C: Oh, I'm doing okay, still in the car, so it's not, I don't make a lot of notes now.

C: But so far we're still waiting on that, more people, so I would say: let's give it a couple of minutes and see how many people we have for today.

C: There are, there, we have our friend David.

C: It's nice that you could join us.

D: Oh, me too, I'm having a weird computer problem, so I may have to return, but hopefully it'll work itself out.

C: Perfect, all right, yeah, maybe any new people that do want, your short intro, Anthony, maybe.

A: Sure, well, I'm a web dev, mainly I work on Astro, if you've never heard of it, I also use a little bit of Go and am working a little bit on a compiler, so yeah, about security, I know the basics, I'm still learning some, you know, more advanced stuff, and I mean working with random, so yeah.

C: All right, thank you, and glad to see you joining this meeting.

C: One actually was on me and Randall, the idea that we were going to have a chat with Fabian from CodeQL to see actually how we could tackle the topic of the Stack Overflow. You know, that was also part of our scope, that we wanted to help and improve, and so actually Randall and myself, we had a meeting with the clerkier and there were a couple of, yeah, interesting outcomes that we could do, and we could have a collaboration basically with CodeQL. Randall.

C: Do you want to highlight a bit what the actual, yeah, discussions were with the Xavier?

C: I had the discussion with the Xavier and basically two ideas came out of it. The first one, if I remember by heart, because I'm in the car, that was actually that he said, like, yeah, it would be ideal that, for example, we could create like a sort of skeleton app set, because one of the limitations of CodeQL is that it needs to be compilable, runnable, correct code, which most of the Stack Overflow snippets are actually not, right.

C: So we thought of, okay, let's make some basic, basically some very simple templates where we could paste in those code snippets, so we were able to run it with CodeQL and see, you know, if it detects the vulnerability. And I believe he also mentioned that could then also be an extension of the bug bounty program, right, that they also have going on with CodeQL.
B: No, I have it right in front of me, if you like I could read it, but yeah.

F: No, you're right on, you're right on the money. He also mentioned possibly using, you're using, the most critical projects list that should be coming out of the critical projects working group as something of a base for what we, or what the program could entail.

C: So those were the two things actually, and, you know, but it's maybe good to discuss here in this group, yeah, what we feel about it. Personally, I think like the first idea to create like a sort of skeleton, tiny apps in different languages sounds actually quite interesting, not only because we can use those.

C: You know, those type of skeleton apps and the vulnerable code snippets to create like new levels, for example in the SKF for it, but also, if we do this properly and we can make all that metrics and that data, we actually can, well, build a sort of data set of, like, vulnerable code snippets and maybe correct code snippets, and then also be... oh yeah, sorry.

C: Yeah, that would be awesome, because, you know, basically, if we have that type of data, right, of all those vulnerable code snippets.

C: We basically can also help in, like, our other tools that are out there to use those codes, if it also has a benchmark, right, to further improve and further tune their capabilities as well, yeah. It's not only, yeah, making CodeQL good, but, you know, other type of tools that are out there could also potentially use them, yeah, all those skeleton apps that we then collect over time, right.

C: And I would say, as a natural progression, then also using something like this and building this, for example, extension in a browser to check even more while you're browsing, well, you're looking at certain code snippets, would be, in my opinion, also more usable, easily doable in that case to them.

F: Yeah, what I was going to add to the compilable feature: Glenn, Anthony and I have been digging into this a little bit. So what CodeQL does is that it basically has a unified, like, AST that it converts to. I think that's what he meant by it needs to be compilable. In other words, it needs to be like the AST, like, because CodeQL actually runs on that AST that gets generated, so I think what he was trying to say is that the code needs to be, like, compilable to the AST.
D: I do want to make sure that we don't lose the original problem that started us down this path, which was basically work with folks like Stack Overflow to stop the bleeding. In other words, not just find it where it already is, but stop it from getting in by changing the answers in these top vulnerable pieces, so that they're no longer, so that the top answers aren't the wrong answers.

C: No, I think you're right, so we have had the discussion and we, so indeed, like, yeah, we should do this. Only then, of course, the other indication, right, like, okay, but yeah, that means somebody has to review it and determine, right. So that's why we were looking more in a sort of automated way how we, yeah, actually could achieve this.

D: Yeah, I'm not so sure that we have to do that part. There's already a number of papers that identify, you know, here is known, well, bad code in Stack Overflow. I would start there. I don't think we need to go hunting and finding every answer that's wrong. No.

F: It's just a matter of, like, the question has always been: how can they go about it, and, like, there's also certain, like, gotchas, if you will, to them doing that. But what they had originally thought was that they can go maybe towards, like, some of the bigger answers that are most used, that are vulnerable, and they actually do have a sample of where they did find one answer that was vulnerable, and they have, like, I think, a blog post, if I'm not mistaken, that we have here in the Slack, if I'm not mistaken, that I can... but anyway, long story short is that that's, I think, what they were looking for, like.

D: Exactly, yeah, and I would start with the ones that have already been identified and try to work out what's the right answer, and work with Stack Overflow and so on to correct it, and then, yes, absolutely, if we can use tools to find where it's been implemented wrongly, then use the wrong code, that's great. But I'm just, I'm afraid that we'll keep fixing it forever but not fix the source of the problem.

D: No, no, stop right there. What you're talking about is programming, correct? No, no, no, no! What I mean is, if you're copying and pasting from Stack Overflow, for most developers I would make an argument that that's what they mean by programming. We're not going to stop it, right. It's not right, yeah, assuming we're going to stop it is never going to work, so we gotta meet the developers where they are. I do agree with you that copying without knowing what you're doing is a bad idea, but I don't think we're...

F: Well, I mean, I guess what I was saying more is that, like, at least from my experience of helping a lot of people out in Gentoo, you know, a lot of people like to describe symptoms. They don't actually describe problems, and then what I noticed a lot of times is that people give answers about how to essentially make the symptom stop persisting, but it doesn't really fix the problem. You know.

D: My worry is, it sounds like we're actually in agreement here. We're not going to stop people from going to Stack Overflow and looking up the correct, the top answers. We just want to make sure that the top answers are as right as we can make them, right.
F: Or what I was also suggesting with the educational bit is, you know, I have been going through a lot of the educational documentation, much of which is yours, in SKF, but I also think that it would be good, and we also mentioned this to Xavier, to actually point people where, like, they could get, like...

F: Maybe another context to that answer, like, and maybe add more to that, because, as I said, like, a lot of things on Stack Overflow are not that they are incorrect, it's just the fact that, like, they don't have the whole situation, like, you're not painting a very good picture of what exactly you're doing, so, right.

D: You know, this is probably the wrong group to have an anti-education discussion. I think we're all in agreement: education good, linking to the education good, so yeah. If we can link off to the "here's the answer and here's more context to help you understand that and use it appropriately", I think that's great, yeah.

C: Well, what we could do, because this is also a thing that I wanted to do actually for all the labs that we have in SKF and all the code snippets, it's actually also providing the secure implementation. Now there is two sides of this coin: one, if we would link in Stack Overflow to that resources with your material.

C: The code snippet, right, with the fix, live environment where you can play and test and verify stuff and get that context like Randall was saying. At least, you know, we have one source, and if we, you know, do a review and we update those code snippets and those speakers and sprite that we provide that they probably will copy paste, at least we can update and maintain it in one server, because we're all linking it at the education board to that source of fix it.

D: Now, now there, we may actually have, I have an idea, but I haven't pursued it. Somebody else may do. I've, of course, used Stack Overflow, lots of people have, but I haven't, you know, given, you know, an infinite number of answers before. My understanding, and please correct me, someone, if I'm wrong, is that if you provide enough answers and so on, you can get, I forgot what the scoring mechanism is, but I'm going to call it karma, I don't know if that's their name for it.

D: I think everybody knows what I mean. I think if you have a high level of karma you actually can, you know, re- or sort the answers, at least in certain cases, so we might not need, I think we might be able to work within the Stack Overflow mechanisms, finding those people who are really motivated to give right answers and work with them, basically these highly trusted people.

D: I don't think we, if something, I mean, done one of two ways, but neither one is better than the other. I don't think we should get involved. It's when there's a top answer that's insecure and there's a better way that's secure, and where a lot of people are using the insecure way, where we get involved. So hopefully we can cut it to clear cases where it's bad, you know, clearly bad to clearly good.
F: Would it be a good idea, or what would your opinions, David, be, if, for example, because I know that CodeQL has, like, GitHub Actions, and I know that we're getting back to this whole... but what about if we use GitLab, and I haven't thought it that far, but just saying, I mean, theoretically it would be somewhat easy to basically make a bunch of rules from, like, the top answers, and we could maybe even prototype this with something like JavaScript. That's very easy to do, or, like, its syntax is easy to write.

F: You know, we could try it out and we could try linking it, because, I mean, SKF has a bunch of documentation about, like, how to do JavaScript stuff already too, so I think it'd just be easy to see how it goes and see, because then we can implement it in a GitHub Action for someone that's just basic or just normal. They could just implement it, use it, and there you go.

D: I don't understand how that helps with the bad answers on Stack Overflow, though. It's still there, it's still getting copied in over and over again.

D: Is true, that does it... I think for education, that the goal for the education was to fix that. If we want to help get tools better, we can share that information with, like, the tools working group and get them to work on that. Okay.

D: Yeah, I know, it's not a crazy idea. I think it has legs, but I think the goal of step one is to stop the old, you know, you know, step one, stop the bleeding, right, and right now every time somebody goes to Stack Overflow they're bleeding. And you're right, in some cases they might be on GitHub and they might use a GitHub Action that might look for it.

F: But otherwise the idea of Xavier would be to see how judicious, just like, as an OpenSSF thing, David, how we would be able to align, because they are interested in kind of what we can align with, because, yeah, there are a lot of things, I think, in OpenSSF that Xavier thinks could potentially be of benefit for CodeQL, or it can be done by CodeQL, I think, okay, and I think that has to do with the bounties, and he's kind of in control of that, in charge of the bounties.

D: Right, right, I encourage thinking up ideas and making stuff happen. I just think we ought to, you know, in order to make sure that we don't try to do 10,000 things, none of them well. If it's education, or, you know, teaching, and I think fixing Stack Overflow answers is relevant, we should work it. If it's more of a "write some tools", great, let's find a way to get that to happen. We may end up dumping it in a different working group in the OpenSSF, and that's just fine.
D: I don't want to get it stuck forever, but I think I would love to wait another week at least and maybe send her a reminder, you know: hey, have you had any success? I mean, it's not just her, I mean, she makes, you know, her darndest and they never return her calls, right. So I don't want, it's unfair to stop the world because, you know, she suddenly gets overwhelmed or they don't answer her calls, but I do think we ought to at least make an honest try.

F: Okay, I will message her on Slack and I will find out for us, and okay, if she is overloaded, I will draft an email and I will share it with you, and I will share it also with Glenn, and that way we could get on the same page of what we're going to be sending out.

D: Wrong answer is that you've got some answers that are our top answers that are insecure, we'd like to find a way to help you fix that, right.

C: Well, I think, according to our previous meeting, when we define the scope of what we're going to do and what we're not going to do, it also came to the attention that we actually also, for the other item about curating and obtaining new material.

C: What is actually in scope of what we want to deliver in terms of secure development? I mean, is that web API related? Is it including mobile? Is it including, I don't know, desktop applications? Do we think we should also spend time on that, to carve out the scope of our area where we want to offer secure software development education?

G: If you were to break the education elements into the functional areas that software engineers exist within, if that is front-end development, there is a whole cadre of different focus areas within that. If it's back end, those are different, and then there's obviously full stack, which will have elements of each of those together.

D: Yeah, and I would, well, I think full stack you can cover with front and back. I would also add embedded, which is another whole area and isn't really covered by either front end or back end very well, and you might need to divide it up further. For example, usually I try to break things into programming languages, because then you can, you know, then you can point out specific constructs.

C: Oh, sorry, yeah, I just want to say we have, of course, year one and year two and further, so I would say maybe first, you know, to focus on what is really burning in the world, right, where we can add the most value and reach the most people in building secure software, and maybe then divide, go in the second year or the third year, whatever, to go a bit more in the harder, more complicated areas, because, like, embedded, you know.

C: Well, yes, it's also a bit of a burning topic, but ideally, yeah, but that's more my personal preference. I would then also to have, like, you know, people to be able to flash, I don't know, their own ESP or hardware device, a simple thing that costs like five bucks, to also practice real time with things and try things out, right, and that takes, of course, some research, and then be able to, well, also build those labs for those things where they can practice, etc., so yeah, I do agree.

C: I see also a need for that, but should it be in our first year goal or in our second year goal? Yeah, I think that's also important to think of, right, when we define a scope.
D: Yeah, I mean, if you stuck a gun to my head, I would say start with back end with some specific, widely used programming languages and then kind of expand from there. One thing that worries me on the front end is that really, for so much of that stuff, you're talking about either JavaScript or, well, TypeScript, WebAssembly, running on a web client on a machine you can't possibly trust anyway. So why are you worrying about security? For the most part, it's, you know, anything you do that's security relevant is wrong.

D: It's not quite true, but so much of this stuff really needs to be done in the back end and not the front end. Same for mobile apps. There's some things, although that's, you know, there's definitely things you need to do for security on mobile apps, and yes, a lot of people are writing mobile apps.

C: Yep, yeah, I must say indeed, when we talk about mobile, you know, I know a bit the MASVS, right, the Mobile Application Security Verification Standard, and indeed it's more about, hey, if you're storing sensitive data, use ABC, or do this, don't do that. So yeah, but again, indeed, you're right, most of the things that do matter there are hopefully all in the API backend, right, and then you have the back end stack again. So.

D: Yeah, if the front end folks stick in security checks but they're doubled again in the back end, you're okay. That said, there are definitely things you can do in the front end that are disasters, things like obviously security checks only in the front end, or slipping in private keys on the front end that are shared among users, because, boy, that's a great idea.

C: Yeah, indeed, and token or public/private key generation based on predictable metrics, and, well, activities that are not shielded from other applications, and you...

C: Yeah, and the Enclave, right, of iOS, and at least I know there are some good open source projects actually where you can practice these things, right, as well for Android as iOS. It's only, yeah, we need to have a capability then to simulate, or, you know, to also again give this possibility for them to, in a safe environment, play with these things.

C: It is more, I say, more doable, I would say, in the short term, for a first year, yeah, MVP sort of thing, right.

D: Yeah, now, I mean, that's to say that, for example, mobile applications, clearly there's a lot to do, and in particular I think one of the problems on the mobile app space is not protecting yourself against the other apps. You know, oh, we're all one big happy family. No, you're not. But yeah, but again, as I said, if somebody put a gun to my head, I would probably prioritize the back end.

C: Yeah, indeed, on top of my mind, I think we did make a list of programming languages that we wanted to cover. I think it was Java, Python, .NET Core, Rust, Go.
D: I don't know the facts, so I think step one is to figure out what to be, what's to do.

F: Because I know that we have a, like, I know that we have, and I've been going through SKF and it's very impressive. Glenn's actually been helping me, and me and Anthony have been actually, we're gonna be picking up a lot of the work on there, but I know that your guide is out there because we've been reading it. The course, your course, David, uh-huh.

D: Yeah, yeah, it's in there, and I haven't seen how Glenn tried to integrate the two. So sometime, Glenn, we ought to see if there's a better way to do things, but.

F: This is what I'm getting at. So what we were going to do in SKF is, we were going to overhaul, like, most of the front end, like me and a group of, like, five people, so I wonder if we could, like, take care of some stuff in the process, because, for example, I know that for red team or for testing we're using the OWASP Testing Guide, and that's, I think, a slightly out of date.

F: So I mean there's, I think there's a lot that's already in there, is all I'm saying. I just think that we should inventory maybe what we do already have on there, because OpenSSF is on there. So we can inventory what we have and then figure out what we're missing, because I think honestly for most of web applications, most of that is pretty taken care of, I would say.

C: No, in SKF for mobile we only have the security requirements, the wizard, the knowledge base items and stuff like that, and indeed for web application and API we have 70 labs for Python, 74 Node.js and 70 for Java.

C: So we actually do have a lot, and I do agree with you, David, as well, that we need to, yeah, I have a, but I think also in this setup, we're in the training and education, I think we should also be able to further do more calibration, collaboration with you to extend actually your software foundation fundamentals course to, yeah.

C: Add the missing categories, the missing items in there, right, to have, like, a full coverage, and that's why, you know, I was really keen on, you know, not trying to reinvent the wheel but, yeah, to really collaborate with all the other projects that are out there, like the testing guide for the offensive stuff, right, for you, for the secure development part, yeah. Instead of trying to do all the things ourselves, I rather want to...

C: You know, reach out to the different other open source projects, contribute back to them as well, make their project more awesome, which makes SKF as a platform more awesome, which, yeah, every project owns their own sort of responsibility and also their expertise, right, which we can all then increase, I say improve, using, yeah, the feedback and the people using, for example, the SKF platform.
D: Right, yeah, I'm all for collaboration. I mean, obviously these two things were done independently. It shows, but that's okay, you know, that's where we are, and I'm all for collaboration.

D: No, we, I'm delighted to blame macOS. Thank.

F: I was gonna say, I would like, I think this would be beneficial for everything, is, I think, if we could have a unified spot where we have the edge, or where one can go to consume the educational material. I really like that idea, because I feel like, if not, you just get stuff everywhere, and I feel like to some degree that's already happening, and it gets really hard to really track.

D: Yeah, I'm not quite as convinced that the one platform über alles, I actually don't think that's gonna work for a variety of reasons. For one, I don't think SKF is SCORM compliant at all, and for a lot of organizations that's the end. It's not SCORM! We're already done, we're not even talking to you, you're not relevant. Fair.

D: And SCORM has its own limitations, so the fundamentals course is SCORM compliant and we're delivering on storm connect with storm connect right now, but SCORM creates all sorts of limitations. You're not going to be, for example, able to implement the "I have a bunch of running code and I'm gonna go, you know, compile it and check it out." That's just not something SCORM supports. SCORM thinks of things in terms of little modules of education and quizzes and tests.

D: So, you know, just from that alone, I don't think you're gonna have, you know, at least for all cases, a single platform, but, that said, we can bring it to a small set and try to make things work better where we can.

D: Yeah, I do believe that trying to do all possible platforms is a little hopeless, but it is weird, like the little SK, the course, we're still supporting edX.

D: It costs more, that's totally weird, and yet there are a lot of people who show up because it's on edX and don't go to the other one, even though the other one's free and, you know, there's no time limits, and just, I think it's overall, you know, for that particular course.

D: It's hard to see why people choose the edX course, but it's clear that people really do prefer the edX course in some circumstances. So, okay, that's a little surprising to me, but the LF training folks called and said: hey, there are people who only do the edX and you'll get visibility you wouldn't get otherwise. So, great, let's help people learn.

D: Possibly, possibly. I'm saying, I was just saying, from the point of view of costs it doesn't make any sense, but clearly there must be reasons people are choosing one or the other. So, okay, fine, we learn.

F: Let me ask you another question, David. If we were to be working on the user interface, and let's say we were to, like, really polish it up, would it be better to build this maybe as something that's open-ended and can be consumed by other work groups or by other people that may be, down the line, might want to make the SCORM course or something?

F: So should, for homework, maybe for myself and Anthony, that we could do is maybe bring an inventory to the next meeting of what we do have in SKF, and Glenn could possibly help with that as well.

D: Yeah, I think that's a good idea, yeah, and in fact we have that list, that document that's supposed to list the various existing materials. It's really rough, it needs a cleanup. But yes, let's create that little list of what's in SKF now and at least copy paste it into our document about what the materials are that exist, because that way at least that information is easily accessible and won't be a mystery to anybody.

D: Yeah, I mean, and you can always enter the languages. You know, you're throwing a Ruby, thrown at this, throw to that. But once you have some, it'll probably be a lot easier to add more with, you know, eight similar topics but different language.
C: Well, there was another thing actually, because, if I remember correctly, there was also a sort of document, how you say it, published on the 14th in the USA. It's about the enhancing the security of the software supply chain through secure software development practices. Do...

D: Yeah, I just recently read that, I read that, what was it, yesterday, yeah, yesterday, myself. I didn't, I didn't, and I never got a chance to review it ahead of time.

C: Yeah, okay, yeah, because actually today, that's why I am still in the car, I went to the Cyber Security Alliance, which also are looking into the, well, the issue at hand, right, providing education and training, and they also brought up that, actually, indeed, you know, this document was published, and they also mentioned that this will also be initiated here in Europe by our government as well, yeah. So yeah, I just wanted to see if you guys were already, yeah, aware of it or maybe could share some insights.

D: I would have more opinions if I was allowed to view my desktop window, but let's see here, so let me just say from memory. I mean, there's, I wrote up something, I'm gonna see if I can share that blog, off the first, stretch it out first, but I mean, the good news is that they're caring, and that sort of stuff, and that's all good, but there are definitely problems with the document.

D: I mean, you know, it's very much written for the U.S. government, assuming that all software development projects are very large projects with many, many people in them. You know, hey, make sure you review every line of code. I don't know how a one-person project does that. They want to review every... They want self-attestations from every supplier, and it's not entirely clear to me, but it sounds like they want the suppliers, not just immediate, but all the transitive suppliers.

D: That's going to be interesting. The only, and earlier versions from documents from this said they weren't going to ask for that for the open source projects, but now they don't seem to be having that exception. The only solution they have is, if somebody doesn't want to fill in the form, then they can get information from a trusted third party who has gone through FISMA or similar, so that'll be interesting. What is that form? An excellent question.

C: All right, yes, I also heard a bit of the same noise actually from a couple of other people who said it's sort of a similar worry that they have, just like you just mentioned.

D: Yeah, now, you know what, now I have, I'm kind of... Please, please forgive me, I'm kind of noodling this, so don't hold me too much to this. But, you know, a lot of people have complained that, hey, I do this open source project, but where's the money I get paid? If this is a side project and the government, US government, wants all these forms filled out, you know, and it probably is going to take eight to ten hours to fill in the form, and I'm thinking...

D: You know, this is a match made in heaven. You want me to fill in a form about my open source project? Great, I might, I charge a hundred dollars an hour. It's gonna take me 10 hours. Send me the check for a thousand dollars, I'll fill in your form, and then we'll see how many U.S. government folks are serious.

F: You know what I'm talking about. There was another one, though, that was on Twitter, about, like, some open source project got this, like, 24-page questionnaire from Epic Games about, like, their open source project, and yeah, they were, like, expecting a reply and they had a deadline for when they wanted to, like, get the reply.

D: Yeah, now see, this way, in my viewpoint, if somebody wants you to do something, especially if they have a deadline, that's the time to begin the negotiation. Great, how much are you willing to pay? And the answer is, I want it for free. I wouldn't tell them "pound sand". I would say, no, thank you, I'd like to just, I'm going to do something else.

D: If you want me to change my decision, let's talk cash. All right, I don't, you know, I don't understand these organizations who think that they can ask for people to fill in forms for stuff where they're not paying. Sorry, that's not reasonable.
D
D
So
you
know
so
so,
let's
so
I
think
that's
that's
actually
a
fabulous
Subway.
So
let's
bring
this
back
to
hey.
Do
we
have
an
education
role
related
to
these
forms?
D
I,
don't
think
it's
at
all
crazy
to
have
either
a
part
of
a
course
or
maybe
even
a
separate
little
course
about
hey
you've
been
sent
a
request.
How
would
I
answer
such
a
thing?
D
I
could
even
imagine,
since
these
things
are
all
supposed
to
be
about
security,
primarily
so
securing
sustainment
I
could
easily
see
an
open,
ssf
role
in
helping
folks
fill
that
in
I
mean
we
do
want
projects
to
have
good
security.
Behavior
I,
don't
know
how
well
their
forms
are
going
to
end
up
being
related
to
good
security
Behavior.
Unfortunately,.
F
F
Best
practices
badge
program-
we
have
actually
has
a
lot
of
the
same
questions.
D
The problem is there's not enough of a match, and I thought at first there's just one form, and then I was rudely awakened that in fact there isn't one form. But if the US government actually worked with industry and created a standardized form for Central quests, and it's actually decent, then we could probably find a way to help. Here's my fear so far: the US government has essentially not been in any way interacting with industry.
D
Yeah, so I, if the US government continues to gaze at its own navel and write docs without any consultation from the outside world who write most of the software, I think that... I don't know what will result, but I feel pretty confident that it'll be garbage.
F
Let me also say this, because this has come up twice in different working groups: the U.S. has a way of imposing things. In other words, if it becomes a standard in the U.S., people kind of feel like it'll become a standard everywhere sooner.
D
Or later, right, but the problem, well, but there's an if there. Usually that only works if the US government does it and at least some U.S. companies buy into it. The U.S. government's actually pretty famous for things that it says that didn't go anywhere, because almost no, because very, very few people in industry supported it. So.
D
No, so, but I think you're right to a certain extent, but I think it's because when they do it well, it's actually, they can produce really great stuff, right.
D
So I just, right now, I'm worried about that lack of interaction because, like for example, that report that we just talked about, one of the other things it has is: make sure your developer never has access to email or the internet.
D
No, no, the assumption is you're using your organization's internal network that isn't connected to the internet. There, okay! Well, it's, I mean, it's obviously the one true way to develop software, and tackling at this because I work in an organization that doesn't even have an internal network. The Linux Foundation doesn't have an internal organizational network.
D
It's not the 80s. No, no, that's, and you know what, I think they've got some good ideas in there too. We've just, I think those problems like that can be resolved if they solve the fundamental problem of: they've got to interact with industry. They, you know, there could be disagreements, but there needs to be that interaction.
D
No, I mean, we're not responsible for what the US government chooses to do. I do think it's reasonable to say: hey, I want to raise the flag somewhere, and I don't mean a national flag. You just, hey, I'm concerned: you seem to keep creating stuff without talking to industry, shouldn't that stop and never ever happen again, right? So I'm not sure exactly how to raise it.
F
We're good. Glenn and I are actually going to have a meeting about front end tomorrow, which is why some of these questions came up, but yeah, we are planning on revamping that and we would love also, David, I'm sure, to have your input so that we could, you know, try to knock off as many things at once. Okay.
D
Okay, love to chat with you on that, and I don't know if I can do it tomorrow, unfortunately, no.
D
Work better together and, you know, how can we make different parts? I do think, for example, I do see that we're gonna have multiple platforms indefinitely, if for no other reasons, and you know there are a lot of folks who really only want the simple past multi, multiple guests, I can bring it into my arbitrary learning management system approach, and then there's the other. Oh my, you know: hey, I wanted to interactive software development, you know, get answers, you know, hands-on code, I think.
D
Right, right, and Glenn, speaking of which, I Rose, we're kind of running over, but I think it's an important point. We're running over on... I've made some updates to the course. I don't know how you handle updates from the fundamentals course. These are the SKF very.
D
But I can't, I'd send you a link, but I can't do it. But if you go to openssf.org and click on training, it includes a link to the GitHub repo.
D
And there's some weirdness in the markdown file, because the quizzes are there too, not the big section tests, because those can't be public, but the internal little quizzes, you know, knowledge quizzes. Those are there in the edX format, so everyone, let's all use some, see some weird lists of questions, that's in its own special format, but other than that, it's straight up Markdown.
C
And David, actually, the meeting I have tomorrow with the guys of Randall is at this time now tomorrow evening, so I can send you the invite. Maybe you can join, maybe not, but I will at least forward it to you, damn, and otherwise we will just think up another time. That's also fine.
D
Okay, that would be awesome, yeah, d-wheeler, Linux foundation.org, just my usual work email address, that'd be fabulous, all.