the working group now I know it used to sit there but I, know I, believe it's a project.

D

That's outside of that net.

E

Alpha and Omega is a special, delicate snowflake.

E

um They are currently listed within that working groups, GitHub repository as part of that working group interesting, but if it needs to go somewhere else like Sig store, if it needs to get moved over to projects well,.

D

We have no deep emotional investment, that's you know like but like where six stories, but one of the projects, so one of the sifts I've seen that I know it used to be there, but if it's still, there I think that needs to be changed, or it needs to be clear, clarified that that's where it is, but everywhere else I've seen it is like the alpha omega and six store. I was surprised.

D

I I was surprised to see six store where it is so early on as in not having originated in the place and then being a Sith like that. That that surprised me I knew how alpha omega originated, and then, where was that I thought? That was a graduation six.

E

Door was purely, and it was a donated project it existed before. um You know it started around the same time. The foundation was starting and then that Community uh petitioned to become part of the foundation and it got put into a a Sith for and they've changed the name to project now.

D

Yeah I thought Alpha Omega, it's just a natural graduation and I thought that that was the process. So on.

E

The website, that's what it says in the git repo.

D

E

It so that is, we've um and part of like Matt's Journey. uh Through the Mind map uh recognized we have a ton of inconsistencies and duplication missing elements. So that's why I think it'd be great. If we actually went to that working group officially and saying here's, here's what we think the picture is, can you please adjust it for us, so it accurately reflects your work and your ideas. Yeah.

D

We can well either Christine or I. It doesn't matter when we have the next working group being we'll we'll bring it up. Excellent, okay,.

E

Anyone have a relationship with like the tooling or critical projects.

C

So you may have covered this in a different call, but is there a difference between say, developer and consumer I was looking specifically at the security metrics and see it makes sense in the in the package.

C

um Information again.

E

This we'd have to ask David um because he's the one that gave me the original diagram but I believe in the context of this diagram developer is someone is writing. Software and consumer is more of an end consumer like a bank or Best Buy, or you know, Lloyd's of London, okay,.

C

So it's not about them. It's.

E

Like an Enterprise, okay,.

C

It's not about them using the open source software to then build their products.

E

No! No, so if that organization was doing that, then I would assume they would be on that developer, bubble. Gotcha, okay,.

C

E

But again, we'd have to clarify with David.

E

um Anyone work with the supply chain, Integrity group, that we could um potentially double check my homework.

D

Do that there too uh right now, that's exactly what it looks like Okay um being a member of of that of that work. That's a that's exactly what it looks like I.

A

D

That we're also thinking about uh the creation of a supply chain security framework, a a governing one I know that that's been talked about. I, don't think that we've put a proposal together just yet for it like that, but right now those are the three items that are in play and I want to say that I mean Fresca's there, but I still think Fresca is in uh Community um and communities, status, I'm, not sure and full disclosure. The last meeting was a little.

D

uh What the last meeting was a little touch and go for me, I I, you know the discussion in the last meeting was like almost to the effect of you know, we'd like to continue this is there you know: do we have somebody that can help with XYZ and I was like Wow you'd like to continue? That's where we're at. So that's that's a shrug to show the moment like I.

D

Don't I don't know if um but anyway well go back to the working group and really hold down I know: salsa I know, s2c2f I know all the other things that happened now, but we talk about Fresca as if it's part of the I'm not sure about that. So that's surprised that I'll ask and.

E

Do you think the where I place the little black boxes on top w x and y and do those seem appropriate.

D

C

D

Yeah yeah well, the the build one for salsa is good, because that's uh version, one feels is just the build track.

D

um Their work to have a source track, that's being talked about as well, so that'll go off into the source portion, Source, Integrity, okay, um so that part's, fine, the the Fret the Fresco one, though the Fresco one is kind of a a bridge from if you go from The Source, all the way to the consumer right so build. It's like that. Build pipeline, um so that that might span across um S2 c2f is is is good where it's at um you know good, where it's.

E

At do you think we have uh multiple projects that um would span across the multiple bubbles that we would need to account for that, or should I just copy and paste under their box for Fresca over to source.

D

Yeah I I, don't I, don't that's a great question, uh I'm, not sure if any of the other working groups are working on something that spans across like that too.

D

um But but as far as Fresca is concerned, that's what it is and then also there's questions in Fresca about you know scope, so so that that there's even that kind of that kind of question in there too.

D

Oh yeah give me one second sure.

E

uh Yes, Matt, the actual source of authority is open. Ssf scorecard.

E

Using the power of my computer.

E

Get them represented correctly and then for Alpha and Omega um All-Star is not included they. Basically it's a lot of the same people doing the development and they hold a conjoined uh working. uh Sig call, but officially All-Stars uh sits underneath another group in the git repo, uh uh where it all starts sitting under securing critical projects and again maybe that needs to change. Maybe we do need to officially put them together.

E

But it's you know, this is the same five or six folks uh lower onto azim and Jeff, and everybody.

E

And then your statement around Alpha and Omega, is it correct where it is or underneath the security threat group, or does it need to move under project? You think.

F

No I, just I was confirmed. I I go back back to my mind, Map My Links. If I look to see you know where they, you know, if the work group claims them and they claim them so yeah cool. Thank you.

E

Yeah and then you know that may not be again, we I think we I feel we should go to each of these groups and ask them to verify and then potentially we might need to do some uh restructuring.

F

The new memory safety work is that included too.

E

um Well, that doesn't exist yet yeah that gets proposed next week. Okay uh and then we'll go through another vote, which is just going great uh with the most today so.

C

E

How that goes with the memory safety, if that's contentious or not.

F

I, don't think so. It doesn't have the word specification. So.

E

See it's open source people have opinions, but yeah theoretically, there'll be one there and then um you know like the s-bombs everywhere is going to officially uh do a plan revamp so they'll be kind of more formally attacked onto the mobilization plan at some point soon.

F

No I have to see I I'm impressed I mean I've, always liked David's diagram I was always worried about it being imbalanced in terms of where things would fall, but it looks like you, you know it the way it's presented here. It looks like there's a. It appears, there's a good balance. Let me put it that way: I.

E

Hope so you know if it represents things accurately. I I agree, um yeah, it's a it's a solid thing to start with and we can easily. You know make changes.

E

We can make sure it adapts to the appropriate brand palette and.

F

It any developer, I mean this. Whole thing is about supply chain security. So, having that view just.

C

E

F

E

Mm-Hmm and I know like the end users group, would love to actually do a like a reference architect, a real reference architecture to hand to somebody that here's how you implement the things so I'll Circle back with them to make sure that it kind of feeds into their reference architecture, work.

F

Yeah I, the only thing that you know if this is captured, I mean now Graphics designers can do miracles in these things, but the I, the one thing I tried to factor out was which things are. If there was some way in the the bull ties list or some indicator or something to indicate a code project distinguish a code project, something had a GitHub repo. Somehow.

E

um And the the foundation came down pretty clearly on that. If it's code, it's labeled a project. If it's um like a white paper or a guide, that is a Sig, uh so we can go through and again, that'll require working with those working groups to make sure that they get the names adjusted correctly and maybe we change. Maybe the projects are diamond and uh yeah.

F

I mean even even sub categories, underneath the the colored bars would be saying here are my sigs. Here are my projects you know just to seeing that repeated in each of those sections would be really helpful. Yeah.

E

Yeah- and we probably this needs to have a legend and uh other stuff, let me get that into the notes.

E

Any other thoughts um will I be able to enlist a couple of you to kind of go out and talk to some of these working groups and verify for us, yeah James.

E

Is there any groups we're missing that we might need to make a special trip for like do? We have coverage on everybody.

D

We have any coverage from all the working groups. I mean these working groups are all here, I think uh securing critical projects, I mean I, have to go back and attend some of those meetings in the secure software. Repos I gotta go into some of the means too, because I haven't been to been to many of those, but all the other ones. I've uh or security.

D

Tooling, too I think I hit one of those, maybe once every month, just to see if they're talking about anything different but but all the other ones I have I have to dip in and now.

E

Yeah I think that the tooling collides with our education, Dei group, yeah.

F

Yeah I've been trying to attend the Straits only again since things kind of pick back up a little bit um if no one's volunteered for that I can volunteer for that. If.

E

You can that would be really helpful. Matt just even kind of pop in show the diagram and get breastsers to give us feedback all right. Could you share the canonical link?

E

um Well, this is a Vizio file which is not necessarily open source friendly um I have it in a PNG and I can see if I can convert it to like a lucid chart, but lucidchart has its own complications with Google IDs.

E

um So how would you like to or I can make it a PDF? How would you like to have it well.

F

What's the reasons for you, PNG works I mean okay, so.

E

The PNG is in the repo right now and I have a link in the agenda and I'll put it here. Thanks you're welcome.

F

So, let's add it to my personal daily notes: cool.

E

And then you know, don't lose your mind map stuff, because I I think there are a couple things in motion that we might need to uh leverage that, as we actually kind of go through and start to audit uh some things across the foundation, so that my map is very useful to do that. Activity.

F

Whatever you need to do.

E

Or any additional uh thoughts or commentary on the diagram before we move on to maturity.

E

All right Jay: do you want to talk about continue our conversation around um maturity, Matrix kind of requirements for things or do you want to defer that today.

D

D

Let's deferred for today, uh I think, there's a few other things that a few other things that we I would like to tease out on on the proposal in general, like I, think there's a there's a lot of stuff that we need to I want to I want to get done with the bulk of that document, we're working on yeah and then because I don't want to talk about it separately. I think I. Think I don't want to talk about separately.

E

Yeah I I think that's fair, uh so Jay and I are working on a uh a proposal to help try to maybe get the foundation a little more structure and rigor around things like the gaps. The Mind map exercise highlighted. So we'll um definitely come back to this group. Once we have a more fully formed idea more than like three words on a blank document and kind of get your feedback on that, and then this actually ties in with something that the governance subcommittee is looking into.

E

So hopefully we'll be able to kind of triangulate and get some action and try to help get things a little more consistent across the board.

E

Any additional thoughts or anything else, we'd like to talk about today.

E

Well again, I thank you for your time and attention your collaboration, and um we will talk again in two weeks. If you need anything sooner uh mailing list and slack channel are always there. Thanks all have a great day idea.