From YouTube: End Users (July 21, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
B
Oh, on the doodle, you mean.
B
No, I don't recall, actually. That was days ago. I barely remember what I was doing yesterday.
A
I know that Jack can't make it, but I was wondering if Noor was able to make it from Spotify.
B
Noor is apparently available at this time. Excellent.
A
Hello Noor, are you able to hear us?
C
Yeah, I'm in Jersey City. I work in New York, but I work from home mostly, so Jersey City. What about you all?
A
West coast, yep, so we spread far and wide. So I'm in London, Vicki's on the west coast, and one of our other participants, Jack, is hopefully not diving in because he's in Perth.
A
Should we post the... I'll post a link to the document again, so we do have a document with notes.
B
Yes, please sign in. Let us know who's here.
B
All right, well, who would like to be the scribe today and take notes?
A
Hey, Munowar, I'll also help and dive in and maybe add a few points as you go, if that's going to be helpful. Sure.
B
Thanks. All right, there are notes already stubbed out in the doc to make it easy to see where we're going and stuff. So, new friends: I believe, Noor, you're our only new friend today. Hello, you want to say a little about yourself?
C
Hi, my name is Noor, I'm a security engineer at Spotify. A lot of my focus over the past months has been open source security and supply chain security. So I'm very happy to be here with this group to talk about these topics, and yeah. I'm also here today to talk a little bit about the end user community proposal that we put together at Spotify, which is, yeah, very similar to all of this, it has a lot of similar content to a lot of the talks that others have been giving, so I kind of wanted to merge.
B
Okay, well, the next thing on the agenda is to finalize the mission and goals, which are in a document in Google Docs. Let me drop that link in the chat, and because we've got Noor here to talk about the Spotify end user thing, I don't think we should spend too much time on this document.
B
We can work on it more or less asynchronously, but this morning I went through and took the information that we had previously kind of drafted very roughly. Well, I can even turn on my video, so keep consuming, there we go. And I went through the things that we had drafted and put together a succinct mission/goal sort of thing in that document for us to iterate on, so rather than spending a lot of time on this call wordsmithing this...
B
I would recommend everybody go to this and switch to suggestion mode rather than editing mode and then make whatever changes you need, and we can go from there. And, of course, add comments if you would prefer to do that. And some of the things that we might come up with after hearing what Noor is doing may end up being reflected here.
A
And I think, just from my couple of reads of it, I think that the goals in there, the three bullet points, sort of hit the main points I was sort of looking for when kicking off this group in Austin, or whenever it was. So good to see you in the element there. It's great to see your document and see how that sort of augments that, right.
B
Well, we have then on the agenda: the next thing is for Noor to fill our heads with knowledge.
C
I think a lot of the knowledge is already in all of our heads; it's just about kind of finalizing it and contributing back to one document. I think it makes sense to contribute to the group's document and bring whatever we have put together as Spotify into one final document that we bring to the program manager.
C
But what we have done, and this goes back to April, is outline a lot of what I see in the document that you just referenced. So, things that we needed... well, we got, we started. We joined OpenSSF in February, we started looking into threat modeling our environment at Spotify, and started our thoughts around all of the OpenSSF offerings.
C
So we are also members of organizations like CNCF, for example, and we have had a lot of value from having an end user community there, building something like a tech radar, which I totally see us doing in this group for the OpenSSF offerings. What are we using? What are we not? What are our pain points?
C
So that's the first point: we want to make sure that we are able to cross-pollinate, in fancy terms, and discuss all of these points with other members, other end users, members or not, I guess now. The other point that we wanted is that we wanted to have a more official way of, like, we wanted the channel to be able to say: okay, now we have talked about this, we have come to certain conclusions, now...
C
How do you bring this back to OpenSSF's end users? And what we are suggesting here is having the program manager, Brian, be our channel, and that's something that we'll see how it kind of evolves.
C
It could be that this working group has, let's say, co-leads, colleagues that bring them up in a more official way, but we basically want to formalize an official channel for us to bring the good and the bad, and just how we are using those products, back to OpenSSF, and I think that this will provide a lot of value to OpenSSF, to the other working groups. So that's kind of it. That's like the butter of it, as we say back home, of what we are proposing.
C
So initially, you can see at the top of the doc that I updated it to say that this does not have to be just for members, because when we were initially thinking about this, we thought it makes sense for it to be a member community.
C
What we do care about is that the topics are end user topics, and I think that's a very important thing to define in our final document: what is an end user topic? So that's something that I'll make sure that...
C
So therefore, companies like us are not necessarily the end users, so kind of aligning on what we mean by end users and also what we mean by an end user topic. Since we are open, what we are saying right now is that we don't think that it has to be members only, as long as the topics are end user topics. We do need to align on what those mean.
C
So that's something I'll take a step on and, of course, I'd love to hear everyone's thoughts on it, because right now in the proposal we say who's an end user, and I think it makes sense to kind of shift a little bit into what is an interesting topic, yeah. And then we see this as benefits to everyone, both OpenSSF and the end users and its members.
C
Like I said earlier, we think that OpenSSF should absolutely be marketing this, because one of the things that we noticed when we were starting to join OpenSSF is that a lot of the member perks were more like coming from a marketing perspective as opposed to a technical perspective.
C
Of course, all of the offerings are the technical perks, but we wanted something like this, like this community that we are kind of naturally forming right now, where we get to talk to others and really share ideas and brainstorm and kind of elevate the security of all of our products together. And, I would say, that's pretty much it at a high level.
C
One thing that I'm curious to hear from this group is what we think about what "community" means, because initially I was thinking about it as kind of fluid, like whatever kind of comes out of it, but it could be something like a working group, and I've heard other options as well. So I would be super interested to hear more about that from this group, and if you have any questions about anything that I said, please let me know. It's awesome.
A
Well, first of all, from my perspective, I think a lot of what you say just really resonates with, you know, my perspective. It's been a long time that we've been talking to Brian and some of the other community, highlighting that, look...
A
You know, we're really looking to participate in the community, in the OpenSSF. Really like the mobilization plan, really like the individual working groups, but as you're saying, it's that end user voice that seems to be missing.
A
I'm not going to intentionally define what that means, but it's kind of missing a little bit, and I think the benefits to the community, from an open source security perspective and supply chain, just in general, of actual end users and consumers, is something that I think would really benefit the ability to focus some of our directed efforts for where the bigger impact is going to come.
A
If we look at it from a sort of end user or consumer perspective, and when we think about it from an executive order standpoint, you know, really focusing on how to address the needs of sort of critical infrastructures.
A
Those usually are sort of fairly heavy end users of open source software, but it is a range, right, from the huge critical infrastructure right down to others using software. So I think, from my perspective, and that's why, in the other document, those three goals sort of resonate and pick this up.
A
It's getting that voice, that clear, distinct voice, into the OSSF and showing what the use cases are for people consuming open source software, and just providing that as a benefit to the community. In terms of community...
A
You know, I think, looking at the different working groups and being an open source sort of way, I kind of like the idea of being relatively flexible but anchored back to those core goals within an appropriate governance model. Because often we come from like a big enterprise group, and it's all formalized, and it's, you know, huge amounts of documentation, process, paperwork and all sorts of stuff.
A
It just often gets in the way, just in my personal view, but I think a lot of the open source projects within OSSF are starting to mature, and I know one of the points later on is to talk about some of the work we're doing talking to Brian about the governance model. I think that still has quite a way to go, but I think it would mature as we sort of progressed, just with OSSF in general.
B
That's part of here as far as community: while the OpenSSF governance model is still taking form, the rough...
B
And so we should make sure that we are aligning to that, which means that we should become a working group like the rest of the really targeted groups within OpenSSF, and there is a process for becoming a working group. So that's...
B
That's something that we will have to resolve after we have had five meetings. This is our third meeting, which is why we are working on, in the other documents, all the kind of the mission, just the really...
B
Pitch, that we need to make sure that we are all on the same page and we know where we're going and why we're going in that direction. Hence the goals that Jonathan mentioned earlier that are listed there.
B
We did a lot of work on that in the last call, but we need that in order to become a working group, as well as having our five calls. And then I think some of our first calls, once we get kind of the shape of the group down, which I believe a lot of your document will inform, and are probably... I haven't, I will confess, I haven't read it all.
B
I suspect we've talked about a lot of the things that are already in that document, but because we're looking for the elevator pitch, they got edited out. But I think some of our very first deliverables will be to figure out: how do we interact with these other groups? How do we ensure that there is representation, end user representation, in the TAC, in the board, in the other working groups in particular, because that's where the primary, where the majority...
B
...work is happening in OpenSSF, is in the working groups, so we need to make sure that the end users have some say there and are able to, you know, raise our hand and say, hey, this is going to be really difficult for us. It might be easy for you developers, but for us it's going to be a problem, that sort of thing, raise a flag. So that's going to be really important.
B
There is some cross-pollination, but in general they're able to work on their thing and then report back, whereas this working group is very much a horizontal rather than a vertical, and that is going to be considerably different as an operating model to anything else within OpenSSF. And I think we need to keep that in mind, because while we do fit into the working group mold, we don't really necessarily fit into some of the other molds, and that's another place where our voice needs to come in.
B
To make sure that as OpenSSF does mature in its governance and other modes, it is flexible enough to support that horizontal reach that we're going to need. Now, shut up now.
C
Now, that was really helpful, because it's something big on my mind, this, like, channel of giving back, or like giving whatever we come up with back to OpenSSF.
C
Is there anything in place right now for this, or any thoughts that this group has talked about?
C
Yeah, what does it look like to be a horizontal working group? What is the communication model? Are we expecting, I don't know, some of us to get planted, for example, in other working groups, or is there a more official...
B
Yeah, I think that's something where we will need to make sure that we have dotted that i and crossed that t, right, and make sure... and are we, do we need to have representatives in every working group? We...
B
Have the right... so Eric and I participate together in nearly all of them already.
A
Right, so we can do that anyway, there's no... We don't need to seed or inject ourselves into something. It's literally we just turn up. But I think, yeah, what might be beneficial is, as we're looking at the different goals and we've identified kind of the focus areas we see from a consumer or an end user perspective, we could target working with, or making sure that we do have representation that regularly turns up to, those working groups.
A
The one area that I think it may be worth exploring as we're talking to Brian is to get representation into the TAC, or at least a dotted line into the TAC to highlight, but all things being equal, this is sort of an end user view, right. It just gives that sort of sounding board from how people are potentially going to use the technical capabilities from the TAC. This...
A
This would be something that would be useful input into a technical decision, but I think that definitely needs to be sorted out and discussed openly with the governing board and the TAC as part of the governance work that's still ongoing.
B
Yeah, that's something that is already... If we become an official working group, then we get that for free, because working groups report into the TAC directly, and the TAC meetings are wide open. Anyone can attend and participate. I'm not a TAC member, but I do participate in TAC calls and I get invited to TAC tiger team calls and things like that.
B
So I think just by nature of our membership already, we are getting some cross-pollination. So Eric and I in particular... I'm not sure where Munowar is participating, but we are already participating in a large number of the working groups.
B
Eric's team is on a large number of the projects, so we are already starting to get that, but we need to make sure that it's intentional rather than incidental, right, and we have some sense of where we wish to prioritize our efforts and see whether there are synergy points where we can come together, for instance with the Best Practices working group. It's working on stream one, the education stream from the mobilization plan. Education is something that I think will be very, very important for end users.
B
So how can we make sure that that is represented in any sort of materials that come up in stream one, the education stream? So we can educate end users on the fact that you are using these things in your software supply chain.
B
Here's how you raise awareness, here's how you can become aware of anything that might require changes, right, how you can update things, how you can get notified. And that's something that I think the end user working group will be very, very keen on, to make sure that our voice is heard there, rather than simply targeting education at developers, which is obviously very, very important.
B
But there's another aspect, right, and that's already somewhat being discussed, the different use cases within the education, so that is being considered, but it's just starting out. So this is the perfect time to make sure that we can have representation there and our voices heard right at the beginning.
C
Yeah, the aspect of intentionality is kind of where my head was at, because I know that we can join the working groups, but I feel like just by saying that, or just by knowing that, it would not be enough to really share our insights. But one thing that popped into my mind is that maybe, in addition to figuring out how we can intentionally go about it in terms of actual representation, of being in those working groups, maybe it's...
C
It could be some artifacts that we produce. So the tech radar was something that I mentioned earlier. It's just the thought that we can now talk about what that really means for this group, but if we all say that we have these pain points with Security Scorecards, this is why I cannot use Security Scorecards in production right now, then that could be something, plus like the many other frameworks and so on that we have. Here's why?
A
One of the things I keep falling back on is effectively sort of an architecture, a threat model highlighting the focus areas that we need to look at from a consumer's perspective, how that maps then to the OSSF working groups, and allows us to then focus in on the particular ones that we would intentionally want to inject ourselves in on, providing that feedback that, look, you know...
A
We've tried to use the OSS Scorecard, it's great, but it needs these additional things, and then contribute that back, right. And I think by centering on the use cases that we have as a combined group of users, we kind of formalize that and just put that written down on paper, because I think, from my conversations with different, you know, end users and consumers, we're not all the same, right.
A
We do have slightly different views on things, and we have different industries that have different requirements, right. But I think if we start to document key use cases of how people are using open source software, using and securing it, and how that then intersects with those OSSF working groups, we could start to tease that out and highlight: look, that's why we're on the Best Practices group, that's why we're on the Integrity group, and sort of link that back to the outcome that we'd expect.
A
I think that's really a key goal, and it should just align how we're trying to help, assist and influence those other groups.
A
Are there any groups, Noor, that you specifically singled out from your sort of investigations over the couple of months, where you believe you want to lean in, or it would make sense for Spotify to lean in?
C
Well, definitely the Integrity one; everything supply chain integrity is something that is important to us, and then the Best Practices as well, kind of have been keeping an eye on it and seeing how it grows.
C
Also, I forgot what it's called, but the one that is securing our repositories, definitely keeping an eye on that. All the best practices that are coming out of it for npm and others is something that we're keeping on. So those come to mind at first, but we are kind of expanding beyond that and seeing what all the, you know, as we evolve our strategy and implement on a lot of pieces of it, we'll probably look at other working groups as well.
A
It's similar, very similar product, but I think it was Vicki's point that my view is more holistic, in that it really is sort of end-to-end, looking at it from a supply chain perspective, and therefore, you know, when you start to map that out to that architecture, you start to pick up that...
A
Well, there's actually gaps that we don't have a group for necessarily, or a capability, that just isn't even being discussed really yet, and that's why, you know, we're starting to build out open source projects that we're gonna either just open up or donate to fill those gaps, or at least raise people's awareness to them.
A
Because, again, if you look at it from a maintainer, or, you know, someone like ourselves that are in the open source community creating a lot of it, that's different to when someone is actually going to consume it, and there's gaps that people need to fill when you're starting to ingest that software and validate it's going to work, right. It's more than the SBOMs and VEXes and metadata they ingest.
A
I don't know, I'm talking a lot, but the other one I'm really passionate about is that communication back, right, is that for other end users, consumers, whatever it is, it's not just education on, you know, what secure is and how to securely write the code, but it's how to secure your supply chain and provide those guides. So I was involved in authoring the CNCF best practice guide, where we started out with a best practice guide for supply chain security.
A
But I think there's more, there's a bigger corpus of data and code that would make it easier for other consumers to follow us, and I think that's kind of where my head's at.
C
A communication channel with Brian: Jonathan was on it and he was very happy to bring this forward, assuming that we all align on whether it should be public versus members only, and what I brought up at the beginning of this call is that we are not really tied into it being members only. What we care about is that the topics you want to discuss are being discussed, and it can totally be in an open forum.
C
So I think, since we seem to be aligned on that, I'll make sure to add our thoughts into this one document and give some thoughts on what this horizontal working group can look like. Like I said, I'm thinking kind of on the artifact level, producing certain artifacts that others look at, and kind of hearing back from Brian and what he thinks, and maybe others as well on what they think. That's kind of how I've seen the next steps be, and let me know if there's any next steps that you think we should be doing.
B
I would like to counsel that we keep the conceptual and the detailed implementation separate in that document. I just added some notes there. There are comments that I've added in the past about, you know, deadlines and deliverables and things like that, and yes, we need to figure those out, but those should be separate from the actual mission statement and overall goals and kind of philosophy of the group.
B
So we should certainly document them, and those are things that we will get into our repository once we are a working group and can get one of those. But in the meantime, capturing them in some way in the document will allow us to move them over into the repository once we have it. Just an operational sort of note that we should keep in mind. So yeah, other than, you know, just everybody's homework to asynchronously work on that again, please try and do it in suggestion mode if possible.
B
I know I myself always forget to do that, but it's kind of like forgetting to branch when you're working on a new git repo. It's like, oh man, and then you've got to go do all that cleanup. So the next thing on our agenda, and I think we're actually at a good place to move to this, is updating on... it's Jonathan: next steps for the group following your discussion with Brian.
A
So I think we touched on chunks of it already, actually. So there's the communication kind of channel that I got cc'd in to with yourself now, and I think that it was really to raise that document and Spotify as additional members to the group. And I think the only thing that, you know, we resolved that stuck out to me was the private lean versus the public, and I was very much pro-public, and I think that's discussed now and then we've straightened that out.
A
So I think that was one initial thing we had to pass. I think that's in good shape. I think the second part, Brian was trying to figure out where this sits, whether it was a working group or whether it sits within an existing working group, open for discussion. My view is it would be a separate working group, because just looking at the others, it doesn't quite fit, in my view, within one of the others.
A
Now again, I think we have very committed members. Obviously, I would already say that, because we're the first people here anyway, but it is frankly part of our day jobs to actually push some of this stuff forward. So I think we could probably allay some of the fears there. Now, in terms of the actual governance model, it is, you know, forming, but it is still very much in flux.
A
The best sort of counsel we've had so far is that, you know, it's the five meetings and then make that proposal, but I think there's still a little bit of play going on at the moment to try and nail down exactly the right governance model, or some additional documentation that came through last week.
A
So I think we can expect to, you know, continue with this approach with the next couple of meetings and then sort of make a push to the TAC, give people a little bit more time to formalize the governance model, because it's not quite there yet. That's really my update: not quite there yet, but I think we're heading in the right direction to meet them when they get there.
B
Yeah, it's not, but I think it's close enough that when we hit our five meetings we're not going to have any problem whatsoever saying: hi, look, we've got all this corpus of stuff that we've been working on, and here's the trajectory we'd like to take moving forward. We've got a very strong story for becoming a working group, and I don't think we're going to have any problem with that.
B
As a matter of fact, Jacques, whom we all know is off in Perth dreamland right now, he's one of the initiators and one of the leaders of the repository working group, which is the newest working group before us, and Eric and I were near the very start of that, and we're following a very similar trajectory. They became a working group. I don't anticipate we'll have any problem with that, so I certainly wouldn't bottleneck us on the TAC and their seemingly endless bikeshedding.
B
At the moment on many cases, but that is something that I don't think we should have to worry about. I think we'll be in a really good position to be an official working group, and, like Jonathan said, we don't fit anywhere else, and our mission really is kind of an umbrella sort of thing in that horizontal way.
B
So it does make sense for us to become a working group, and that is the trajectory of the governance model for OpenSSF: it's for things to primarily be in working groups, and then projects under working groups, and SIGs. Those are the three things. We're certainly not... if we're not a project under a working group, well, by default that makes us a working group. So if nothing else, it makes sense in that way, but it also just makes sense logically, looking at what we would...
B
...want to do and the scope of groups here. So yeah, I think there's a lot of good stuff that we'll be able to get done without having to wait on the TAC to really completely finalize stuff.
B
Yeah, which is you again, my friend. Full disclosure: I have to leave like five-ish minutes early for my next call.
B
Munowar, by the way, thank you for all the great notes you've been taking. I really appreciate all the work you're doing over there. So the next topic is thoughts on taxonomy for supply chain attacks, white paper and threat model.
A
Yeah, lots of words, right. So basically, one of the goals that I keep sort of focusing on is to try and provide those use cases, so it gives us that sort of north star about what we're actually trying to satisfy, and when we're talking to people, it's like, here's the why. But also, to put that in context, I think it's useful to have an architecture, an abstract architecture, which I've written and published, but also shows people, look, in an abstract sense...
A
This is what an enterprise would look like, these are the use cases we'd need to apply to that. But to define which use cases we want to go after, it'd be useful to then look at historic supply chain exploits, or even just think through some of the exploits we are concerned about, or some of the vulnerabilities we're concerned about, and then we can go and then look at the mitigations to those vulnerabilities.
A
Now, when you start down that path, though, it starts to get very abstract and very sort of wishy-washy, and one of the things that I really like to do is start to look at it more in risk terms and try and quantify that risk. So, by good fortune...
A
Actually, my colleague Jacques presented parts of this last week, the last session, around seer and the ability of really looking at trying to quantify and measure the cyber security risk for the supply chain. And one part of that is really to look at a body of experts, give them effective training on statistics, basically, and allow them to try and figure out how to measure the risk. Now...
A
What I'd like to do is take that, but then apply that to a threat model, and that would give us a better understanding of where we see the risks coming through that threat model, so that we could then help with those use cases and then give us better direction. Now, the reason I'm bringing up the taxonomy is that when you start to do all that sort of stuff, you need to be talking about...
A
...the same thing, and you need to start to put those exploits, those sort of vulnerabilities, into the appropriate taxonomy so that you can start to opine about it, and without that you just start, you know, wandering around in circles. Now, there's been a really, really good paper. I think it was this year, was it? I think it was in April this year.
A
I am gonna try and get a link. No, I'm not, because that isn't... that's my local drive, but it is referred to as... tell you what, I might just type the name of it in here, and you can probably just copy it, but it's the Taxonomy of Attacks on Open Source Supply Chains. Brilliant paper. Software supply chain, software...
A
This is a very good question. I'm gonna have to... I'll provide the resource for it.
A
Thank you, if you wouldn't mind. Great paper. I'd recommend people read it, but what I was trying to suggest is that, if as a group we agreed to it, read that taxonomy, but when we're actually thinking... thank you, Vicki... but when we're thinking through, talking about our exploits and how it pertains to those use cases, it's useful...
A
...if we look at that taxonomy, because I think every exploit I've seen is wrapped up in it, and I think it will really make our case much easier to quantify: we're using the same taxonomy, we're showing the same use cases, we've mapped it to a threat model, and therefore we're going after those particular focus areas, or showing that there's a particular gap, or attending a particular working group. So really my ask is additional homework for people, unfortunately: read that paper and ingest it.
A
Does anyone... it sounds like, Vicki, you're familiar with that paper.
A
I believe, don't quote me on that, Henrik Plateau, or Plate, it's from SAP, but they've put together an interactive attack tree that shows you the different exploits from the supply chain perspective, and it's very, very useful when we think about supply chains and where to focus our energies. So that's it, just please take a look at that if it is of interest, and my vote would be for using that as sort of an official taxonomy as we're starting to reason about where to look.
B
I'm a big fan of reusing someone else's taxonomy rather than reinventing the wheel. We were just talking about something similar with SPDX earlier today and making sure we're reusing the NTIA taxonomy for SBOMs rather than, as someone actually proposed, coming up with our own.
B
Excellent, I love that, and yay, homework. The homework is listed in the action items in the notes, by the way. So, if you forget what you theoretically were volunteered to do during this call, you can always go back and look at them there. Any other business for this call today?
B
At the moment it's been weekly-ish, but it's also the summer, and so people have been gone, so I probably will send another doodle. By the way, I will not be the person who always does this. I'm just doing it right now to make sure that it actually happens, but I will send another doodle, probably on Monday, because I'll be pegged today and I'm off tomorrow.
C
Yeah, sounds good. I wanted to just say that I also have colleagues in Sweden that I'd like to loop in on this, and so we're kind of starting to spread out time zone wise, I guess. It'll be interesting to keep an eye on where we are all located. Maybe we start to make it sometimes, like, early morning EST, sometimes more afternoon, and so on, so that if people can't join every single meeting, they can join every other one or something like that. Just be mindful of that.
B
Yeah, well, the doodle and everything will end up in the end users channel. So, if you're not there, please join there, and have your colleagues join, and we can have conversations asynchronously as well.
A
No, I think that's great. I think it's a great point. Sadly, I'm gonna be out on vacation again the week of the first. I'm around next week, but out the following.
B
Okay, but we'll figure it out if we're not available. I will try to do the doodle for two weeks out, like, not available for only one week but two weeks, and then we can see what works for the most people.