►
From YouTube: End Users Working Group (June 22, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1abI65H4pF5y8YtA2_TuDBAaI47v9mTfpr5mwVvccX_I
A
A
A
A
What
we're
trying
to
do
now
is
to
raise
items
for
the
agenda
through
the
GitHub
repo,
so
we're
trying
to
create
a
some
something
of
a
paper
trail
and
allowing
discussion
to
occur.
Asynchronously
is
the
the
thinking
there
please
feel
free
to
open
new
issues
on
the
repo
with
agenda
items.
You
would
like
to
discuss
that
helps
us
as
I
said,
to
keep
track
of
things
over
time.
A
A
C
C
If
something
is
there,
and
so
the
idea
is
that
by
a
customer
tracking,
their
consumption
of
Open
Source,
they
can
much
more
easily
identify
that
themselves
meet
that
responsibility
and
then
communicate
to
the
customer
the
way
another
manufacturer
would
we
can
add
that
and
we
can
remove
the
recall
language
happy
to
do
either
or
I.
Don't
know
if
that
helps.
A
B
You
know,
rather
than
using
the
word
recall
which,
which
could
be
confusing
I,
don't
know
I'm,
just
trying
I
I'm
struggling
to
think
what
it
could
be,
but
but
I'm
I
just
wonder
if
it
could
be
if
it
could
be
Rewritten
without
the
word
recall
doing
you
to
incorporate
that
notion.
That
idea
that
we
will
be
working
together
on.
B
C
C
D
Or
yeah
one
way
somebody
could
you
know
issue
this
air
quotes
recall
would
be
through
Technologies
like
vex.
That's
a
way
to
describe
that.
There's
a
problem
and
kind
of
how
the
component
is
affected
and
the
foundation
has
an
implementation
of
Vex
called
openvx,
but
that's
a
way
that
you
know
a
good
good
citizen
of
the
open
source.
Community
could
be
as
I
have
problems,
I
use
signaling
like
Vex,
or
something
to
share
that
with
the
downstream.
C
There's
there's
so
many
nuances
and
that's
the
thing
we're
trying
to
get
away
from,
but
yeah
I
think
to
your
point,
like
the
CBD
process,
you
know
with
cesa,
like
sort
of
aligns
with
that
too,
where
it's
you
know,
how
do
you
even
begin
to
start
that
disclosure
process,
if
you
have
no
idea
what
you're
consuming
so
I
think
that's
the
spirit
of
of
this
so
I
can
take
all
this
I.
Think
there's
enough
here
to
to
remove
recall
and
capture
the
spirit
with
maybe
even
an
example
or
two.
A
Cool
productive
chat,
any
any
more
sort
of
thoughts
about
the
the
RICO
language
on
ingestion
Manifesto.
What
would
we
like
to
move
on
all
right?
Let's
move
on
so
the
next
one
is
Issue,
Number
Nine,
which
is
the
threat
model
this.
This
is
sort
of
like
a
placeholder
or
an
identifier
for
the
work.
That's
been
done,
I've
linked
there,
the
working
dock
from
the
Sig.
A
A
E
Yeah
I
can
hey
everybody,
I
can
say
a
few
words,
so
first
thing
is
so
the
vote
is
open.
I
think
we
circulated
the
do
the
last
week
or
so
the
vote
is
open
until
Friday
tomorrow,
but
it
looks
like
Monday
half
past
six
European
summer
time
will
be
the
new
schedule,
which
is
a
little
bit
more
friendly
for
people
from
the
US.
E
So
that
is
the
one
thing
we
will
start
with
this
new
schedule
as
of
July
I.
Think
it's
the
second
or
the
third.
But
let's
see
maybe
there
are
another
20
people
voting
until
tomorrow
evening
on
another
day,
and
so
it
will
not
be
the
Monday.
Let's,
let's
see
so
far,
it's
just
six
people
or
so
overboarded.
F
E
E
The
second,
maybe
update
on
the
document
itself,
is
that
we
shifted
a
little
bit
gear
in
the
sense
that
until
last
week
or
this
week,
we
basically
developed
and
discussed
all
those
threads
together
and
added
them,
while,
while
being
in
this
Workshop
in
the
meantime,
John
added
another
bunch
of
threads
to
different
systems
of
this
development
infrastructure.
So
I
guess
this
will
accelerate
the
content
creation
but
then
of
course,
changes
a
little
bit
the
maybe
also
the
the
nature
of
those
meetings.
E
So
we
rather
go
into
reviewing,
which
was
to
be
a
lot
of
great
discussions.
I
suppose
I
did
the
count
just
a
few
minutes
ago.
So
by
now
we
have
like
20
something
different
threads
listed
in
this
table
like
format
but
yeah.
Let's
see,
maybe
some
of
them
will
be
merged
or
split
or
maybe
disappear
altogether
in
later
versions.
D
I've
been
lucky
enough
to
mostly
participate
with
Henrik
he's
been
leading
us
through
the
exercise
and
I
would
encourage
everybody
to
take
a
look
at
the
work
and
if
you
have
inclination,
please
try
to
participate.
I
think
this
is
really
valuable
work
for
a
work
product
for
this
group
to
kind
of
share
with
the
community
at
large.
So
please
participate.
If
you
can
I.
A
D
I
can
so
the
governing
board
last
year
decided
they
want
wanted
to
kind
of
set
some
direction
to
help,
motivate
the
working
groups
and
inform
the
work
of
the
foundation
moving
forward,
and
the
idea
initially
was
the
much
hated
name
Sterling
tool
chain.
So
that's
why
you
know
Jacques
pokes
fun
at
me.
D
We
gives
us
an
opportunity
to
identify
what
existing
work
we
have
and
then
you
know,
wherever
possible,
there
might
be
opportunity
for
partners
potentially
to
fill
some
of
these
needs
to
help
ensure
we
have
some
of
these
capabilities
like
a
secure,
CI,
CD
system,
potentially
maybe
there's
some
open
and
closed
Source
solutions
that
might
help
a
consumer
or
a
producer
a
and
help
them
have
that
capability.
So
that's
what
you
know
we're
trying
to
have
a
a
unifying
idea
of
how
we
can
motivate
the
work
of
the
foundation
going
forward.
D
So
that's
the
the
whole
security
tool
belt
idea
and
I
will
post
a
link
to
the
meeting
notes
if
anyone
is
interested
in
participating,
we've
got
about
15
folks
that
have
been
helping
us
kind
of
shape.
This
idea
so
far,
many
of
these
smiling
faces
here
on
the
call,
but
patches
are
always
welcome.
We
would
love
feedback
and
especially
as
we
get
into
more
of
the
architectury
and
threat
modely
pieces
of
this
exercise,
I'll
definitely
need
some
kind
of
some
seasoned
infosec
opinions
on
helping
us
helping
us
make
sure
we're
doing
things
right.
A
F
So
I
can
maybe
try
to
do
right.
I
was
I
was
working
with
John
about
this,
and
he
mentioned
that
we
should
open,
like
initiative,
see
and
review
the
technical
territor
and
make
necessary
updates.
You
know
that
are
required
for
it
from
the
team.
So
that's
why
you
know
I
had
opened
that
one
and
anybody
who
wants
to
take
a
look
and
review
with
this
team
or
the
thread
modeling
game
that
joins
on
the
other
quickly
call
can
add
an
update
and
review,
and
we
want
to
make
it
a
little
bit
more
robust.
F
You
know
and
comparing
with
other
opennesses,
if
you
know
Charters
and
looking
at
it
and
I
did
actually,
it
seemed
almost
similar
to
me
to
be
honest,
you
know,
but
anything
that
is
make
makes
it
much
more
specific
for
our
team
here,
end
user
working
group
as
well
as
for
the
you
know,
threat
modeling
to
be
extended
and
making
made
more
detail,
and
you
know
the
oriented
orientation
towards
that
would
be
helpful.
That's
the
idea
behind
that
yeah.
D
Yeah
things
like
the
charter
and
the
group's
readme
file
are
just
invaluable
to
document
what
the
group's
doing
so
that
new
participants
can
potentially
be
enticed
to
come
in,
and
then
the
charter
helps
Define
how
this
group
wants
to
operate.
So
it's
important
to
have
these
things
documented.
Like
do
we
want
to
hold
votes
or
you
know.
How
often
do
we
meet
this
type
of
so
documenting
so
that
participants
understand
kind
of
what
the
guidelines
are
for
how
we
operate.
So
it's
you
know
very
important
and
again
I
much
like
the
threat.
D
Modeling
I
would
encourage
participation
here.
You
know
take
a
look
at
that,
give
some
good
feedback
of
how
we
want
this
community
to
work,
and
then
you
know
make
sure
we
get
things
in
the
readme
so
that
external
people
that
are
kind
of
browsing
the
foundation
trying
to
find
where
to
hop
on
they
can
have
a
clear
understanding
of
what
we're
doing
and
how
they
can
contribute
to
that.
F
Yeah
I
think
we
should
look
at
the
you
know,
guidelines
on
how
we
are
going
to
engage
with.
You
know
the
engagement
model
with
external
as
well
as
what
would
be
the
decision
points
and
how
we're
how
we
are
doing
the
controls.
You
know
to
keep
it
clean
and
open
for
everybody
and
without
any
bias,
if
I
might
say,
because
we
all
come
from
different
organizations,
as
you
all
know,
so
those
are
the
main
things
that
we
want
to.
F
A
F
A
A
F
B
B
The
charter
is
more
like
there
to
talk
about
how
the
group
runs
and
is
not
necessarily
talking
about
the
the
content,
but
I
really
think
it
should
be
talking
about
the
content
for
exactly
this
reason.
That
Krab
mentioned
that
to
make
it
more
friendly
to
use
to
external
people
who
may
not
be
familiar
with
openssf
and
how
we're
working.
B
So
the
first
thing
they're
going
to
look
at,
is
they're
going
to
look
at
this
repo
they're
going
to
look
at
the
readme
and
they're
going
to
look
at
the
charter,
because
Charter
is
like,
especially
if
you've
been.
If
you're.
If
you're
familiar
with
working
groups,
then
you
might
look
at
the
charter
and
I
think
it.
It
is
important
to
have
some
some
info
in
there
I'm
happy
to
help
I'm,
not
an
end
user,
but
I'm
happy
to
help.
A
Yeah
yeah
Mike
by
any
question
like
with
the
design
that
LF
gifted
the
working
groups,
is
that
it
what's
the
word
I'm
looking
for
it
envisages
a
technical
steering
committee
that
in
practice,
most
groups,
just
don't
have
most
groups
are
operating
on
on
consent
like
pure
consensus,
which
is
fine.
It's
just
I've
always
worried
about
the
scenario
where
there's
a
irreconcilable
dispute
and
it
needs
to
be
settled
by
vote
and
how
that's
going
to
look
when
it
happens.
Not
if,
but
when.
B
A
D
Haphazardly
worked
through
and
adopted,
Charters
the
charter
is
very
much
boilerplate.
We
inherited
it
from
I
think
maybe
this
even
the
cncf
with
some
slight
changes
and
that's
just
a
template
that
is
given
to
the
working
groups.
The
working
group
is
completely
empowered
to
make
any
adjustments
as
they
desire
to.
So.
D
There
have
been
certain
circumstances
where
you
do
need
to
occasionally
have
a
formal
vote,
maybe
not
so
much
in
this
group,
but
especially
like
when
you
are
considering
adopting
donated
intellectual
property.
There's
some.
You
know
legal
constraints
you
need
to
think
through
and
having
that
documented,
who
is
eligible
and
who
isn't
is
important
and
that
might
not
be
important
to
this
group.
So
if
we
don't
want
it
and
don't
need
it,
we
can
strike
it
and
just
say
we
are
consensus.
D
D
We
can
change
whatever
we
want
so
that
we
have
that
flexibility.
Yes,
the
the
template
is
pretty
much
Lock
Stock
and
Barrel.
What
most
every
working
group
just
uses.
Unfortunately,
like
this
group,
we
didn't
make
a
little
couple
changes
to
say
like
what
our
working
group
name
is,
but
generally
we
want
to.
D
We
want
to
follow
the
spirit
you
know
we
have
to
follow
the
lf's
code
of
conduct,
I
believe
that's
stated
in
the
charter,
and
but
beyond
that,
like
how
we
operate,
how
we
make
decisions,
how
often
we
meet
who's
eligible?
That's
really
up
to
the
the
group
to
decide,
and
we
have
that
flexibility.
If
we
want
to,
we
can
just
take
what
we're
given
and
you
know,
choose
to
devote
our
time
more
on
things
like
the
threat
model,
or
we
can.
D
D
There's
a
process
for
that,
but
the
the
group
has
to
decide
they
want
to
take
that
direction
before
you
can
start
to
take
those
steps.
We
don't
want
any
one
entity
to
come
in
and
kind
of
full
Rush
their
way
through
and
force
something
into
a
working
group
that
the
group
itself
doesn't
necessarily
want
to
do.
And
then
you
know
once
the
group
decides
they
want
to
do
it.
D
Then
we
will
go
through
and
you
know
commit
work
with
LF,
legal
or
whatnot
for
that
particular
transfer
in
the
situation
where,
like
software
is
being
donated
good,
but
you
know
if
this
group
wanted
to
do
personas,
we
wanted
to
spin
up
a
Sig
around
personas,
the
that's
perfectly
within
our
ability
to
do.
If
the
group
decides
they
want
to
do
that
and
state.
This
is
part
of
our.
You
know
as
long
as
it
aligns
with
our
core
Mission
here.
F
So
is
it
right
for
me
to
understand
Rob
like
I
mean,
of
course
we
will
be,
you
know
aligning
and
staying
within
the
you
know
limits
of
elephant,
openness
and
stuff.
But
if
let's
say
if
we
need
to
extend
our
work
in
a
much
more
a
fashion
better,
there
is
a
project
or
a
program
that
we
want
other
group
to
engage
in
like
Alpha
omegas.
F
You
know
mentorship
or
something
that
we
can
engage
and
that
them
have
Hands-On
practical
looking
at
the
threat
model-
and
you
know
have
it
on
some
infrastructure
or
something
like
that
right
in
that
case,
that
we
will
be
going
with
the
LF
and
all
of
the
you
know,
stipulations
and
the
legal
legalities
and
whatnot,
but
I'm
we're
not
going
that
far.
Is
it.
D
D
There's
a
process
for
that,
and
we
need
to
follow
that
right.
You
know
if
this
group
wants
to
just
do
verbal
votes
on
things
write
that
down
on
the
charter.
If
that's
what
we
agree
on
or
if
we
want
to
get
it
formally
documented
in
a
GitHub
issue,
or
it
goes
out
through
an
email,
you
just
want
to
again
provide
those
constraints
so
that
people
understand
and
they
can
feel
free,
that
they
are
empowered
to
participate.
F
D
Most
of
the
work
of
the
foundation
like
a
formal
TSC
is
very
heavy.
You
know
that's
great
for
a
software
project,
so
things
like
scorecard
or
like
Alpha
and
Omega.
They
probably
should
have
attendance
also
should
have
a
technical
steering
committee,
but
you
know
for
us
doing
a
threat
model.
The
formal
approval
committee
might
be
a
little
burdensome
might
be
very
heavy.
We
might
not
need
that
much
process,
but
the
group
might
decide
they
do
need
it.
I
know
that's
up
to
for
you
all
to
help
decide.
A
So
my
feeling
is
that
this
one
will
need
to
come
back
again
in
the
fullness
of
time
in
due
season.
What
else
I
forgot?
There's
one
that
one
of
Australia's
Prime
Ministers,
who
used
to
say
I,
was
in
just
incredibly
obtuse,
but
I
forgotten
it.
Now,
let's
move
on
to
reports
from
other
working
groups
with.
Oh,
they
see.
Dan
has
his
hand
up.
B
Sorry,
while
we've
been
talking
I've
been
I,
thought
I
might
take
a
crack
at
just
doing
a
light
edit
of
the
charter
document
to
put
the
specifics
in
there
I'm
not
going
to
invent
anything,
but
just
so
that
we
have
something
to
talk
about
because
one
one
way,
my
suggestion
is
that
actually
I
can
do
that,
make
a
PR.
Then
we
have
something
to
talk
about
right
and
then
we
can
say:
okay,
I,
like
this
I,
don't
like
that.
Let's
make
this
change.
B
Let's
make
this
that's
new
note,
so
next
working
group
call,
maybe
we
can
work
through
it
and
and
actually
adopt
it
and
then
say
adopted
because
it
has
an
adopted
colon
date
thing
at
the
top.
We
can
say
adopted
that
date
right
and
so,
if
you're,
okay
with
that
I'm
I'm
I
promise
not
to
like
you
know,
invent
some
kind
of
new
process
in
it.
I'll
just
use
use
the
building
blocks
that
are
there
already.
A
F
H
H
Those
conversations
are
are
all
right.
Heating
up,
Melba
has
put
together
her
thoughts,
and
you
know,
I
mean
just
phenomenally
like
I
mean
if
you
could
take
like
a
proverbial
tabbing
out
of
the
framework
and
we've
been
going
through
that
over
the
last
two
or
three
meetings,
because
there's
just
so
much
to
to
go
through,
which
I
think
is
phenomenal.
H
I
put
out,
you
know
every
time
we
have
a
meeting
I
make
sure
in
this
working
group,
I
say:
hey
we're
meeting
now
so
come
on
in,
but
I'll
say
it
here
as
well.
This
is
a
great
time
we
got.
We
got
salsa
1.0,
that's
breathing
a
little
bit
in
the
ecosystem.
This
is
a
great
opportunity
for
us
to
put
some
put
some
muscle
and
some
thought
leadership
behind
what
we
have
going
on
with
s2c2f.
H
So
if
you
are
so
inclined
you
meet
every
other
Tuesday
at
12,
I
believe
and
that's
that's
a
pacific
time
come
on
in
and
and
let
your
voice
be
heard
as
well.
You'll
see
the
issues
there
that
we're
working
on
I
think
we
put
up
I,
think
we
uploaded
a
copy
of
what
Melba
has
for
everyone
to
look
at
and
we
have
new
threats
that
have
been
added
along
with
our
thoughts
around
an
FAQ.
H
D
One
is
about
C
and
C,
plus
plus
compiler
hardening
options,
which
is
probably
less
interesting
for
this
group,
but
that's
in
Flight
getting
some
good
progress.
The
one
guy
that
I
think
would
be
a
lot
deep
interest
of
this
particular
constituency.
Is
our
source
code
management,
concise
guide,
talking
about
how
to
use
things
like
GitHub
and
gitlab
in
the
most
secure
fashion,
we
have
some
best
practices
we're
recommending
so
that
work
is
in
flight.
D
I
will
give
the
group
a
link
that
you
can
take
a
look
at
where
we
are
and
patches
and
comments
and
feedback
are
always
welcome.
We
expect
that
guy's
probably
going
to
get
wrapped
up,
probably
July,
sometime
we're
pretty
good
with
we're
close
to
a
1.0
draft
and
then
we'll
be
looking
for
additional
right.
We
have
GitHub
and
git
lab
fairly
well
documented
for
security
controls
and
configurations,
and
if
there
are
other
forges
that
people
are
interested
in,
we
would
love
to
get
contributions
for
how
to
deploy
similar
controls
and
techniques.
D
In
those
other
environments,
so
any
questions
about
the
SCM
guide,
I'll
put
a
link
here
in
a
second
next
up.
I
would
like
to
maybe
have
bring
Jay
back
to
the
microphone.
The
education
Sig
has
a
Deni
committee
and
they
have
been
operating
a
set
of
office
hours,
trying
to
engage
historically
underrepresented
communities
within
open
source
and
cyber
security
and
I
think
they've
had
a
really
great
series
of
office
hours
and
maybe
Jay
can
kind
of
share
that
to
try
to
get
the
word
out.
Potentially,
let
you
all
take
that
back
to
your
organization.
D
H
Absolutely
absolutely
and
chrome
knows
how
near
and
dear
to
my
heart
that
this
is
especially
when
it
comes
to
educating
those,
not
just
the
the
our
young
people
out
there
that
really
want
to
study
our
craft
right.
Is
you
know
it's
always
a
delight
when
they,
when
they
want
to
study
something
other
than
psychology
in
school
they
want
to.
H
I'm
working
in
this
organization
in
HR
or
Finance
or
or
you
know,
privacy
or
something
else
and
they're
like
you
know
what
working
across
and
watching
what
these
guys
do.
It
looks
really
cool
I'd
like
to
try
that
right
and
they
don't
know
how
to
get
it,
how
to
come
into
the
industry
or
that
there
are
different
paths
to
come
in.
Different
paths
are
coming
into
what
we
do.
H
The
office
hours
are
a
great
place
for
this,
especially
when
it
comes
to
those
members
of
underrepresented
communities
who
don't
have
the
resources
and
also
the
people
to
talk
to
and
I
was
like
you
gotta,
you
gotta
understand
right,
you
know
you
get
out
of
it,
what
we
put
into
it.
So
when
you
see
in
in
in
Tech
the
the
disparity
between
you
know
the
the
people
that
you
currently
see
day
to
day
and
operating
yeah,
you
can
even
see
them
in
our
meetings.
H
Okay,
if
you
take
our
meetings
here
in
the
openness
us
up
as
a
gauge,
you
got
you
you
got,
our
meetings
are,
are
a
little
heavy
in
one
way
and
a
little
lighter
in
the
other,
and
that's
just
the
fact
of
what
it
is.
But
you
have
people
in
your
organizations,
and
everyone
here
believes
in
what
we
do
and
believes
in
the
community
element
of
it.
So
you
all
know
people
who
want
to
break
into
the
industry
put
them
in
our
direction.
H
We
got
it
also
by
all
means,
join
the
office
hours
as
well
and
be
a
voice
for
the
young
people.
That
joint
we've
had
three
very
great,
successful.
I'm.
Sorry
for
successful
meetings
already
in
the
office
hours
where
young
people
have
joined,
and
also
people
who
are
changing
their
careers
have
joined
and
they've
gotten
so
much
out
of
it
in
the
way
of
what
does
a
resume
look
like
you
know
what
kind
of
things
you
should
be.
Should
you
be
prepared
to
talk
about
in
interviews?
H
What
should
you
look
at
as
something
that
you
want
to
do
right?
What
should
you
you
know
discovering
what
your
Niche
is,
trying
everything
and
discovering
what
your
Niche
is?
Some
those
things
like
that
and
everyone
here
has
time
in
the
game,
so
you
have
a
voice
and
you
can
offer
up
hey.
These
are
the
things
that
I
did,
or
these
are
the
things
that
you
could
look
for
and,
of
course
you
talk
to
it.
H
From
your
perspective,
I
encourage
everyone
to
join
I,
encourage
everyone
to
discover
those
that
want
to
come
in
to
come
into
these
come
into
that
meeting
and
join
and
then
all
and
then
also
these
are
a
good
recruiting
grounds
for
those
that
want
to
come
in,
say:
hey,
join
the
open,
ssf
join
our
working
groups
join
our
six
know.
You
no
experience
required.
H
Don't
worry
within
six
months,
you'll
be
able
to
talk,
write
and
have
an
opinion
right
along
the
rest
of
us,
because
that's
time
in
and
then
you'll
be
able
to
take
that
knowledge
and
then
apply
it
to
your
interviews
and
to
think
hey.
I
worked
as
a
matter
of
fact
and
I'm.
Sorry
I'm,
rambling
on
because
I
get
so
excited
about
it.
H
But
I
have
one
individual
who
only
has
six
months
in
the
game
and
they
were
wondering
why
they
weren't
getting
any
looks
by
employers
and
look
at
their
resume
and
you
look
at
their
good
reborn,
say
Hey.
You
have
an
opportunity
to
highlight
work
that
you
actually
can
do
and
put
your
hands
on.
If
you
choose
join
the
sick,
say
hey,
let
me
help
you
work
on
that
code.
H
Put
your
name
in
you,
put
your
hands
on
the
keyboard,
become
a
contributor
and
then
speak
to
that
use
the
star
method
to
say,
speak
to
that
situation
task.
What
was
the
action
that
you
did
and
then
and
then
what
was
the
result
of
that
action?
And
now
you
have
hardened
things
to
talk
about
in
these
interviews
that
not
you're
not
just
telling
them
what
they
what
they
want
to
hear
you're,
showing
them
what
they
want.
So
so
these
are
all
areas
where
that
we
have
that
we
give
the
impactful
on.
H
Thank
you
Crow
for
an
extra
couple
of
seconds
to
run
my
mouth.
Please
join
the
office
hours
I
believe
we
have
those
I
want
to
say
we
do
those
once
a
month.
Don't
call
me
on
that
once
a
month
and
I
believe
that
we
do
them.
What
is
it
is
that
on
Tuesday,
as
well,
once
a
month,
Tuesday
at
12
I
believe.
H
Thursday,
okay
good
deal
Thursday
once
a
month,
I
think
we
just
had
one
last
week
so
it'll
be
in
another
month.
We'll
have
it
again
without
do
the
same
thing.
I
do
with
s2c12f
I'll.
Do
that
with
this
group
as
well,
I'll
post
that
and
say
hey
we're
getting
ready
to
meet.
So
if
you
want
to
come
on
and
come
on
in
and
be
a
contributor
to
the
to
the
minds
of
young
people
and
the
minds
of
those
changing
changing
careers,
thanks
bro.
D
Yeah,
please
spread
the
word.
We
would
love
to
get
as
many
people
as
possible,
participating
both
at
you
know,
bringing
in
new
people
to
the
trade
or
people
that
want
to
change
skills
or
we're
also
looking
for
people
to
assist
and
provide
guidance
for
these
people.
These
new
petitioners,
so
you
know
you
could
be
a
mentor
potentially.
F
So
I
just
have
one
follow-up,
I
think
if
Jay
or
you
can
share
that
information
or
the
links
for
the
office,
hours
and
stuff
and
and
I've
been
part
of
the
Adu.
But
you
know
we
are
working
on
the
mentorship
and
the
university
programs.
You
know
throughout
alphabet.
This
is
a
good
information
to
know
to
extend
and
be
participating
or
requesting
others
who
are
interested
to
join
and
take
advantage
of
as
well.
Thank
you.
H
That
down
and
put
it
into
the
notes.
Thank
you
very
much
on
the
partner,
please
by
all
means
reach
out
to
reach
out
to
either
of
us
directly
you're
doing
some
good
work.
I'd
love
for
you
to
be
part
of
the
dni
Sig
and
and
things
that
we
got
going
on
there
as
well,
because
that's
basically
what
it
comes
down
to
outreach
education
and
then
helping
the
successful,
recruiting
and
retention
of
underrepresented
communities,
and
you
know
doing
what
we
love
and
and
what
we're
passionate
about.
So
thank
you
for
that.
Yep.
D
I'll
track
down
that
link
right
afterwards.
The
best
working
group
also
is
putting
together
a
developer
landing
page
that
may
be
of
some
use
to
the
end
users,
so
we've
kind
of
trying
to
consolidate
a
lot
of
the
resources
and
help
steer
that
particular
persona's
Journey
towards
Foundation
resources.
So
if
you
have
comments
of
other
useful
resources
or
groups
within
the
foundation,
please
submit
a
PR
or
open
an
issue.
D
Security,
Auditors
or
whomever,
whatever
groups
you
want
to
try
to
address
so
that
one's
pretty
short
and
sweet
and
then
two
industry,
things
there's
going
to
be
a
one-day
Workshop
Cisco
is
sponsoring
around
csaf
and
Vex.
That's
going
to
happen
in
July.
Csaf
is
the
electronic
means
with
which
most
commercial
vendors
produce
security
advisories.
D
So
not
super
interesting
to
developers
super
interesting
to
this
group
because
boy,
wouldn't
you
like
to
have
nice
machine,
readable
security
advisories
when
things
happen
and
then
also
in
hand
in
hand
with
that
is
Vex.
The
vulnerability
exchange
it
kind
of
helps.
People
share
their
effectiveness
on
different
things,
so
Cisco's
sponsoring
a
big
shot,
a
bake
sale
so
to
speak,
where
they're
going
to
have
people
come
in
and
do
demonstrations
and
talk
about
these
two
standards
and
that
relates
to
s-bombs,
which
again
is
also
of
interest
to
this
group.
D
The
foundation
is
participating
with
sisa
and
the
jcdc,
which
is
an
organization
within
the
U.S
federal
government,
where
we
are
conducting
a
a
workshop
around
use
of
Open
Source
in
operational
Technologies
and
Industrial
Control
Systems
so
think
power
plants,
nuclear
plants,
water
treatment
plants,
these
types
of
scenarios.
So
it's
a
collaboration
between
government,
those
operators
and
then
consortiums
like
openssf.
D
So
if
you
are
in
the
iot
OR
ICS
space
I
would
strongly
encourage
you
to
reach
out,
and
you
know,
observe
what
that
group's
going
on.
And
if
you
have,
you
know,
if
you're
very
passionate
about
the
open
source
piece
of
it
and
trying
to
help
these
types
of
systems
operate
and
get
signals
around
vulnerabilities
and
fixes.
You
know,
reach
out
to
me,
I'd,
be
glad
to
help
get
you
included
in
those
groups
and
I'll
get
I'll
get
links
to
all
that
nonsense
here
in
a
second.
A
What's
going
on
this
week,
Montana
I
guess
just
a
quick
update
from
this
securing
software
repositories.
Group,
the
great
artifact
repository
audit
program,
is,
is
moving
forward
at
a
decent
pace.
Alfa
Omega
have
been
briefed
and
are
going
to
go
away
and
huddle
on
what
they
would
like
to
fund
and
what
level
and
so
on.
A
The
basic
model
envisaged
is
still
that
we,
you
know
basically
by
process
of
invitation,
asked
particular
repos
to
participate.
They
would
receive
an
audit
at
ao's
expense
carried
out
by
ostiff
and
then
for
findings.
There
would
be
funding
for
remediation
either
donated
to
you
know,
whatever
body
manages
that
repo
or
to
hire
a
contractor
to
do
it.
A
F
A
F
A
Might
be
might
be
retroactively
framed
as
being
part
of
that
program.
Okay,
so
I
think
it'll
it'll
just
come
down
to
willingness
really
for
the
participants
and
and
Readiness
to
go,
we'll
probably
try
to
pick
one
or
two
to
begin
with
and
then
roll
it
out
progressively
over
time
and
I
expect
that,
as
awareness
spreads
of
this
of
this
program,
that
more
more
ecosystems
will
identify
themselves
to
the
group
as
being
interested
in
in
future
rounds.
A
F
You
know
complement
besides
our
Omega
work
and
we
do
have
a
website
of
course,
and
we
I
mean
it
will
be
Cadence
for
updating
and
having
the
monthly
updates
or
the
work
that
has
been
done
or
current
or
existing
engagements
will
be
during
the
first
weeks
of
the
month,
so
I'll
certainly
posted
website
link.
So
that
way
you
will
see
the
alpha
engagements
updates
on
there
and
Omega
work.
F
That
is
being
done
like
the
disclosure
checks
or
the
assertions
and
whatnot
and
iterations
with
the
you
know,
vulnerability
assessments,
so
I
I'll
give
you
the
link.
So
those
are
the
main
things
and
I
think
the
open,
refactory
and
the
step
security
I
think
it's
going
to
go
into
the
way
we
design
it
is
not
Alpha
Omega.
It
would
be
better
with
the
open,
ssf
school
card
and
probably
that
team
would
be
taking
it
up
and
following
with
them
so
a
few
of
those
engagements,
and
those
are
the
updates
for
this.
F
You
know
this
week
or
couple
of
weeks
that
I
have
for
you
and
I'll
forward
you
the
link
to
upkeep
with
the
website
and
do
check
it
out
regularly
and
provide
your
feedback
and
make
it
back.
We
can
make
it
better
because
it's
a
new
website
we
had
from
last
month,
so
some
other
eyeballs
will
definitely
help
I
recognize
the
you
know
what
what
we
don't
have
or
what
would
be
better
for
is
making
it
user
friendly
and
that's
all
we
have
thank
you.
D
Cool
cool
I
had
one
more
thing:
I
also
work
with
an
organization
called
first,
the
form
of
incident
response
and
security
teams,
so
it
represents
things
like
vendor
security
teams
and
then
also
corporate
information
security
teams,
which
I'm
sure
many
of
you
here
represent
or
represented.
They
are
pondering
the
idea
of
creating
a
new
conference.
D
The
current
idea
is
they're,
going
to
call
it
a
Volcan,
and
the
idea
is
to
get
groups
like
first
that
manage
the
CVSs
standard,
the
coordinated
vulnerability,
disclosure
kind
of
Frameworks
and
pcert
and
cert
Frameworks
get
them
get
Oasis.
Who
manages
things
like
csaf
get
the
cve
board
so
get
many
of
the
CNAs
involved,
so
they're,
basically
thinking
about
having
a
several
day
conference
early
next
year
and
specifically
focused
around
vulnerability
management,
vulnerability,
communication
tools
like
cbss
and
CBE
and
whatnot,
and
also
get
community
participation.
So
things
like
openss,
osv
and
open
Vex.
D
These
types
of
things
so
they'll
be
formulating
this
conference
and
if
anyone
is
interested
in
participating,
I'd
like
you
to
reach
out
to
me
and
I'll
put
you
on
the
list
as
that
develops.
I'll
keep
you
apprised
of
kind
of
when,
where
and
how
that's
going
to
happen
and
again
worst
case.
As
you
know,
the
consumer
perspective,
standardization
of
these
things
will
be
very
useful
for
you
all
to
consume
and
understand,
like
I,
think
we're
going
to
try
to
get
Alan
and
the
s-bomb
circus
to
come.
D
Do
some
talks
too,
but
there's
a
lot
of
things
to
touch
on
and
end
users
that
might
be
of
use
so
whether
you
would
want
to
participate
like
maybe
you
want
to
do
when
they
have
the
call
for
papers
right
now,
so
I've
been
an
abstract
or
maybe
you
just
want
to
observe
and
listen,
and
you
know
I
digest
the
output
of
that
conference.
Let
me
know
and
I'd
be
glad
to
keep
you
aware.
As
that
develops.
A
B
The
just
to
note
that
w3c
is
doing
a
Workshop.
This
is
not
the
official
link.
This
is
the
GitHub
link
that
I
found,
unfortunately,
but
I'll
find
the
regular
link
we're
doing
a
workshop
with
w3c
open
ssf
ospin
up
in
JS,
which
is
focusing
on
web
developer
security
and
the
this
was
put
to
happen
in
June.
But
we
didn't
get
enough
paper
submissions
we
think
probably
be
because
it
was
going
to
be
a
physical
Workshop
rather
than
a
virtual
Workshop.
So
we've
now
reimagined
it
as
a
virtual
Workshop.
B
It's
going
to
happen
in
September
26th
through
28th
and
we're
hopping
over
three
days
where
we're
going
to
have
like
one
hour
or
two
hour
sessions
or
one
on
each
day
and
the
paper
submission
deadline
is,
has
been
extended
until
end
of
July.
If
anybody
has
interest
in
JavaScript
security,
web
security
web
application
security,
how
these
things
fit
together
between
new
security
standards
and
what
we're
doing
more,
focusing
on
the
software
supply
chain
side
of
things.
B
A
Oh
all,
right
folks,
we
are
at
the
top
of
the
hour
very
productive
session.
Thank
you,
everybody
for
participating
today.
Next
time,
of
course,
I
believe
will
be
in
two
weeks.
Don't
forget
to
check
the
notes
for
things
that
you
can
join
in.
We
had
lots
of
calls
for
Action
today
hope
to
see
you
again
soon
thanks.
Everyone.