From YouTube: End Users Working Group (December 8, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
B
A
Getting ready for Christmas, so I think it's going to be fairly quiet as everyone's now giving up and ready for Christmas time, right? Christmas parties kicking in, and we only just really had the last update last week, but shall we kick off to do my notes? Yep, right. So if people can note their attendance, that would be great. I'm going to do that too.
A
Dan straight to the front, with best note taking the world. Appreciate that. Thank you, very good.
A
Okay, so I think mainly familiar faces here, but if it is any new people joining, we can add them to the group. So, let's get off with the agenda, if that's okay. Mitch, I know you and I talked a little bit and it's still in progress, but do you want to give people a bit of an update on the work you're doing?
B
Yeah, I welcome everybody, folks that I haven't met before. Pardon my voice, I've been now to between Coben and Nicole. I'm a Techstrong Group, media company I run, I'm the CTO that runs all the technology, and I'm a developer and security person. And so I talked to Jonathan about helping out wherever I can, and one of the things we decided to take on is get some of our documentation about the main sort of reading page on GitHub for the working group.
B
So I'm poring through the notes of past agendas and putting things like the mission and description that you all have already talked about, and kind of give us a good landing page on GitHub with the information that you've got, or maybe we fill in a few blanks. So I might reach out with a few questions here and there just to help get started. So I just offered to Jonathan, I'm happy to help in any way, and I know I'm not an open source developer.
B
A
No, it's very cool. Thank you very much, Mitch. And look, I think, you know, as those updates come in, just make them, and then perhaps if we can catch up asynchronously on the Slack channel, see if people want to provide updates. They'll need, I think, to stand on ceremony, particularly since we'll be out likely over Christmas. So I think we just add contributions to it and see how we go.
A
Very good, all right. Thank you very much. So next agenda, me. Oh, it's me for the proposals. So I had a chat, as we've been going through this, with Probe, see you joining.
A
Thank you for that, and Eva, and also Bob Callaway, and caught up again with Bob over the last couple of days and confirmed that we are good to propose to the tech. So he's going to put us on the agenda for January at this point, but it's going to be, I think, the first one in January, and that's going to be the two proposals, the taxonomy one and the end-to-end architecture one. I think everyone's reviewed it, put in additional comments.
A
Different attack members are putting additional comments, so I think we've got to feel pretty good in terms of where that's going to go. Kind of locked and loaded, really, just until we get the meeting in January, but I think that's a pretty positive outcome.
D
No, I'm happy this is proceeding. It's some good work we're proposing here, and excited to see what, how the attack embraces it.
A
Excellent, looking good for that, but yeah, I think, well, I don't know, lead the witness, I guess. Certainly I've had a plus one from Probe on that already, plus one from Bob, and yeah, I think we're in great shape.
A
Right, next one is the End User Group end of year statement. Andrew has just sent his apologies, he's at the FINOS group at the moment, talking about open source, and I think it's probably going to drop a plug-in for us as well. But Andrew did the end of year statement for the End User Group with Jen. I'm not sure when that actually goes out, so it was Jennifer Bligh. I do have a copy of it, but I think that's probably sort of an internal copy.
A
I guess I don't really know the internet so that, does anyone know by the end of year report gets finally published? No? All right. Well, Andrew's done some great work there. It really just reviews our goals, which was part of our remit, a number of regular contributors, some 2022 highlights in there, including the proposals we're making. So I think we're in, I think, a reasonable attempt in that end of year statement, so thumbs up for Andrew, I think, for that one.
C
A
I can't, because the only thing I've got is Jen sent across like a copy to edit, and Andy was the only one that edited. I wonder if, let me just ping a follow-up to see when this comes out.
A
A
Next one is the supply chain, total and malicious threat. So last week we had Zachie from Checkmarx also come and add his voice to that. I know, Jack, you had some thoughts on that. I'd reached out to the securing software repo working group. I have no time to read my replies, so it sounds like there is interest in getting together as an ad hoc group to have a quick discussion about it, and Jack.
E
Yes, yes, yes, yes, yes. So we, the securing software repos group, is up for reporting at TAG next week. One thing I want to mention during that report is: hey, we've noticed that multiple groups have had the same idea or an overlapping idea, and we want you to be aware of it. We're going to figure out amongst ourselves who does what and how it fits together. But, you know, heads up, this is something that has popped up in a lot of places, and, you know, any guidance or advice most welcome.
A
Yep, I think that's great, and I think hopefully that'll be well received. Just looking at a list of replies for that message, I've had a thumbs up from yourself, Randall or yourself, Shack, Marina Moore, Drew.
A
So this is quite a couple of people are interested in collaborating on that, and, you know, I should probably put together a sort of brief meeting next week to see if we can get some sort of momentum behind it, as well as just do good self talking to attack. Check, yep, great. I think you're.
A
Right, though I think there's a couple of other proposals like that, where they're starting to be talked about in multiple working groups, and I think we just need to be aware that we don't replicate stuff all over the place and try and reach out to people.
A
So this is pretty cool, very good. All right, so I guess I'll take an action, on the back of that feedback, to set up a meeting next week, start the ball rolling a little bit faster, but I'm keen not to be the one leading that necessarily, because I think there's some great work happening in the multiple different working groups. It's just making sure that we're plugged into it.
A
All right, the final thing for me is deliverables for next year. I wanted to sort of have a discussion as a working group: you know, where are we going to take things next year? We've got a couple of the deliverables on the charter, we're going through these different proposals, but is there anything specific that we, as a group, feel that's missing, we really want to push, anything we want to add to our deliverables, perhaps?
E
One thing I've seen done at the CNCF end users working group, and I'm sure it's elsewhere as well, is providing space for different end users to share their experiences with using a particular technology or, you know, output or product under the CNCF aegis. So I think, maybe not right away, but as we grow the group and as these technologies, documents, procedures, etc. mature, people will start road testing them.
E
People will start applying them for realties, and the end users group is a great place to share those experiences with each other, and also that lets us be a point of contact that then they can bubble that up to other groups. When we have particular feedback, we can say, look at this meeting.
A
Yeah, that's a great call. You know, how other people are mitigating some of those issues, perhaps the threats that people see, different projects of interest. Sounds really good. Any other thoughts?
F
A
G
F
Right, you know, I think in the architecture slides we have the large, as a development organization, but I guess as a consumer only architecture we haven't gotten that nailed down yet. But what I was going to say is that we perhaps won't expand on the other functions aside of the pipelines or the asean, for example, vulnerability management, and how these ones relate to the processes that we're trying to control in the puck lights.
A
So you mean for a regulated consumer, expand not just the pipeline, but also vulnerability management and other processes and tasks that someone would need to do in that regular environment, right? Yeah, yep, yep. And I'm pretty excited to see that expand, right, with the work that Piagio and Henrik putting into those architectures. It'd be good to see those build out as well, right, just across the other use cases we do need to define as well. This is probably more short term than anything else.
A
C
Maybe something, something SBOM, because.
C
Something, something has pumped something. What I'm thinking of specifically is I saw a note somewhere about some company that was going through PCI compliance checklist, and their PCI, and their whatever company auditor was.
C
They were working with seemed to be implying that part of the CCI compliance is now also, you know, providing type information about stuff, and so, yeah. Exactly, that's what I said, that's right. And yeah, so I hadn't seen this before, but I think some investigation might be necessary, like do, and especially like.
C
This seems to me to be something that really would apply to end users, to consumers, right? Like if you're an e-commerce platform and you're making use, and you're, you know, you're gonna wanna know what implications this has for you about the use of open source packages, that kind of thing. So maybe just something to bookmark that we should be looking at over next year, yep, and as a coordination project with SBOM Everywhere work, Street.
G
So one thing that I can add that might be useful is, right, the SBOM consumption tools have really lagged, well, understandably, right, because no one has piles and piles of SBOMs. And so I think one thing that this group could do is say: hey, what do we want in some SBOM tools, so that, right, folks who are building open source, or dare I say building proprietary products, could say, you know, okay.
G
This is what a large group of experts who use open source in their organizations and are worried about risks are focused on. So that could be a very useful contribution.
F
Just on that, to expand a little bit more on that one, right, Alum, I think what you're highlighting, what Don mentioned, falls into probably the development part type of organization, but I guess on the side.
F
You could also argue that there could be third party kind of like assessments, right, particularly for the regulated consumers that don't have these development structure, and they wouldn't be able to implement that kind of tooling to analyze that as well, right? So I think that would be a side kind of like equivalent in a non-development organization.
G
You know, it totally does. I guess my, I had the idea, and sorry, I know Jacques had his hand up, so I apologize, they're, jumping, saying, well, so there's your internal development team, right, and they're generating it, and they've got their vulnerability.
G
What we want to move to a world is, when people give you software, or when you're using outside software, open source or proprietary, we want to encourage one them. Why would you buy from someone who couldn't tell you what they had, or use something that you couldn't do that? But then what are you going to do with it to contribute to your risk management, right? So it's now software that you're using, so it's your responsibility, and so integrate.
G
What are some of the existing security tools that you have that you can fit in? Does that make sense? All your exist, your asset management tools, your vulnerability management tools, your CMDBs, your data lakes, all that stuff that you already have, and you guys already pay a lot of money for, how can we say we'd like you to also integrate SBOM data into it? Does that make sense as.
F
E
Yeah, no worries, that was a useful conversation. I have a slightly different angle that I wanted to raise.
E
I feel like it's an open loop, which is between us and the auditors, or between SBOM folks and the auditors. Like, if auditors are starting to say, I want to hear about SBOMs, I want you to talk about SBOMs, then we need to make sure that we're giving the auditors the most up-to-date and accurate sort of information about how mature the SBOM space is, so that they can make sensible decisions about what compliance to push for in their audits, because otherwise they're just going to be getting like the telephone game version of where the world is at, and that might cause a lot of harm, and that might cause a lot of blowback against SBOMs as a program.
E
A
Just adding to that, I think that's one we should definitely put down, is sort of an outreach, right? I think we discussed it at a previous meeting, where we're trying to put together as a group some documentation to show end users what to do and to sort of get together as members, but I think even within our charter, it actually suggested there was an outreach component. We should be talking to the auditors and trying to help inform or provide pointers to, as you're saying, Jack, to look.
A
This is the level of maturity. This is the state of the art. Don't necessarily, you know, audit on the absolute bleeding edge that we're just still trying to figure out, but take a look at somewhere else. I think that's a great point. We should perhaps put sort of underlying for next year to see how we can make those connections or strengthen those connections to provide the input. Yeah, that's a great one. Yeah, one of the things I
A
Guess it's more of an observation than something I'd like to look, I suggest we look at next year, is I've heard from a number of members of the group that we're talking to a lot of other enterprises and end users and consumers, huge numbers of them, and trying to, you know, work in sort of a network and bring people back to this group, and we're having a lot of these conversations.
A
Whilst not everyone is coming back to this group, we're still having those conversations next. Only so I wonder if we figure out a way of trying to bring that conversation back to here, or at least report upon it, so that it's not, you don't have to be in this group to necessarily apply and provide input, but we can put together documentation or feedback to say: look, I just talked to 17 different car manufacturers about SBOMs and supply chain material.
A
This is kind of what people were saying, and just bring it back to the group, because I think we're missing that little element. Whilst there's only sort of 15, 20 of us in this group, we're actually talking to like a couple of hundred. There's a lot of information that I think we can share bi-directionally and perhaps use it and bring it into this group. We want to make sure that, you know, maybe I'm talking to someone, and, you know, maybe someone.
A
It would be useful for someone else in this group to know that there's a whole load of pharma groups that we're talking to that might be beneficial in general.
D
Read, when I raise my hand and lowered, it should know to unmute me. So, your prior point, the education SIG is going to be creating material for a manager, auditor type persona.
D
So if this group has materials, like we want to educate people on SBOMs or how to incorporate open source in a regulated environment, this group can help jointly kind of create those materials, and the SIG can make that part of our pipeline as we blast it out through a couple different medium. So that's a future opportunity for this group to collaborate with over there in the education group.
A
Raised my own hand and lower it again, but you know what, I've started to already think about New Year's resolutions, and one of them is going to be, I just, I personally need to figure out how to work together more closely with the other working groups. You know, we've got together as a group the list of the working groups we're supposed to going out and working with and reporting backup on. I'm just not earmarking enough time in the day to actually do that.
A
That will be my New Year's resolution going forward. To contribute to your point, crib, look, this is some educational material, be great to input there. It doesn't all necessarily have to come back here, right? So that's one of my many New Year's resolutions I'm putting together, grub.
D
To that point, there is a group of people within the foundation that is working to kind of document everything that's going on, all the activity across the foundation. It's the diagrammer society. We have posted several different styles of diagram to help showcase different views of what the foundation is doing.
D
We recently had a member make a mind map where he went through all of the existing documentation for every working group, SIG and Sif. So that's that mind map file. So if you want to take a look at that, and if you were interested start to improve your list of who you want to reach out to and what everybody's doing, that would be a good starting place. If you have an Apple device, we have that.
D
Actually, that mind map file, you can load up in a mind map program on Apple to kind of dive in, and it's all hyperlinked. Otherwise, if you don't have that, you can look at the pit, the PNG file, but that might help inform activities in the future and kind of help show where we might add value or want to start to encourage collaboration.
A
A
A
All right, next section is any notes from other working groups that anyone would like to share or bring back to the group.
A
A
Good thinking, go for it, group.
D
D
So everyone is welcome, we'll be setting a formal call for comments for the best practices working group and the education SIG starting this week for two weeks, and then we'll push it up to the TAC for a two-week comment. Everyone is welcome to participate on that, and we will probably go over, ask, do our little dog and pony show to the governing board sometime in January. The OSS cert SIG, which may be of interest to some of you, since many of you are consumers of open source.
D
There is another funding proposal to create a dedicated open source security incident response team. That plan has already been shared with the TAC. I can point you to the issue there in a minute medicine that is open for two-week comment, and then, ideally, I don't think we'll squeeze it in before the end of the year, but we'd like to get that on probably the first governing board docket next year for funding, for consideration.
A
I'll go. So I attended the LF Energy working group, Linux Foundation Energy group, and gave a very small presentation about the end user work that we're doing in supply chain in general. Pretty well received. There's a couple of energy companies that reached out afterwards for a bit more detail on just the issue at hand.
A
They've got a full book of work that is not at all supply chain related, so they're often doing that. But one of the things that did stick with me is, in the conversations afterwards, they're looking at a very different area of supply chain security than we are, which probably makes sense. I know deep insight into energy sector at all, really, but whereas we're looking at it primarily, I guess we're looking at the vendor work, we're looking at the open source work that could be vendor or bespoke software.
A
Clearly they're looking at massive infrastructure that has software within it as well, huge transformers, multi-million dollar type thing, as opposed to something you'd get on a download over the Internet. So different layer, slightly different challenges, but the sound of it, but definitely connected. So a couple of interested parties from over there.
A
Carefully, and I mentioned, and with a very large wooden pole, I don't know.
A
Yeah, very good. So, okay, so open it up for any other business.
A
Any other thoughts? But alrighty, so we'll close it there then. A fairly short meeting, but I think we did have the other one last week. I guess the next question is: do we want to meet again before the end of the year, or, you know, when should we set the next call? Everyone's heading into Christmas and parties and checking out and holidays and vacations. Any thoughts on the next session?
A
All right, so I'll request that we cancel next week, because, yeah, 22nd, there's limited chance of that, and go for the fifth. Well, very good, all right. Thank you very much, everyone, thanks for your input, and I think let's have a great holiday season and let's get these proposals going next year and work with the other working groups. Thanks a lot, cheers everyone, bye.