►
From YouTube: Education SIG (May 3, 2023)
Description
Agenda – https://docs.google.com/document/d/18GBwvQJNcPnwxKrnp43DhBZC7K1JM0xzGkDoKh5mu8U/edit#
Slack – https://openssf.slack.com/archives/C03FW3YGXH9
Mailing List – https://lists.openssf.org/g/openssf-sig-education
Git Repo - https://github.com/ossf/education
C
A
A
It
would
be
wonderful
if
we
could
get
the
readme
setup
like
we
do
for
best
practice
or
the
education
Sig
just
so
as
because
with
it
being
live.
If
people
go
to
the
root
of
our
git
repo
for
the
foundation,
it'll
show
up
and
if
they're
curious,
they'll
click
on
it
and
it'll
say
nothing
which
will
make
them
sad.
A
B
A
A
B
A
I
had
noted
the
the
European
open
source
Summit,
the
call
for
papers
closed
yesterday,
and
they
will
be
opening
up
a
open,
ssf
day
track
coffee
papers,
soonish
I,
don't
know
when
Jennifer
was
planning
on
doing
that,
but
that'll
be
in
the
coming
weeks,
and
it
might
be
a
great
idea
for
all
working
groups
and
sigs
to
think
about
it.
But
I
would
love
to
have
education
represented
and
also,
if
we
can
get,
the
Deni
group
represented.
That
would
be
amazing.
A
A
B
B
A
A
B
B
B
So
it
kind
of
just
goes
into
tips
and
tricks,
like
I
guess
from
the
dni
team,
we
can
write
out,
like
top
X
tips,
on
like
submitting
your
application
for
a
scholarship
or
interview,
and
then
that's
a
piece
of
blog.
If
you
want
to
split
this
into
multiple
series,
I
think
we
can
just
continue
with
that.
A
A
I
think
that
would
be
a
very
useful
resource
yeah
and
that's
something
that,
depending
on
I,
imagine
that
the
foundation
has
the
ability
to
do
you
know
metrics,
so
we
can
kind
of
see
what
kind
of
Impressions
we
got
and
how
many
you
know,
monthly
viewers
we
had
so
I
think
that
could
be
useful
to
kind
of
show
that
this
is
pretty
important
topic
and
there's
a
lot
of
interest
outside
there
in
the
community.
Yeah.
A
B
A
B
A
A
We'll
see
I
know,
I
had
had
conversations
personally
with
sisa.
They
are
a
government
agency
here
in
the
United
States
and
they
were
very
interested
in
things
like
the
open
source,
piece,
cert
and
also
the
education
plan,
because
that's
a
big
strategy
here
in
the
states
is
trying
to
increase
cyber
security
education,
so
they're
very
interested
for
more
details
about
the
education
plan.
A
A
And
Christina
was
working
on
a
response
with
Nicole
to
potentially
we
might
get
an
invite
for
that
group
to
go
talk
to
the
White
House
about
kind
of
our.
What
what
our
deal
is
and
what
we're
kind
of
our
goals
are
what
we
want
to
achieve
so
again,
I
think
that
would
be
amazing
engagement
to
be
able
to
have
that
opportunity
to
talk
and
Express
their
concerns
and
see
if
we
can
get
some
some
traction
and
resources
behind
this
important
effort.
C
Yeah
for
sure,
I
think
I
think
you
know
the
the
year
one
always
looked
like
a
pilot
or
a
kind
of
a
seed
round.
If
you
like
of
of
all
of
it
right
before
getting
the
the
corporate
engagement
that
we're
all
hoping
for
and
I
guess
still
expecting
and
I
mean
you
know,
government
and
and
public
sector
engagement
is,
is
fantastic
as
well
and
there's
there's
certainly
a
lot
of
funding
as
I
understand
it
out
there
in
the
US
government.
Behind
the
topic
I
mean
the
timing
is
really
good
as
well.
C
You
know,
with
with
the
objective
of
graduating
out
of
programs
and
getting
into
opportunities
the
following
summer.
You
know
so
it's
absolutely
the
right
time
in
the
next
month
or
so
to
be
thinking
about
you
know
how
do
we
start
ramping,
Up
Programs
to
engage
students,
whether
it's
you
know,
High
School
College?
B
C
B
C
C
The
two
cycles
that
we
see
a
lot
of
our
community
members
looking
for
looking
for
opportunities
and
and
being
engaged-
and
you
know
making
time
commitments
which
is
ultimately
what
I
need
people
to
do
right,
I
think
you
know
people
need
to
put
in
a
50
to
100
hours,
minimum
right
to
like
get
into
cyber
security.
Whatever
the
structure
of
that
is
and
I
know,
education
and
GUI
isn't
isn't
all
just
about
young
people
in
early
careers,
but
you
know
that's
the
Next
Generation,
that's
the
future!
C
That's
where
the
hundreds
of
thousands
pipeline
again
I
come
from
right.
There
they're
not
going
to
be.
You
know,
they're
not
going
to
be
physical
security.
People
who
are
really
trained,
I
think
that's
definitely
Partners
For,
That
I
think
there's
there's
a
huge
gap
which
is
going
to
have
to
be
filled
by
by
the
Next
Generation,
and
you
know,
organizations
that
really
Drive
changes
in
there
and
they're
represent
in
the
representativeness
of
their
Workforce
by
doing
so
kind
of
bottom
up
right.
C
B
B
B
C
B
C
A
Swaths
of
types
of
learners
and
kind
of
let's
try
to
focus
in
on
where
we
can
get
the
reach
the
largest
audience,
for
you
know
the
least
amount
of
effort.
So
if
we
think
that
you
know
Young
Learners,
we
do
have
a
lot
of
content
already
available
kind
of
at
that
entry
level.
So
maybe
our
first
steps
could
be.
If
that's
our
largest
population,
our
largest
Target
population.
We
could
take
a
look
at
the
content
and
see
what
do
we
need
to
tailor
what
is
missing
to
help
those
Young
Learners
getting
into
a
career?
A
So
we
talked
about
you
know,
learning
how
to
work
with
Git
and
commits-
and
you
know
these
some
of
these
more
interpersonal
fight
type
things
that
might
not
be
part
of
the
Technical
Training,
but
you
have
to
have.
As
a
software
engineer,
you
have
to
understand
how
to
to
work
within
cicd
pipelines
and
how
to
work
with
source
code
management.
So
maybe
we
kind
of
look
at
the
content
and
try
to
augment
a
couple
of
those
pieces.
A
We
think
would
benefit
younger
Learners
first
and
then
we
can,
you
know
once
we
have
things
in
place.
There
then
we
can
move
on
to
whatever
we
think
the
next
most
beneficial
Target
group
could
be
so
maybe
that
would
be
retraining
maybe
and
what
types
of
things
do
you
need
to
do?
Reskilling
and
yeah
100.
C
So
thinking
about
cyber
security
for
application
developer,
cyber
security
for
infrastructure,
Engineers,
cyber
security
for
web
developers,
cyber
security
for
UI,
Engineers
right,
you,
you
name
it
right.
Cyber
security
for,
for
you
know,
QA
and
testing
all
of
the
like
adjacent
roles,
and
it
happens
to
be
more
or
less
the
same
content
right
as
people
start
coming
through
that
some
people
are
going
to
make
that
reskilling
career
pivot.
Other
people
are
going
to
go
and
pursue.
C
A
B
C
With
with
City
like
approval,
something
kind
of
the
budget
and
the
plan
correct
is
that
is
that
kind
of
I
don't
want
to
say
a
formality?
Is
it
likely
to
be
a
case
of
a
waiting
game
to
get
the
plan
approved?
Is
that
kind
of
the
right
buy-in
or
is
it
likely
to
be?
You
know
the
some
kind
of
this
going
in
the
right
direction,
but
you
know
all
of
this:
stuff's
gonna
have
to
change.
We
need
to
adapt
the
planet
XY.
This
is
anyways.
A
A
So
I
have
exactly
zero
dollar
zero
Euros
in
funding.
So
if
we
want
to
reward
so
if
we
want
to
give
a
developer
a
scholarship
or
a
grant-
or
you
know,
conference
tickets
to
use
Knicks
or
whatever,
whatever
we
think
the
best
reward
is
I'm
not
able
to
do
any
of
that.
But
any
of
the
content
that
is,
you
know,
volunteer
based
like
we
want
to
develop
a
secure
quality,
UA
testing
module.
We
are
empowered
to
do
that.
There's
no
stopping
at
and
then
secondarily
I
need.
A
I
would
love
for
the
governing
board
to
say
this
is
a
great
idea:
I
have
a
sdlc
team
at
my
mega
Corp
organization.
I
would
love
those
people
to
help
work
with
you
and
either
donate
content
or
volunteer
to
give
the
boot
camp
class.
So
I'm
looking
for
people
as
well
volunteers
as
well,
but
anything
that
you
know
we
all
can
accomplish
for
zero
dollars.
We
can
there's
nothing
stopping
us
from
doing
that
today,
but
you
can
I
I
need
to
have
budget
and
I
would
love
to
have
more
volunteers.
C
That
makes
a
lot
of
sense.
Getting
the
volunteers
tends
to
be
I,
don't
want
to
say
easy,
but
if
you,
if
you
build
out
the
program,
start
getting
people
into
it
and
you
prove
you've
got
to
reach
and-
and
that
probably
is
some
element
of
of
stipends
right,
otherwise
necessarily
enable
people
from
all
different
backgrounds
and
walks
of
life
to
get
in
we've,
run
stipended
and
unstipended
programs
and
both
works.
Well,
there
is
a
difference
in
terms
of
the
turnout.
There's
no
doubt
about
that.
C
You
know
it's
the
same
as
people
who
can
do
unpaid
internships
right
that
it
isn't
a
representative
cross-section
who
are
able
to
do
that.
I.
Just
people
would
like
to
yeah,
but
once
you've
got
a
program
set
up
right
and
you're
kind
of
going
hey,
we
need
somebody
to
you
know,
run
a
mentorship
session
on
you
know:
CI
CD,
security,
best
practices
or
or
whatever
it
is.
C
A
Yeah
and
that's
exactly
the
thing
Max
is
I
need
to
have
a
concrete
ask
for
the
governing
board.
So
if
I
want
to
have
a
CI,
CD
expert
come
give
that
class.
I
need
to
I
need
to
a
identify,
that's
a
gap
for
us
and
then
B
I
need
to
ask
for
that
specific
thing,
as
opposed
to
I
need
development
help
secure
development
help.
So
if
I,
if
the
more
precise
we
can
get
in
the
request,
so
we
identify
we
have
these
specific
gaps.
A
C
For
sure
I
I'm,
just
thinking
creatively,
I,
do
wonder
if
you
can
close
together
a
training
program.
Folks
to
you
know
in
an
unpaid,
Manner
and
then
drop
into
a
code
contribution
program
where
they
pair
up
with
like
some
of
those
Alpha
Omega
projects
and
that
long
tail
of
of
you
know
increasing
increasing
numbers
of
identified
projects
with
security
gaps
and
then
get
paired
up
with
the
mentorship,
and
they
do
you
know
some
actual
code
contribution
and
because,
suddenly
that's
you
know,
that's
the
best
of
all
worlds.
That's
a
great
idea.
C
Making
that
a
bit
of
a
the
the
reward
and
the
end
goal
right
rather
than
paying
people
to
do,
training,
which
I
always
think
is
a
bit
problematic,
I
mean
some
people
might
look
at
doing
the
training
as
the
outcome
itself,
which
which
we
hope
it
isn't
it's
what
people
can
do
once
they
have
that
training?
That's
the
outcome.
A
A
But
the
Omega
is
the
you
know
the
bottom
10
000
projects
and
that's
really
where
that's
I
think
somebody
could
jump
in
and
cut
their
teeth
on
and
add
value
with
that
kind
of
guided
mentorship
and
then,
as
they
prove
themselves,
that
maybe
they
do
actually
get
handed
more
work
like
from
the
more
professional
style
audits
like
what
you're
doing
with
openssl.
For
example,
you
know,
maybe
they
pair
up
with
a
mirror-
and
you
know
they
get
to
Shadow
a
real
pen,
tester
security
auditor,
and
that
would
you
know
again
experience
for
the
resume.
C
C
You
know
you're
having
to
work
on
Enterprise
code
bases
for
the
first
time
and
and
work
with
a
a
team
of
of
maintainers
and
you
are
securing
software-
that's
used
by
millions
of
people.
So
it's
it's.
It's
really
really
valuable
experience
and
work,
but
I'm
just
think
I'm,
just
sort
of
starting
to
think.
You
know
a
bit
creatively
about
ways
to
amplify
right
and
then
and
I.
A
Well
and
touching
on
that
my
organization
I
know
every
organization
I've
worked
at
in
my
career
typically
has
a
very
robust
internship
program.
So
it's
just
a
matter
of
kind
of
getting
in
plugged
into
that
internally
for
me,
finding
out
what
their
schedule
is.
So
if
I
could
you
know
earmark?
Can
I
get
four
internships
for
open
source
code
development?
A
You
know
I
can
see
if
I
can
get
on
that
train
internally,
and
then
you
know
if,
if
we
get
four
other
big
companies
to
do
the
same,
then
we
have
a
larger
pool
of
folks
that
people
can
get
internships
on
and
also
get
that
real
career.
Large
corporation
experience,
they're
working
on
those
large
code
bases,
as
you
mentioned
so
again,
I
I.
C
A
C
Bet,
I
bet
security,
you
know
security,
engineering
or
you
know
appsack
or,
however,
we
want
to
cut
the
exact
Focus
here,
right,
I'm
sure,
you'd
really
struggle
to
hire
folks
who
could
drop
into
who
you
know
could
get
through
the
interviews
to
be
an
internship
in
an
internship.
Even
if
there
are
you
know
top
computer
science
schools,
because
they
will
only
you
know
they,
they
might
memorize
the
RSA
algorithm,
which
which
I
I
can
still
probably
yell
at
a
whiteboard
15
years
on.
But
you
know
what
use
is
that
to
anyone
right.
B
A
I
I
am
sad
that
it's
just
a
couple
of
us
here,
but
I
I
think
maybe
I
will
spend
some
time
formulating
an
ask
for
the
group
and
maybe
I'll
shoot
it
out
to
the
mailing
list
and
slack
to
see
if
we
can
get
more
people
thinking
about.
How
can
we
creatively
start
to
take
action
and
connect
thing
connect
people
to
real
work,
I,
like
the
idea
of
you,
know
the
Alpha
and
Omega
connections
and
like
internship
with
large
companies.
A
So
let's
see
how
we
can
do
that
and
then
there's
a
we
have
a
spreadsheet
with
a
bunch
of
stuff
on
it.
I
just
don't
know
that
that
stuff
is
exactly
helpful
for
those
learner
paths.
So
again
we
I
think
David
has
the
security
fundamentals
like
security
architecture,
Concepts
and
principles.
I
think
those
are
pretty
well
done
and
then
some
fundamental
coding,
things
I
think
are
pretty
well
covered.
B
A
C
Don't
know
how
much
it's
really
interesting
right,
because
as
soon
as
you
put
a
tangible
end
goal
and
and
set
of
capabilities
that
you
need
someone
to
have
have
learned
right,
for
example,
being
able
to
contribute
to
one
of
the
Omega
projects
and
once
they've
done
I,
don't
know
a
couple
of
months
of
work
without
being
eligible
for
an
internship
as
a
security
engineer.
Suddenly
it
becomes
very
clear
what
the
the
learning
path
is
right.
C
C
C
So
I
think
this
is
probably
a
really
fantastic
way
of.
Actually,
you
know
making
all
of
that
real
and
thinking
about
right.
You
know
how
can
we
get
some
people,
you
know
getting
PR's
merged
by
the
end
of
the
year?
Who
right
now
are
in
I,
don't
know
their
second
year
of
college
and
they
they
haven't
even
decided
what
their
major
is
going
to
be,
let
alone
realize.
Yet
they
want
to
be
a
cyber
security
engineer
when
they
grow
up.
B
Firefighter-
and
this
is
interesting
because
we're
we're
kind
of
on
the
alpha
omega
side-
we're
kind
of
figuring
out
how
to
handle
the
sensitivity
of
data
with
collaborators
and
and
volunteers
and
our
interns,
because
we'll
be
having
the
triage
portal,
which
is
limited
to
just
us
us
and
you
know,
respected
parties
that
they
flow
through
these
steps.
So
I
think
that's
that's
an
interesting
approach.
We
can
probably
do
like
GitHub
like
badges
or
something
I,
don't
know
how
that
works,
but
something
to
show
that
they're
not
eligible
to
move
forward.
So.
C
C
A
Yeah-
and
that
was
part
of
our
section-
three
reward
strategy
is
some
type
of
digital
badging,
that,
as
people
prove
themselves,
they
earn
Awards
and
I.
Think
that
that's
an
excellent
idea
to
say
this.
This
person
is
certified
okay
by
the
open
ssf.
They
can.
They
have
these
skills
and
they
are
here
to
help
yeah
you're
a
qualified
contributor.
A
A
And
what
whatever
the
Derpy
thing
is
credly
or
something
everyone
sends
me
these
silly
little
credly
badges
you
could
put
on
your
profile,
but
it's
you
know
it.
A
kind
of
a
digitally
assigned
URL
is
all
it
is,
so
somebody
could
put
that
as
a
c
and
part
of
their
CV
or
their.
You
know,
body
of
work
doesn't
necessarily
have
to
live
inside
of
GitHub
or
whatever.
B
A
C
I
mean
that's,
that's
the
big
thing
that's
been
been
floating
around
my
mind.
Really,
you
know
is:
what
are
the
outcomes
that
we
want
to
get
people
to?
What
what
is
our
real
Focus?
How
can
we
prove
value
in
like
a
three
to
six
month
time
scale?
How
do
we
put
together?
All
of
the
the
you
know,
the
Dei
objectives,
with
the
training
objectives
with
like
heck,
you
know
what
what
are
the
actual
outcomes
that
we
we
want
and
and
I
think
the
outcomes
are
pretty
clearly.
C
C
You
know
honestly
and
I
think
if
we,
if
we
can
tune
the
centralization
model
right,
yeah,
there's
an
awful
lot
that
we
can
do
there.
I
know
that
you
know
from
our
side
from
from
mlh.
We
could
definitely
Source
the
the
hopper
of
participants
to
to
come
into
a
program
like
that.
You
know
pretty
quickly
and
I
think
from
across
our
six.
We
could
we
could
easily
Source
the
the
kind
of
infrastructure
and
support
to
make
that
kind
of
program
work.
C
It
probably
does
need
a
a
little
infusion
of
cash
to
begin
with,
right
and
I
think
that's,
probably
the
right
sorts
of
numbers
that
are
in
in
the
plan,
as
is
to
kick
something
off
because
to
make
it
sustainable.
You
know
the
industry
that
benefits
from
those
those
code
contributions
and
that
Talent
creation
need
to
be
funding
it
right
because
then
it
then
it
it
grows
and
grows
and
lives
forever.
A
Yeah
that
that's
excellent,
so
I
have
to
pick
up
my
child
it's
his
last
day
of
his
freshman
year
of
college
today.
So
when
I
get
back
from
that,
I
will
ponder
a
an
email
out
to
the
group
to
try
to
give
a
concrete
ass
to
get
start
to
get
people's
thoughts
aligned.
With
our
conversation
today,
I
I
like
how
this
has
turned.
A
C
A
A
C
B
C
Mommy
died,
yes,
it's
there
check
it
out.
I'll,
send
you
like
I'll,
say:
I'll,
send
you
both
a
hackathon
to
check
out
yeah
we'd
love
to
have
you
there
if,
if
you're,
free,
genuinely
I'll
ping,
the
team
here
running
it
swing
by
check
it
out
meet
some
of
our
community
I.
Think
Microsoft
are
doing
some
stuff
there,
but.