From YouTube: End Users Working Group (February 2, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
B
Happy meeting day, happy meeting day, indeed.
A
Surprise people joining from Seattle or other places.
A
A
So people may, maybe, in Seattle, we don't know, we'll see how it goes. But if anyone in the call could sign in, that'd be great, and just share the notes.
C
Yeah, I mean, I suppose if you're going to be stuck somewhere coming back from cool holidays, not a bad way to do it. Yeah.
D
A
Welcome, do you want to just add your name to the notes? We'll get kicked off in a couple of minutes.
A
If anyone has any topics they'd like to discuss, if you just add to the agenda, I'd be appreciated to.
A
A
Some of the worst that were some of the best note-taking I've seen, to be fair. I think people do, from general feedback, they do go back in and and re-read the notes, which is quite cool, so it is, it is used and useful, I think. So then, right, next item, any new friends. So a couple of people on here, I don't recognize you, and if, if you want to, would you like to introduce yourself? Perhaps that would be the time.
F
Oh hi, everyone, my name is Leslie.
G
I'll introduce myself even though I introduced myself in the previous meeting. I was, I was, I, I, I, I also was in the the best working group, best practices working group meeting, so I'm still Robert, I'm, I'm still from Norway and I still do stuff with platform engineering, security and so on, and so forth, so nice to meet you, and this is the third time that I tried to get into this particular meeting.
G
But you know, I'm really, I'm really crappy with time zones, weirdly enough. So it is what it is, but I'm here now, show up every time. You're.
A
Welcome, and it's glad that you're still there, right, and and I'm not great at time zones either, so I, I've actually now put on our. If people need to take a look at it going forward, I've put on the top of our end users Slack channel the link to Zoom and the times in multiple different time zones, because I realized if I didn't do that, I was turning up like or just panicking towards the end.
G
It is, it is definitely appreciated and and I, I, I mainly have had troubles with like CNCF meetings, where some is opted in the calendar, some is not, some is like verbally said that it's supposed to be this time, and then you have the the between summer and then you.
A
About right, indeed. All right, excellent. Thank you very much and welcome to the group, welcome again. Right, so in ways of updates, I'll give a few and pass on to others, and then it'd be great if we had any other topics people wanted to to table as well. Starting off with GitHub.
A
So one of the things that we had as an action the last session and the session before was to update the GitHub pages, and we had Jeff did some phenomenal work on our GitHub pages. So, thank you very much. Thank you for that. You, you had some feedback from a couple of other people, I think, chipping into that, is that right?
F
Yes, I don't see anyone, I think, on this call, but maybe not because it was GitHub handles. So anyone please speak up, but yeah, there's a bunch more to do too, so I don't know if you want to point me to other things or if you want to send information, I'm happy to to add edits, like, you know, members and leadership, and things like that.
A
Yeah, I think, I think we need to, right, just just to bottom that out, you find taking a look at, I, I did look when it came through. It looked really good, great start with the all the appropriate information on it. But if we go down, current work, related activities.
A
Maybe we should actually add some of the projects we're working on in that current work thing, I think. That's, that's reasonable, right, so, you know, we're going to go through it in a second, but there's the taxonomy work. Does the architecture work?
A
There's the supply chain repository work that we're putting together, so a couple of items there you can, we can add in. Maybe if we put that in the notes, I'll take a look, and maybe, if start with you Jeff, work on that between the next session. That'd be great, yeah.
A
Thank you, man probe in terms of general good order, and, you know, how a working group should have documentation in place. Is there anything else that we need to do over and above the awesome work, jump and Jeff put in on the GitHub page, the.
B
B
So that's a great place and I love the idea of putting the current projects that are incubating, getting those listed, and actually what I found is useful is if we are looking for collaboration on anything, state we're doing this taxonomy, we would love feedback on, you know, these areas. Maybe be prescriptive about how you would like to have help or where, what areas you would like to help focus new people too.
A
Awesome, let me, let's think about that, and we'll perhaps add to that over the next couple of weeks. What one other thing that I had thought about was with the working sessions that we're having, that we're having multiple different ad hoc meetings around the side. I wonder if we sort of published that, discuss it in this meeting and also publish that as a time on the community calendar.
B
A
D
Music, yeah, I was just thinking the, riffing on my Crow was saying about where we are, where we are, where we have work items where we're looking for people's feedback, that might having some issue templates or having an issue.
D
Template might be a good idea as well, so that, you know, if we want people to raise issues with us, then we could at least say: what's the thing you're raising the issue about, you know, or, and I'm happy to work on an issue template for the, for the repo, that, so I'm, I can take that action.
D
I mean it just, I don't feel like some, sometimes you can have, like when there are multiple work items in a particular repo, sometimes it might make sense to have multiple issue templates so that when you open up a new issue, you go, you, first asks you, are you opening that, this kind of issue, this kind of issue. I don't think we need to be that fancy right now, but what we can do is simply have an issue template that says, you know, has like a pick list of the things that you're.
D
What do you, what do you, you, what, which work item are you opening up this issue on, and then automatically sets the, an, a, a label of some kind, yeah, I.
A
A
Be awesome, I think it's a great idea, very cool, good idea and actions and you're going to do the work as well, I mean, could we ask her anymore? Fantastic, all right, great. So moving on to the next one, the taxonomy work and taxonomy update. So I can provide a bit of an update on that, but Henrik, you're on the call. Do you want to give a bit of an update on the conversations we've been having with Andy and Justin?
H
Yes, I can do this, but, as you like, don't have any preference if you go first or I go later, doesn't it, no.
H
Okay, so I think the the biggest discussion point was again mostly, and please disagree or correct if I got it wrong, about the scope of the taxonomy, which kind of attacks are in and out, and what we were, we had one work meeting, let's say, I think that took place two weeks ago, if I'm mistaken, or one, my, time flies, and with Justin and Andy from control plane, I think is the the company's name, yeah, and Indiana colleague.
H
They were going through another list of supply chain attacks, trying to map those to the different attack vectors of the taxonomy, and we were basically going through that list and commented on whether the assignment they did was correct or not in our understanding, and again, as I said at the very beginning, it boiled down to defining better the scope, what is in, and one maybe take away.
H
There were a couple of cases where software organizations were attacked, where their credentials were stolen or maybe where their IP was stolen or kind of just deleted, compromised and some are the other way. But there was no impact on the software products, products that they produce and that they supply to their downstream consumers, and so there was this question about: should our taxonomy include such attacks that do not have an impact on the integrity of what their software products or not, right?
H
Now, the taxonomy, as we designed it in the past, doesn't, yeah, and so that is maybe one of the questions, and another topic which I thought, or which we kept back then out of the scope, again to be discussed.
H
Whether to include is the impact that the consumption of compromised products had on the consumer, right, so whether, again, on the the consumer, whether he's, I don't know, whether there are any secrets exfiltrated or whether there is a ransomware attack or denial of service, whatever, this is kind of the impact of what the malicious code does to the consumer, which is, yeah, always, which has been kept aside, let's say, when we designed the taxonomy back in 2021. Anything to add, Jonathan?
A
Just just a few little bit, so so I think we've had a couple of meetings, so we had one with Justin and then a couple of follow-ups with Andy to go through it, and I think the, whilst I had personally gone through the incutel repository of supply chain attacks, there's a GitHub repo with a lot of data in there, Andy went through, all right, I think he's still going through the CNCF repository now. I think there's quite a lot of commonality and I think the inkital that it does reference.
A
Some of that, but I think it's great. We just have a diff, additional people going through it for a start, because some of it is subjective, but also going through a different repository, I think that's valuable too. I think there's a lot of commonality in the end, leaf notes, so that looks reasonable. I'm.
A
Notwithstanding that the statement Henrik made, that there's the question of scope and what you do or you don't include within that, the the one thing that we're sort of going back and forwards on as a small group is, one thing that came to is kind of the lens that you're looking at that taxonomy through, whereas the end nodes are relatively self-explanatory.
A
You know, you stole the credentials, you did a bad thing, but when you try to aggregate them in the middle, and if you think about it, like the attack tree as it's built out in the risk explorer, the the taxonomy and the words that you use to describe those middle states could depend upon how you're looking at the taxonomy in general.
A
Are you looking at it from an attacker's viewpoint to try and cause an attack, or are you looking at it from a defender's point of view, where you're trying to identify choke points to defend the infrastructure, and, depending upon that lens, you may have slightly different groupings as you group those different endpoints. I thought that was quite interesting when Justin campus went through it, from my perspective, because it did change some of my thinking around some of the middle, middle nodes, and we're still, fair enough.
A
That was just an observation from from that really really useful conversation that we've been having, and and I think we're at a point now where these conversations about the taxonomy, we should sort of upgrade that conversation into a wider conversation that we put perhaps on the the community calendar for other people to apply and contribute to. I think there's enough feedback coming in to suggest we're still going to be refining and going through this work, and be great to get additional people's viewpoints.
D
Just seems to me that, to your, what you were talking, I wasn't part of the discussion, so apologies, but if you're talking about the point of view, it does feel to me, well, we are in the end user working group, so we should be thinking about it from the end user point of view.
D
As far as this group defines the term end user, and also the, on the question of should the taxonomy include impacts that are not directly related to the delivery of the software product, but may have resulted in loss of IP or or some other kind of problem for the organization, my initial kind of knee-jerk reaction is yes, because that's a key issue from from from an end user point of view, right? I mean, don't you think so? Sorry to to kind of let, I don't know.
D
H
H
They cannot provide new versions, provide any bug fixes for whatever reasons, that, of course, is relevant, but it somehow opens this to a huge kind of availability discussion, because there could also be all kind of, you know, physical threats to the availability of that supplier, and, and so it opens up just an entire new topic, while the initial scope was more really on the integrity of the products consumed, and so we didn't want to go down the route of, you know, power cuts and whatever its threats could happen to the supplier.
I
Yeah, my gut instinct is exactly the opposite. Keep it simple. The the difficulty with my first, my first understanding of it was like impact on a defender who gets hit by one of these supply chain attacks, and that would be no, because everybody's impacts are different. We don't have omissions, last I checked, but even then, like, to Henrik's point, expanding the taxonomy to include, quote unquote, everything would make it unwieldy, like, I wanna keep it manageable.
I
This is, this is the problem with taxonomies that don't align with natural laws, because there are none in this case, and it's like anything, you know, we have to accept a boundary to what risks we consider in and out of bounds. Like, for example, it's possible, not likely, not plausible, but possible that, you know, your data set, it gets hit by a meteorite, but I don't think that should be in the taxonomy, yeah, right, so my instinct would be to say no to the degree possible.
A
Do we include that, I know, and if we do, then it just explodes into, you know, also meteor showers and all sorts of madness, and that's what the difficulty, but it's still, I think it's a valuable conversation to have, right, because I think that needs to be documented at what's in and out of scope and reasoned about, and I think we need different viewpoints to figure out, as I was saying, with a different lens, if you're in charge of making sure that your supply chain is physically secured, and you probably do want to know about that.
A
But you might not be in the wider taxonomy, so maybe there's an adjunct. Long short, I think that there's a good conversation that we had here and I think we need to expand that and, yeah, start putting meteorite hits into the taxonomy, maybe, maybe not. So I think as an action we should, we should try and get a a date in the diary.
A
A
regular conversation going. I think it's useful to go back to the attack just to give some sort of progress update, perhaps, because, if you'd recall, we did present to the attack as a, we should, we should adopt this from an OSSF perspective, and I think what is kicked off is a longer conversation, which I think is is great, but I don't think it's something that would expect the tank to sort of rubber stamp, even if that is a thing right now.
A
The other point I, I was going to add was this is a completely open collaboration, as they always are, but it's also linking with the CNCF who, whilst they don't have necessary a taxonomy, I don't believe, they're, they're having similar thoughts. So it's trying to make sure that we bring people together, have a common conversation about it.
A
Pretty good, so so more to come on that, that one. I'd recommend people join that conversation because it was, it was really fascinating, the last couple of sessions, some some good insights there.
A
Next one up was the supply chain attack repository or supply chain total or whatever we're calling it these days. So I took an action to set up a meeting on that, I think it was last week, with Jack, your great help, with the secure positives team. We had a good turnout, I think a sort of 10, 12 people to that initial conversation, and I think that's another one where we probably do want a running conversation to figure out where that goes.
A
If I can provide a readout, readout of that, and maybe Jack you can add in, but definitely interest in doing something along those lines. It didn't seem like in the open source arena anything in particularly been attempted as yet, but there was a lot of interest in collating the metadata, perhaps binary, as well as source code data as well, for malicious supply chain attacks for subsequent analysis.
A
There was a participant who had done some research work in looking at different attacks and trying to piece them together, figuring out whether it was, could have been mitigated from salsa or other approaches, and try to map that, and her feedback was, this sort of database would have been invaluable, and she's trying to make that happen. So it's, it's definitely something of interest. Next sort of steps of trying to figure out what that would take, define a scope, define.
A
A
I had also subsequently, straight after that call, was pinged by a couple of groups who stated they did have a database like this, but it was part of a venture, exactly right, it was, it was, they weren't selling it, to be clear, right, but it was just a statement that they do have that data, and at least one of them was interested in figuring out how they could open it up for others to access, so good news, I think, for me is that someone is collating that data. Jack.
I
I'd had the slight color, a slight color to the the vendor question, because there were folks there who described, what was it, that there was some data sharing group of vendors. I can't remember the name. Oh.
I
But but by analogy, you know, like a a clearinghouse that vendors could also contribute, as well as researchers and package repositories receiving reports, that sort of thing, and the asterisk that sort of hovered over the top of it was that we would want the Linux Foundation lawyers to clear us on antitrust questions, and, but that was, that was really like more of a technicality, I think, more than like a fatal hurdle, since these things already exist in other, other areas.
E
A
Had an industry thing, yep, that's exactly right! So long and short, look, I think that's another project that we've talked about here. We've talked about getting people together and figuring out how to do it. We've definitely got a signal from other groups they're interested in it. Some of them potentially have a vendor product that has this as a side effect of what they're building. So with continued pressure to see if we can get something like this stood up.
A
So another action is bring that up as a working group meeting and we'll distribute that accordingly, but it did seem like there was prior art there that perhaps could be influenced to open up for appropriate researchers.
A
It was mentioned as well, the access management, to make sure it's not available, you know, obviously it's malicious software, so we need to be somewhat careful about that.
I
You know, excluding people and family, blah blah blah. So can you tell I used to study well.
A
D
Otherwise, I'll go to the next one. There are specific open data licenses, that, that's, that's a point that I just wanted to throw in there. So if we're talking about data, I know that from working in the open data community that there are open, like Open Data Institute, I don't know if you've ever come across Open Data Institute, Jonathan, but they, they have, they have a lot of ideas about how data should be shared differently from open source.
D
So we might want to look at promoting the use of an open data license. I don't know quite what OpenSSF's or Linux Foundation's views on that are.
A
A
But for the point station you were racing, right, fantastic, all right, very good. So moving on to any notes from working groups, so we have one about diagrams, but I think it'd be worthwhile digging into that a little bit. Is there any other working groups people want to share before we dig into the background one?
B
All right, well, thank you, Jonathan. I have put together a short presentation I've been sharing with a couple groups. Can you see my screen?
B
Traffic, so there is a group of us that get together called the diagrammer society and we're trying to figure out the problem of how to describe what the OpenSSF is, what we do, and try to get people to participate.
B
More kind of our objective and whatnot, I should simply provide examples of how we're organized, what challenges are working groups and SIGs are seeking to solve, and how those components relate to each other, so we've thrown together multiple views of how we think the foundation could be shared and I would love to get this group's feedback, since this represents the kind of consumer of open source community, to see.
B
If anything here is particularly interesting to that perspective that we want to further develop and get professional artists to do whatnot and have hyperlinks. The first way we documented the foundation was a hierarchy view. At the top is the governing board and below that is the pack, and then we have the working groups. So a diagram like this, yes, yeah, it already is in the minutes down, very simple diagram.
B
Anyone that works at a company can understand kind of what this is, and it basically speaks to where people live in the hierarchy and all of these things, so you could hyperlink off and dive into the end users working group and jump right to the readme, see what awesome projects they're working on, or have a second level diagram that shows a listing of projects. So this is one style of view, and all these diagrams not only are in this presentation, they're up in our GitHub repository.
B
B
The next view I lovingly call the bubbles universe, so we picked an object type, a circle, to represent working groups. We picked these squares to represent projects and initiatives, hexagons to represent SIGs, and basically started to dive into, this is the different work areas of the foundation, these are the projects they're working on, and if this style diagram was interesting, we could move.
B
We could put the end users group in the middle, because, you know, the end users are obviously the center of the universe, and show, kind of align things where there's affinity, so the supply chain integrity working group might work a lot with a security tooling working group. So we might cluster those types of work together. So that's another style of diagram we could use. The next one that actually got pretty good feedback from the few governing board.
B
Folks we've shown this to is laying the foundation over top of a process like a CI/CD pipeline, and David Wheeler put this particular diagram together, where he had a very simple CI/CD pipeline and then started to plot where the different working groups and projects were relevant to those particular areas.
B
I took inspiration from that and took a standard SDLC ouroboros circle and I plotted roughly where the working groups could land, and then again, as, if we like the style diagram, as the viewer was looking at it, as you hovered over the vulnerability disclosures working group, theoretically, you could have this bubble blow up and show more detail, yeah, and just so everyone knows, these are all kind of a snapshot in time view of things.
B
These are not 100 percent accurate and if a particular style of diagram was desired, we would want to work with the individual working groups to make sure they agreed, like, yes, we think identifying security threats is part of operations and maintenance phase of SDLC, for example, and then a last step, any diagrams we do would have to go through usability and accessibility review because, while I enjoy colors, we have people that are colorblind and the colors might all look the same to them.
B
Another style, which my diagramming tools completely failed me on, is a DevSecOps infinity loop, so everyone's seeing the DevSecOps infinity loop with the seven, er, eight, seven phases of DevSecOps-ing, and a technique you can use is called race track, where you can take arrows, laying over top of that infinity sign, and show where they're relevant to the different phases.
B
So, for example, we feel that the best practices working group is relevant to all phases of DevSecOps, whereas the vulnerable disclosures working group is really only relevant to release, configure and monitor, for example, and so that's a style, and again the tool failed me. I couldn't actually get that to wrap a circle over top of an infinity loop. So that's kind of still in progress.
B
Another view, which our friend Matt put together, is a mind map, and this one is actually, I think, very useful from a tactical level, and if anyone's interested in actually seeing the diagram, you can go to issue one. You need to download a mind map tool to be able to get the ability to zoom in. Basically, Matt sat down, took an inventory of the foundation.
B
Went to every working group's readme file, which is why the readme files are so important, and I kind of read what the current group activities were and he started to categorize it. He has a color coding system here and then another friend of ours, our no, kind of took this base and refined it a little bit, but basically the styles.
B
We could have a mind map, and this is a style diagram recommending for the tack to use, as we start to go through the working group reviews, to make sure we don't have duplicative effort across the working groups and SIGs, and also make sure that everybody's kind of aligning to the tack overall vision and goals, but that's a style with which to present information. It's very dense and, as you can see, very tiny on my picture. Another style of view is focusing in on a persona, so as an open source developer.
B
I want to write more secure code. Well, if I want to do that, go talk to the best practices group. If you want to be able to scan your code, well, you know, the tooling group has some pretty cool stuff, and then we also have scorecards an All-Star another way. So basically, we could agree upon a group of personas, talk about what user stories we're trying to exemplify, and then map out, you know, where elements of the foundation are applicable to that particular story or journey.
B
B
This one I just did, I call it the stickers view. This is, if anyone's familiar with American NASCAR racing, where the cars will have a bunch of stickers slapped on the side for their sponsors. So, basically, I picked three categories, plan, build and run, and I sat down and kind of lined up each of the working groups and their associated projects and initiatives or SIGs and kind of shoved it into the plan, build, run categories, and we would want to have badges or stickers that users could click on, hey.
B
B
Thank you, shocked, yes, and then one I didn't get to is a trail map. So, if anyone's seen the CNCF trail map, it's a very simple graphic and uses the metaphor of a map, somebody's going on a journey, and while that doesn't showcase everything the CNCF does, it shows the high points, the most common things along the journey, and you can click on it and dive, be, you know, put right to those potential areas you're interested in. So as I mentioned, yeah, as we're circulating this around trying to get feedback, you know, is.
B
Is this interesting, is this, do anyone feel this is useful work? Should we continue doing it and refine anything? Were any of the pictures particularly interesting? Did they spark joy and excitement? Did you want to learn more or have it refined?
B
You know, what areas would we'd like to try to focus this group on, the diagrammers, to help explain and get documentation out for people, and ultimately, we would like to have whatever diagrams, we feel there's going to be a couple different views, they're the finalists.
B
We would probably want to work with professional graphic designers to get it cleaned up, because, you know, I'm just an artist in my spare time, and it's, in my job has nothing to do with open source, even though I love drawing pictures all day, but we want to get a professional to make it look nice, and then all, as I mentioned, we want to make sure we have everything vetted by accessibility and usability people to get those perspectives put in.
B
B
B
Loved that one, okay. Bob from the attack, he and I like the persona view and I think that's something we're going to pursue regardless of what the GB decides. I think it's useful to have a user store. You actually have some simple ways for people to jump on, and then slide eight, which was slide eight.
A
What's the the best value to them. I think the the one thing I, I'd love to see, and it's completely down to me to raise a pull request and get off my backside and do it, is like the, maybe it's partial CI/CD or partial persona view, but it's kind of showing a threat model of, given an architecture, this is actually where the different working groups fit, and this is where the different projects fit, or this is where salsa fits or scorecard or whatever.
A
Just so that new end users can come to the table and think, look, that's where I think I've got a problem. Now I clearly know that that's a problem, that's a way of of mitigating or where to go to help, and and totally down to me to go and help and edit it and put it in, but but I think maybe it's somewhere between already the the good work that's in there and the CI/CD and the persona view. So so more power to you, keep going and I'll help, if now, I can, thank.
G
Yeah, just a quick question: is, is the idea of, like, are we supposed to choose one or a couple or like.
B
Being that I drew every single one of these, except three of them, I would appreciate having more focus on what people found useful as opposed to trying to manage like 20 diagrams. So if we had a couple that were useful, we could again explore and get more up to date, we'd like to show like project maturity or where things are incubating. I think that's another interesting aspect we could share in a diagram, but yeah, if you had feedback, I like 1, 5 and 12, that would be more beneficial to my time.
G
Yeah, I think, I think like if you look at, for instance, like the CNCF Landscapes, there, there are several ways of sorting and, like, you press a couple buttons and everything changes to do something. There are some of these that I find more appealing from, like, for instance, like the, I like the bubbles one, the bubbles are cool, not just because I got ADHD, but, you know, bubbles, yeah, and even though I made fun of it.
G
The the SDLC view, like, asset concept, having that kind of like circle, and you can like pinpoint and go into it, and you can, especially when considering like the the borderline, the borderline categories, so to speak, where like having a good way of splitting that up not only by color but obviously, you know, in other ways, so people that can't see colors make they say. Yes.
B
Yeah, and I chose to experience just to show that there are some that cross the borders. Obviously, we would want to have a professional designer pick better colors.
G
In my mind, like the bubbles one, like, if you had an alternative view, which was the SDLC, they would have the same content, so to speak. Yes, yes, and if you could kind of like toggle between those two depending on how you want to look at it and how you want to process it, and and again, at the same time, you have the the persona view, like if you're trying to figure out where to go.
G
That would make it easier, but at the same time, like, we can't like choose everyone, like we want, we don't want them all, so yeah. The original question is really large. How are we, are we, can we choose a couple, like, could we both for having a couple of them in and maybe, absolutely, spend time making that work? Somehow, not us, I guess.
B
B
Yep, but if anyone has any further suggestions, don't hesitate to, you know, file an issue or a PR in the repo. All the diagrams, except the stickers, are up there. I'm going to get the stickers up later today, so you can actually look at it and kind of zoom in and monkey around with it, if you desire, and source files can be shared if someone wanted to take this and run with it with a different direction, different colors, whatever.
B
Sure, right now the diagrammer society meets every other Thursday at 3 pm Eastern, and that's because I had so little feedback from the group about what the best time was, and I didn't have, I had one person from Europe state they wanted to participate. So that's why we ended up with kind of a U.S. centric time, but if we had people from Europe or APAC or wherever that wanted to participate, we're definitely open to reconsidering moving that.
B
A
B
Well, do you give me some suggestions of how you would like to see the goose staged and dressed and I'll be glad to scribble that up for you.
A
Very cool, paints a picture, very good. All right, any, any other business, any, anything anyone would like to raise?
J
J
Hand, this is Rob Underwood, for some folks who, I know some folks on the phone. I was the leader of the open source program office at Goldman Sachs until being laid off a couple weeks ago.
J
So if, if there's anything I can do to help, I know Jonathan pretty well, a few of the folks who are in the capital markets industry, but happy to roll my sleeves and help. This, I think, is an important initiative, love the fact that you're building some connectivity. I think there's a lot of connect, connectivity that can be built, especially with some of the initiatives that are happening in capital markets and financial services, so I'm ready, willing and able to pick up.
A
A
Excellent, okay. One other topic I was going to raise was just sort of changing the, or suggesting changing the meeting around a little bit.
A
You know, we've now got to the point where we've got a couple of little working groups going on or extra meetings that we're having alongside this. I just wonder if it would be useful to bring some of that content into this call, because we, we sort of segued a little bit into like an update of what we're doing elsewhere outside of the meeting, and it just kind of occurs to me that a lot of people we want to have together actually in this call anyway.
A
So we can have the extra meeting to put some additional power behind it, but it might make sense to actually have some that conversation directly here, rather than just a bit of an update. I, just something that occurred to me. I got a bit of advice on that last week. Any thoughts? Thumb, thumb, thumb, three or four thumbs, all right. Let's do that, then, so I think going forward.
A
We will set this, these different meetings up, because I think it gives people ability to to add additional work into it. I think it's more, unfortunately, going to take more than one hour, but I'll make sure that when we put this agenda together going forward, it won't just be the updates from those groups. It'll be active sessions too. I think that's great, all right, very good. Thanks very much everyone! Well, thanks for your time, thanks for attending and have a great couple of weeks and we'll see you back soon. Right, thanks very much.
A
D
It's Dan, I was just wondering, are you, are you heading to the, are you aware of the state of open conference that's happening next week, the.