►
From YouTube: Education SIG (June 14, 2023)
Description
Agenda – https://docs.google.com/document/d/18GBwvQJNcPnwxKrnp43DhBZC7K1JM0xzGkDoKh5mu8U/edit#
Slack – https://openssf.slack.com/archives/C03FW3YGXH9
Mailing List – https://lists.openssf.org/g/openssf-sig-education
Git Repo - https://github.com/ossf/education
B
D
So
I'm
going
to
disappoint
you
krobe
and
not
disappoint.
You
I
do
have
the
breakfast
sandwich,
which
I
pretty
much
eat
every
day.
The
background
is
not
the
nice
one,
because
it's
supposed
to
rain
soon,
and
so
that
kind
of
makes
it
all
lame,
but
hopefully
I'll
get
out
there
later
today,
during
the
s-bombarama
of
that
this
is
putting
on.
A
C
C
A
A
B
C
A
A
Talk
to
my
friends
inside
our
secure
training
center
of
excellence
within
my
company
and
the
Intel
developer
manager
class
is
almost
scrubbed
they're
doing
one
last
review.
They
were
looking
at
there's
a
bunch
of
images
they
have
in
the
slide
deck,
so
they
were
looking
to
see
what
the
copyright
on
those
were
in
either
remove
them
or
replace
them
with
open
source
images.
A
A
We
will
get
that
and
the
person
mentioned
that
we
we
had
asked
to
review
several
other
of
the
Intel
classes
and
they
expect
that
the
review
and
scrubbing
process
will
be
much
more
accelerated
now
that
they
know
what
to
look
for
and
how
to
coach
the
legal
team
to
use
their
red
pens.
So,
hopefully,
future
donations
will
be
accelerated.
We
should
have
I
think
we
identified
a
couple
different
classes.
A
A
D
E
This
yeah,
it
has
to
be
right,
because
this
is
this-
is
an
IP
transfer
of
a
developing
domain.
So
you
would
expect
that
they're,
probably
going
to
do
either
an
annual
or
buy
it
like
biannual
review
of
that
when
they
do
what
we
need
to
provide
to
them.
If
we
can
are
traced,
statistics
so
I
would
love
what
they
need
or
not
just
like
who
finishes
the
course,
but,
like
literally
what
pages
get
seen
the
most
what's
getting
most
coverage
and
that
helps
us
a
lot.
A
A
A
D
Yeah
so
I'm,
assuming
we
won't
be
able
to
get.
You
know
like
people,
look
at
a
particular
slide
slide
or
whatever,
but
we
can
certainly
get
things
like.
How
often
is
it
downloaded
or
stats
like
that,
although
you
know
frankly
that
may
be
a
challenge
in
particular
for
the
instructor-led,
because
one
person
downloads
it
once
they
may
present
it
to
a
thousand
people
and
a
hun
and
and
50
000
bucks,
May
download
and
never
to
be
seen
Again
by
the
Light
of
the
day.
So
I'm
not
sure
we
count
that,
but.
E
At
some
point,
I
mean
all
of
this
stuff.
There's
an
entire
field
around
this
and
there's
conferences
around
how
you
organize
this
information
and
I
go
to
them
because
they're
the
most
fun
conferences,
but
like
one
of
the
best
things
you
can
do
for
this
is
like,
let's
have
a
separate
like
ossf
or
Linux
email
subscription
that
goes
out
once
a
month
that
lets
them
know
any
updates,
and
that
also
does
a
month-to-month
survey.
That
says:
did
you
utilize
any
of
these
resources,
or
are
you
aware
of
these
new
resources?
E
So
it
does
your
exposure,
your
retention
and
your
statistics
in
a
way,
that's
non-intrusive
and
that
solves
the
problem
of
not
being
able
to
capture,
especially
because
a
non-zero
amount
of
the
people
are
going
to
be
using
vpns.
So
that's
why
it's
always
hard
for
me
to
get
stats
around
cyber
security.
It's
a
unique
user!
E
E
D
A
C
E
F
D
C
D
B
D
E
Yeah
I
gotta
go
back
and
find
there
used
to
be
I'm
stealing
this
all
from
there
used
to
be
this
conference
in
Seattle,
and
it
was
all
about
this
and
as
soon
as
I
remember
what
it
is.
It
used
to
be
out
of,
like
Microsoft
like
experience
design
but
yeah.
No,
it's
really
it's
just
about
like
it's
cognitive
design
for
Education
right.
So
how
do
you
like
distill?
And
so
it's
not
just
like
individual?
This
is
more
about.
E
So
over
the
next
year,
I
really
want
us
to
figure
out
what
does
like
exactly.
How
is
it
that
We're
translating
into
very
tractable
courseware?
If
we
do
that,
I
can
get
us
something
that
would
literally
like
we're
not.
We
would
no
longer
be
sort
of
like
chasing
the
coattails.
We
could
actually
be
building
robust
categorically
robust
systems,
so
I've
got
my
fingers
crossed
on
that,
and
we've
got
a
grant
that
will
be
going
out
for
that
and
if
we
get
that,
it's
absolutely
going
to
be
positioned
for
this.
E
A
A
Particular
opinion
on
one
or
the
other,
then
we
can
start
to
get
together
the
actual
docket
of
what
they
plan
to
talk
about
during
the
future
office
hours
and
start
to
socialize
that
get
that
out
via
LinkedIn
and
Mastodon
and
the
tweeters
and
all
that
nonsense.
So
we
hopefully
can
get
some
more
folks
joining
us
on
that
kind
of
educational
session.
A
All
right,
so,
let's
talk
to
Cassidy.
She
I
met
her
last
year
at
the
Dublin
OSS
site
and
we
had
a
hallway
talk
outside
of
the
the
beautiful
Convention
Center
there
and
then
I
promptly
lost
her
business
card,
traveling,
home
and
but
she
reached
out
and
she's
here
and
she's
working
on
an
idea
of
some
not
necessarily
security,
education
training
but
training
around
the
open
ssf.
So
maybe
a
Cassie
you're
going
to
kind
of
talk
about
your
idea
a
little
bit
and
share
with
us
some
of
your
ideas.
B
The
course
development
should
not
take
too
long
for
these
courses.
That
is
only
about
30
minutes
of
material,
so
I,
don't
foresee
it
taking
too
long
to
do
these.
I
just
need
I
need
the
brains.
I
need
the
sneeze
to
help
execute
this,
so
we're
trying
to
do
them
under
the
different
umbrellas
and
open
ssf
idea
around
the
working
groups
is
one
of
the
ideas
that
I
had
so
I'm
open
to
questions
and
feedback.
E
Oh,
my
God.
Yes,
thank
you!
So
what
I've
been
trying
to
get
done
so
I've
been
like
trying
to
get
like
three
blogs
out,
but
as
a
volunteer
I
don't
want
to
do
this.
This
is
very
much
a
Linux
thing,
so
I'm
so
glad
you're
going
to
do
this.
What
we've
been
trying
to
get
so
basically
I
have
to
field
phone
calls
right
now,
like
Zoom
calls
from
ospo's
all
around
the
globe,
asking
me
how
they
can
get
involved
in
ossf
and
I,
say:
I,
don't
work
for
them.
Stop
making
me
take
these
calls.
E
So
there's
two
different
types
of
profiles
that
we
need
to
explicitly
create
a
journey
for
most
important
I
need
a
Blog
out
like
yesterday
that
talks
about
the
right
working
groups
for
an
ospo
specifically,
so
that
there
can
be
a
better
understanding
of
people
with
money
Pockets.
Where
do
they
need
to
go?
E
And
let's
not
put
them
into
the
working
groups,
where
they're
not
going
to
feel
valued
first
thing
right,
but
when
the
high-powered
ones
so
ospo
journey
and
then
hobbyist
or
volunteer
Journey
or
developer
Journey,
so
getting
them
to
know
which
are
the
like
hard
engineering,
Pathways
and
then
a
third
one
which
we
can
have
a
lower
priority,
but
is
clearly
very
important
and
the
need
for
tractability
of
contributors,
a
student
portal
or
student
Journey,
but
I
need
that
aspo
on
like
right
away.
We
all
need
it.
So
that'll
be
great.
So.
A
The
blog
we
can
work
with
Jennifer
Bly
on
and
we
can
do
that
at
any
time.
There's
no
blocker
there
at
all.
We
can
start
so
if
you
want
to
either
start
an
email
thread
or
open
an
issue
and
tag
me
on
it,
we
can
start
to
collaborate
and
work
on
that
back
and
forth,
and
I'll
get
Jennifer
looped
in
I.
Don't
know
if
Cassidy
has
any
other
ideas,
but
the
blog
is
simple
and
we
can
start
today.
B
Yeah
so
with
the
working
groups,
I
kind
of
saw
them
each
as
separate,
but
what
we
could
do
as
well
is
Target
those
areas
that
you
were
mentioning
and
just
kind
of
group
them
together.
The
only
thing
I
worry
about
is
the
vast
amount
of
information
it
just
being
a
small
course
having
one
for
each.
There
could
also
be
a
learning
path
that
would
take.
You
could
group
them
into
different
learning
paths
and
have
a
few
for
each.
E
Yeah
yeah
I,
think
I
mean
better
explanations
and
onboarding
for
each
little
working
groups,
but
it
very
much
is-
and
this
is
why
people
are
on
phone
calls
with
me
and
not
in
your
working
groups.
There
are
very
much
specific
clusters
that
specific
identities
need
to
be
involved
in,
and
you
have
a
really
high
loss
rate
right
now,
because
the
wrong
people
go
to
the
wrong
places
and
never
come
back.
C
B
E
D
D
A
F
I
had
a
conversation
where
we
had
a
conversation
at
LF
about
the
quality
of
blog
posts,
so
I
decided
to
use
GPT
and
Mojo
and
build
my
own
live
blog
generator.
Just
so
you
know
it
works
really
really
well,
like
actually
kind
of
on
can't
like
it's
really
weird
but
yeah.
You
could
just
give
it
even
a
sentence
and
it'll
generate
like
5
000
words
on
you
for.
D
C
D
A
And
then
to
Circle
back
to
Cassidy's
idea
about
the
working
group.
Trainings
I'm
also
plugging
her
in
with
Catherine
druckman,
who
is
going
to
be
leading
the
new
devrel
committee
and
they
are
focused
on
how
to
get
developers
and
maintainers
engaged
and
that's
you
know,
kind
of
a
slightly
different
persona,
but
I
think
that
you'll
also
see
some
good
partnership
there
to
try
to
help
figure
out
the
messaging
and
who
we
are
and
they
can
get
you
connected
with
subject
matter.
Experts
to
provide
you
that
so
yeah.
E
E
And
bringing
you
can
bring
on
a
person
from
each
working
group
given
the
time
to
speak
about
it,
but
I,
just
in
terms
of
getting
this
implemented,
I
would
make
that
high
priority.
I
would
make
it
30
minute
training
that
is
verifiable
in
some
way,
because
as
a
manager
right,
if
I
hire
someone
in
hospital
I'm
gonna
say
day,
one
take
this
training.
Gotta
know
that
you
did
it.
E
E
And
also
the
badge
for
Community
entry
is
a
really
nice
touch,
it's
something
that
they
do
in
some
other
developer
communities
and
it
gets
rid
of
imposter
syndrome
before
they
get
on
the
call
right.
So
just
cognitively,
that's
a
really
nice
way.
Low
effort,
High
return,
I,
think
that
would
help
a
lot.
B
D
E
D
E
Yeah
well,
I
suppose,
typically
on
board,
now
a
lot
of
their
developer
class,
so
they'll
jump
in
first
to
see
where
they're
going
to
engage,
see
where
they
want
to
pay
to
engage
and
then
have
them
strategically
jump
in
so
I
think
that
would
be
a
really
really
helpful
and
at
the
end
of
it
just
like
point
to
developer
resources,
all
the
stuff,
the
stuff
that
we're
already
creating.
So
it's
a
super
nice
Zone.
A
A
D
D
D
That's
a
very
broad,
I'm!
Sorry
issue!
169.
there
you
go
I
mean
there's
some
awesome
ideas
in
there.
I
have
drafted
a
starter
developer,
landing
page.
You
know
which
does
not
completely
resolve
that
issue,
but
at
least
I
I
basically
pulled
out
a
piece
of
it
and
tried
to
get
get
started
on
it.
So
there's
a
link
right
there
to
this
early
draft
landing
page.
You
know
I'm
going
to
include
in
there
a
link
to
the
current
drop.
D
A
And
that
particular
issue
was
incredibly
well
written
observation
of
how
the
foundation
is
not
accessible
from
the
maintainer,
Persona
and
I
thought
I.
Think
the
ladies
handle
is
web.
Chick
I
can't
recall
what
her
name
was,
but
she
had
an
incredibly
well
thought
through
issue
she
filed
and
actually
provided
some
suggested.
Solutions
and
again
it
cries
to
the
fact
the
need,
for
you
know
the
training
with
Cassie
is
trying
to
put
together
these
accelerated
learnings.
We
need
to
have
this
type
of
stuff
to
get
those
communities
involved
with
us.
A
A
A
Another
variation
on
the
developer,
maintainer
Persona
is
we've
had
a
lot
of
interactions
with
newcomers.
Recent
graduates,
people
looking
to
get
into
open
source,
Development
Career
changes.
So
to
speak.
So
we
started
the
idea
of
assembling
information
on
an
intro
to
working
with
open
source
OSS
for
newbies,
and
my
friend
Max
from
Major
League
hacking
went
through
and
added
a
couple
added.
A
D
I
I
think
it's
it's
value.
It's
certainly
valuable.
The
look!
Oh
and
I'm.
Sorry
Cassidy
had
to
go
right
when
I
was
gonna.
Ask
her
a
question
because
the
LF
actually
does
have
some
courses.
I,
don't
know
if
any
of
them
really
meet
this
particular
desire,
but
I
think
before
we
create
before
creating
new
course.
Let's
make
sure
that
one
doesn't
already
exist
and
in
particular,
if
one
almost
does
it,
but
it
has
some
weaknesses
we
might
be
able
to
take.
You
know:
okay,
it's
80.
D
A
A
And
I
would
absolutely
agree.
We
don't
want
to
recreate
the
wheel
and
if
our
value
add,
is
federating
and
aggregating
all
the
existing
material
and
making
a
nice
presentation
layer
delivery
of
this
hey.
Here's
all
these
things
that
a
newbie
can
do
and
tick
off
the
box
so
to
speak.
That
would
be,
you
know
as
good,
but
if
there
are
gaps,
I
think
it's
great,
we
could
add.
Supplementary
training
contribute
back
to
those
classes.
A
Here's
some
additional
things
to
help
address
this
particular
Persona,
because
the
intention
might
not
of
those
I
imagine
those
classes
may
not
be
thinking
about
the
the
newcomer
Journey.
Potentially
you
know,
I'm
fresh
out
of
college
I,
don't
have
a
lot
of
actual
working
experience.
I
know
how
do
I
get
integrated
and
start
to
become
a
contributor.
D
I
will
add-
and
this
is
you
know,
unfortunately,
but
I
I'm
speaking
of
someone
who
is
who
teaches
actually
at
a
university.
You
know
it
is
remarkable.
Yeah
I
have
a
number
of
students
who
are
on
the
workforce
and
a
number
of
students
who
have
never
been
in
the
workforce,
and
it
is
remarkable,
even
after
years
of
going
through
school,
how
many
of
the
basics,
the
folks
who've
only
been
through
school.
Don't
know
you
know.
D
D
D
D
D
D
Know
this
is
what
we're
talking
about,
because
you're
saying,
even
if
you
go
to
university,
you
don't
know
this
so
so
yeah,
there's
a
need
for
for
this
regardless
and
I
haven't
seen
the
latest
stats
I.
Think
it's
about
half
and
half
about
half
of
the
current
developers
go
to
universities
and
colleges
to
learn
this
and
the
other
half.
Don't.
A
And
just
for
some
context
of
this
group
has
a
proposal
on
how
to
improve
security,
secure
development,
education
and
our
approach
was
very
multi-focused,
where
we
wanted
to
focus
in
on
primary
and
secondary
education.
University
College
trade
school
people
are
already
in
the
career
and
looking
to
upskill
or
change
careers.
So
we
have
a
couple
different
personas
we're
looking
at
addressing
and
many
different
paths
to
get
that
information
out
to
the
different
Learners
and
it
would
be
a
company.
A
There
would
be
some
traditional
classes,
there
might
be
boot
camps,
there
could
be.
We
have
a
training
tool
that
Randall
and
team
helped
manage
for
us.
The
SKF
security
knowledge
framework
that
actually
is
like
Hands-On
Labs.
So
we
have
a
lot
of
different
techniques
and
approaches
to
get
this
stuff
out.
J.
G
Yeah
I've
long
since
you
know
raised
the
argument.
It's
just
like
it's
just
like
well,
I
could
always
say
argument,
like
the
bachelor's
degree,
is
a
new
high
school
diploma.
I
I
I've
raised
that
argument,
but
I
say
the
same
thing
on
the
security
side.
You
know
we,
we
got
supply
chain
security,
you
know,
which
is
seems
to
be
a
subset
of
now.
Cyber
security-
and
you
know
I
I,
say
to
people
I
was
I,
was
studying
this
stuff
before
was
sexy
so
that
this
is
back
when
it
was
just.
G
You
know
straight
up
you,
software
engineering,
you
learn
something
about
Arrow
checking
and
error
handling,
and
then
you
merge
over
into
what
is
called
information.
Security
period
point
point
black
period,
information
security
of
my
firm
opinion.
There
needs
to
be
an
information
security
course.
That's
foundational
that
gives
you
a
basic
foundational
understanding
of
what
information
security
is
because,
if
I
sit
in
another
meeting
with
somebody
who
should
know
better
says,
what's
the
difference
between
a
security
framework
and
compliance
requirements,
I
I
might
lose
my
mind.
D
Yeah
we
already
do
have
a
course
on
how
to
develop,
secure
software
there
and
there's
a
and
it
does
actually
talk
about
things
like
the
CIA
Triad
and
that
sort
of
thing,
if,
if
it's
relative
I'm
pretty
sure
it
doesn't
cover
that
specific
point.
But
if
it's
a
couple
key
points,
it's
missing.
We
could
add
it
or
again,
but
but
you
know
the
developer
course.
Obviously
it's
drilling
down
into
eurosoft
for
developer.
It's
obviously
not
tuned
right.
It's
not
tuned
to
folks
who
aren't
developing
software.
D
A
G
You
know
we
got,
we
got
to
crawl
before
we
walk
and
walk
before
we
run,
I
mean
how
like
I
I,
don't
know
when
it
became
okay
to
just
jump
to
like
something
so
complex
as
supply
chain.
Security
today
expect
and
health.
We
didn't
even
finish
our
breakfast
on
that
before
now
we're
talking
about
secure
use
of
AIML
and
developing
software
and
Services
I
mean
we
didn't
even
finish
our
breakfast
on
supply
chain
and
we're
still
developing
stuff
that
nobody
understands
right
so
I
like
it,
but
but
to
go
back
and
say
well.
G
What
is
the
foundational
you
talk
about
the
CIA
trial?
Who
knows
today
now,
if
you
say
CIA
Triad,
if
I
was
to
say
okay?
Well,
then,
let's
talk
about
Dad.
Let's
talk
about
dad
who
the
hell,
you
know,
I
mean
nobody,
you
we
don't.
We
don't.
Even
you
know
so
so,
like
like
I,
said
dude,
we
need
to
have
a
come
to
come
to
the
Mountaintop
moment
and
just
say:
let's
take
a
step
back
and
teach
people
some
foundational
elements
of
this
stuff.
Exactly
you
know,
I
mean
you
know
it's
about.
Oh,
don't
hey!
G
G
D
Here's
the
thing
I'm
gonna,
try
to
share
this.
Your
soapbox
briefly
I'll
put
my
stick
my
toe
on
there.
So
once
Intel's
material
comes
over
first
of
all
for
for
instructor-led
I
think
you
know
that
I
mean
we
haven't
seen
the
material.
Yet
my
expectation
is
that
it's
going
to
be
great,
we're
gonna
have
some
oh.
What
about
this
is
we'll
propose
some
improvements
and
Intel
will
be
happier
their
course
will
be
better,
we'll
be
happier
I
mean
things
will
be
better.
D
F
D
A
Again,
thinking
back
to
our
proposed
Triad
that
you
know
our
strategy
is,
we
have
instructor-led
classes,
we
have
computer-based
Hands-On
learning
like
SKF
and
then
we
have
that
other
third
area
right.
It's
boot
camps,
podcasts
blogs,
webinars
to
you,
know
it's
all
based
off
of
a
that
core
content
and
it's
just
adjusted
for
the
the
venue.
The
channel
I
can't
find
I
lost
all
my
awesome
bookmarks,
so
I
can't
find
our
spreadsheet
and
if
Dave
was
here,
you
could
point
me
to
the
damn
spreadsheet
but
yeah.
A
We
probably
need
to
sit
down
seriously
in
one
of
these
calls
and
do
the
assessment
of
what
content
we
have
what
we
want
to
present
and
what
gaps
do
we
have?
We
have?
We
have
not
done
that
kind
of
Gap
assessment.
We
did
the
log
if
we've
found
all
this
stuff,
but
we've
not
synthesized
that
into
useful
wisdom.
Yet.