►
From YouTube: End Users Working Group (February 16, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
B
C
B
A
B
A
B
B
B
B
D
A
A
D
B
F
B
D
D
B
D
B
All
right,
why
don't
we
get
going
first
thing?
If
you
see
my
head
going
back
and
forth,
it's
not
because
I
have
a
nervous
tick,
but
because
of
the
fact
that
our
security
team
allows
us
to
view
Google
docs
on
our
work.
Computer,
but
I
have
to
keep
my
personal
computer
open
if
I
want
to
edit
Google
Docs.
B
B
G
H
G
C
D
I
B
B
B
C
Yeah
there
was
I
took
an
action
last
week
to
set
up
the
start
of
some
issue
templates
in
the
repo
and
I
never
got
the
required
access
to
do
that
so
I.
If
I
I'm
happy
to
do
my
action
but
I,
just
don't
I,
don't
have
whatever
the
required
access
level
is
into
this
repo.
So
if
somebody
can
do
that,
that
would
be
great
I
could
do
my
action.
B
C
C
B
H
Yeah
I
had
an
agenda
item
that
I
just
stuck
in
there
within
the
last
five
ten
minutes
so
and
a
couple
of
the
other
working
groups
and
Sig
meetings.
We've
been
going
over
and
I've
mentioned
this
a
couple
of
times
before
over
the
last
few
months,
but
with
the
taxonomy
updates
done
in
this
particular
working
group.
H
H
H
We
can't
effectively
tell
that
story
if
everyone
is
speaking
with
a
different
language,
so
we
thought
it
might
be
best
to
get
everybody
together
and
then
proposing
that
here
as
well.
We
talked
about
another
signal,
the
working
groups,
everyone
seems
to
say,
hey.
Maybe
this
is
something
we
could
try
I'm
leaving
it
on
the
floor
here.
Let's
say
everyone.
B
H
H
We
could
come
in
here
and
decide
well
what
does
that
language
mean
to
us?
So
it
should
be
something
that's
kind
of
ongoing
as
new
technology
emerges
as
old
wishful
thinking,
type
of
Technology
becomes
more
realistic
right.
This
might
be
a
good
position
for
us
to
have
a
space
where
we
talk
about
that
understand
what
that
means
to
us
and
then
formalize
that
language
across
the
entirety
of
the
openness
up.
This
should
be
something
that's
ongoing.
H
B
H
B
H
You
know
what
so
I
even
thought
that
maybe
this
should
be
something
that
sits
as
a
sub
underneath
the
diagram
of
society,
because
the
diagram
of
society
is
putting
together
information
that
can
be
consumed
by
everybody
about
what's
going
across
right
across
all
the
working
groups
and
sigs,
and
everything
that
we
do
I
thought
it
might
be.
A
subcommittee
under
that
I
don't
know,
I
shrug
I
I
feel
like
that
could
be
something
that
we
discussed
in
in
an
attack
me.
H
You
know
something
at
a
larger
level:
I
don't
know,
but
I
can
put
together
a
proposal.
That's
just
the
same.
We'll
love
some
help
with
that.
But
maybe
you
know
I
really
want
to
see
what
the
what
the
rest
of
the
room
feels
like,
regardless
before
we
start
putting
that
in
the
paper
and
then
now
we're
beating
stuff
around
before.
Even
you
know
before
it
even
gets
out
the
door
and
I
apologize.
This
is
my
cardio
time
so
breathe
the
breathe.
B
I
I
A
lot
of
people
are
all
starting
to
come
up,
are
starting
to
create
some
combination
of
supply,
chain,
taxonomy
or
also
a
supply
chain,
ontology
sorts
of
groups,
and
that
sort
of
thing
might
you
know,
and
and
if
everybody
starts
inventing
the
wheel,
even
if
let's
say
the
open
ssf
has
their
understanding,
then
the
CD
Foundation
is
going
to
have
a
completely
different
one.
The
cncf
is
gonna,
have
a
completely
different
one,
and
so
anything
we
can
do
as
like
sort
of
you
know.
I
More
broadly
would
be
super
useful
and
then
I
think
the
other
thing
wanted
to
bring
up
real
quickly
and
I.
Think
it
might
have
been
brought
up
in
a
previous
meeting.
I
was
looking
through
the
notes,
but
there
has
been
a
couple
of
papers
on
folks
who
have
actually
taken
work
from
the
openssf
cncf
and
so
on
and
actually
generated
a
taxonomy
out
of
it
and
so
maybe
sort
of
not
suddenly
blanket
adopting
it
but
sort
of
saying
hey.
E
B
E
B
A
H
E
B
F
Oh
I
just
wanted
to
jump
in
real
quick
with
a
trivia
Point
Mikey
was
saying
earlier
that
we
should
look
at
the
software
taxonomy
paper
and
talk
to
the
researchers
they're
here
already.
That's
that's
something.
That's
been
been
discussed
and
has
been
worked
on,
so
you
have
an
excellent
intuition.
I
think.
B
All
right,
thank
you.
A
couple
items
I
wanted
to
see.
If
anybody
has
read
it
came
out
a
few
weeks
ago
by
the
Atlantic,
the
council.
They
do
some
some
good
stuff
here.
It's
called
avoiding
the
success
trap
towards
policy
for
open
source
software
as
an
infrastructure.
I,
don't
know.
If
anybody's
read
that
very
long
paper,
it's
got
I've
just
gone
through
the
highlights
of
it.
They
certainly
like
analogies.
B
So
if
you
haven't
I'll
put
the
link
in
here,
or
has
it
already
been
done,
but
it's
it's
a
good
paper.
It's
got
lots
of
lots
of
interesting
information,
it's
not
a
hundred
percent
on
point
for
us,
but
it
gives
I
think
a
nice
industry
View
and
a
nice
view
of
how
we
should
be
advocating
and
what
we
should
be
advocating
towards
the
the
federal
government.
So
I'd
recommend
people
perusing
it
when
they
have
a
few
minutes.
F
F
Thank
you,
Jim
I,
also
added
that
link
to
the
notes
as
well.
Thank
you
for
that
all
right,
yes,
I'll,
plus
one,
the
the
that
people
should
read.
It
I
think
two
things
that
were
really
helpful.
That
came
out
of
it
that
were
important,
because
it's
a
document
aimed
at
policy
makers
they're
the
target
audience
two
things
that
are
very
important
to
take
away
from,
and
apart
from
the
analogies
one
was
they
point
out
that
the
criticality
of
Open
Source
doesn't
come
from
the
authors,
maintainers
suppliers?
F
However,
you
want
to
describe
them.
It
comes
from
the
consumers
and
putting
all
the
burden
on
producers
is
unfair
because
they're,
not
the
ones
who
are
capturing
the
value
and
the
other
one
is
that
they
point
out
that
there's.
This
maybe
goes
to
us
as
well.
Is
that
there's
some
somewhat
of
an
over
focus
on
open
source
as
a
security
risk,
rather
than
like.
C
F
General
Health
of
Open
Source
as
something
that's
critical
to
things.
So
we,
you
know,
we
think
about
Road
and
Bridge
security
and
water
supply
security
and
so
on.
But
we
also
think
about
all
the
other
aspects
of
water
supply.
You
know
making
inefficient,
making
it
work
smoothly,
making
sure
it
gets
the
right
places
and
the
right
people
and
the
right
quality.
K
At
that
point
makes
a
lot
of
sense
when
you
think
about
it,
but
it
seems
it
seems
to
fly
in
the
face
of
some
of
the
criticality
score
calculations
of
like
how
all
the
criticalities
sure
stuff
is
based
upon
statistics
from
the
Repository
and
and
like
that's
really
not
where
the
criticality
comes
from.
It
comes
from
where
the,
where
it's
ending
up
using
being
used,
but
we
don't
have
like
statistical
information,
that's
produced
by
all
these
large
companies
stating
this
is
all
the
pro
like.
F
There
was
I
proposed
a
while
back
I
had
to
back
out
of
it
for
time,
commitments
a
more
General
estimation
sort
of
ranking
procedure,
partly
because
of
that
that
paucity
of
of
end
data
I
think
the
purchasing
power.
The
federal
government
will
be
moving
the
needle
on
s-bombs
over
time,
because
they're
going
to
be
insisting
on
it
and
they
are
the
largest
purchases
in
the
world.
So
pretty
much
everybody
bends
to
their
will
eventually.
K
J
Oh
yeah
I
also
threw
a
link
in
the
chat
to
a
recording
done
in
January
by
csis
the
center
for
strategic
and
International
Studies.
They
had
a
a
panel
session
which
is
recorded
and
on
YouTube,
around
government
policies
for
open
source
software
and
and
talk
through
some
of
the
government
policy
aspects.
I
also
have-
and
some
of
you
may
know,
read
me
the
cause
maker.
J
He
moved
into
center
for
Medicare
and
Medicaid
services
in
their
office
at
Digital
Services
to
promote
open
source,
and
we
created
a
slack
Channel
together
when
I
was
with
lfph,
that
I
have
still
have
access
to
that.
Have
other
governments,
Digital
Services
offices,
interest
in
open
source.
So
if
we
wanted
that
as
a
sounding
board
or
invite
Remy
for
this,
I
could
coordinate
that.
J
B
I
think
one
thing
all
this
points
out
is
the
fact
that-
and
we
brought
this
up
before-
we
really
do
need
to
have
some
government
participation
on
this
working
group
right.
So
I
I
think
we
should
all
be
thinking
about
who
we
know
who
we're
connected
to
who's
who's
kind
of
relevant
to
this
topic
and
then
having
that
person
and
maybe
Jonathan
reach
out
and
and
try
and
bring
them
into
this
group.
E
Chrome
directly
to
that
we
could
talk
to
Friend
of
the
show
Dr
s
Baum
Mr
Alan
Friedman.
He
is
a
frequent
open,
ssf
visitor,
and
he
anytime,
you
say
s-bomb
enough
times.
He
shows
up
to
a
call
magically.
So
if
we
keep
saying
it
he'll
make
pop
in,
but
he
would
definitely
be
I.
Think
open
to
coming
and
talking
to
us
and
I
think
he
would
love
that
as
the
kind
of
driving
force
at
CSUB
for
s-bomb
to
may
actually
get
end
user
requirements.
E
If
we
can
try
to
find
tooling
to
make
make
it
a
GitHub
action
to
generate
an
s-bomb
at
the
end
of
a
developer's
Pipeline
and
then
it
as
they
fix
an
update.
They
automatically
is
an
action
that
automatically
barfs
out
a
Vex
advisory,
so
we
can
influence
things
at
an
upstream
level
so
that
at
least
the
source
projects
potentially
might
have
these
artifacts.
And
then
it's
a
very
big
debate
in
the
vendor.
Community
I
also
participate
in
a
group.
F
E
First,
the
form
of
incident
response
and
security
teams,
and,
unsurprisingly
many
vendors-
do
not
want
their
s-bombs
public.
So
there's
a
there's
like
two
big
camps
of
we
want
everything
public
versus.
We
want
everything
private,
so
you'll
that'll
eventually
work
itself
out.
However,
it
probably
will
first
be
to
purchasers
of
commercialized
software,
but
ideally,
through
things
like
the
foundation,
you
might
be
able
to
influence
Upstream
to
get
the
core
projects
to
have
these
artifacts.
So
at
least
people
could
start
to
do
some
of
their
own
analyzes.
J
Yeah
I'd
add
to
that
I've
been
involved
in
the
healthcare
sector's
efforts
for
adopting
s-bomb,
specifically
medical
devices,
and
that
gets
into
an
ugly
political
match
around
medical
devices
and
how
they
provide
vulnerability.
Information
to
hospitals
and
organizations
that
buy
them
in
the
first
place
and
who's
responsible
for
the
s-bomb
and
out
of
the
s-bomb
shared,
and
is
that
an
s-bomb
snap
in
time
you
know
versus
another
update
yeah.
B
K
B
That
that
was
really
an
eye-opening
presentation
for
me
when
you
think
about
this
is
a
medium
to
large
one
single
medium
to
large
hospital
that
has
to
create
that
wants
to
create
s-bombs
for
1800
different
medical
devices
for
just
that
one
hospital.
Then
you
begin
to
understand
the
complexity
of
the
issue.
We're
trying
to
address
here.
Yeah.
J
B
Yeah
all
right,
I
had
one
other
topic:
I
want
to
bring
up
and-
and
we've
actually
discussed
this
before,
as
we
want
to
continue
to
broaden
our
our
membership
base
and
actually
broaden
our
our
excuse
me
kind
of
impact
across
the
LF
and
and
the
industry.
We
wanted
to
make
sure
that
there's
a
bridge
with
Finos
and
I
think
you
have
some
good
folks
here.
For
that
conversation,
we've
got
Jim.
We
got
Rob
and
myself
I'm
on
the
board
of
Finos,
so
I
don't
know
Jim
and
Rob.
J
Yeah
absolutely
and
get
30
seconds
on
that
Andrew
I,
think
you're,
also
in
the
education
sector,
Rob
and
I
have
have
been
trying
to
commit
to
having
the
education
sick
and
this
working
group
onto
our
calendars
specifically
and
supportive,
as
as
Andrew
mentioned,
open
source
Readiness,
we
are
developing
both
a
body
of
knowledge,
around
open
source
operations
and
and
Andrew
and
Wipro
were
kind
enough
to
contribute
an
open
source
maturity
model.
That's
in
the
first
stages
of
development.
J
We
have
a
vision
for
Finos
for
Finos
members
financial
institutions
around
creating
you
know
comparable
to
like
a
cmmi
project
management,
Institute,
Etc
body
of
knowledge
of
of
core
consensus-built
activities
and
Education
and
Training
that
constitute
what
we,
as
the
membership
think,
should
be
an
open
source
program
office
and
an
open
source
activities
in
the
organization.
So
more
than
just
the
osbo
constructs
how,
from
a
maturity
model
standpoint
level,
one
through
level,
five
are
open.
J
Source
activities
done
either
talk
level
one
or
fully
integrated,
so
that
you're
proactively
using
open
source
software
for
business
value,
we're
still
in
the
early
stages
of
that.
But
it's
really
exciting
both
to
see
the
level
of
Engagement
from
the
membership
as
well
as
working
with
Andrew
and
others
here
to
to
build
those
bridges
between
specific
security
activity,
specific
training
activities
Etc
that
that
would
inculcate
a
model
that
will
contribute
back
to
open
source
for
everyone.
J
L
We're
already
consuming
open
ssf
materials,
we're
trying
to
put
open
ssf
best
practices,
badgings
on
all
of
our
projects
and
like
embody,
like
the
best
practices
that
you
guys
come
up
with
in
our
open
source
projects.
But
we
want
to
yeah,
as
Jim
says,
we
want
to
try
and
make
sure
we're
linking
off
to
all
the
good
materials
that
get
produced
by
open
ssf,
because
you
know
everyone
sees
you
as
the
experts,
but
perhaps
it's
not
completely
clear
to
ospo's
where
to
go.
They
don't.
L
This
is
literally
something
that
Andrew
brought
up
in
a
meeting
yesterday.
They
need
to
be
led
down
a
path
of
of
a
process,
and
so
we're
hoping
to
provide
that,
for
obviously
the
finance
industry,
but
through
regulated
Industries
generally
I
think
is,
is
kind
of
where
we
see
that
going,
and
you
know
we're
lucky
to
have
Jim
coming
on
board.
Who's
got
a
bit
of
a
healthcare
kind
of
slant
on
on
the
world,
so
that's
pretty
handy
but
yeah.
L
We
definitely
intend
to
try
and
attend
more
of
your
meetings
and
reach
out
to
you
and
and
try
and
make
the
links
because
I
think
yeah.
It's
it's
pointless
us
trying
to
work
in
a
vacuum
here
we
and
in
a
similar
way
we're
doing
that.
We're
trying
to
build
these
Bridges
with
the
to-do
group
as
well,
who
we
see
as
being
equally,
you
know
profoundly
knowledgeable
about
ospos
and
running
open
source
within
an
organization,
so
these
are
like
pieces
of
the
puzzle
for
us,
so
yeah.
Thanks
for
having
us
all.
B
B
C
E
Had
one
short
thing,
I've
mentioned
it
before,
where
the
vulnerable
disclosure
working
group
has
made
two
coordinated
vulnerability:
disclosure
guides
already,
our
first
guide
was
focused
on
open
source
maintainers.
Our
second
guide
was
focused
on
how
security
researchers
and
helping
them
work
better
with
Upstream
projects.
Well,
our
new
project
is,
we
are
working
on
a
cvd
guide
for
consumers
of
Open
Source,
and
we
would
patches
are
welcome
right
now.
We're
assembling
kind
of
a
table
of
contents
of
topics
we'd
like
to
talk
about.
E
So
if
anyone
has
any
feedback
from
a
consumer
perspective,
what
you'd
like
to
see
out
of
a
guide
like
that?
We
would
love
to
get
that
feedback
and
you're
welcome
to
participate.
As
that
effort
kicks
off,
and
we
start
the
writing.
We
hope
our
Target
is
probably
august-ish
to
get
the
Guide
published
so
we'll
see,
depending
on
how
much
collaboration
we
get
is
how
quickly,
without.
E
Yep,
we
have
an
issue
that
you
can,
if
you
just
want
to,
watch
it
to
track
progress
and
then
I
actually
put
a
link
to
the
the
start
of
the
document
itself
and
we'll
collaborate
very
actively
in
a
Google
Document
and
then
at
some
point,
we'll
cut
it
over
and
make
it
a
markdown
file
in
GitHub.
Like
the
other
guides.
J
Strategically
I,
don't
we're
still
trying
to
kind
of
map
out
what
would
be
like
the
four
or
five
setting
aside
the
training,
four
or
five
Publications
or
guides
to
include
in
a
body
of
knowledge,
to
immediately
reference
kind
of
around
all
things.
Security,
so
it'd
be
great
to
kind
of
have
that
as
a
short
list
and
we'll
go
ahead
and
incorporate
that
into
our
development.