►
From YouTube: End Users Working Group (December 8, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
B
A
Getting
ready
for
Christmas
so
I
think
it's
going
to
be
fairly
quiet
as
everyone's
now
giving
up
and
ready
for
Christmas
time
right,
Christmas
parties
kicking
in,
and
we
only
just
really
had
the
the
last
update
last
week,
but
shall
we
kick
off
to
do
my
notes
yep
right?
So
if
people
can
note
their
attendance,
that
would
be
great
I'm
going
to
do
that
too.
A
Okay,
so
I
think
mainly
familiar
faces
here,
but
if
it
is
any
new
people
joining,
we
can
add
them
to
the
group.
So,
let's
get
off
with
the
agenda.
If
that's
okay,
Mitch
I
know
you
and
I
talked
a
little
bit
and
it's
still
in
progress.
But
do
you
want
to
give
people
a
bit
of
an
update
on
the
work
you're
doing.
B
So
I'm
pouring
through
the
notes
of
past
agendas
and
putting
things
like
the
mission
and
description
that
you
all
have
already
talked
about
and
kind
of
give
us
a
good
landing
page
on
GitHub,
with
the
information
that
you've
got,
or
maybe
we
fill
in
a
few
blanks.
So
I
might
reach
out
with
a
few
questions
here
and
there
just
to
help
get
started
so
I'm
I
just
offered
to
Jonathan
I'm
happy
to
help
in
any
way
and
and
I
know
I'm,
not
an
open
source
developer.
B
A
No,
it's
very
cool.
Thank
you
very
much
Mitch
and
look
I
think
you
know,
as
those
updates
come
in
just
just
make
them
and
then
perhaps,
if
we
can
catch
up
asynchronously
on
the
slack
Channel
see
if
people
want
to
provide
updates,
they'll
need
I
think
to
stand
on
ceremony,
particularly
since
we'll
be
out
likely
over
Christmas.
So
I
think
we
just
add
contributions
to
it
and
see
how
we
go.
A
A
Thank
you
for
that
and
Eva,
and
and
also
Bob
Callaway
and
caught
up
again
with
Bob
over
the
last
couple
of
days
and
confirmed
that
we
are
good
to
propose
to
the
tech.
So
he's
going
to
put
us
on
the
agenda
for
January
at
this
point,
but
it's
going
to
be
I,
think
the
first
one
in
January
and
that's
going
to
be
the
two
proposals,
the
taxonomy
one
and
the
end-to-end
architecture.
One
I
think
everyone's
reviewed
it
put
in
additional
comments.
D
A
A
Right
next
one
is
the
end
User
Group
end
of
year
statement.
Andrew
has
just
sent
his
apologies
he's
at
the
Finos
group
at
the
moment.
Talking
about
open
source
and
I
think
it's
probably
going
to
drop
a
plug-in
for
us
as
well,
but
but
Andrew
did
the
end
of
year
statement
for
the
end
User
Group,
with
with
Jen
I'm,
not
sure
when
that
actually
goes
out,
so
it
was
Jennifer.
Bligh
I
do
have
a
copy
of
it,
but
I
think
that's
probably
sort
of
an
internal
copy.
A
I
guess
I,
don't
really
know
the
internet
so
that
does
anyone
know
by
the
end
of
year.
Report
gets
finally
published.
No
all
right!
Well,
Andrew's
done
some
great
work
there.
It
really
just
reviews
our
goals,
which
was
part
of
the
our
our
remit,
a
number
of
regular
contributors.
Some
2022
highlights
in
there,
including
the
proposals
we're
making
so
I
I
think
we're
in
I
think
a
reasonable
attempt
in
that
end
of
year
statement
so
thumbs
up
for
Andrew
I.
Think
for
that
one.
C
A
A
Next
one
is
the
supply
chain,
total
and
malicious
threat.
So
last
week
we
had
zachie
from
check
marks,
also
come
and
add
his
voice
to
that
I
Know
Jack.
You
had
some
thoughts
on
that
I'd
reached
out
to
the
the
securing
software
repo
working
group.
I
have
no
time
to
read
my
replies,
so
it
sounds
like
there
is
interest
in
getting
together
as
an
ad
hoc
group
to
have
a
quick
discussion
about
it
and
Jack.
E
Yes:
yes,
yes,
yes,
yes,
so
we
we,
the
securing
software
repost
group,
is
up
for
reporting
at
TAG
next
week.
One
thing
I
want
to
mention
during
that
report
is
hey.
We've
noticed
that
multiple
groups
have
had
the
same
idea
or
an
overlapping
idea,
and
we
want
you
to
be
aware
of
it,
we're
going
to
figure
out
amongst
ourselves
who
does
what
and
how
it
fits
together.
But
you
know
heads
up.
This
is
this
is
something
that
has
popped
up
in
a
lot
of
places
and
you
know
any
guidance
or
advice
most
welcome.
A
A
A
So
this
is
pretty
cool,
very
good,
all
right,
so
I
guess
I'll
take
an
action
to
on
the
back
of
that
feedback
to
set
up
a
meeting
next
week
start
the
ball
rolling
a
little
bit
faster,
but
I'm
I'm
Keen
not
to
be
the
one
leading
that
necessarily
because
I
think
there's
some
great
work
happening
in
the
multiple
different
working
groups.
It's
just
making
sure
that
we're
plugged
into
it.
A
All
right,
the
final
thing
for
me
is
deliverables
for
next
year,
I
wanted
to
sort
of
have
a
discussion
as
a
working
group.
You
know
where,
where
are
we
going
to
take
things
next
year?
We've
got
a
couple
of
the
deliverables
on
the
the
charter,
we're
going
through
these
different
proposals,
but
is
there
anything
specific
that
we
we,
as
a
group,
feel
that's
missing?
We
really
want
to
push
anything
we
want
to
add
to
our
deliverables.
Perhaps.
E
One
thing
I've
seen
done
at
the
cncf
end:
users,
working
group
and
I'm
sure
it's
elsewhere
as
well-
is
providing
space
for
different
end
users
to
share
their
experiences
with
using
a
particular
technology,
or
you
know,
output
or
product
under
the
cncf
Aegis.
So
I
think
we
maybe
not
right
away,
but
as
we
grow
the
group
and
as
these
Technologies
documents
procedures,
Etc
mature
people
will
start
Road
testing
them.
E
A
F
A
G
F
Right,
you
know
I,
think
in
the
architecture
slides
we
have
the
the
large
as
a
development
organization,
but
I
guess
as
a
consumer,
only
architecture
we
haven't
gotten
that
nail
down
yet.
But
what
I
was
going
to
say
is
that
we
perhaps
won't
expand
on
the
other
functions
aside
of
the
pipelines
or
the
asean,
for
example,
vulnerability
management
and
how
these
ones
relate
to
the
processes
that
we're
trying
to
control
in
the
puck
lights.
A
So
you
mean
for
a
regulated
consumer,
expand
not
just
the
pipeline,
but
also
vulnerability
management
and
other
processes
and
tasks
that
someone
would
need
to
do
in
that
regular
environment,
right
yeah,
yep,
yep
and
my
I'm
pretty
excited
to
see
that
expand
right
with
the
work
that
piagio
and
Henrik
putting
into
those
architectures
it'd
be
good
to
see
those
build
out
as
well
right,
just
just
across
the
other
use
cases
we
do
need
to
Define
as
well.
This
is
probably
more
short
term
than
anything
else.
A
C
C
They
were
working
with,
seemed
to
be
implying
that
part
of
the
CCI
compliance
is
now
also,
you
know,
providing
type
information
about
stuff
and
so
yeah.
Exactly
that's
what
I
said:
that's
right
and
yeah,
so
I
I
hadn't,
seen
this
before,
but
I
think
some
investigation
might
be
necessary
like
do,
and
especially
like.
C
This
seems
to
be
to
me
to
be
something
that
really
would
apply
to
end
users
to
Consumers
right,
like
if
you're,
an
e-commerce
platform
and
you're
making
use
and
you're,
and
you
You
Know
You're
Gonna,
Wanna,
Know
What
implications.
This
has
for
you
about
the
use
of
Open
Source
packages.
That
kind
of
thing
so
is
so
maybe
maybe
just
something
to
bookmark
that
we
should
be
looking
at
over
next
year,
yep
and
and
as
as
a
as
a
coordination
project
with
s-bomb
everywhere
work,
Street.
G
So
one
thing
that
I
can
add
that
might
be
useful
is
right.
The
s-bomb
consumption
tools
have
really
lagged
well,
understandably,
right
because
no
one
has
piles
and
piles
of
s-bombs
and
so
I
think.
One
thing
that
this
group
could
do
is
say:
hey
what
do
we
want
in
some
s-bomb
tools
so
that
right,
folks,
who
are
building
open
source
or
dare
I
say
building
proprietary
products
could
say
you
know?
Okay.
G
G
What
we
want
to
move
to
a
world
is,
when
people
give
you
software
or
when
you're
using
outside
software,
open
source
or
proprietary,
we
want
to
encourage
one
them.
Why
would
you
buy
from
someone
who
couldn't
tell
you
what
they
had
or
use
something
that
you
couldn't
do
that?
But
then
what
are
you
going
to
do
with
it
to
to
contribute
to
your
risk
management
right?
So
it's
it's
now
software
that
you're
using
so
it's
your
responsibility
and
so
integrate.
G
What
are
some
of
the
existing
security
tools
that
you
have
that
you
can
fit
in?
Does
that
make
sense
all
your
exist?
Your
asset
management
tools,
your
vulnerability
management
tools,
your
cmdbs,
your
data,
Lakes,
all
that
stuff
that
you
already
have,
and
you
guys
already
pay
a
lot
of
money
for
how
can
we
say
we'd
like
you
to
also
integrate
s-bop
data
into
it?
Does
that
make
sense
as.
F
E
E
A
Just
just
adding
to
that
I
I
think
that's
that's
one
we
should
definitely
put
down
is
sort
of
an
Outreach
right
is
I
think
we
discussed
it
at
a
previous
meeting
where
we're
trying
to
put
together
as
a
group
some
documentation
to
show
end
users
what
to
do
and
to
sort
of
get
together
as
members,
but
there's
I
think
even
within
our
Charter,
it
actually
suggested
there
was
an
Outreach
component.
We
should
be
talking
to
the
the
Auditors
and
trying
to
help,
inform
or
provide
pointers
to
as
you're
saying
Jack
to
look.
A
This
is
this
is
the
level
of
maturity.
This
is
the
state
of
the
art.
Don't
necessarily
you
know,
audit
on
the
absolute
bleeding
edge
that
we're
just
still
trying
to
figure
out
but
take
a
look
at
some
somewhere
else.
I
think
that's
a
great
point.
We
should
perhaps
put
sort
of
underlying
for
for
next
year
to
see
how
we
can
make
those
connections
or
strengthen
those
connections
to
provide
the
input.
Yeah.
That's
a
great
one,
yeah
one
of
the
things
I!
A
Guess
it's
more
of
an
observation
than
something
I'd
like
to
look
I
suggest.
We
look
at
next
year
is
I've
heard
from
a
number
of
members
of
the
group
that
we're
talking
to
a
lot
of
other
Enterprises
and
end
users
and
consumers.
Huge
numbers
of
them
and
trying
to
you
know,
work
in
sort
of
a
network
and
bring
people
back
to
this
group
and
we're
having
a
lot
of
these
conversations.
A
Whilst
not
everyone
is
coming
back
to
this
group,
we're
still
having
those
conversations
next.
Only
so
I
wonder
if
we
figure
out
a
way
of
trying
to
bring
that
conversation
back
to
here,
or
at
least
report
upon
it,
so
that
it's
not
you
don't
have
to
be
in
this
group
to
necessarily
apply
and
provide
input,
but
we
can
put
together
documentation
or
feedback
to
say.
Look
I
just
talked
to
17
different
car
manufacturers
about
s-bombs
and
supply
chain
material.
A
This
is
kind
of
what
people
were
saying
and
just
bring
it
back
to
the
group,
because
I
think
we're
missing
that
little
element,
whilst
there's
only
sort
of
15
20
of
us
in
this
group.
We're
actually
talking
to
like
a
couple
of
hundred
there's
a
lot
of
information
that
I
think
we
can
share.
Bi-Directionally
and
perhaps
use
it
and
bring
it
into
this
group,
we
want
to
make
sure
that
you
know
maybe
I'm
talking
to
someone,
and
you
know
maybe
someone.
D
D
So
if
this
group
has
materials
like
we
want
to
educate
people
on
s-bombs
or
how
to
incorporate
open
source
in
a
regulated
environment,
this
group
can
help
jointly
kind
of
create
those
materials
and
the
Sig
can
make
that
part
of
our
pipeline
as
we
blast
it
out
through
a
couple
different
medium.
So
that's
a
future
opportunity
for
this
group
to
collaborate
with
over
there
in
the
education
group.
A
Raised
my
own
hand
and
lower
it
again,
but
you
know
what
I
I've
started
to
already
think
about
New
Year's
resolutions,
and
one
of
them
is
going
to
be
I
I.
Just
I
personally
need
to
figure
out
how
to
work
together
more
closely
with
the
other
working
groups.
You
know:
we've
got
together
as
a
group,
the
list
of
the
working
groups
we're
supposed
to
going
out
and
working
with
and
Reporting
backup
on
I'm,
just
not
earmarking
enough
time
in
the
day.
To
actually
do
that.
A
D
To
that
point,
there
is
a
group
of
people
within
the
foundation
that
is
working
to
kind
of
document
everything
that's
going
on
all
the
activity
across
the
foundation.
It's
the
diagrammer
society.
We
have
posted
several
different
styles
of
diagram
to
help
showcase
different
views
of
what
the
foundation
is
doing.
D
We
recently
had
a
member
make
a
mind
map
where
he
went
through
all
of
the
existing
documentation
for
every
working
group,
Sig
and
Sif.
So
that's
that
mind
map
file.
So
if
you
want
to
take
a
look
at
that
and
if
you
were
interested
start
to
improve
your
list
of
who
you
want
to
reach
out
to
and
what
everybody's
doing,
that
would
be
a
good
starting
place
if
you
have
a
Apple
device,
we
have
that.
D
Actually,
that
mind
map
file,
you
can
load
up
in
a
mind
map
program
on
Apple
to
kind
of
dive
in
and
it's
all
hyperlinked.
Otherwise,
if
you
don't
have
that,
you
can
look
at
the
pit
the
Ping
file,
but
that
might
help
inform
activities
in
the
future
and
kind
of
help
show
where
we
might
add
value
or
want
to
start
to
encourage
collaboration.
A
D
So
everyone
is
welcome,
we'll
be
setting
a
formal
call
for
comments
for
the
best
practices,
working
group
and
the
education
Sig
starting
this
week
for
two
weeks
and
then
we'll
push
it
up
to
the
tack
for
a
two-week
comment.
Everyone
is
welcome
to
participate
on
that
and
we
will
probably
go
over.
Ask
do
our
little
dog
and
pony
show
to
the
governing
board
sometime
in
January
the
OSS
cert
Sig,
which
may
be
of
interest
to
some
of
you.
Since
you,
many
of
you
are
consumers
of
Open
Source.
D
There
is
another
funding
proposal
to
create
a
dedicated,
open
source
security
incident
response
team.
That
plan
has
already
been
shared
with
the
TAC
I
can
point
you
to
the
issue
there
in
a
minute
medicine
that
is
open
for
two-week
comment
and
then,
ideally
I,
don't
think
we'll
squeeze
it
in
before
the
end
of
the
year,
but
we'd
like
to
get
that
on
probably
the
first
governing
board
docket
next
year
for
funding
for
consideration.
A
I'll
go
so
I
I
attended
the
LF
energy
working
group,
Linux
Foundation
Energy
Group,
and
gave
a
very
small
presentation
about
the
end
user
work
that
we're
doing
in
supply
chain
in
general,
pretty
well
received.
There's
a
couple
of
energy
companies
that
reached
out
afterwards
for
a
bit
more
detail
on
just
the
issue
at
hand.
A
They've
got
a
full
book
of
work
that
is
not
at
all
supply
chain
related,
so
they're
often
doing
that.
But
one
of
the
things
that
did
did
stick
with
me
is
in
the
conversations
afterwards
they're
looking
at
a
very
different
area
of
supply
chain
security
than
we
are,
which
probably
makes
sense,
I
know
deep
insight
into
energy
sector
at
all
really,
but
whereas
we're
looking
at
it
primarily
I
guess
we're
looking
at
the
vendor
work
we're
looking
at
the
open
source
work
that
could
be
vendor
or
bespoke
software.
A
Clearly
they're,
looking
at
massive
infrastructure
that
has
software
within
it
as
well.
Huge
Transformers,
multi-million
dollar
type
thing,
as
opposed
to
something
you'd
get
on
a
download
over
the
Internet,
so
different
layer
slightly
different
challenges,
but
the
sound
of
it,
but
definitely
connected.
So
a
couple
of
interested
parties
from
over
there.
A
All
right
so
I'll
request
that
we
cancel
next
week
because
yeah
22nd,
there's
there's
limited
chance
of
that
and
go
for
the
fifth
well,
very
good
all
right.
Thank
you
very
much.
Everyone
thanks
for
your
input
and
I,
think
let's
have
a
great
holiday
season
and
let's
get
this
proposals
going
next
year
and
work
with
the
other
working
groups.
Thanks
a
lot
cheers
everyone
bye.