From YouTube: End Users Working Group (May 25, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
So I had just found out recently that, about an hour ago, John can't make it for personal reasons. I've tried to update the, create the entry for today in the Slack channel. If you can add your names and add anything to the agenda that you would like to discuss, that'd be helpful.
C
D
G'day, can you give me just a minute? My last meeting ran up to exactly 10 o'clock, so I need a second.
E
E
C
D
Give it a few more seconds and then we'll kick off. Let me show, folks have seen the link, but if not I will drop it in chat just one more time, because why not, the links are free.
D
D
Daniel, Andrew, could I 91 of you. You've done a great job in the past.
E
I would normally, I, I will try. I will try. I'm just not, I'm not, I'm not running at 100 capacity today, I'm just like suffering from a cold, I.
F
D
Sorry to hear that. So the next, next thing we usually do is to say hello to new friends, people who might have not visited before or who haven't visited for a long time and would like to reintroduce themselves. Here's your chance.
G
Hi, this is Nitin Bhargav and I'm from ADP, and Jonathan from Citibank actually introduced me to this group and suggested that I should join, and I manage the power security third party at ADP.
D
That's really cool, it's great to see new faces. Speaking with your email, the new faces that I haven't caught yet.
D
No, okay. That leads us now to the next part of the agenda, which is membership, and I think, Andrew, this would be you.
A
Yeah, so Newton, welcome aboard, wonderful to have you. Thank you. It's always, it's always good to have new members of every session. I think that's, I think that's great. So thank you.
A
We also had, from the Linux Foundation OpenSSF Day up in Vancouver a couple weeks ago, we had Morgan Stanley commit. I don't believe they're on here, they've been in the past, but yep, but he's committed to have someone here moving forward. Was not able to connect with Boeing. They had expressed an interest. I still think they're trying to find the right person to participate. I'll continue to work on that. Any other, from the, from the members here, any other folks that you've talked to that have expressed an interest?
A
You, okay, all right. Well, it's, it's gonna be a collective effort to make sure we continue to grow this, this working group, so please, all, you know, just keep thinking about who you can reach out to. Jonathan, I, Jacques are, are happy to reach out to anybody that, that make, may come up, but we, this selective effort to continue to drive the membership here.
D
Absolutely, definitely keen to broaden the base. That's why it's so great to see you today in, okay, so we have here: LF North America Summit debrief. I'm not sure who put this in or would like to take it. Andrew, go ahead.
A
I did, so, I know. A number of us were up there. There were a couple of panels where I participated in where we talked about the OpenSSF. We talked about the end user working group and its mission, the one the Jacques and I and, and John presented to the OpenSSF, the OpenSSF attendees. I think it is.
A
It was a bit of a self-selecting group and it pointed out to us the, the need to really grow this membership, because I think in a room of what, 50 people, there were three end users. Is that about right, group? Yeah.
A
A
Chance to participate on a separate panel with, with the IBM and Amazon and, and JP Morgan, and it was, it was interesting that it was a general talk topic around software supply chain security, and this was in the broader.
A
So we had some folks who clearly understood, were actively contributing and participating to a variety of different efforts, and then we had some that, put it bluntly, weren't quite sure what software supply chain security was. So again it just, it just reminded us of that. We need to continue to raise awareness. We need to continue to put out material to reach out to an audience, again, with widely varying degrees of expertise. We can't just assume that people have the same level of knowledge of many of the folks on this audience.
A
All this, all the groups were, all the sessions were, that I was there for, were pretty well attended. I don't know if others would like to share. Crow, but definitely like to get your feedback, you, you were all over the place up there, I saw.
B
Yeah, I thought all in all it was a good set of micro-conferences and conferences. I think the OpenSSF Day started off very strong. We lost some folks in the afternoon. I don't know if that was just kind of competing content, or if people didn't want to see about the mobilization plan, I can't tell, but a lot of really good talks, and I absolutely agree, Andrew, we need to, it, the pan.
B
The, the panel that you and Jacques and Jonathan put together really highlighted the need to get a broader feedback from the end user constituency, and I think there's just a lot of opportunity, and the, there's a group of us working on threat modeling the software supply chain, with Henrik's kind of helping lead that, and an idea that potentially could lead into luring more participation is.
B
A
And I think perhaps, for me, one of the most important takeaways is Jonathan hosted a kind of an ad hoc birds of a feather session, which I was actually not able to, to attend, but I guess there were a few folks there, and one of the outcomes of that that we had talked about was pitching the OpenSSF to get some project management support and more marketing support, and that was wholeheartedly supported in probe.
A
A
B
And I'll put a plug in, they're doing the OSS EU, will be in Spain in September, and they'll be doing an OpenSSF Day there. They just opened up a call for papers for Open Source Summit Asia, so that call for papers is open now, and depending on the interest we might be able to do another OpenSSF Day, and I would encourage this group to figure out.
B
If anyone can just, you know, show up there and see if we can arrange some birds of other stuff to lure in, you know, more end user participation to try to get that very vital feedback.
E
I just wanted to put my two cents in that I totally agree. I was not at the event, but like it jibes with my feeling that, you know, we really need to work on getting the word out, getting the, raising the awareness of these terms. Software supply chain security is very, very well known in our circles, but like when I talk to web developers, they, you know, they're like.
E
Like I'm a martian, but I, one thing, I, is there actually, I know that there's a concise guide, there are concise guides, but is there actually like a guide or a single document somewhere that's like, this is the definition of software supply chain security according to the OpenSSF? Because I know there are like blog posts and there's concise guides and then there's like more detailed learning material, but maybe crop can answer. Is there something that we can point to?
B
A, a very handsome gentleman with an amazing haircut recently proposed that we create a foundation-wide dictionary that we could consolidate all these terms from across the working groups, and I, just, that person would love some help in trying to help push that notion and get that created.
B
So it's a cross-foundational resource for both dictionary, lexicon type things, personas, and also be a resource where we could have an introductory deck on explaining what each of the working groups do, just some resource for the whole Foundation, that one place people could go to to get this stuff. So I agree, patches welcome.
B
E
B
For free software, and I am three thousand percent oversubscribed, so any additional help would help us get that over the finish line, and.
F
So probably we got, we got that, we got that document that we started, and I still have the link open right on my damn. I still have it open as one of my links on my, yeah yeah yeah, I do, although I'm not on my computer right now. What I can do is when I get there, I could post a link in the Slack, but, but I started with.
F
We have a, we have like five or six different areas and I wrote some in each one of them for, for the objective, the mission, vision, scope, one-liners that can be built out. Probe and I have both strapped for time. So whenever we can, we jump back into it and do something, but we really would like to get this over the finish line. We're strapped, we're really strapped for time, but the, the idea is to build a working group.
F
That's a centralized tentative that can have tentacles out to the other working groups so that we can do things like, you know, on one sheet of music with personas, one sheet of music with taxonomy, one sheet of music with DE and I, one sheet of music that spreads out across the, and then can act as a liaison across the LF, even on behalf of the OpenSSF, to do some of these things as well. Right, that's, that's, that's more, that's our, that's our, our ultimate vision, I.
F
Guess for the, for that particular working group, but the. But we have a document that, that's, that we started months ago, that, you know, things come up and we can't, you know, we need help. So, so, when I get back to my computer I'll post a link, because I still have it open, because I get back to it when I can, and then, and then, you know, so, so who Crow was referring to, it wasn't just him.
F
F
C
D
Benefits of wisdom, how should, I see you have your hand up.
H
Yeah, so I thought Dan was asking about more of a, not, as you know, like the glossary type of thing, but more around the, the guidance or, or the, the main requirements or countries, I mean, I, I, I'm come from security backgrounds, right, talk in terms of controls, the controls that need to be in place in our supply chain.
H
You know, to say that our suppression, we meet supply chain requirements, right. So I thought that's what Dan was referring to, so do we have any guidance on, like, you know, these are the controls we recommend in, you know, in, in SCM, or these are in, in the build pipelines, or in the introduction, or, you know, so, do we have anything that, you know, runs through those type of controls so that, like, end users like us, we could like take it and say: okay, do we meet those requirements in our environment?
E
I was just gonna say yes, I mean I, I might, I think that the thing that I'm thinking about is something that speaks in the language that software developers would understand, but not necessarily people that are in the security field, right, to explain to them in simple terms what it is we're talking about when we talk about software supply chain security, and, you know, that could then be a link off to things like what is an SBOM? What is a? What is it this?
E
What is it that, right, and I think that, like, like the thing that was going through my head, when you're, when you were talking about glossary, is there, are, we got to make sure that, when we're building that, we build it from that mindset, perspective of it's not for us. Actually, it's for, it's, it's for the wider community, yeah, right.
B
Agreed, and then specifically to gaja's statement, there is no centralized place that provides that kind of mapping to the NIST search cyber security framework or anything like that. But we do have things like SLSA and GUAC and S2C2F. S2C2F is probably your best example of mapping the idea of information security controls to different compliance and legislative guidelines and frameworks, but there is no centralized resource today. It's kind of spread out across a couple different projects and working groups.
D
That, that said, I did see someone pop up in the SLSA channel on Slack, Lori Williams, who says she or he has a draft of framework. There's a union of the 72 tasks from SSDF, SLSA, S2C2F and some sort of mapping. I haven't looked at it. I'll drop a link to Slack in the chat here. That's in the SLSA channel, so I, I, yeah.
F
So, so that, so Laura went through that on, during our SCI working group meeting, where she, as a, as a part of a project while she's on sabbatical, took the different frameworks and took the different frameworks and went and put together a mapping of them and brought out 72 controls that are aligned across each framework to address governance, and I try to go from top to bottom here, but there's governance, there's, it's for, when the last one is deployment.
F
Goodness gracious, I can't remember the other two, but, but it was actually a really comprehensive. There were a couple of gaps, so I think it's something that can be further developed. I actually like, like what I saw for the most part, but she did take everything, like, you know, not just the, the outside frames but S2C2F and SLSA to do this as well. I think she missed a couple of points that SLSA provides, but it was, it was.
F
D
That's, that's helpful, so, so just keeping an eye on, on movement and color. How do we feel about the Summit debrief? Do we think we've sort of tapped it out?
D
I
Yeah, I think a couple weeks ago at the summit, I know Brian and, and Jonathan were there, I don't know who else, so I think they had some, some conversation because we'd pitch the, the manifesto a couple times, I think, before, in the past at least two months, and so we pushed it to GitHub, sort of a version zero. I think we've got some good comments. I replied to those today. I'd like to see what we need to get that to like a V1.
I
You know, just so we can get it out there, and then, once we can do that, hopefully relatively quickly, I have a blog post that we can, you know, put to the OpenSSF blog to sort of publish, you know, give it a little, get some more notice, but open the comments still. If anyone has any questions, what it is, the link's there in the doc as well.
D
I know this is bike shedding, but I feel like there was a discussion about the word manifesto at some point and whether there was a, a word, because it means different things in different places, unfortunately, but that, that could be an aside. So is the, the action, the call to action here for, for more comments?
I
Yeah, I think, I think, you know, the, you know, maybe we give another week, because there haven't, there haven't been a lot since the last two weeks, in, in, you know, there's no more comments in a week, we can, we can think about the wording. I know there were comments about that. I'm, I'm on the side of not letting people take words, sure, but I totally understand.
I
But then, if we could do that in the next week, then maybe follow, the week following, we could sort of look into getting the blog post published and finalizing this, and I saw, Joshua, you, you had some comments. I think I've replied to all of them, I think, yeah, including your edits, and all of them looked good, but I had comments.
D
So what I might suggest, then, is that our next meeting on the normal schedule would be two weeks from now. We could take a vote in it then, perhaps.
D
I
I
Yeah, sounds great. I won't be here because I'll actually be out of town, but Brian Fox or someone else from, from Sonatype can probably take my place for it, but also in the email and can do all that, and I can send out the draft for the, the potential blog as well. Do you know, on the blog side, who, and this may be more, I see Rob, you might have an idea on this, you know, next steps for that, where we need to get that, that going?
D
Usually I've worked with Jennifer Bligh, okay, and oops, I'm here buying you, yes, so I've usually talked to Jennifer Bligh about it, but I think operations at openssf.org, we'll, we'll get you everything you need, is like the catch-all. Okay, then.
E
Is the blog post something that you're going to be looking for, or it's anything related, sometimes in a manifesto you have signatories to the manifesto. Are you looking for, are we looking for signatories, or is it kind of implied that it has the imprimatur of this group and the members of this group by, simply by this group publishing it?
I
Yeah, I think the intent, but again I wasn't at the meeting at the summit, but I think that was the intent of bringing this in. You know, I think some people, you know, ran into how they would be a signatory, you know, with representation of their company and that causing issues, so that, I think that was one of the ideas, was to bring it into the end user group and that sort of be the way to do it, versus, you know, someone going, wait, you signed this.
I
What did you just legally abide yourself to, and then the blog itself I think is just more to, to sort of set the description and understanding of it, and again I can, I can show you all that, what we have, get feedback.
C
D
All right, so the next item on the agenda is from Dan. It's an update on the SCM guide from best practices.
E
E
C
E
Yes, okay, right, so this is some work that we've started in the best practices working group. Some grub is aware of it and some other people who are in the best practices working group are aware of it, and it's basically starting with the content that Legitify have provided.
E
E
But the idea here is to fold that into some work that, some editorial work, that Christine from F5 has been really pushing and very active on, and, you know, so that we end up with something that is a document that can then also serve as a, as a home for these pages that are the, that are the, each individual best practice statement that comes out of the Legitify database, right.
E
So the idea is that we have, and that, and that this therefore will sit alongside of things like the concise guides, for instance, as an OpenSSF deliverable, and, and the idea is that, you know, you would come to this document and you're gonna be able to read a little bit about.
E
You know, our thinking around securing your source code repository, and then you come down to individual best practice statements here, and each one of them either has a GitHub logo or a GitLab logo, or in some cases both, when it, when it applies to both GitHub and GitLab, and then, when you.
E
So, if I go down to, to indicative one, I always like to pick two-factor authentication, it doesn't, I can't find it right now, right, two-factor authentication, okay, so then, you know, I can click on the logo for GitHub and I can.
E
The demos, yes, exactly, all right, here we go, all right, we'll just click on the first one, I shouldn't have gotten fancy, all right, and then that links through to a singleton page that, that shows like the description, how severe we think it is, you know, the description, the threat example and a remediation steps, and that's why you kind of need this to be, you need this to be fluid, because sometimes the remediation steps are going to change if the UI on that particular platform changes.
E
So the idea here that we are kind of like converging on is that these individual pages, which are the markdown files that are generated out of the Legitify data, will continue to be auto-generated, but they will be linked to from these index pages, which will be, which will, were originally auto-generated, but will continue to be edited and with additional content edited at the end to, to give context and to make the document more readable, and yeah.
E
Basically, that's, I just, I'm, I'm trying to get, I mean part of the point of presenting it here is to get feedback, really, and to see, because, because the, the audience, part of the audience that is intended here are, you know, people working in OSPOs, right. So we want to make sure that this is actually useful for those, for those groups.
E
D
E
F
J
To I've copied about conversation, there is, but I was just commenting. First of all, the OSPO thing, I, I just came out of the, the OSPO Europe thingamajig that, that is sometimes, I, I don't know, every week or something like that. I can, I can add this to the, to the agenda for the, for the OSPO, at least OSPO Europe.
J
So you can get some other points of view there, and also I just, so right now it's GitHub and GitLab. What if people want to add other stuff, because I, I wanted to be part of this, but my time kind of just went out of the window also, so, you know, it is what it is, but, for instance, there's also, you know, you know, stuff involved with like Azure DevOps repositories and, and et cetera, et cetera, et cetera, like is that within scope right now or.
E
Any, if, if, yeah, I mean, I think this is intended to be a living document, right, and the idea is that, the idea of having a big, GitHub and GitLab is to build it in such a way that, that we're starting with two, so that we, so that make, that always makes it easier to add another, another one, and also we're going to end up with a bunch of things that are more like down at the bottom of the document.
E
There's some operational stuff that doesn't really have Legitify generated pages, so I think we're, as we, as we continue working on this, we will be building out from the core information that comes out of the Legitify database and adding more editorial that comes from this, from, from OpenSSF, right, and that could include as.
C
B
Yeah, the intention was always to make this a multi-use document. The team that assembled has a lot of deep expertise in GitHub and GitLab, but we always wanted to make it open enough that we would have other source code management systems and forges, so to speak, in there. It's just, we don't currently have folks that have the background or time to do that, so again, patches are always welcome. Robert, we would love you to, you know, add, if you had other areas you wanted to contribute to, that'd be awesome.
J
Time is something I don't really have, but at the same time, like, if we, would it be an idea to add an issue about adding the, you know, Azure DevOps repository to this particular that.
E
Would be great, and we can take that up next week, when we, when we, when we, when we have the special, because we have a, a special bi-weekly call now on Thursdays, right, we'll take that up in that special bi-weekly, bi-weekly call all.
D
Stuff thing, yeah, I had, I had sort of two questions. The first question was around the relationship to other OpenSSF sort of work. It feels like there might be overlap or, or intersection with one of or both SLSA, which we know at the moment doesn't have a source track anymore, but did, did previously, and also possibly with Scorecard, which includes a lot of these sort of controls, as, as things that they recommend, and I'm sort of curious about.
E
Thing I can say that we've already had a couple of calls where we've had Scorecard folks talking with, yeah, we've had cross whatever's communication, and the idea there is because Scorecard wants to build out Scorecard so that it provides more information on remediation steps when there is a source where, in, in any case, but in specifically when there are SCM configuration issues that are identified by Scorecard, they want to be able to provide, and here's what you need to do to fix it.
E
Well, what we've talked about is, now that we have these, these singleton pages that are going to be at a stable URL, and I don't think the GitHub URL should be the, should be the final URL for these, by the way, I think it should be at an openssf.org URL, you know, published through GitHub Pages type mechanism or something like that, but the. But once we have these singleton pages at a specific, at a stable URL, then, then Scorecard could send you to that URL.
E
Basically, like, here's the remediation steps that you need, and then, if, if, then it's up to, it's up to us, or it's up to the best practice working group to make sure that that information is up to date, so that, that seems like it could be a good way to work. So we've had those, those discussions already. I haven't had any discussions with SLSA, but I'm happy to chat, although I always just think about eating salsa when I hear SLSA, so never mind, it's.
D
H
Yeah, I, I'll pass it on to the OSPO in, internally and Morgan Stanley, but some of the members of our OSPO are also part of FINOS, different working groups and FINOS, and, you know, the working groups that deal with supply chains, like that talk about supply chain security and a few other relevant topics. Should we pass it on to them or, I mean, is there a restriction on how far we can take it?
E
No, it'd be great. That would be great, yeah, and the way that we're managing this now is through, is, is through issues. So, if there are, if they, if there are issues, they're welcome to raise an issue or they're welcome to raise it to me, or if you want to raise it to me on Slack, on, I'm responsive there, and we can work it that way. I'm happy to, to, to be able to funnel for, for that feedback.
D
K
I just wanted to raise my hand as a SLSA contributor. So if you're going to have a discussion on, on how to engage yourself to, I can connect with you on Slack or something.
D
Okay, cool: is there a next action for folks?
E
Really just feedback, let me know if you have any feedback, if you see things that are missing, and join, you know, join our, join our calls, if you're, if you're interested in participating in the work.
D
Cool, next is Chrome, end user working group report out to the TAC on May 30th.
B
Yeah, I mentioned this to Jonathan. This working group gets the opportunity to come before the TAC next Tuesday, and you have 10 minutes to share all the awesome things that you're working on. If you need assistance with anything, there is an amazing Google slide template that I shared with Jonathan, and we would love to, the broader Foundation would love to hear what this working group is working on, and especially where you all want feedback, like on the manifesto, and things like that.
B
It'd be good to highlight those types of things, so I, I, I told Jonathan, I don't know if he remembered, he's a busy fella, but Jacques, I'm glad to share the template with you. If this please like to collaborate, yes.
D
I have, I have actually, I was joking earlier about being busy now that I'm unemployed, I kind of am, but I do have some time to Smash in some Christmas.
B
Yeah, I'm presenting on the best working group same meeting, so I'll just share what I'm working on, you can just copy it and then find it replace best.
D
B
D
Cool, thanks for that reminder. Very helpful. I have once or twice been the person giving a presentation ad hoc, which is, which is interesting. Okay, also, we have Sterling toolchain SIG kicking off soon, I assume this is you, crib, yeah.
B
That's me, so the, I received a large volume of feedback that the governing board had.
B
This idea called the Sterling toolchain back in the late fall, and there has not been a ton of work on it, so we're starting our initiative, assembling the troops, what not, people that are interested in participating, and Jonathan, and several of the folks in this group were very adamant, since end users are the people that have to end up using open source and get the opportunity to, you know, benefit from the tools, but also you need to be able to have secure frameworks like SLSA or tooling like Scorecard, I thought it would be great idea to invite this group, anyone that's interested in providing feedback on as we shape this idea. I think we're on to a security tool belt.
B
Everyone universally agreed the title is terrible, but I think we might be security tool belt, but we're going to start meeting. There is an issue on the TAC repo I would invite you to comment on if you have feedback now, and then there is a doodle poll if you want to participate with the group and actually help architect the future, or in real time, we're going to meet weekly and we're going to kick those calls off probably next week. So end users are welcome.
D
Cool, hopefully that goes smoothly. I'm glad to hear that there's a, a possible shift in the, the local distribution of bike sheds. Just, you know, words have power, as they say.
D
I mean, we've got 20 minutes. We could talk about the name, no, I'm joking, please don't. Okay, well, that, that sort of gets us through to the end of the traditional sort of list of things on the, on the agenda. Typically, what we like to do is in any other business section to allow for impromptu discussions. Was there anything else that folks would like to discuss?
D
F
Yeah, I wanted to bring up S2C2F work. This is picking up steam now that we're done, or for the time being, and we'll let in SLSA 1.0 breathe.
F
F
Now a lot of people are, are actually going through up, down, left, right and center of the, of the spec and providing their perspectives, and we're adding new threats and we're identifying gaps that, that can be filled, when we need the end users community, especially with this, to make this exactly what it needs to be for the consumer, for the end user, so jump on in, the water's warm. Every other Tuesday at 12. The last one was this Tuesday, so look for it in, in a couple of weeks.
F
I can't remember what day of the week that is, and I want to say it's a, I want to say it's a, not the, the fourth or the fifth, I, I can't, it's on the calendar there, yeah, it's on the calendar, so take a look at the public calendar. You'll see it there. Like I said, come on in, the water is warm, love to.
F
12 P, 12 Pacific times, also 12 Pacific, three Eastern, and then of course, anywhere else in the world, I don't have a, I don't have the time zone map in front of me. So if you go from there, there will be okay.
D
Yes, definitely. I think S2C2F is a good, good place for folks to be involved. Given it's sort of consumer focus, makes, makes a lot of sense for end users to be involved. Was there any other business effects we'd like to discuss?
D
If not, I can give you back 15 minutes, 16 technically, it's pretty exciting.
D
All right, okay, folks, thank you very much for coming today. I think it was a great session. We will see you all again in two weeks, except for those of you who are coming to Tech next week, and we'll talk to you then. Have a good one, everyone. Bye.