From YouTube: End Users Working Group (April 27, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c

A: He is probably unable to come today. There's apparently something going on at his place, so I'm just going to mark him as apologies.

D: Okay, because I saw him on Slack, but maybe.

A: So, all right, I don't know, we still got another minute or two, I think, before we can kick off, but it's exciting to see so many faces this week, considering that it's technically Cloud Native, although I always think of it as KubeCon, this week, I think, in the year.

A: Be a quiz, all right, so I'll just pop the notes back in the chat again. If you haven't marked yourself as present, please do that. Let's kick off the agenda to start with. First question is always who's going to be the scribe, and it can't be me today, because I'm the talking head.

A: Thank you very much, I appreciate that. So to begin with, our first thing is: who would like to introduce themselves? Perhaps you've been here before and you haven't seen us for a while, or perhaps you're brand new and you'd like to introduce yourself. Here's your opportunity.

C: Benfield from New York Presbyterian. I think this is Jay's first meeting; we've been recruiting him, and I'll offer from my personal experience that not only has New York Presbyterian done some great work in contributing with DaggerBoard around SBOMs, but they're about the most forward-leaning healthcare institution in the entire United States that I know of, next to maybe, try and grab it, Graphite Health, which is trying, but not there yet, to be involved in open source. So I'm.

A: Awesome, that's fantastic, it's great to see new faces. Who else would like to introduce himself? So many, yeah.

I'll jump in, because I think this is the first time I've been at this particular meeting, so I'm Chris, I'm from IBM Cloud Object Storage, also a delegate for IBM at TC39 and the CSS working group. So hello.

A: I don't know, just seeing "membership update", I don't know whether that's actually meant to be a reminder for folks to have themselves on the list or whether it's general.

D: It is a reminder for folks: can you please, at the top of the Slack channel there is the spreadsheet that's embedded there. I think I have the permissions correct after last week; now people should be able to get in and edit. I've seen a few people have. What we're looking for is.

D: You know, please put your own names on the second tab. Trying to build a list of who are active members here, and then, if you have any referrals, and we are looking for, and it's wonderful to have Jay representing another highly regulated industry, we are looking for a more diverse crowd of end users: more in healthcare, retail, transportation, anywhere.

A: Yeah, we're very, very keen to broaden the base, you know, across geographies, across levels of regulation, across industry sectors and across, you know, public, private, academic, etc. Just to get the best representation we can.

D: Don't have to be an OpenSSF member. Obviously we'd like you to be an OpenSSF member, but there is no requirement; you can join the working group.

G: Yeah, well, we are, so you know, that's fine. I'm just wondering, like, if I should put ourselves in there in the second time, the current one. Yeah, yes.

D: Yeah, so obviously LF Summit is coming up in a couple weeks. Two things here: one is to find out who is going from this group, or if they know who from their organization is going. We had talked about hosting a Birds of a Feather session to meet up at one of the local watering establishments in the evening, or carving out some time during when there may be some downtime between sessions and evening activities, just to get together, connect in person.

D: So it'd be good to add yourself to this list, to the notes here, if you are planning on going. The other item is that Jonathan Meadows and I do have a presentation there: The Trials and Tribulations of End Users in Open Source Software Supply Chain Security.

D: That's not the full title, that's the gist, and so what I wanted to put forth here is: what we want to do is talk about a couple of things. One, what's going on in this segment, what's going on, what are the highest-profile issues for end users? There's going to be a whole bunch of presentations that represent the producer, the developer of software. We really just want to focus on the end user, because that's what we're doing right now, right?

D: So what are the biggest issues to end users? We have 25 minutes, we want to highlight them, and then we want to spend a few minutes on: what is this working group doing to address the main concerns of end users, right? So want to get that out. You can Slack us, you can put them in the notes here. We can spend a few minutes talking about it, like what are the highest-profile issues that we should be bringing up to this audience.

C: If I could spur the conversation: I spent the last two days in an all-hands session with the healthcare sector, and we were working on the strategic plan in areas of concern, and for us: medical devices, software SBOMs, the relationship between device vendors and their customers, how the customers can use the information.

C: The challenge, where you have multiple vendors in a facility, and this is one of the things DaggerBoard is trying to address, is maybe, perhaps, you're in a theoretical world where every vendor is compliant: they're providing an SBOM, they're keeping it up to date. How the end users are able to use all of that information for a supply chain

C: risk management, you know, analytics or understanding, is still very much a challenge, and of course there are also challenges internal with those vendors with coming up with their SBOMs and how they're keeping them up to date. So the dynamics, and moving from just the static SBOM concept into real supply chain risk management and asset risk visibility on the part of the end user, is a challenge, I think.

D: Okay, that's a great topic. Supply chains, obviously a huge and evolving issue. So SBOMs are a piece of that. I was in a conversation with a client yesterday, and their main concern was the validity of the information in the SBOM, right. That was a hot topic for them. They do a lot of business with a lot of startups and they consume.

C: Yeah, and I'd add to that from the security officer perspective: it's always easy just not to trust the vendor. I don't think they're giving me the best thing, from like medical advice. Also on the vendor side, you know, with larger companies and more complex engineering and development processes, they want to try and provide the customer with the most up-to-date SBOM, software detailed information, but there are just challenges within their own organization, and, you know, they threw out things as an example where they're trying to put together a cardiology device.

C: One piece of software still runs on Windows NT or XP, or something like that. You know, how do we work, how do they work around that from an engineering perspective to still deliver a device that helps a cardiologist save somebody's life, while at the same time acknowledging the cyber risks of the underlying, you know, engineering infrastructure.

H: Yeah, I think there's a general hesitancy still on the part of vendors and medical device manufacturers to expose some of that dirty laundry. We encounter some resistance still. Our vulnerability team, for example, you know, it encounters some resistance still with just SBOM collection and kind of navigating that process. Today, we have taken some strides as an organization. Recently we implemented some

H: security standards that we've published openly, we've shared actually on our website, that dictate a lot of really good stuff. SBOM has not been incorporated into those standards yet, but there's plans for doing. Really, it really lays out expectations of the vendors that we're working with and, you know, manufacturers, OEMs, in terms of how we do business and what we expect in terms of, you know, the software and the systems coming into the environment.

E: I do, I have two topics that this group may want to discuss. Part of what Andrew is laying out, adjacent to Jim's statement: I had the great pleasure this week to attend the CERT/CC vendor meeting, which is an annual secret cabal that gets together every year at RSA, and all the vendors sit in a room and talk about all you customers and whatnot. Not really, but a large point of discussion was the integration of SBOMs, advisories through things like CSAF, and then OpenVEX and VEX.

E: So this group may be interested in: you probably don't have this problem yet, but it is conceivable in the future you will have multiple hundreds of SBOMs provided to you from your suppliers. Then you will have potentially thousands of advisories around all those different things, and then the new hotness is VEX, which is a way for a developer or supplier to kind of state the effectiveness of a component to a vulnerability.

E: You review all that. So that was one topic this group might want to chat about, Andrew, and then the other topic: one of the other hats I get to wear at the foundation is I sit on the public policy committee, and we had an exciting dialogue all about the EU's CRA legislation that's coming down the pipe, and that might be something that everybody here cares about, whether you (a) live or do business in the EU, or (b) get some type of software or hardware from a vendor within the EU.

A: Yeah, I might double down on the CRA. I have raised it internally with government affairs folks, and the scenario I give is, I consider to be the low-probability but very high-impact, would be if rubygems.org gets locked out of the EU because it can't meet the distributive requirements.

A: Suddenly we can't deploy in the EU, and because of data residency laws, that means we can't do business in the EU, which is bad news for everybody. If any package repository gets locked out of the EU, you're in a world of hurt.

A: Similarly, if authors in the EU suddenly get cold feet about developing open source software because they're afraid of being considered manufacturers, again, suddenly a lot of your dependencies is not getting updated, nobody's attending to the PRs. The security holes are just sitting there because nobody wants to touch it. It's become toxic.

A: That would be extremely disruptive on a longer time scale. So I encourage all of you to talk to your government affairs folks, if you have them, and encourage them to weigh in. I know that a lot of companies already have taken a position on the CRA, but it tends to be formed around the commercial operations rather than what you might think of as the IT operations, which is the perspective I come at it from. So definitely take another look if you haven't, and, Joshua points out, if you're in the EU.

D: CRA, but also what's going on with U.S. legislation, right, giving a summary, an update. So I'll put together a draft of the deck. I've started to draft the deck; I'll actually send it to the group for review, definitely would like input and feedback. Again, we only have 25 minutes and I want to reserve a little bit of that for questions. I want to reserve some of that to pitch, and not pitch, the OpenSSF, right.

D: It's not a sales pitch, but I do want to say who we are, what we're doing, come and join us, and spend a few minutes on that. So I'm really looking at about, and I'm going to do this in a kind of a semi-interview format with John, so we'll have about 15 minutes of kind of presentation and then other activities, so other content.

D: So we have to be really crisp, and I want to get it down to just, like, the top five things that we can spend a couple minutes on each, but certainly the CRA, SBOMs and integrate, and the supply chain issues certainly are up there, but really want any other feedback from the group. Please, please contribute.

C: There's a couple U.S. federal associations, industry associations, that bring together both government representatives as well as government vendors in the technology space. I participate very heavily in one, and they're always focused on zero trust and identity and cloud security and AI and quantum, and we don't really have an SBOM, secure software attestation effort yet.

C: But with the link I put in the chat about what the Office of Management and Budget is now going to assist at agencies, do, it's probably an area to spin up, and been collaboration between this working group and that association working group could be a useful way to build the message specific to the federal government environment.

A: Oh well, thank you very much for that. I'm looking forward to that session. I'm looking forward to that conference in general; I think it's going to be very interesting. I'm also going to be attending the OpenSSF Day. I hope folks will be able to do that; that schedule looks very interesting too. So now we come to the catch-all section of the agenda, which is the any other business, or AOB.

A: So if there's something that you have a burning need to discuss that we haven't had a chance to get to, or that you feel that we've oversee, failed to see, or overlooked, there's the word I was looking for, now's your chance to pop your hand up and let us know what you'd like to discuss.

E: So, fun fact: the last year the foundation put out a document called the Mobilization Plan, and there's been some effort around that over the last year. Last December, the governing board also wanted to highlight a slightly different direction for the foundation, so they've dubbed this concept the Sterling Toolchain, and we've had a lot of conversation.

E: Well, we've had some conversation at, like, a GB/TAC level, with some people being involved in that conversation, and Jonathan and I had talked a lot about the Sterling Toolchain, and I think it would be very useful to get the end user perspective on trying to help develop a set of requirements for what that might look like. So I would invite everybody to take a peek. I have a TAC issue, and there is an associated document that goes along with that.

E: So if you have any thoughts about, from an end user perspective, what you'd like to see the foundation kind of produce or endorse or encourage, please review that, either make a comment in the TAC issue or comment directly on the attached Google Document, so we can talk about kind of the future direction of how we're going to help try to secure the open source supply chain for the world.

E: Sure, let me find my notes on the topic. So the idea behind the Sterling Toolchain is trying to accelerate the value and the security that we are working with the community for, for all, but for both maintainers and consumers of open source.

E: So we're trying to improve the security posture overall, and the idea is to, well, first off, it's a bit of a fishing expedition, but where there isn't a concrete ask of "we want to make a widget to do widgety things", but the idea, we're trying to collect ideas about what the Sterling Toolchain could be, and the idea is to kind of look at an end-to-end software supply chain and figure out how we can implement either new tools or new practices to produce more information.

E: Like we touched on a little bit earlier, where some people don't trust their vendors. Well, how can we improve the trust in the supply chain? So what types of signals can we release, so that when a developer does a scan, maybe that gets recorded and put up into a dashboard somewhere, or, you know, when somebody is plugged into Scorecards? You know, that's an easy way for an external observer to kind of view some set security criteria and make their own risk assessments based off of that.

E: So the idea behind the toolchain is to try to find these areas where we can increase that communication, wherever we can potentially find, either develop or find, a set of applicable tools for open source to leverage and consumers to leverage, and really it's been a bunch of people trying to hammer on this.

E: This idea of this very secure, very disciplined, very well managed software supply chain, and how can we execute on that, and again there's a lot of thoughts on what this could be, and we're just looking for feedback, and I think that end users has been a group that hasn't necessarily had their chance to express their opinion on what they would like to see OpenSSF focus projects or work or funds towards. Jacques.

A: I took a look, about a week ago, I think, I took a look at the document, and my main conclusion was that I didn't have a conclusion about what it is. The title is very suggestive, you know, toolchain.

A: It sounds very much like picking particular technologies and wiring them together in a particular default configuration, but the document itself sort of skitters towards and bounces away multiple times from that possibility. That's the first thing, and the second thing is, I don't know, I'm mostly concerned that the OpenSSF does not invest its funds in a lot of development work. That's expensive and, to be frank, the vendors can do it; like, they've got the folks on the bench to do it.

A: They've got the funds to do it and they can profit from it, if they're canny and, you know, market it well. Whereas I see the OpenSSF's points of highest leverage as the things that fall between the gaps, between vendors and end users. End users are busy doing their business, selling their tractors, fixing people's hearts, building planes, you know, and so on.

A: Vendors are busy building software and services and selling those to the end users. What's missing is the stuff in the middle, which is, you know, the stuff that everybody knows that we want, for which we have a collective need, but for which no individual party is the rational actor to actually go and do it for everybody.

A: So I also had a proposal last year, which we put to the side at the moment, which was the shared help desk, right. Like, it's not sexy, running a help desk, but it has high leverage, and those are the sorts of things where I'm concerned that funding for a development effort would compete too much, too well, given the cost of engineering talent. And I see that I've sparked your discussion.

E: And before I hand to the others: it doesn't necessarily need to be a tool or set of tools, although that is an option. A lot of the work that this group is doing around the reference architecture and the threat modeling, so Henrik and Pierre Giorgio and that crew, we're working on a reference architecture that definitely could play into it, as a template for a consumer to adopt, and here's the kind of threats you need to avoid and how to mitigate them. But yeah, I'll hush up and let the group talk.

C: I'm sorry, I was, Jacques. I thought Jacques's commentary was excellent, and back to what I was saying before, to kind of reiterate that you could have an array of software vendors, be they medical devices, be they any other devices, it could be automotive, healthcare, government, etc., and the end user is like, okay, I'm presented with this array of software supply chain information.

C: What do I do with it? And I think, you know, and not to get into a controversial area, but I'm sure people are aware that there has been some creative tensions between SPDX and CycloneDX, specifically around the fact that ServiceNow rightfully wanted to kind of build this into what they're offering for their customers to understand their environment. I don't think we have an across-the-board, comprehensive, open source approach to doing that, to give individuals, as I think I mentioned before, asset risk or software risk visibility.

C: That ties into a, excuse me, the security dashboard look, or something else that says: I have to comply with this control, I'm getting the feedback from this SBOM that this device is not complying with it, or I'm starting to use OSCAL in my cloud environment, and so forth and so on. You know, how do I dynamically get those metrics?

L: Hey, yeah, it shouldn't be surprising to know that, or to learn that, Snyk is kind of not really, you know, positive on openness without developing, you know, completely comprehensive sort of feels. I think our view on the Sterling Toolchain thing, though, is that it should be, and this is something that I've been saying to whoever will listen to me, is that the nuance here is about commodity functions.

L: Things like a Scorecard, for instance, which are amazing and should be developed in a collective spirit, and then in a way where it can be used as a library, or data from Scorecard can be used in other people's applications, you know, OpenSSF members and non-members, and people not affiliated with OpenSSF, collectively, so that we can level up the industry.

L: So we would like to see more effort, like we would like to see the energy that is Sterling Toolchain kind of funneled in that direction, where the tools we're talking about are libraries that can help level up everyone, in a kind of all-boats-rise kind of way. Yeah, and also I just wanted to ask CRob if the voices in their head had stopped because of your hat there, or is that they're.

J: As you know, there has just been a lot of talk around the community about how OpenSSF, like certain outreach, hasn't been taken positively, so I wonder how that would fit, or how all of this would update that, if you get what I'm saying.

J: And let me also say this, CRob: I have recently been interacting with a different group of people because, as you know, my position at LF has kind of been growing, and, like, the kernel people don't have a very positive impression about what OpenSSF is.

E: And that's my personal caution around the idea of creating a bunch of tools, is we don't want to be seen as kingmakers, so to speak. I think there's a lot of choices, and, you know, based out of the end users here on this call, I imagine that we could very easily come up with, everyone, but have a list of the tools they use today, and it'll be very difficult to have any kind of single tool that's going to work effectively across all these customers.

J: I did get good feedback. They think that we are not sensitive to the fact that there are several generations of security, where security has been defined differently at different periods of time. So they think that a lot of the work we do is insensitive to that, because it forces people to think about security the way we think about security, and I'm, yeah, that's a great take, but there might be a slight point to that. So I just want to point that out.

E: Yes, and we all should be aware that security continually evolves, the threat landscape. Everyone here that represents an enterprise, you are constantly barraged by a stream of attacks and threats, so you have to constantly adapt. But yes, I understand there is a need to be empathetic and find ways to translate between the different generations, so to speak, of these different implementations of security, yeah.

E: Well, it depends on who you're talking to. The governing board thinks it's great. The people that are trying to implement it are having a vigorous debate and dialogue about how we could execute on that vision. And again, all feedback is welcome. If people have ideas of how this could be forged into something that is actionable and useful, you know, please give us that feedback, so we can help try to achieve our goal of improving security.

M: Oh, thank you. Yeah, no, I was just going to affirm some of the points that Randall just brought up relative to looking at this from a multi-generational, multi-perspective point of view, because, you know, we tend in the tech industry to latch on to the latest shiny object that's new, and hey, cool, but looking at the security issue from a more rounded perspective I think will be helpful, because I think certainly, especially from an end user perspective,

M: it's a huge trade-off, and in many respects you're trading one challenge for another, even when you do that, because it's kind of a bit of whack-a-mole, really, honestly. So I'd hate for us as an organization to suddenly put up some scoreboard that says, ooh, if your code's not written in Rust, you know, that's a, you know, a minus or a red square in the box, because that's not necessarily the case. And the other thing I wanted to share perspective on, the Sterling Toolchain, is I

M: agree with Jacques's point of view that, you know, there's no reason that the OpenSSF necessarily needs to, you know, go in the direction of trying to develop something that specifically competes with the vendor community.

M: But how do we leverage the past learnings of other major initiatives so that, you know, we can do something in that space that helps move the industry forward, because there are problems, not just gap areas but fundamental things where this could help, because the vast majority of open source developers don't necessarily depend on vendor tools.

K: So, and thanks for the segue, girl, because I was about to say the same thing. You know, perhaps the Sterling Toolchain, and CRob said this earlier and I saw him, but that's just not a set, a complete set of tools per se, but maybe it's a combination of people, process and technology. What I'll also say is this, and I would for everybody to think about this angle of it, right: as CRob said before, the governing board is gung-ho about a Sterling Toolchain.

K: You know, part of what we do in the OpenSSF, and I, you know, I'll come right out and say it: we all are volunteers and we're trying to do great work in the industry, but we all are representatives of the organizations that we work for, and the organizations that we work for happen to put our bosses on the governing board. In some instances, not at all, but in some instances our bosses are sitting on this governing board.

K: So we have to be careful if they're gung-ho about it. I think what might be beneficial for us, if we have an issue, if we do think it should go in a specific direction here in the end users group, which I think is a great place to do it, right, so I echo the sentiment, because we're the individuals that are going to, you know, be advocating for whatever happens, you know: go internally, have these internal discussions.

K: You know, get the buy-in necessary that can go before the governing board, so maybe the influence on the governing board sways a bit, right, and I mean you might want to do this and go from the outside in rather than from the inside out on this one. Just so it should not, you know, on these recorded calls, we're not directly conflicting with our overlords.

K: We can talk about that all day long, but let's make sure that whatever we come up with, we're going internal, having the discussions, getting the buy-in, building the rationale now, so that when the governing board meets the rationale is echoed in the governing board, and that way that direction could come back down, so that we're all on the same sheet of music. I'll stop there.

A: I'll preempt Jim. I'm sorry, Jim, not all of us are on the governing board. Some of us are ordinary members, having sort of traded up, you know, made thoughts about the trade-off about where to apply our energy, whether we pay that in time or treasure, so to speak.

A: But I do take your point for those folks who are able to talk to their governing board representatives, to find out what their thinking is and to see whether it can be adapted. I think that's helpful. I do worry about what feels like a disconnection between the working groups at one end of the organization and the governing board at the other end of the organization.

A: They don't seem necessarily to be on the same page a lot of the time, or aware of what each other's doing. The fact that CRob had to come in here today and talk about something that's been bubbling in the background for months, in my understanding since last year, I think is itself.

C: Thanks, sir. Yeah, I was just going to follow up both on Jay's excellent comments and Jeffrey's, and Ed, yeah, there's in every Linux Foundation project, in my opinion, there's what I'll call dynamic tensions between the board, board companies, who those representatives are, but to kind of encapsulate it for, I think for this working group, there is a growing regulatory tsunami that started with the executive order, now embodied in things like what OMB has put out, what the CRA says in the EU, and from the medical device side,

C: what I think, they think it's the MDR or something like that, which basically is applying GDPR at the medical device level, that these things are building. There is no longer a tolerance for these conversations around software vulnerability, and Jeffrey made a great point when he talked about, hey, just because the newest and hottest thing is Rust doesn't mean you've got to re-engineer all of your C++ libraries.

C: You know, for the folks who have been involved in security assessments and vulnerability scans and pen tests before, you always come up with this list of things that are considered critical on an NVD score. But you know the reality is I'm not going to fix that, or that's someplace else, and that's when you have visibility to that vulnerability and then say, well, I've offset it or mitigated it with this control.

C: There is an opportunity to be something of a kingmaker in the absence of any other guidance, where right now, essentially on almost a global basis, we're around kind of saying, gee, what are we all going to do about this? Well, it'll be forced on us. It'll be forced on us in ways we may not like if organizations such as this one, which I think are empowered to do so, don't come up with things to offer. Just a thought.

C: And 10 more seconds of that, because CRob mentioned, of course, our Mobilization Plan. I was involved with Brian and the teams at OpenSSF where we put together those various mobilization streams, and they were built around the fact that we knew we had an audience of the White House, to be able to say the Linux Foundation has a plan. You're bringing together a bunch of tech leaders and saying, gee, what are we going to do about this?

C: We have a plan, we collectively as OpenSSF, and we have groups dedicated to working on these toolsets. So that really has been the intended follow-on to that Mobilization Plan, whether those streams are organically built or we go back to seek more audiences with what we can do and create and foster participation, and for me to necessarily do. But that was the groundwork and the impetus around what we did last year.

A: Shameless plug: I am doing a session at OpenSSF Day in Vancouver about the Mobilization Plan and the current efforts, and kind of summarize. I've talked to each of the group leads of all the active efforts, so if you're curious to see what's going on with the Mobilization Plan, come to my session.
E
I
believe
that
Jeffrey
may
be
leading
the
efforts
to
help
with
a
refresh
of
the
writing.
Is
that
correct,
Jeffrey.
E
There is a group that will be assembling soon to help do a one-year refresh and update of the document, and that's where groups like the Education SIG and the OSS Cert SIG, they've taken the original plan and rewritten it, and that would be potentially part of the artifact update, which will be incorporating that new knowledge we've learned over the last year.
E
The mobilization plan rewrite, yeah, I don't know, I had to ask to be invited to it, even though I wrote like a quarter of it, the whole plan.
D
It would be a shame, and a little bit par for the course, if they aren't... if an actual end user is not a part of that plan completely.
A
Stimuli for the formation of this group was the absence of end user representation on the TAC and the sense that it was a very vendor-heavy organization, and I guess that's still slightly the case. Yeah.
A
D
A
No, unfortunately, but you know that all things change in time, I hope.
A
Okay, so we've got 10 minutes left. I think that was a very productive discussion. Thank you, Craig, for bringing that up. I'm curious if folks have any other issues they'd like to discuss before we tie up for the day.
A
L
L
Who's... well, based in the UK, so I don't know whether I care about the EU, but you know, if somebody is closer to the EU, I think it would be good to do that. And if there's some way we can set that up, that would be great.
A
I think it would be useful, definitely for folks who have government affairs or lobbying-type organizations in their organization, to get briefed on the open source implications.
B
A
At least, from what I've seen, the focus has been on other areas, both as an individual end user and in terms of working together in collective lobbying groups. The focus has been elsewhere, and I have to be vague, but it has been elsewhere.
A
So basically, if there was a webinar or webinar series that I could, you know, invite my government affairs folks to, that sort of had a credible authority briefing them on the implications for open source and for a company's production, in the worst possible scenario where we get production interruptions, that would be useful.
F
To convey... I would strongly suggest we don't try and do anything ourselves and funnel people towards the Linux Foundation Europe, who are mobilizing, like, folks.
A
F
Yeah, I can put the link... I put the link in the chat earlier. I can put it in again. I can't edit.
F
My system than anything to do with the doc. Yeah, drop the link in the chat to the Linux Foundation Europe's CRA call to action page.
L
But is there any activity, or is there any, you know, kind of webinar or anything like that, that's planned as part of that activity, or are they just looking for feedback right now?
F
I think it's reasonable to... I don't know is the honest answer. I saw a panel at KubeCon Europe last week.
F
That's the only reason I'm aware of it, but I think if you are saying that a webinar would be useful, that's good feedback for the LF Europe folks, right? They're looking to instigate change in this area, and that's their remit as the European Linux Foundation.
D
Yeah, so I'm happy to bring it up. Gab is a... Gab leads LF Europe, and is also still part-time executive director for FINOS. I'm on the board of FINOS. I can bring it up with him. I think it's a good idea. I think, Jacques, to your... one thing you mentioned earlier is a credible authority that all of our public policy folks would, you know, see a name, a title, a role, and go, oh yeah, I should be on that call. Yeah.
A
Because I'm just an engineer. What do I know? I mean, the fact that I studied law, it doesn't appear next to me. So, you know, when I get paranoid about legal documents, that's the thing. But yeah, I think having external credibility will help convey the sort of gravity of the situation. But I've cut off Curb.
E
No, I was circling back about that lack of representation from the end user community. Jonathan Meadows strongly asked me to participate as part of this group, which I'm very glad to, because a large part of my career has been as an enterprise defender for a long time. So if anyone here has anything they would like to pass along to either the TAC or the GB, don't hesitate to reach out to me. I can help be your voice; even though you may not have a seat, I'm glad to help represent this community.
E
A
I think that's very helpful. It's always helpful to have someone in the room. One thing I learned in my days of student politics is that a surprising amount of the world is run by people who just showed up.
A
All right, so we've got five minutes to go. Let's see if anyone else can sneak under the wire. Going once, going twice, sold to the man with the funny hat. Thank you, everybody, for coming today. I think it's been a very productive session.
A
D
A
Oh well, thank you, of course. We all miss Jonathan today. Thanks, everybody, for coming, and we'll see you again soon.