From YouTube: End Users Working Group (June 22, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1abI65H4pF5y8YtA2_TuDBAaI47v9mTfpr5mwVvccX_I
A
Today, everyone, we'll get started in a few minutes. Happy time of day, Chuck. Yes, it is time of day. It seems to happen after time of day minus n and proceed. Then in two times a day, plus n ope magnets. That strange pattern just keeps happening.
Looks like it's all familiar faces. All right. So let's, let's turn to the first item on the agenda, which was the question of logistics, and by logistics it's mostly agenda logistics.
What we're trying to do now is to raise items for the agenda through the GitHub repo, so we're trying to create a, some, something of a paper trail, and allowing discussion to occur asynchronously is the, the thinking there. Please feel free to open new issues on the repo with agenda items you would like to discuss. That helps us, as I said, to keep track of things over time.
The main focus, as we know, has been the threat model or the threat modeling over the last several weeks, months even. But first in the agenda of list of items is the ingestion manifesto.
Issue five is a great place to give some feedback. Joshua kicked that off with a question about recall. I was wondering if anyone wanted to sort of talk about that. That analogy, recall, if that rings a bell to anybody. Maybe I should try and dig out the manifesto link for folks. Give me a second.
C
Yeah, I think I can speak a little to that. Someone we don't have to keep that watch. My camera keeps growing up. I think recall is something like Brian Fox has used a number of times, and sort of the idea there, but maybe we need to explain it a bit further, is, is not like a physical recall of software, but sort of the way a recall notification works when there's a defect or a safety issue with a product. So where the manufacturer has the responsibility and the liability to communicate that defect to customers, versus sort of the, the de facto approach today, or at least like when you look with the executive order and some of the other legislation in the U.S., where it's basically like, let's just ship this with a, you know, an SBOM or a bill of materials, and then the customer needs to look through that and determine if something is there. And so the idea is that by a customer tracking their consumption of open source, they can much more easily identify that themselves, meet that responsibility and then communicate to the customer the way another manufacturer would. We can add that and we can remove the recall language, happy to do either or. I don't know if that helps.
A
Speaking only for myself, I think it causes more confusion than, than gain. Just at the second would be my feedback, and I'll, I'll leave that on the issue later, that's the best place to do it.
You know, all makes, makes people uninstall something, if that makes sense. I don't know, what do other people think?
B
You know, rather than using the word recall, which, which could be confusing, I don't know, I'm just trying, I, I'm struggling to think what it could be, but, but I'm, I just wonder if it could be, if it could be rewritten without the word recall, doing you to incorporate that notion, that idea that we will be working together on developing the tooling and the processes that support a more robust, you know, set of mechanisms for, for him, for handling vulnerability problems as they arise. You know, rather than talking about recall.
C
Yeah, I think that's reasonable. I've been away from this for a couple weeks because I was on vacation. So if you want, I'll take a look, I'll take this, these suggestions. I don't think recall is necessarily needed. I think the spirit of it is again that, like, driving a commitment to understand your consumption, so you can better communicate, right? Like, which is the spirit of a recall at the end of the day, right, because you can't, even if you recall a product, you can't force anyone really to bring it in. The, the magic of a recall is that you've communicated something through any number of pipelines or channels to say, hey, there's something here that may be unsafe, or there's something that's defective and needs to be repaired. Here's the issue, make your judgments about it. We recommend you bring it in. So again, we don't have to recall, we don't have to get wrapped around the axle, so to speak, to use an auto metaphor, but I think to, to Dan's comment, maybe we can capture the spirit of that in, in this here.
D
Or, yeah, one way somebody could, you know, issue this, air quotes, recall would be through technologies like VEX. That's a way to describe that there's a problem and kind of how the component is affected, and the foundation has an implementation of VEX called OpenVEX. But that's a way that, you know, a good, good citizen of the open source community could be, as I have problems, I use signaling like VEX, or something, to share that with the downstream.
C
There's, there's so many nuances and that's the thing we're trying to get away from, but yeah, I think to your point, like the CVD process, you know, with CISA, like sort of aligns with that too, where it's, you know, how do you even begin to start that disclosure process if you have no idea what you're consuming? So I think that's the spirit of, of this. So I can take all this. I think there's enough here to, to remove recall and capture the spirit with maybe even an example or two.
A
Cool, productive chat. Any, any more sort of thoughts about the, the recall language on ingestion manifesto? What, would we like to move on? All right, let's move on. So the next one is issue number nine, which is the threat model. This, this is sort of like a placeholder or an identifier for the work that's been done. I've linked there the working doc from the SIG that's been working on this. It's good reading. As it says there, we, we need more people, and I am guilty of not going because I am slack and a terrible person. No, just slack, actually. I'm a fine person, I'm just slack.
There is a new time for it coming up. I'm not sure what was meant by update, new threats. Perhaps Henrik knows.
E
Yeah, I can, hey everybody, I can say a few words. So first thing is, so the vote is open. I think we circulated the do the last week or so. The vote is open until Friday, tomorrow, but it looks like Monday, half past six European summer time, will be the new schedule, which is a little bit more friendly for people from the US. So that is the one thing. We will start with this new schedule as of July, I think it's the second or the third. But let's see, maybe there are another 20 people voting until tomorrow evening on another day, and so it will not be the Monday. Let's, let's see. So far, it's just six people or so overboarded.
F
And the other thing is, yes, I was just, I wanted to remind that July 4th is a holiday here in U.S., and like, right, the Tuesday. If you want to start maybe the next week, just pointing it out. I know we wanted to start a new schedule, so yeah.
E
Yeah, I don't know. So if we go for Monday, it would be July 3rd, but I guess that many people maybe take the bridge day and, yeah, we'll be out nevertheless. Yeah, true. Yeah, true. So yeah, you can also do it the week after, which would be then the 10th or so, and yeah.
The second, maybe, update on the document itself is that we shifted a little bit gear in the sense that until last week or this week, we basically developed and discussed all those threats together and added them while, while being in this workshop. In the meantime, John added another bunch of threats to different systems of this development infrastructure. So I guess this will accelerate the content creation, but then of course changes a little bit the, maybe also the, the nature of those meetings. So we rather go into reviewing, which was to be a lot of great discussions, I suppose. I did the count just a few minutes ago. So by now we have like 20-something different threats listed in this table-like format, but yeah, let's see, maybe some of them will be merged or split or maybe disappear altogether in later versions.
D
I've been lucky enough to mostly participate with Henrik. He's been leading us through the exercise and I would encourage everybody to take a look at the work, and if you have inclination, please try to participate. I think this is really valuable work for a work product for this group to kind of share with the community at large. So please participate if you can.
A
I actually had a question: how do you, how do you see this fitting into the initiative of yet undetermined name, formerly known as Sterling Toolchain?
I just want to check, when, when we talk about top health, people feel like they know what we're talking about, or is that a mystery? Yeah, okay, cool. I'm gonna flick it back to Craig, if you'd like to give a, like a product summary. Certainly.
D
I can. So the governing board last year decided they want, wanted to kind of set some direction to help motivate the working groups and inform the work of the foundation moving forward, and the idea initially was the much hated name Sterling Toolchain. So that's why, you know, Jacques pokes fun at me. We're trying to figure out a name for what to call this thing, but the TL;DR of it is essentially developing a, a reference architecture for how soft, open source software should be developed, managed and then consumed, and then we'll do activities like threat modeling to identify where we might want to try to spin up additional projects or groups to help focus in on some of those problems.
We, gives us an opportunity to identify what existing work we have, and then, you know, wherever possible, there might be opportunity for partners potentially to fill some of these needs to help ensure we have some of these capabilities, like a secure CI/CD system. Potentially maybe there's some open and closed source solutions that might help a consumer or a producer, a, and help them have that capability. So that's what, you know, we're trying to have a, a unifying idea of how we can motivate the work of the foundation going forward.
So that's the, the whole security tool belt idea, and I will post a link to the meeting notes if anyone is interested in participating. We've got about 15 folks that have been helping us kind of shape this idea so far, many of these smiling faces here on the call, but patches are always welcome. We would love feedback, and especially as we get into more of the architecture-y and threat model-y pieces of this exercise, I'll definitely need some kind of, some seasoned infosec opinions on helping us, helping us make sure we're doing things right.
A
Is that help, Henrik? Cool. Any more thoughts about the, the threat model and the threat model work that folks had?
Oh, we're making good time today. That brings us to number eight, which is the technical charter. I'm gonna just call that up on my screen, so I have correctly in my head what am I talking about.
F
So I can maybe try to do, right. I was, I was working with John about this, and he mentioned that we should open, like, initiative, see and review the technical charter and make necessary updates, you know, that are required for it from the team. So that's why, you know, I had opened that one, and anybody who wants to take a look and review with this team or the threat modeling game that joins on the other quickly call can add an update and review, and we want to make it a little bit more robust, you know, and comparing with other OpenSSF, you know, charters and looking at it. And I did, actually, it seemed almost similar to me, to be honest, you know, but anything that is make, makes it much more specific for our team here, end user working group, as well as for the, you know, threat modeling to be extended and making, made more detail, and, you know, the oriented, orientation towards that would be helpful. That's the idea behind that, yeah.
D
Yeah, things like the charter and the group's readme file are just invaluable to document what the group's doing so that new participants can potentially be enticed to come in, and then the charter helps define how this group wants to operate. So it's important to have these things documented. Like, do we want to hold votes, or, you know, how often do we meet, this type of, so documenting so that participants understand kind of what the guidelines are for how we operate. So it's, you know, very important, and again, I, much like the threat modeling, I would encourage participation here. You know, take a look at that, give some good feedback of how we want this community to work, and then, you know, make sure we get things in the readme so that external people that are kind of browsing the foundation trying to find where to hop on, they can have a clear understanding of what we're doing and how they can contribute to that.
F
Yeah, I think we should look at the, you know, guidelines on how we are going to engage with, you know, the engagement model with external, as well as what would be the decision points and how we're, how we are doing the controls, you know, to keep it clean and open for everybody and without any bias, if I might say, because we all come from different organizations, as you all know. So those are the main things that we want to.
I think, like a, like a, like a session to do a sprint, spike session kind of to sit on it and, you know, like, like Henrik does with this threat modeling doc, you know, he.
B
However, like when I came into the OpenSSF, I was used to looking at charters as a way to understand what technical work is going on in a group, and that's because, that's just because in the other initiatives that I've, standards initiative I've been involved in, like W3C or IETF, that tends to be listed in the charter, right, like the, the working mode and the kind of deliverables of the group, whereas I think in this, in general, in OpenSSF, the charter is more like there to talk about how the group runs and is not necessarily talking about the, the content. But I really think it should be talking about the content for exactly this reason that Krab mentioned, that to make it more friendly to use, to external people who may not be familiar with OpenSSF and how we're working. So the first thing they're going to look at is they're going to look at this repo, they're going to look at the readme and they're going to look at the charter, because charter is like, especially if you've been, if you're, if you're familiar with working groups, then you might look at the charter, and I think it, it is important to have some, some info in there. I'm happy to help. I'm not an end user, but I'm happy to help.
A
Yeah, yeah. Mike by any question, like with the design that LF gifted the working groups, is that it, what's the word I'm looking for, it envisages a technical steering committee that in practice most groups just don't have. Most groups are operating on, on consent, like pure consensus, which is fine. It's just I've always worried about the scenario where there's an irreconcilable dispute and it needs to be settled by vote, and how that's going to look when it happens. Not if, but when.
Broadly, we did a little bit of tidying on this in the securing software repos group, and that we actually named a TSC in the document so that it was clear, if we needed to, who would vote. So I have a history in student politics, so I, I read the rules and imagine bad people trying to read the rules.
Yeah, no, no, and, and like, good rules are a magical. I'll let you talk in second grade. I just want to say this thing, but I've seen meetings that, like, literally on the edge of being technically a riot, successfully make legally binding decisions because they have good rules.
D
Yeah, to echo Jacques' statement, the working groups have haphazardly worked through and adopted charters. The charter is very much boilerplate. We inherited it from, I think maybe this even the CNCF, with some slight changes, and that's just a template that is given to the working groups. The working group is completely empowered to make any adjustments as they desire to. So if you want a TSC, great. If you don't want a TSC, great. But it's important to document how the group wants to operate and when there are decisions to be made, so to give participants that structure and kind of understanding of what, what the rules of the road are. And I have, unfortunately, had the great opportunity to have need of the documented charter and have that description of who is eligible to vote.
There have been certain circumstances where you do need to occasionally have a formal vote, maybe not so much in this group, but especially like when you are considering adopting donated intellectual property. There's some, you know, legal constraints you need to think through, and having that documented, who is eligible and who isn't, is important, and that might not be important to this group. So if we don't want it and don't need it, we can strike it and just say we are consensus.
We can change whatever we want, so that we have that flexibility. Yes, the, the template is pretty much lock, stock and barrel what most every working group just uses. Unfortunately, like this group, we didn't make a little couple changes to say like what our working group name is, but generally we want to, we want to follow the spirit. You know, we have to follow the LF's code of conduct, I believe that's stated in the charter, and, but beyond that, like how we operate, how we make decisions, how often we meet, who's eligible, that's really up to the, the group to decide, and we have that flexibility. If we want to, we can just take what we're given and, you know, choose to devote our time more on things like the threat model, or we can, you know, spend some time in getting this parliamentary types of things set straight, so that if we have a situation in the future, we need to make some type of collective decision, we at least have that guidance of how we'll make those choices.
There's a process for that, but the, the group has to decide they want to take that direction before you can start to take those steps. We don't want any one entity to come in and kind of full rush their way through and force something into a working group that the group itself doesn't necessarily want to do. And then, you know, once the group decides they want to do it, then we will go through and, you know, commit, work with LF legal or whatnot for that particular transfer in the situation where, like, software is being donated. Good, but, you know, if this group wanted to do personas, we wanted to spin up a SIG around personas, the, that's perfectly within our ability to do, if the group decides they want to do that and state this is part of our, you know, as long as it aligns with our core mission here.
F
So is it right for me to understand, Rob, like, I mean, of course we will be, you know, aligning and staying within the, you know, limits of LF, OpenSSF and stuff. But if, let's say, if we need to extend our work in a much more, a fashion better, there is a project or a program that we want other group to engage in, like Alpha-Omega's, you know, mentorship or something, that we can engage and that them have hands-on, practical looking at the threat model and, you know, have it on some infrastructure or something like that, right? In that case, that we will be going with the LF and all of the, you know, stipulations and the legal, legalities and whatnot, but I'm, we're not going that far, is it?
D
And get that the charter is the rules of the road of how this group wants to conduct itself and how we operate. That.
Us from collaborating with other projects, okay, but again, like if there's something like a member wants to donate software or hardware resources, there's a process for that, and we need to follow that, right? You know, if this group wants to just do verbal votes on things, write that down on the charter, if that's what we agree on, or if we want to get it formally documented in a GitHub issue, or it goes out through an email. You just want to again provide those constraints so that people understand and they can feel free, that they are empowered to participate.
Most of the work of the foundation, like a formal TSC is very heavy. You know, that's great for a software project, so things like Scorecard or like Alpha and Omega, they probably should have attendance, also should have a technical steering committee, but, you know, for us doing a threat model, the formal approval committee might be a little burdensome, might be very heavy. We might not need that much process, but the group might decide they do need it. I know that's up to, for you all to help decide.
A
So my feeling is that this one will need to come back again in the fullness of time, in due season. What else? I forgot, there's one that one of Australia's prime ministers, who used to say, I, was in just incredibly obtuse, but I forgotten it now. Let's move on to reports from other working groups with, oh, they see, Dan has his hand up.
B
Sorry, while we've been talking I've been, I thought I might take a crack at just doing a light edit of the charter document to put the specifics in there. I'm not going to invent anything, but just so that we have something to talk about, because one, one way, my suggestion is that actually I can do that, make a PR. Then we have something to talk about, right, and then we can say: okay, I like this, I don't like that, let's make this change, let's make this, that's new note. So next working group call, maybe we can work through it and, and actually adopt it and then say adopted, because it has an adopted colon date thing at the top. We can say adopted that date, right? And so, if you're okay with that, I'm, I'm, I promise not to, like, you know, invent some kind of new process in it. I'll just use, use the building blocks that are there already.
F
That's a good, you know, thanks for volunteering, then, and doing this. Yeah, that's a good initial step for others to follow in, propose and make amends. Yep. Thank you.
H
Oh yeah, not, not about the charter, although I'm all about getting charges right. This is about working group stuff or SIG stuff. So when we're ready for that one to bring that, but she was getting ready to go there, so I threw my hand up.
Cool. So, you know, amongst the other things that I, that I work on and help out with in, in the OpenSSF, when things that are near and dear to this working group would be S2C2F. Those conversations are, are all right heating up. Melba has put together her thoughts, and, you know, I mean just phenomenally, like, I mean if you could take like a proverbial tabbing out of the framework, and we've been going through that over the last two or three meetings, because there's just so much to, to go through, which I think is phenomenal.
I put out, you know, every time we have a meeting I make sure in this working group, I say: hey, we're meeting now, so come on in. But I'll say it here as well. This is a great time. We got, we got SLSA 1.0, that's breathing a little bit in the ecosystem. This is a great opportunity for us to put some, put some muscle and some thought leadership behind what we have going on with S2C2F. So if you are so inclined, you meet every other Tuesday at 12, I believe, and that's, that's a Pacific time. Come on in and, and let your voice be heard as well. You'll see the issues there that we're working on. I think we put up, I think we uploaded a copy of what Melba has for everyone to look at, and we have new threats that have been added along with our thoughts around an FAQ that is, that, that's going to be written as well, and these are all things that come out of that meeting, and it's relevant to this group, group Zen users, and of course this is a consumer focused framework. Please come on in and, and let your thoughts be put down on paper. That's it.
A
Thanks, Jay. Great, great update. I see crib has his hand up.
D
One is about C and C++ compiler hardening options, which is probably less interesting for this group, but that's in flight, getting some good progress. The one guide that I think would be a lot deep interest of this particular constituency is our source code management concise guide, talking about how to use things like GitHub and GitLab in the most secure fashion. We have some best practices we're recommending, so that work is in flight. I will give the group a link that you can take a look at where we are, and patches and comments and feedback are always welcome. We expect that guide's probably going to get wrapped up probably July sometime. We're pretty good with, we're close to a 1.0 draft, and then we'll be looking for additional, right. We have GitHub and GitLab fairly well documented for security controls and configurations, and if there are other forges that people are interested in, we would love to get contributions for how to deploy similar controls and techniques in those other environments. So any questions about the SCM guide, I'll put a link here in a second.
Next up, I would like to maybe have, bring Jay back to the microphone. The education SIG has a DE&I committee and they have been operating a set of office hours, trying to engage historically underrepresented communities within open source and cyber security, and I think they've had a really great series of office hours, and maybe Jay can kind of share that to try to get the word out. Potentially, let you all take that back to your organization.
H
Absolutely, absolutely, and chrome knows how near and dear to my heart that this is, especially when it comes to educating those, not just the, the, our young people out there that really want to study our craft, right? Is, you know, it's always a delight when they, when they want to study something other than psychology in school, they want to actually touch is one sincerely. You know, I have a, I can go on all day, but, but all, but also those that are looking at a career change as well, which is, which, you know, people come into what we do a little bit later on and for any number of reasons, and that could either be because they say: oh well, you know, if you, if you want job security, go to tech, or they can say, you know what, these ones and zeros actually speak to me. I'm working in this organization in HR or finance or, or, you know, privacy or something else, and they're like, you know what, working across and watching what these guys do, it looks really cool, I'd like to try that, right? And they don't know how to get it, how to come into the industry, or that there are different paths to come in, different paths are coming into what we do.
The office hours are a great place for this, especially when it comes to those members of underrepresented communities who don't have the resources and also the people to talk to. And I was like, you gotta, you gotta understand, right, you know, you get out of it what we put into it. So when you see in, in, in tech the, the disparity between, you know, the, the people that you currently see day to day and operating, yeah, you can even see them in our meetings. Okay, if you take our meetings here in the OpenSSF as a gauge, you got, you, you got, our meetings are, are a little heavy in one way and a little lighter in the other, and that's just the fact of what it is. But you have people in your organizations, and everyone here believes in what we do and believes in the community element of it. So you all know people who want to break into the industry, put them in our direction.
We got it. Also, by all means, join the office hours as well and be a voice for the young people that join. We've had three very great, successful, I'm sorry, for successful meetings already in the office hours where young people have joined, and also people who are changing their careers have joined, and they've gotten so much out of it in the way of what does a resume look like, you know, what kind of things you should be, should you be prepared to talk about in interviews? What should you look at as something that you want to do, right? What should you, you know, discovering what your niche is, trying everything and discovering what your niche is. Some, those things like that, and everyone here has time in the game, so you have a voice and you can offer up, hey, these are the things that I did, or these are the things that you could look for, and, of course, you talk to it from your perspective.
I encourage everyone to join, I encourage everyone to discover those that want to come in, to come into these, come into that meeting and join, and then all, and then also these are a good recruiting grounds for those that want to come in. Say: hey, join the OpenSSF, join our working groups, join our SIGs, you know, no experience required. Don't worry, within six months you'll be able to talk, write and have an opinion right along the rest of us, because that's time in, and then you'll be able to take that knowledge and then apply it to your interviews and to think, hey, I worked, as a matter of fact, and I'm sorry I'm rambling on because I get so excited about it.
But I have one individual who only has six months in the game and they were wondering why they weren't getting any looks by employers, and look at their resume and you look at their good reborn, say: hey, you have an opportunity to highlight work that you actually can do and put your hands on. If you choose, join the SIG, say: hey, let me help you work on that code. Put your name in, you, put your hands on the keyboard, become a contributor and then speak to that. Use the STAR method to say, speak to that situation, task, what was the action that you did, and then, and then what was the result of that action? And now you have hardened things to talk about in these interviews, that not, you're not just telling them what they, what they want to hear, you're showing them what they want. So, so these are all areas where that we have, that we give the impactful on.
Thank you, Crow, for an extra couple of seconds to run my mouth. Please join the office hours. I believe we have those, I want to say we do those once a month. Don't call me on that. Once a month, and I believe that we do them, what is it, is that on Tuesday as well? Once a month, Tuesday at 12, I believe. Thursday, okay, good deal. Thursday once a month. I think we just had one last week, so it'll be in another month we'll have it again. Without, do the same thing I do with S2C2F, I'll do that with this group as well, I'll post that and say, hey, we're getting ready to meet. So if you want to come on and come on in and be a contributor to the, to the minds of young people and the minds of those changing, changing careers. Thanks, bro.
D
Yeah, please spread the word. We would love to get as many people as possible participating, both at, you know, bringing in new people to the trade or people that want to change skills, or we're also looking for people to assist and provide guidance for these people, these new petitioners, so, you know, you could be a mentor potentially.
F
So I just have one follow-up. I think if Jay or you can share that information or the links for the office hours and stuff, and, and I've been part of the Adu. But, you know, we are working on the mentorship and the university programs, you know, throughout alphabet. This is a good information to know, to extend and be participating or requesting others who are interested to join and take advantage of as well. Thank you.
H
That down and put it into the notes. Thank you very much on the partner. Please, by all means, reach out to, reach out to either of us directly. You're doing some good work. I'd love for you to be part of the DE&I SIG and, and things that we got going on there as well, because that's basically what it comes down to: outreach, education and then helping the successful recruiting and retention of underrepresented communities, and, you know, doing what we love and, and what we're passionate about. So thank you for that. Yep.
D
I'll track down that link right afterwards. The best working group also is putting together a developer landing page that may be of some use to the end users, so we've kind of trying to consolidate a lot of the resources and help steer that particular persona's journey towards Foundation resources. So if you have comments of other useful resources or groups within the foundation, please submit a PR or open an issue.
D
Security auditors or whomever, whatever groups you want to try to address. So that one's pretty short and sweet. And then two industry things: there's going to be a one-day workshop Cisco is sponsoring around CSAF and VEX. That's going to happen in July. CSAF is the electronic means with which most commercial vendors produce security advisories.
D
So not super interesting to developers, super interesting to this group, because boy, wouldn't you like to have nice machine-readable security advisories when things happen? And then also, in hand in hand with that, is VEX, the vulnerability exchange. It kind of helps people share their effectiveness on different things. So Cisco's sponsoring a big shot, a bake sale so to speak, where they're going to have people come in and do demonstrations and talk about these two standards, and that relates to SBOMs, which again is also of interest to this group.
D
I'll provide a link to that if anyone's interested in just attending, or I can come back and give the notes. I'll be there with our OpenVEX crew to kind of talk through stuff. I get to interact a lot with the CISA folks, and speaking of CISA, another area which may be of interest to this group.
D
The foundation is participating with CISA and the JCDC, which is an organization within the U.S. federal government, where we are conducting a, a workshop around use of open source in operational technologies and industrial control systems, so think power plants, nuclear plants, water treatment plants, these types of scenarios. So it's a collaboration between government, those operators and then consortiums like OpenSSF.
D
So if you are in the IoT or ICS space, I would strongly encourage you to reach out and, you know, observe what that group's going on. And if you have, you know, if you're very passionate about the open source piece of it and trying to help these types of systems operate and get signals around vulnerabilities and fixes, you know, reach out to me. I'd be glad to help get you included in those groups, and I'll get, I'll get links to all that nonsense here in a second.
A
What's going on this week, Montana. I guess just a quick update from this Securing Software Repositories group: the great artifact repository audit program is, is moving forward at a decent pace. Alpha-Omega have been briefed and are going to go away and huddle on what they would like to fund and what level and so on.
A
The basic model envisaged is still that we, you know, basically by process of invitation, asked particular repos to participate. They would receive an audit at AO's expense carried out by OSTIF, and then for findings there would be funding for remediation, either donated to, you know, whatever body manages that repo or to hire a contractor to do it.
F
Know, so how do those invitations go? Like, I'm with that AO, right, I'm Alpha-Omega, so I was wondering: is there a specific criteria that you have decided upon to pick, you know, the specific ones?
A
F
A
I, I think it's, apparently, some funding's been given to PyPI.
A
Might be, might be retroactively framed as being part of that program. Okay, so I think it'll, it'll just come down to willingness, really, for the participants, and, and readiness to go. We'll probably try to pick one or two to begin with and then roll it out progressively over time, and I expect that, as awareness spreads of this, of this program, that more, more ecosystems will identify themselves to the group as being interested in, in future rounds.
A
One thing that's sort of difficult to see from the outside, but definitely really exciting, is that the mission of the Securing Software Repos group to help diffuse ideas between ecosystems has, is actually quite successful for the ecosystems who are aware of it and participating, so I'm, I'm hoping that this effort will also start to raise awareness of folks.
A
F
Awesome, I'll just follow with you. I've already updated on the Alpha-Omega, so new engagements I've mentioned about are, you know, looking at the grants towards Prossimo to improve the support for Rust and Linux kernels, right, improve the Rustls library, cryptographic library, and to looking also towards options, or, you know, work on finding the security audits of OpenSSL through OSTIF, of course, and OpenRefactory engagement to help.
F
You know, complement besides our Omega work. And we do have a website, of course, and we, I mean, it will be cadence for updating and having the monthly updates or the work that has been done or current or existing engagements will be during the first weeks of the month, so I'll certainly post the website link. So that way you will see the Alpha engagements updates on there and Omega work.
F
That is being done, like the disclosure checks or the assertions and whatnot, and iterations with the, you know, vulnerability assessments, so I, I'll give you the link. So those are the main things, and I think the OpenRefactory and the StepSecurity, I think it's going to go into, the way we design it is not Alpha-Omega. It would be better with the OpenSSF Scorecard, and probably that team would be taking it up and following with them. So a few of those engagements, and those are the updates for this.
F
You know, this week or couple of weeks that I have for you, and I'll forward you the link to upkeep with the website, and do check it out regularly and provide your feedback and make it back. We can make it better, because it's a new website we had from last month, so some other eyeballs will definitely help. I recognize the, you know, what, what we don't have or what would be better for is making it user friendly, and that's all we have. Thank you.
D
Cool, cool. I had one more thing: I also work with an organization called FIRST, the Forum of Incident Response and Security Teams, so it represents things like vendor security teams and then also corporate information security teams, which I'm sure many of you here represent or represented. They are pondering the idea of creating a new conference.
D
The current idea is they're going to call it a VulnCon, and the idea is to get groups like FIRST, that manage the CVSS standard, the coordinated vulnerability disclosure kind of frameworks and PSIRT and CSIRT frameworks, get them, get OASIS, who manages things like CSAF, get the CVE board, so get many of the CNAs involved. So they're basically thinking about having a several-day conference early next year and specifically focused around vulnerability management, vulnerability communication, tools like CVSS and CVE and whatnot, and also get community participation. So things like OpenSSF, OSV and OpenVEX.
D
These types of things. So they'll be formulating this conference, and if anyone is interested in participating, I'd like you to reach out to me and I'll put you on the list. As that develops, I'll keep you apprised of kind of when, where and how that's going to happen. And again, worst case, as, you know, the consumer perspective, standardization of these things will be very useful for you all to consume and understand. Like, I think we're going to try to get Alan and the SBOM circus to come.
D
Do some talks too, but there's a lot of things to touch on and end users that might be of use. So whether you would want to participate, like maybe you want to do, when they have the call for papers right now, so I've been an abstract, or maybe you just want to observe and listen and, you know, I digest the output of that conference, let me know and I'd be glad to keep you aware as that develops.
A
Thanks, CRob. I'll just make a quick joke that I'll go if there's a, like a rap battle between CVSS, SSVC and EPSS. Not likely it happened. We, we are almost at time. Dan, will there be enough time for, for your item, do you think, in the other business?
B
The, just to note that W3C is doing a workshop. This is not the official link. This is the GitHub link that I found, unfortunately, but I'll find the regular link. We're doing a workshop with W3C, OpenSSF, OWASP and OpenJS, which is focusing on web developer security, and the, this was put to happen in June. But we didn't get enough paper submissions, we think probably be because it was going to be a physical workshop rather than a virtual workshop. So we've now reimagined it as a virtual workshop.
B
It's going to happen in September 26th through 28th, and we're hopping over three days where we're going to have like one-hour or two-hour sessions, or one on each day, and the paper submission deadline is, has been extended until end of July. If anybody has interest in JavaScript security, web security, web application security, how these things fit together between new security standards and what we're doing more, focusing on the software supply chain side of things.
B
A
Oh, all right, folks, we are at the top of the hour. Very productive session. Thank you, everybody, for participating today. Next time, of course, I believe will be in two weeks. Don't forget to check the notes for things that you can join in. We had lots of calls for action today. Hope to see you again soon. Thanks, everyone.