►
From YouTube: End Users Working Group (April 27, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
B
B
B
A
A
A
A
C
Benfield
from
New
York,
Presbyterian
I
think
this
is
Jay's.
First
meeting
we've
been
recruiting
him
and
I'll
offer
from
my
personal
experience
that
not
only
has
new
or
Presbyterian
done
some
great
work
in
contributing
with
daggerboard
around
s-bombs
but
they're
about
the
most
forward-leaning
Healthcare
institution
in
the
entire
United
States
that
I
know
of
next
to
maybe
try
and
grab
it
graphite
Health,
which
is
trying,
but
not
there,
yet
to
be
involved
in
open
source.
So
I'm.
H
C
A
I
A
I
I
D
A
D
D
B
D
Yeah,
so
obviously
LF
Summit
is
is
coming
up
in
a
couple
weeks.
Two
things
here:
one
is
one
to
find
out
who
is
going
from
this
group
or
if
they
know
from
their
organization
is
going.
We
had
talked
about
hosting
a
birds
of
a
feather
session
to
meet
up
at
one
of
the
local
watering
establishments
in
the
evening
or
carving
out
some
time
during
during
when
there
may
be
some
down
time
between
sessions
and
evening
activities
just
to
get
together.
Connect
in
person.
D
So
it'd
be
good
to
to
add
yourself
to
this
list
to
the
notes
here,
if
you
are
planning
on
going,
the
other
is.
The
other
item
is
that
John
and
I
Jonathan,
Meadows
and
I
are
do
have
a
presentation
there.
The
trials
tribute
tribulations
trials
and
tribulations
of
end
users
in
open
source
software
supply
chain
security.
D
That's
not
the
full
title,
that's
the
gist,
and
so
what
I
wanted
to
put
out
put
it
put
forth
here
is
what
we
want
to
do
is
talk
about
a
couple
of
things,
one
what's
going
on
in
this
in
this
segment.
What's
going
on
that
that
are
the
highest
profile
issues
for
end
users,
there's
going
to
be
a
whole
bunch
of
presentations
that
represent
the
the
producer,
the
developer
of
software.
We
really
just
want
to
focus
on
the
end
user,
because
that's
what
we're
doing
right
now
right.
D
So
what
are
the
biggest
issues
to
end
users?
We
have
25
minutes,
we
want
to
highlight
them,
and
then
we
want
to
spend
a
few
minutes
on.
What
is
this
working
group
doing
to
address
the
main
concerns
of
end
users
right
so
want
to
get
that
out?
You
can
you
can
slack
us,
you
can
put
them
in
in
the
notes,
Here.
We
can
spend
a
few
minutes
talking
about
it
like
what
what
are
the
highest
profile
issues
that
we
should
be
bringing
up
to
to
this
audience.
D
C
The
Challenge,
where
you
have
multiple
vendors
in
a
facility
and-
and
this
is
one
of
the
things
daggerboard
is
trying
to
address-
is
maybe
maybe
perhaps
you're
in
a
theoretical
world
where
every
vendor
is
compliant
they're,
providing
an
s-bomb
they're,
keeping
it
up
to
date.
How
the
end
users
are
able
to
use
all
of
that
information
for
a
supply
chain.
C
Risk
management-
you
know,
analytics
or
or
understanding,
is
still
very
much
a
challenge
and,
of
course,
there
are
also
challenges
internal
with
those
vendors
with
with
coming
up
with
their
s-bombs
and
how
they're
keeping
them
up
to
date.
So
the
Dynamics
and
moving
from
just
the
static
s-bomb
concept
into
real
supply
chain
risk
management
and
Asset
Risk
visibility
on
the
part
of
the
end
user
is
a
challenge.
I
think.
D
Okay,
that's
a
great
topic,
Supply
chains,
obviously
a
huge
and
evolving
issue.
So
what
so
s-bombs
are
are
a
piece
of
that
was
in
a
conversation
with
a
client
yesterday,
and
their
main
concern
was
the
validity
of
the
information
in
the
s-bomb
right.
That
was
a
hot
topic
for
them.
They
do
a
lot
of
business
with
a
lot
of
startups
and
they
consume.
C
Yeah
and
I'd
add
to
that
from
the
security
officer
perspective.
It's
always
easy,
just
not
to
trust
the
vendor.
I,
don't
think
they're
giving
me
the
best
thing
from
like
medical
advice.
Also
on
the
vendor
side,
you
know
with
with
larger
companies
and
more
complex
engineering
and
development
processes.
They
want
to
try
and
provide
the
customer
with
the
most
up-to-date
s-bomb
software
detailed
information,
but
there
are
just
challenges
within
their
own
organization,
and
you
know
they
threw
out
things
as
an
example
where
they're
trying
to
put
together
a
Cardiology
device.
C
One
piece
of
software
still
runs
on
Windows,
NT
or
or
XP,
or
something
like
that.
You
know
how
do
we
work?
How
do
they
work
around
that
from
an
engineering
perspective
to
still
deliver
a
device
that
helps
a
cardiologist
save
somebody's
life
while
at
the
same
time
acknowledging
the
Cyber
risks
of
the
underlying
you
know,
engineering
infrastructure.
H
Yeah
I
think
there's
a
general
hesitancy
still
on
the
part
of
vendors
and
medical
device
manufacturers
to
expose
some
of
that
dirty
laundry.
We
we
encounter
summary
some
resistance,
still
our
vulnerability
team,
for
example.
You
know
it
encounters
some
resistance
still
with
with
just
s
bottom
collection
and
and
kind
of
navigating
that
process.
Today,
we
we
have
taken
some
strides
as
an
organization.
Recently
we
implemented
some.
K
H
Security
standards
that
we've
we've
published
openly,
we've
shared
actually
on
on
our
website
that
that
dictate
a
lot
of
really
really
good
stuff,
as
bomb
has
not
been
incorporated
into
those
standards.
Yet,
but
there's
there's
plans
for
doing
really.
It
really
lays
out
expectations
of
the
vendors
that
we're
working
with
and,
and
you
know,
manufacturers
oems
in
terms
of
how
we
do
business
and
what
we
expect
in
terms
of
you
know
the
software
and
the
systems
coming
into
the
environment.
H
E
I,
do
I
have
two
topics
that
this
group
may
want
to
discuss.
Part
of
what
Andrew
is
laying
out
adjacent
to
Jim's
statement.
I
had
the
great
pleasure
this
week
to
attend
the
cert
CC
vendor
meeting,
which
is
an
annual
secret
Cobble
that
gets
together
every
year
at
RSA
and
all
the
vendors
sit
in
a
room
and
talk
about
all
you,
customers
and
whatnot,
not
really,
but
a
large
point
of
discussion
was
the
integration
of
s-bombs
advisories
through
things
like
csaf
and
then
open,
Vex
and
Vex.
E
So
this
group
may
be
interested
in.
You
probably
don't
have
this
problem
yet,
but
it
is
conceivable
in
the
future.
You
will
have
multiple
hundreds
of
s-bombs
provided
to
you
from
your
suppliers.
Then
you
will
have
potentially
thousands
of
advisories
around
all
those
different
things
and
then
the
new
hotness
is
Vex,
which
is
a
way
for
a
developer
or
supplier
to
kind
of
State
the
effectiveness
of
a
component
to
a
vulnerability.
E
You
review
all
that,
so
that
was
one
topic
this
group
might
want
to
chat
about
Andrew
and
then
the
other
topic,
one
of
the
other
hats
I
get
to
wear
at
the
foundation,
is
I
sit
on
the
public
policy
committee
and
we
had
an
exciting
dialogue.
All
about
the
eu's
CRA
legislation.
That's
coming
down
the
pipe,
and
that
might
be
something
that
everybody
here
cares
about,
whether
you
a
live
or
do
business
in
the
EU
or
B
get
some
type
of
software
or
Hardware
from
a
vendor
within
the
EU.
G
A
A
A
Similarly,
if,
if
authors
in
the
EU
suddenly
get
cold
feet
about
developing
open
source
software,
because
they're
afraid
of
being
considered
manufacturers
again,
suddenly
a
lot
of
your
dependencies
is
not
getting
updated,
nobody's
attending
to
the
PRS.
The
security
holes
are
just
sitting
there
because
nobody
wants
to
touch
it.
It's
become
toxic.
A
That
would
be
extremely
disruptive
on
a
longer
time
scale.
So
I
encourage
all
of
you
to
talk
to
your
government.
Affairs
works,
if
you
have
them
and
encourage
them
to
weighed
in
I,
know
that
a
lot
of
companies
already
have
taken
a
position
on
the
CRA,
but
it
tends
to
be
formed
around
the
commercial
operations
rather
than
what
you
might
think
of
as
the
it
operations,
which
is
the
perspective
I
come
at
it
from
so
definitely
definitely
take
another
look.
If
you
haven't
and
Joshua
points
out,
if
you're
in
The
UU.
B
D
Cra,
but
also,
what's
going
on
with
U.S
legislation
right
giving
a
summary,
an
update,
so
I'll
put
together
a
draft
of
the
deck
I've
started
to
draft
the
deck
I'll
actually
send
it
to
the
group
for
review,
definitely
would
like
input
and
feedback
again.
We
only
have
25
minutes
and
I
want
to
reserve
a
little
bit
of
that
for
questions.
I
want
to
reserve
some
of
that
debt
to
pitch
and
not
Pitch
the
open,
ssf
right.
D
It's
not
a
sales
pitch,
but
I
do
want
to
say
who
we
are,
what
we're
doing
come
and
join
us
and
spend
a
few
minutes
on
that.
So
I'm
really
looking
at
about
and
and
I'm
going
to
do
this
in
a
kind
of
a
semi
interview,
format
with
John,
so
we'll
have
about
15
minutes
of
kind
of
presentation
and
then
other
activities.
So
we
so
other
content.
D
So
we
have
to
be
really
crisp
and
I
want
to
get
it
down
to
just
like
the
top
five
things
that
we
can
spend
a
couple
minutes
on
each,
but
certainly
the
CRA,
s-bombs
and
integrate
and
the
supply
chain
issues
certainly
are
are
up
there,
but
really
want
any
other
feedback
from
the
group.
Please
please
contribute.
L
A
Oh
well,
thank
you
very
much
for
that
I'm
I'm.
Looking
forward
to
that
session,
I'm
looking
forward
to
that
conference
in
general
I
think
it's
going
to
be
very
interesting.
I'm
also
going
to
be
attending
the
open
ssf
day.
I
hope
folks
will
be
able
to
do.
That
is
that
that
schedule
looks
very
interesting
too.
So
now
we
come
to
the
catch-all
section
of
the
agenda,
which
is
the
any
other
business
or
aob.
A
A
E
So
fun
fact:
the
last
year
the
foundation
put
out
a
document
called
the
mobilization,
Plan
and
there's
been
some
effort
around
that
over
the
last
year
last
December.
The
governing
board
also
wanted
to
highlight
a
slightly
different
direction
for
the
foundation,
so
they've
dubbed
this
concept,
the
Sterling
tool
chain
and
we've
had
a
lot
of
conversation.
E
So
if
you
have
any
thoughts
about
from
an
end
user
perspective,
what
you'd
like
to
see
the
foundation
kind
of
produce
or
endorse,
or
encourage,
please
review
that
either
make
a
comment
in
the
TAC
issue
or
comment
directly
on
the
attached
Google
Document.
So
we
can
talk
about
kind
of
the
future
direction
of
how
we're
going
to
help
try
to
secure
the
open
source
supply
chain
for
the
world.
D
E
Like
we
touched
on
a
little
bit
earlier,
where
some
people
don't
trust
their
vendors.
Well,
how
can
we
improve
the
trust
in
the
supply
chain?
So
what
types
of
signals
can
we
release
so
that
when
a
developer
does
a
scan,
maybe
that
gets
recorded
and
put
up
into
a
dashboard
somewhere
or
you
know
when
somebody
is
plugged
into
scorecards?
You
know
that
that's
an
easy
way
for
an
external
Observer
to
kind
of
view,
some
set
security
criteria
and
make
their
own
risk
assessments
based
off
of
that.
A
A
It
sounds
very
much
like
picking
particular
Technologies
and
wiring
them
together
in
a
particular
default
configuration,
but
the
document
itself
sort
of
skitters
towards
and
bounces
away
multiple
times
from
that
possibility.
That's
the
first
thing
and
the
second
thing
is
I.
Don't
know,
I'm
mostly
concerned
that
the
open
ssf
does
not
invest
its
funds
in
a
lot
of
development.
Work,
that's
expensive
and,
to
be
frank,
the
vendors
can
do
it
like
they've
they've
they've
got
the
the
folks
on
the
bench
to
do
it.
A
They've
got
the
funds
to
do
it
and
they
can
profit
from
it.
If,
if
they're,
candy
and-
and
you
know,
Mark
it
well,
whereas
I
see
the
open,
ssf's
points
of
highest
leverageable,
things
that
fall
between
the
gaps
between
vendors
and
end
users
and
users
are
busy
doing
their
business
selling
their
tractors,
fixing
people's
hearts
building
planes,
you
know,
and
so
on.
A
Vendors
are
busy
building
software
and
services
and
selling
those
to
the
end
users.
What's
missing
is
the
stuff
in
the
middle,
which
is
you
know
the
stuff
that
everybody
knows
that
we
want,
for
which
we
have
a
collective
need,
but
for
which
no
individual
party
is
the
is
the
rational
actor
to
actually
go
and
do
it
for
everybody.
B
A
So
it
I
also
had
a
proposal
last
year
which,
which
we
put
to
the
site
at
the
moment,
which
was
the
shared
help
desk
right
like
it's,
not
sexy,
running
a
help
desk,
but
it
has
high
Leverage
and
those
are
the
sorts
of
things
where
I'm
concerned
that
funding
for
a
development
effort
would
compete
too
much
too
well.
Given
the
cost
of
engineering,
Talent
and
I
see
that
I've
sparked
your
discussion.
E
And
before
I
have
to
the
others,
it
doesn't
necessarily
need
to
be
a
tool
or
set
of
tools,
although
that
is
an
option.
A
lot
of
the
work
that
this
group
is
doing
around
the
reference
architecture
and
the
threat
modeling
so
Henrik
and
Pierre
Giorgio,
and
that
crew
we're
working
on
a
reference
architecture
that
definitely
could
play
into
it
and
as
a
a
template
for
a
consumer
to
adopt
and
here's
kind
of
threats
you
need
to
avoid
and
how
to
mitigate
them.
But
yeah
how
hush
up
and
let
the
group
talk.
C
I'm
sorry
I
was
Jacques,
I
thought.
Jacques
commentary
was
excellent
and
back
to
what
I
was
saying
before,
to
kind
of
reiterate
that
you
could
have
an
array
of
software
vendors
be
day
medical
devices,
be
they
any
other
devices,
it
could
be.
Automotive
Healthcare,
government,
Etc
and
the
end
user
is
like
okay
I'm
presented
with
this
array
of
software
supply
chain
information.
C
What
do
I
do
with
it
and
I
think
you
know
and
not
to
get
into
a
controversial
area,
but
I'm
sure
people
are
aware
that
there
has
been
some
creative
tensions
between
spdx
and
Cyclone
DX,
specifically
around
the
fact
that
servicenow
rightfully
wanted
to
kind
of
build
this
into
what
they're
offering
for
their
customers
to
understand
their
environment.
I.
Don't
think
we
have
an
across-the-board,
comprehensive,
open
source
approach
to
doing
that,
to
give
individuals,
as
I
think
I
mentioned
before
asset
or
Asset
Risk
or
software
risk
of
visibility.
C
That
ties
into
a
a
excuse
me,
the
the
security
dashboard
look
or
or
something
else
that
says,
I
have
to
comply
with
this.
This
control
I'm
getting
the
feedback
from
from
this
s-bomb
that
this
device
is
not
complying
with
it
or
I'm,
starting
to
use
oscow
in
my
cloud,
environment
and
so
forth,
and
so
on.
You
know
how
do
I
dynamically
get
those
metrics.
L
Hey
yeah,
it
shouldn't
be
surprising
to
know
that
or
to
learn
that
sneak
is
is
kind
of
not
really,
you
know
positive
on
openness
without
developing.
You
know
completely
comprehensive
sort
of
feels.
I
I.
Think
our
our
view
on
the
Sterling
tool
chain
thing,
though,
is
that
it
should
be-
and
this
is
something
that
I've
been
saying
to.
Whoever
will
listen
to
me
is
that
it's
the
Nuance
here
is
about
commodity
functions.
L
Things
like
a
scorecard,
for
instance,
which
are
amazing
and
should
and
should
be
developed
in
a
in
a
collective
spirit
and
then
in
a
way
where
it
can
be
used
as
a
library
or
data
from
scorecard
can
be
used
in
other
people's
applications.
You
know
open
SF
members
and
non
and
people
are
not
affiliated
with
open
ssf
collectively,
so
that
we
can
level
up
the
industry.
J
J
E
J
E
And
and
that's
my
personal
caution
around
the
idea
of
creating
a
bunch
of
tools,
is
we
don't
want
to
be
seen
as
King
makers
so
to
speak?
I
think
there's
a
lot
of
choices,
and
you
know
based
out
of
the
end
users
here
on
this
call
I.
Imagine
that
we
could
very
easily
come
up
with
everyone,
but
have
a
list
of
their
tools
they
use
today
and
there's
it'll
be
very
difficult
to
have
any
kind
of
single
tool.
That's
going
to
work
effectively
across
all
these
customers.
J
I
did
get
good
feedback.
They
think
that
we
are
not
sensitive
to
the
fact
that
there
are
several
generations
of
security
where
security
has
been
defined
differently
and
different
at
different
periods
of
time.
So
they
think
that
we
a
lot
of
the
work
we
do
is
insensitive
to
that
because
it
forces
people
to
think
about
security.
The
way
we
think
about
security
and
I'm
Yara-
that's
a
great
take,
but
there
is
there
might
be
a
slight
point
to
that.
So
I
just
want
to
point
that
out.
E
Yes-
and
we
all
should
be
aware
that
security
continually
evolves
the
threat
landscape,
everyone
here,
that
represents
a
Enterprise.
You
are
constantly
barraged
by
a
stream
of
attacks
and
threats,
so
you
have
to
constantly
adapt.
But
yes,
I
I
understand
there
is
a
need
to
be
empathetic
and
find
ways
to
translate
between
the
different
Generations.
So
to
speak
of
these
different
implementations
of
security,
yeah.
K
E
E
Well,
it
depends
on
who
you're
talking
to
the
governing
board
thinks
it's
great.
The
people
that
are
trying
to
implement
it
are
having
some
a
vigorous
debate
and
dialogue
about
how
we
could
execute
on
that
vision.
And
again,
all
feedback
is
welcome.
If
people
have
ideas
of
how
this
could
be
forged
into
something
that
is
actionable
and
useful.
You
know
please
give
us
that
feedback,
so
we
can
help
try
to
achieve
our
goal
of
improving
security.
M
Oh,
thank
you.
Yeah
no
I
was
just
going
to
affirm
some
of
the
points
that
Randall
just
brought
up
relative
to
looking
at
this
from
a
multi-generational
multi-perspective
point
of
view,
because
you
know
weekend
in
the
tech
industry
to
latch
on
to
the
latest
shiny
object.
That's
new
and
hey
cool,
but
looking
at
the
security
issue
from
a
a
more
rounded
perspective,
I
think
will
be
helpful
because
I
think
certainly
especially
from
an
end
user
perspective.
M
M
It's
a
huge
trade-off
and
in
many
respects
your
your
your
trading,
one
challenge
for
another,
even
when
you
do
that,
because
it's
kind
of
a
bit
of
whack-a-mole
really
honestly
so
I'd
hate
for
us
as
an
organization
to
suddenly
put
up
some
scoreboard
that
says
ooh.
If
you're,
not
if
your
code's
not
written,
then
rust,
you
know,
that's
a
you
know
a
minus
or
a
a
red
square
in
the
Box,
because
that's
not
necessarily
the
case
and
the
other
thing
I
wanted
to
share
perspective
on
the
Sterling
tool
chain
is
I.
E
K
So,
and
thanks
for
the
Segway
girl,
because
I
was
about
to
say
the
same
thing,
you
know,
perhaps
the
Sterling
two
chain
in
Cope
said
this
earlier
and
I
I
saw
him,
but
that's
just
not
a
set
on
a
complete
set
of
tools
per
se,
but
maybe
it's
a
combination
of
people
process
process
of
Technology.
What
I'll
also
say
is
this
and
I
would
for
everybody
to
think
about
this
angle
of
it
right,
as
Chrome
said
before,
the
governing
board
is
gung-ho
about
about
a
sterling
tool
chain.
K
You
know
part
of
what
we
do
in
the
openness
and
stuff
and
I.
You
know
I'll
come
right
out
and
say
it.
We
we
all,
are
volunteers
and
we're
trying
to
do
great
work
in
the
industry,
but
we
all
are
representatives
of
the
organizations
that
we
work
for
and
the
organization
that
we
work
for
happen
to
put
our
bosses
on
the
governing
board
in
some
instances,
not
at
all,
but
in
some
instances
our
bosses
are
sitting
on
this
governing
board.
K
So
we
have
to
be
careful
if
they're
gung-ho
about
it,
I
think
what
might
be
beneficial
for
us.
If
we
have
an
issue,
if
we
do
think
it
should
go
in
a
specific
Direction
here
in
the
in
the
end
users
Group,
which
I
think
is
a
great
place
to
do
it
right
so
I
Echo
the
sentiment,
because
these
are
the
we're
the
individuals
that
are
going
to
you
know
be
advocating
for,
for
whatever
happens,
you
know.
Go
internally,
have
these
internal
discussions.
K
You
know
get
the
buy-in
necessary
that
can
go
before
the
governing
board,
so
maybe
the
influence
on
the
governing
more
sways
a
bit
right
and
I
mean
you
might
want
to
do
this
and
go
from
the
outside
in
rather
than
From
the
Inside
Out
on
this
one.
Just
so
it
should
not.
You
know
on
these
recorded
calls
we're
not
directly
conflicting
with
our
overlords.
K
We
can
talk
about
that
all
day
long,
but
let's
make
sure
that
whatever
we
come
up
with
we're
going
internal
having
the
discussions
getting
the
buy-in
having
building
the
rash
now
so
that
when
the
governing
board
meets
the
rationale
is
echoed
in
the
governing
board
and
that
way
that
direction
could
come
back
down
so
that
we're
all
on
the
same
sheet
of
music
I'll.
Stop
there
I'll.
A
A
But
I
do
take
your
point
for
those
folks
who
are
able
to
talk
to
their
their
governing
board
representatives
to
find
out
what
their
thinking
is
and
and
to
see
whether
it
can
be
adapted.
I
think
that's
helpful.
I
do
worry
about
what
feels
like
a
disconnection
between
the
working
groups
at
one
end
of
the
organization
and
the
governing
board
at
the
other
end
of
the
organization.
A
C
Thanks
sir
yeah
I
was
just
going
to
follow
up
both
on
on
Jay's
Excellence,
Commons
and
Jeffries,
and
Ed
yeah,
there's
in
every
Linux
Foundation
project.
In
my
opinion,
there's
what
I'll
call
Dynamic
tensions
between
the
board
board
companies
who
those
representatives
are,
but
to
kind
of
encapsulate
it
for
I.
Think
for
this
working
group
there
is
a
growing
regulatory
tsunami
that
started
with
the
executive
order
now
embodied
in
things
like
what
OMB
has
put
out,
what
the
what
the
CRA
says
in
the
EU
and
from
medical
device
side.
C
What
I
think
they
think
it's
the
MDR
or
something
like
that
which
which
basically
is
applying
gdpr
at
the
medical
device
level
that
these
things
are
building.
There
is
no
longer
a
tolerance
for
these
conversations
around
software
vulnerability
and
Jeffrey
made
a
great
point
when
he
talked
about
hey
just
because
the
newest
and
hottest
thing
is
rust,
doesn't
mean
you've
got
to
re-engineer
all
of
your,
your
C
plus
libraries.
C
You
know
for
the
folks
who
have
been
involved
in
in
security
assessments
and
vulnerability,
scans
and
Pen
tests
before
you
always
come
up
with
this
list
of
things
that
are
considered
critical
on
an
on
an
nvd
score.
But
you
know
the
reality
is
I'm
not
going
to
fix
that
or
that's
someplace
else,
and
that's
when
you
have
visibilities
that
vulnerability
and
then
say
well,
I've
offset
it
or
mitigated
with
this
control.
C
There
is
an
opportunity
to
be
something
of
a
king
maker
in
the
in
the
absence
of
any
other
guidance
where
right
now,
essentially
on
almost
a
global
basis,
we're
around
kind
of
saying
gee.
What
are
we
all
going
to
do
about
this?
Well,
it'll.
Be
forced
on
us
it'll
be
forced
on
us
in
ways
we
may
not
like
if
organizations
such
as
this
one,
which
I
think
are
empowered
to
do
so,
don't
come
up
with
with
things
to
offer
just
a
thought.
E
C
And
10
more
seconds
of
that,
because
Crow
mentioned,
of
course,
our
mobilization
plan
I
was
involved
with
Brian
and
the
teams
at
open
ssf,
where
we
put
together
those
various
mobilization
streams
and
they
were
built
around
the
fact
that
we
knew
we
had
an
audience
of
the
White
House
to
be
able
to
say
the
Linux
Foundation
has
a
plan
you're
bringing
together
a
bunch
of
tech
leaders
and
saying
gee.
What
are
we
going
to
do
about
this?
C
We
have
a
plan
we
collectively
as
as
open
ssf,
and
we
have
groups
dedicated
to
working
on
these
tool
sets.
So
that
really
has
been
the
intended
fall
on
to
that
mobilization
plan,
whether
those
streams
are
organically
built
or
we
go
back
to
to
seek
more
or
more
audiences
with
with
what
we
can
do
and
create
and
Foster
participation
and
for
me
to
necessarily
do.
But,
but
that
was
the
groundwork
and
the
impetus
around
what
we
did
last
year.
E
E
E
There
there
is
a
group
that
will
be
getting
assembling
soon
to
help
do
a
one-year
refresh
and
update
of
the
document,
and
that's
where
groups
like
the
education,
Sig
and
the
OSS
cert
Sig
they've,
taken
the
original
plan
and
Rewritten
it
and
that
would
be
potentially
part
of
the
artifact
update,
will
be
incorporating
that
new
knowledge.
We've
learned
over
the
last
year.
E
D
A
A
D
A
A
L
L
A
B
A
L
F
F
D
Yeah
so
I'm
happy
to
bring
it
up.
Gab
is
a
Gabba
leads.
Lf
Europe
is
also
part-time.
Still
executive
director
for
Finos
I'm
I'm
on
the
board
of
Finos
I
can
bring
it
up
with
him.
I
think
it's
a
good
idea.
I
think
Jacques
to
your
one
thing
you
mentioned
earlier
is
a
creditable
Authority
that
that
all
of
our
public
policy
folks
would,
you
know,
see
a
name,
a
title,
a
role
and
go.
Oh
yeah
I
should
be
on
that
call.
Yeah.
A
Because
I
I
I
I
I'm
just
an
engineer.
What
do
I
know
I
mean
the
fact
that
I
studied
law-
it
doesn't
appear
next
to
me.
So
you
know
when,
when
I
get
paranoid
about
legal
documents,
that's
the
thing
but
yeah
I,
think
I.
Think
having
having
external
credibility
will
help
can
be
convey
the
sort
of
the
the
gravity
of
the
situation,
but
I've
cut
off.
Curb.
E
No
I
was
circling
back
about
that
lack
of
representation
from
the
end
user.
Community
Jonathan
Meadows
strongly
asked
me
to
participate
as
part
of
this
group,
which
I'm
very
glad
to
because
a
large
part
of
my
career
has
been
as
an
Enterprise
Defender
for
a
long
time.
So,
if
anyone
here
has
anything
they
would
like
to
pass
along
to
either
the
attack
or
the
GB,
don't
hesitate
to
reach
out
to
me.
I
can
help
be
your
voice,
even
though
you
may
not
have
a
seat
I'm
glad
to
help
represent
this
community.