From YouTube: OpenSSF Diagrammers Society (May 4, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/14i9v7WuQcLzWpvLe9B0sl-kf90JLwxNwrZkRXLWmEdQ/edit#heading=h.9m0zi4b0wnne
A
A
C
B
C
A
C
F
B
I guess we should probably remove, but, but if I, I think you had sent some of these slides off to graphics folks to try to make a more clean and better version, and maybe, you know, maybe that would be a useful topic of conversation because I, I think you saw it and you had questions, so I'm not sure if they went anywhere, but, but I know you haven't been, I know you've actually been busy and been doing stuff.
B
E
E
The slides that I asked for vision on from our design team were related to our onboarding, whenever we welcome a new member. They were starting to get a little stale, and one of the graphics that we have in there is one of the, the OG, the original kind of "here's everything in the OpenSSF". That was kind of hard to dig into, hard to read.
E
B
Think the challenge is that they're going to do that, I would want them to use the current versions. Maybe, you know, because, like, for example, just, yeah.
B
C
C
B
Yeah, because, for example, we just renamed GTI and.
C
B
B
No, it changed, it changed this week. We're getting recorded. You know what, this was public information. We got a, a formal letter from a lawyer from the GNU folks saying: please don't use GNU as part of their name. Now, I think, frankly, if we want it from a legal perspective, I think, first of all, let me, let me make a preface: I'm not a lawyer, I don't even play one on TV. Okay, my understanding is that doing work to support somebody else's thing and mentioning their name, saying I'm going to help.
B
This is reasonable use because, you know, it's a, you know, you know, you're referring to something that has a trademark and therefore it's okay to use a trademark to refer to the thing. However, regardless, as a general policy, the LF does its best to try to work with people and not cause unnecessary problems. So as soon as they raise the "hey, we don't like you using the name", I, although we could have possibly fought it back, basically, we're not, we're here to be helpful.
B
These projects, not cause stirs and problems; that just doesn't make any sense. So we just said: oh, okay, well, we're surprised by that, they normally aren't like that, and we've worked with them before. But okay, if that's what you want, let's rename them. It's not even a project so much as it's a funding vehicle. So fine, if, if renaming it is what they would like to do, great, let's go do that and make sure their logo doesn't have a gnu, and just, you know, just make it really, really clear.
B
You know, because we're trying to be helpful, not trying to create some sort of legal. Just not, you know, not worth it. So anyway, the reason I mention all this is because that only happened this week. So if, if they use some information as old as last week, Jennifer, it's already out of date and.
E
B
Exactly right, that's exactly right. And while I think there are other formats, having something where I can go click and get, where you can go click and give a presentation on, I mean, I'll have to admit there's, I guess, a slightly selfish viewpoint, but I don't think it's just me. I think all of us at one time or other are suddenly asked: hey.
B
What's this OpenSSF thing, please explain. And while there are many other reasons to have the results of the Diagrammers Society, I think being able to show up and hear some diagrams that attempt you to help you understand something with a lot of moving parts, I think is, I think it's really helpful. It certainly helps me, and my expectation is it helps others.
B
So if the Diagrammers Society wants to have other results, that's awesome, but if one of those formats could be a presentation that makes it really easy for a lot of us. By the way, Brian likes to call this a circus, so I'll have to pull up my standard circus tickets here for my grandfather's, grandfather's circus.
C
E
I mean, do you want me to share my screen real quick and you can kind of see what this looks like? Okay, so this is from the onboarding deck. We have this guy, which I think we can update. I don't necessarily think we need to revisit that here.
E
We have this one and then this one, and I just changed the name, by the way, to CTX. That was quick. So maybe we look at this one and, like, what kind of feedback do we want to provide to the design team to help us get back what we.
B
I, I can give you one right away and, first of all, oh, I'm sorry, Crow! You wanna go first?
E
It has not changed, so I think did.
E
Feedback that they gave. No, no, this is, this is part of our retainer. This is not, we did not pay for this specifically, but yes, it is just a change of colors. What I asked for was, in response back to this, is like: can we break this down into, like, a different format where, like, maybe we put boxes or kind of clean it up in some ways and make the text a little more legible?
E
B
Yeah, so I'm recording, but as far as, I, I'm not, I'm not terribly private about this matter. I, like 10 of males, I'm colorblind. I can't see colors, but I have trouble distinguishing some, especially if they're small, you know. So, if you give me a big swatch, I can see color differences. If they're small little boxes, hello, it gets harder.
B
B
But since there's a fairly large number of people who have colorblindness, and my particular one is the most common, I think it will be helpful, where we can, to try to use more distinctive colors, even for those who have more struggle with color blindness, is because, I said, it's fairly common, then that'd be. These colors, just, you know, I can't tell the difference.
B
For example, the, on this one, best practices badge, on identifying security threats, same color; vulnerability disclosures, end users, same color; same color on security tooling, supply chain integrity, securing software repositories; and then the last two look mostly the same too.
B
So it's just, you know, they're not very distinctive. I am confused now. I do say that there's a gradient of color, that's kind of cool looking. I'm not sure it's worth it, but sure, why not. Just a quick FYI, and this may not be obvious, for the diagram in the upper part here.
B
I believe that the implication here is that the big boxes are data and that the curled one is a build, which is a process, and that, I would think that the bottom ones probably should be dashed boxes as well, because they're all information as well. But, you know, we can argue about that point. I.
F
Yes, so, and this is a, almost piggybacking on what, with what David was saying, I think if this is going out, and, and formally in any type of way, what we did before for accessibility purposes as we italicize some things, we bolded some things. Color-wise, like, these colors, they, they look snazzy, but the, the, the, the, the, they're all, they all look the same. They're the same color with different gradients.
F
They got to be different, different colors on different gradient scales. They, they can't, and then, after that, it's got to be, you know, and then I'm talking about just for accessibility purposes, also a legend of what the arrows mean, what the boxes mean, what the dotted things mean, what the little small squares mean.
F
All of that stuff, that, that has to, there has to be a legend somewhere that talks to each one of those things, just for, just so that at the smallest, lowest education level can read this and say: I know what's happening here.
E
B
I'll tell you how I use it, and I think that's, and for those, I mean, every, you know, I, I'm a believer in the, you know, picture's worth a thousand words, but the question is: which thousand words are you needing here?
B
I often, I often do use this slide, but what I do is I don't go through every detail. What I usually do is say: hey, you know, code starts with source code, it gets built, producing packages, focusing on those things at the top, and then noticing that there's a bunch of working groups that produce a bunch of SIGs and projects which associate around those things or the back channel from those processes.
B
Now, once I say that, I can then say, I can talk about any one of these specifically. Now, most the times they don't. But the fact that it's on this chart makes it super easy to jump in and explain if they've got a specific interest, because some folks have specific interests. Showing them that there's a broader thing it lives in, I mean, you know, a stupid example, you know, OSS fuzzing: oh, that's part of the securing tooling working group, and look, you can see that and show where it is in this chart.
B
So, you know, so I, I think, well, well, I, I think it's helpful for some purposes but not others; depends on what story you're trying to tell. I.
F
Don't think you can have this slide without the two previous ones, I'll tell you that. I think the first slide line just gives you an outline of, of what, of, of, outline of the working groups, period. So these are the working groups. The second slide gives you what's happening under each working group, and that's where you begin to introduce, a further introduced, the what's bolded, with italicized, the colors of each working group.
F
Whatever you, you simply, you ins, you implement that form of the conversation, and then the last slide gives you a detail of how all of that fits together from a CI/CD view, and you have to explain it like that.
F
Right, I don't think that this slide by itself can live successfully, but I think this slide has a, as a story based on the summary told of the first and the second, is key, and I think that all three of these as a way to, for a incomer and a person coming in, if you're saying this is the OpenSSF, I think that's a great story to tell, the three slides together. I think this last one by itself will confuse a living hell out of people. You need the other two.
B
About, Jay said it better than I did, and I will admit, by the way, that although I didn't say it as clearly as he did, when I present I do actually present all three in sequence, because the first one actually is under, easy understand. I mean, that first one, I mean, yeah, okay, you know, hey, there's these, a governing board, a TAC, a bunch of working groups; that actually doesn't cause anybody any troubles, and the.
F
C
C
Away, whenever I have shared this information, I either do as David does, where you show the sequence in rapid succession, or I show slide three by itself and it's Grobe Story Time, where.
C
F
E
B
Although I've forgotten what's the name of the guy who does images, who shows the, the map of the French troops going off to fight Russia, Napoleon Gulf to fight Russia, there is a view, there are a number of folks who actually believe that busy slides can be really, really helpful if they show all the information, because then that basically is helpful, for sure, for, is it, for what probe is talking about. You know, it's a, it's a backdrop for you to talk.
B
C
C
You know, take that information and make it, make it more available to all, a wider audience, to simplify it, kind of like the, I think it's the CNCF trail map, where they have the metaphor of you're looking at a map and here's, you're following the map along all the amazing CNCF stuff.
E
E
C
Oh, and, and if people follow the rules like they should, this could be a very simple exercise of grabbing all of the working group TAC updates, where they provide all this information about their active projects, and just be a matter of copying and pasting. But I don't know that that has consistently been executed across the, all groups.
C
C
A
E
And then, I, there's other, other than the CI/CD view, if there's anything else we want to pass along to the design team at this point. It might not necessarily be already embedded within a slide deck that we give regularly, but if there's something that we want to have them work on, important for everybody at this.
C
Point, one that I've shared internally at Intel that the viewers got a lot of benefit out of was, I call it stickers. So that's like the landscape, the CNCF landscape. The viewers got a lot of value out of that, kind of understanding all the little boxes and what lives inside the boxes.
C
F
E
I think once we have our sort of family of design, a family of logos for each of the working groups and SIGs and projects, that'll be really great to display it in that way. I like that sticker view team.
B
So, why, while you're looking, I added some notes for things today. So: colors, need to make them more distinct, especially for colorblind. Colors need to be the same for each working group across all three slides. You need to add a key for CI/CD slide. I think that made, the key may be a separate slide, frankly, unless we can slip it in.
D
F
D
B
G
B
All right, so.
B
B
I do agree with you, Crow. I think in the short term, actually probably today, and if you want I could even add a proposed pull request, do the link, but I think we can link from the best practices to this, so at least it's easily, more, much more easily found. In the longer term, if we can find a way to put it on the website, that would be awesome, but the only way to do that is to make it uneditable, I think that's a trade not worth making, because we know it's.
B
B
Exactly one person has access to, and, and you know, but don't worry, it only takes, it'll only take us a two week or four week turnaround to make a change. I'm not saying that this has ever happened in my previous organization, mind you, but, but, but imagine that facts could happen in some organizations, but, and I really, you know, but, but I think that's a key issue, is that if we can't update it, then we're going to constantly be stuck with. Oh hey, Matt, welcome, yeah.
B
What, what, just, if you're, quick context for you, Matt: the GTI, for, per request of the Free Software Foundation, has been renamed to the Core Toolchain Infrastructure, to the CTI, where the C has become core. And adding new working groups, adding new projects, changing things, it happens all the time. So we just need to be prepared for that.
C
B
Mean, for, for some things, I think the, I mean, Google Docs are helpful, but you're.
C
B
Well, I think the challenge is, for, for, for presentations, it's not clear how to deal with that! Well.
C
All right, were there other topics you wanted to talk about today? Again, from your perspective, Jennifer, is there anything, you know, we can deliver to you to help get the feedback to the design team? Is there anything you, yeah.
E
Yeah, I mean, if there's, if there's specific feedback on any of it in terms of, like, what we can do. I mean, I think then the, the obvious next step will be website as well, get a nice diagram going there, and once again, I'd love it to not just be an image. I would prefer it be embedded where we can easily edit, yeah.
C
Well, and, you know, the, the intention, like, at least within the slide delivery, everything is hyperlinked, and that makes it more, much more useful and interactive for a user.
B
All right, I'm gonna have to ask a meta question: I've been assuming that the Diagrammers Society is a working group of the best practices, or is a part of the best practices. It.
C
C
C
B
B
C
B
F
B
Man, as I said, I just, I will just have to bow. I have, I have no words. All right, yeah, so I will create a pull request to link to the slide deck, and that will.
C
From there, okay, yeah, and then I will work on getting that, the plumbing appropriately set from the TAC to the Diagrammers. But again, we mentioned it in the last call that there is a proposal a couple of us are working on to create kind of a centralized working group that would account for things like personas and taxonomies, and then I would propose this gets slid under there.
F
F
B
All right, you know what, because this was originally cobbled from a presentation I gave, the first slide has my name. Why don't I just remove my name from it? I don't, it doesn't matter, and then people can put their name in or not. Okay, but I don't, I'm not ashamed. I'm very glad I was able to help, but it's a group effort and I don't want putting my name here to interfere with somebody thinking they can use this. All right, so I will, I will get that done. Yeah.
C
I'll work on that tomorrow morning.
C
Are there other topics or drawings we would like to talk about today?
F
Of working on one, getting one scrubbed, and there was one that Adrian actually presented during his talk at RSA.
D
F
I think it's wonderful, and I think it's wonderful because it takes everything that, that we're doing across, this one is just basically across SLSA and then S2C2F, but then the foundational element underneath, a zero trust principles, which I thought was something that was, like, really cool that, that Daddy did. We just got to make sure we get the clearance on, or I, well, we scrub it enough to where it's, it's, it could be put to what we want to do here in the, in the OpenSSF and stuff. I'm.
F
C
I'd love, and I think an evolution of this group in the future will be working with the assorted working groups, trying to help them articulate themselves, applying against things like the Cybersecurity Framework or SSDF, things like that, to try to help show those connections. I love the idea, look forward to seeing it, absolutely, yeah.
C
Any other items people would like to discuss, or you want to look at the vexcuse again?
B
A question on the dot, on this OpenSSF intro: everybody can, can access this, I believe. Okay, yeah, anybody can comment on it. In fact, I don't know if we want, maybe eventually we don't do that, but that's how we are right now. Is there anybody who wants edit access to it that doesn't have edit access to it yet? Crowbe, I know you've got it. Jay, I know you've got it. Jennifer, I know you've got it. Is, who's missing?
A
I want to test the publish option and see if I could get that into an iframe and then put it online and how that frequency changes.
B
F
B
A
F
A
B
Yes, yeah, all right, so, okay, so Amanda, you are, you are on the privileged few. I mean, we can't always add others. We just need to know.
B
B
You know, I, I'm hoping that you're not going to write a lot of code in, what, for a slide deck. Although I certainly know people who have written code to create slide decks before, so I.
G
B
G
B
B
So, any case, all right, so I have updated access and I will create a pull request, and this, hopefully, will make a little easier to find. And how do we make this more easily found? Because I think that just putting it in the Diagrammers page isn't, email, I'll.
B
D
Yeah, I missed my favorite meeting for some good reason, but I just wonder, the, because I, from this meeting I understand from a quote that this OpenSSF is about application-level kind of security software, so I don't know, so things like Kubernetes infrastructure, is that part of the discussion?
C
So we do have some people, so there will be, like, the best practices is working on, like, source code management hardening guides. Kubernetes itself, we probably would defer to the project, but we do have, like, the education SIG is probably going to work on some type of collateral, educational materials, on how an operator could config-harden their Kubernetes instance.
B
They do, I, I, I can talk through this a little bit, actually. I mean, the Kubernetes is part of the CNCF, CNCF, and then CNCF actually has its own security SIG, which has been working on some things, including supply chain.
B
What I tell people in general is the OpenSSF is not here to rewrite all open source code in the universe and taking over all the open source projects. Okay, this is not me. I, I say that laughingly, because I think most people understand that can't possibly be work. So we know it can't be that. So individual open source projects, we expect them to work on their own security. So if the goal is: hey, Kubernetes, I need to, you know, it has a bug, I need it fixed.
B
B
On the other hand, if you're looking for guidance on how to write code that, you know, the Kubernetes instance might use, absolutely happy to provide, you know, various kinds of guidance. I think the overlap is in things like Alpha-Omega, where, and critical projects, where we identify some projects that are important, but again, we're not taking over a project.
B
The goal is to pull, pull funding together to go work with that project, help them. They're doing the work; we're just there to, to give, I guess, you know, to be a supporting organization. They're the supported organization, so.
D
So yeah, there was anything like, for example, Kubernetes, the, the whole supply chain of developing and deploying Kubernetes, that's covered, but the actual Kubernetes security sales, that's the Kubernetes products business, right, right.
B
Exactly. Now, where there's overlap is things like: hey, how do you use Kubernetes securely? If the Kubernetes folks have a guidance doc on how to use Kubernetes security, for, securely, for example, we would say fabulous, you know, and, you know, big thumbs up. And I think in general, when you're talking about guidance for a very specific tool, I think that's generally best handled by the folks who make that tool, but when it suddenly crosses over to how do you create.
B
You know, software, but in a much more general way, then I think, I mean, we're not, if somebody else wants to do it, that's fabulous, we'll point to it, but it certainly would be within scope for us to do it. Okay, thanks. Yeah, but we, for example, I mean, your OWASP, is that, there's actually OWASP representation on the governing board. If OWASP has something cool that's helpful, or, you know, CNCF or something else, we are delighted to refer to it.
B
C
Wherever possible, we try to federate with good, you know, external things. If there's ever a collaboration opportunity, you know, we would definitely, we wouldn't turn away the Kube folks if they wanted to have us help craft something, but yeah, again, that's kind of their wheelhouse. We leave them to it.
D
C
But there is no, I am unaware of any specific SIG anywhere in any organization that focuses on, like, UEFI or firmware yet. I know there are some plans in the works, but that won't be part of OpenSSF.
D
I know the Open Compute foundations, they do talk about SBOM and all that.
B
C
C
Won't be affiliated with the OpenSSF, it's more a broader industry thing, OEMs and IBVs and things. Got it. And then they're, like, who's the fellow from Red Hat? There is a very active open source firmware project. They do some really good work, and that, that group we would partner with, but yeah, it's like, firmware and such, there is no body yet.
A
B
G
Actually, ironically, I had a conversation yesterday with somebody in the Dependency-Track project at OWASP Foundation, and they just joined a couple months ago. Their private Buildroot. If.
G
Create bills of materials that then would, can be translated to SLSA, but very early conversations. Anyways, but Buildroot is basically, like, creates firmware, and you, basically it's like a checklist, and it said: I want these device drivers for this architecture, and it builds you a embedded Linux image, basically.
B
So generally you're not, you know, you're, you're installing software at build time, but, you know, then you, then you burn it in and hopefully don't have to make many changes once it's out in the field. So, and they, again, they end up generating SBOMs and got to make sure that all the components actually work together and all that good stuff, and, and I think the embedded world is really fragmented. There's a thousand different organizations and very, very hard to keep track of everybody. Yeah.
G
It sounds like that, like, this group has a, has a standard log format they put out, and it would be a simple, I'm talking about mapping it to an SBOM, and so it can be uploaded into Dependency-Track. That's the goal, and so then diffs or deltas over time, and they can be connected to mvds, stuff like that. So, right.
B
G
B
Might want to talk to the Yocto folks. It wouldn't be surprising, you know, different tech, so you can't borrow everything, but there might be some useful, I don't know, you know, for each side, they may have partially solved a problem the other hasn't gotten to yet. So anyway, I.
B
C
Call for any items to talk about in our last nine minutes together.
B
I will post the PR that I just, oh, I actually already did. I posted a PR that I will add a link to the, the slides from the Diagrammers Society page, and then I guess I, I would prefer there be some way for somebody to find the diagrams without looking at the Diagrammers Society page, but I guess maybe you're not comfortable doing it from the TAC's. So I.
C
B
I would be happy to get around, okay. I mean, I would be, I'd be happy to propose that the TAC include, main page include a link to the Diagrammers Society diagram, in addition to the Diagrammers Society repo.
C
Awesome, and then, you know, the real target should be the actual website, that, you know, the working groups are all represented there.
E
Can we, so, just quick question: could we make it automatic, where the, the working groups are, like, can updated and then it'll automatically update on the website, like, if something could change?
B
B
Now, Amanda doesn't like that approach. But if you don't like that approach, then, as I said, there's the easy way and there's the hard way. That's the easy way. The hard way is figuring out what your alternative is, and the OpenSSF main website's a WordPress document, a WordPress system, which is, which is everyone's favorite, and figuring out how to make, turn those diagrams into something else is, is kind of rough, so I'm not sure how to deal with that.
B
I'm of the, I worry less about UI and more about getting the information out, so I'm good with making the link, but that doesn't mean other people will be.
B
openssf.org, I don't know that I have, let's go look. Looking at the working groups list, join.
E
B
A
F
B
B
Yeah, I mean, okay, let's see, I guess the links do work. So all right, I, I just, I, I guess, you know, doing an up, a manual update, but it's merely a, a command run, this conversion, isn't so bad.
D
B
I mean, that's not bad, it certainly makes it, it certainly gives a quick overview of the actual projects within the various working groups and that, and the SIGs, and that helps. We could certainly do, we can certainly do worse than this. This is, I think this is an improvement. There's.
B
B
B
C
Well, thank you, everyone. Very interesting conversation today. We will talk to you all in two weeks, if not sooner in Vancouver. Cheers, everybody, enjoy the rest.