►
From YouTube: End Users Working Group (March 30, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
A
A
B
C
A
That
in
thank
you
so
just
for
a
future
reference
for
everyone
in
the
slack
chat
at
the
top,
we
have
bookmarks
the
end
user
notes
and
Omission
goals,
Zoom,
etc,
etc.
All
right!
So
if
if
people
can
add
themselves
to
the
notes,
document,
I'd
appreciate
it.
Well,
let's
kick
off
so
Dan.
Thank
you
for
being
subscribed
start
with
any
new
friends
joining
us
today.
D
Yes,
so
yes,
there
we
go
sorry
a
little
slow.
This
morning,
I
had
committed
to
having
a
spreadsheet
out
I
apologize.
If
the
last
two
weeks
have
included
our
fiscal
year
end
spring
break
travel,
vacation
and
illness,
so
I
apologize
for
that,
but
I
will
get
it
out.
I
know
Jonathan.
You
had
mentioned
that
I
think
ADP
is
interested
in
participating.
That's
awesome.
D
I've
also
received
commitments.
I
thought
Morgan
was
going
to
be
here
today,
but
I
don't
see
that
they're
they're
on
the
call
I,
don't
think
Morgan,
Stanley
and
Mercedes
has
committed,
so
I'm
really
excited
about
them
them
participating.
They
are
freeing
up
the
right
right
person,
but
they
re
they
committed
last
week
to
joining
this
group,
as
has
Boeing.
So
we've
got
some
other
some
other
high
regulated
industries
that
are
joining
so
I'm
really
excited
about
that.
D
D
But
what
I
found
out
at
the
last
second
literally
four
hours
before
the
deadline
is
that
any
and
every
panel
presentation
must
have
a
female
participate
and
also
someone
from
a
a
you
know,
kind
of
a
underserved
class
and
so
I
didn't
have
all
my
panelists
committed.
So
I
kind
of
rewrote
the
presentation,
as
as
a
presentation
on
on
openssf
end
user
activities
with
Jonathan
and
myself,
and
that
was
accepted.
Also
so
I'm
excited
to
do
that.
But
I
would
still
like
to
see
if
we
can
turn
it
into
a
panel.
D
So
I
am
so
Jonathan
and
I
are
kind
of
reaching
out
we'd
like
to
find
out
if
there
are
going
to
be
any
female
attendee.
These
are
participants
from
this
working
group
being
at
or
in
in
person
at
the
event
in
Vancouver
or
if
we
can
Network
within
our
organizations
to
try
and
find
someone
who
can
participate.
A
To
me,
I'll
be
should
be
in
Vancouver.
Obviously,
I
think
we've
raised
this
a
couple
of
times
before
many
other
people
are
going
to
be
in
Vancouver
are
able
to
make
the
trip
yeah
I'm,
not
sure
how
many
people
are
going
to
make
it.
This
time
see
well
be
glad
to
have
you
across
there
yeah
I'll,
be
there.
A
Excellent
Jane
well
I
think
when
we
get
there
we'll
we'll
see
if
we
can
catch
up
with
people,
I
think
it'd
be
I,
think
it'd
be
great
to
catch
up
over
a
beer
or
two
and
start
to
talk
about
some
of
the
end
user
group
work
very
cool,
all
right
Andrew.
Thank
you
very
much
and
it
sounds
like
some
good
progress
there
on
the
on
the
commitments.
Hopefully,
you
can
get
people
attending.
A
They
do
they've
done
they've
done
the
initial
easy
part
yeah.
Let's
see
all
right,
very
cool
right.
So
next
item
in
the
agenda
was
a
request
from
Mike
scavetta
around
the
Omega
Assurance
framework,
something
that
I've
been
cooking
up.
Sounds
it's
interesting
from
the
alpha
omega
group.
Of
course,
then,
like
awesome,.
E
The
the
the
goal
is
is
provide
stakeholders
consumable
data
that
they
can
use
to
describe
the
security
quality
of
a
thing.
This
is
very
related
to
and
I
don't
want
to
get
too
far
into
the
well.
What's
the
risk,
what's
a
you
know,
vulnerability?
Is
it
General?
Is
it
for
me,
like?
Those
are
all
really
good
things?
I!
E
It
doesn't
do,
for
example,
static
analysis,
it'll
do
like
cve
checks,
so
a
lot
of
organizations
use
are
pretty
limited
to
kind
of
those
two
types
of
things
when
they
evaluate
a
piece
of
Open
Source,
most
organizations,
I,
would
dare
say
practically
all
of
them.
Don't
crack
into
the
open
source
like
code
itself
to
see.
E
Is
this
thing
safe
and
that's
because
it's
expensive
and
it's
hard
so
we're
trying
to
lower
the
bar
there
in
a
way
that
just
kind
of
moves,
the
needle
like
one
one
notch,
one
notch
up
it's
supposed
to
complement
everything
else.
This
is
not
intended
to
overlay
on
top
or
extended
to
complement
a
guac
score
cards,
depth,
Dev
a
lot
of
other
things
so
context,
most
open
sources
never
gone
undergone
any
kind
of
security
validation.
E
Like
you
know,
I'm
saying
looking
at
the
code,
the
real
you
know
the
the
lowest
level
stuff
because
it's
expensive,
but
we
need
that.
We
need
this
data
available.
So
the
Insight
that
kind
of
led
to
this
I
think
is,
if
you
run
the
best
security
tools
on
a
piece
of
Open
Source
and
it
doesn't
find
any
SQL
injection.
E
So
after
that,
it's
basically
I'm
just
going
to
skip
through
most
of
this.
So
there
are
two
parts
of
this
there's
assertions
and
policies.
An
assertion
is
a
fact.
Example.
Assertions
I
was
able
to
rebuild
this
package
from
this.
The
source
code
repository
as
of
this
moment
it
is,
it
is
marked.
It
is
associated
with
these
CDs.
It's
actively
maintained
based
off
of
scorecard.
E
E
E
E
So
if
you
actually
don't
trust
our
assertion,
you
can
go
a
little
bit
deeper,
so
this
is
example
of
a
you
know,
one
based
off
of
scorecards
and
then
so
that
that's
assertions
and
then
you
have
policies
and
the
policy
is
where
you
add,
like
your
value,
your
judgment,
your!
What?
What
do
you
want
to
see?
So
you
as
an
organization
you
know,
I,
would
like
all
the
packages
that
that
my
organization
consumes
to
be
actively
maintained.
E
I,
don't
think
that
any
npm
modules
should
be
implementing
crypto,
meaning
like
the
math
within
that
within
the
module.
I.
Just
don't
think
that's
appropriate,
for
example,
like
so
I
can
express
the
policies
like
that
in
terms
of
something
that
executes
against
one
or
more
assertions
and
then
comes
out
with
a
pass
fail.
E
E
The
important
thing
here
on
this
slide
is
that
there's
no
human
in
the
loop.
So
while
you
could
have
an
additional
assertion
that
I
as
a
security
expert,
you
know
like
I
review,
left
pad
I
said
I
think
it's
all
good,
so
I'm
going
to
to
sign
off
on
that.
That
can
be
an
additional
assertion.
Maybe
that
has
a
lot
of
value
for
you
or
maybe
you
don't
trust
me
that
has
no
value
for
you.
E
That's
an
important
part
of
this
is
that
trust
comes
from
the
consumer,
so
all
of
us
could
be
providing
similar
assertions
into
a
common
data
store
and
when
you
know
you
consume
from
that
data
store
and
make
policy
decisions
based
off
of
that,
you
can
choose
who
to
trust.
You
don't
have
to
trust.
You
can
trust
openssf.
You
could
not
trust
openssf.
E
You
could
have
a
private
store
that
that's
you
know
you
store,
you
keep
yourself,
you
could
use
the
public
ones,
you
could
use
our
policies,
you
could
write
your
own
policies,
it's
all
open
source
and
fun,
and
you
can
just
just
add
your
own
API
surface
is
pretty
simple.
It's
you
know.
You
generate
an
assertion
with
this
kind
of
input,
this
type
and
then
you
analyze
it
meeting
running
all
the
assertions
and
then
on
the
consumption
part
it
you
know
similar
similar
API
service.
You
get
out
of
pass
fail.
A
A
That
is
the
idea
behind
this
to
provide
the
additional
sort
of
security
attestation
on
top
of
that,
so
we
can
then
make
those
policy
decisions
and,
if
that's
really,
where
we're
going,
who
are
you
suggesting
the
ossf
for
Alpha
Omega,
is
gonna,
perhaps
start
to
create
these
assertions
I'm
just
trying
to
figure
out
where
that
trust
boundary
is
going.
You
know.
E
Yes,
so
so
I
I
do
think
that
well,
I
I
think
it'll
be
more
obvious
from
the
from
the
webview,
which
I
think
is
is
coming
up.
Yeah
I
think
that
that's
all
I
have
for
the
for
the
deck.
Here's,
the
the
demo
site
or
not
them
I
mean
it's.
It's
a
real
site,
so
you're
welcome
to
click
around
the
links
in
the
docs,
but
so
this
is
the
npm
Cheerio
module.
E
E
I,
don't
know,
check,
npm
Cheerio
of
the
command
line
and
come
up
with
you
know,
policy
a
fail,
pass
pass,
pass,
or
just
the
failed
ones
or
whatever,
but
it
could
just
just
call
this
API
and
and
and
and
do
this
you
could
also
restrict
things
to
a
particular
policy
set.
I
intend
to
make
it
so
that
you
can
create
your
own.
E
You
know
through
the
website
and
stuff
like
that,
but
you
know,
but
essentially
you
have
this
thing
and
then
Jonathan
after
our
previous
conversation,
you
mentioned
like,
would
be
cool
to
have
like
the
dependency
view.
So
this
is
Cheerios
dependency
tree.
You
know,
directs
and
indirects
and
how
they
all
fare.
So
obviously
demo
site,
we
don't
have
a
I,
don't
have
a
lot
of
data,
but
I
do
have
some.
E
G
E
E
So
as
part
of
the
assertions,
I
I
run,
sem
grep
and
and
code
ql
would
say
you
don't
like
those
tools.
You
only
want
to
rely
on
coverity,
you
run
coverity
yourself
generate
assertions
somehow
get
them
into
a
common
pool
of
assertions,
so
you
only
want
to
trust
static
analysis
results
that
come
from
coverity.
So
that
would
be
another
example
where
it's
not
so
much
the
signer.
E
But
the
attributes
of
the
of
the
assertion
that
that
you
trust
because
policy
evaluation
is
the
default,
is
just
open
policy
agents
which
is
Rego.
You
can
slice
and
dice
the
assertions
in
whatever
way
you
want
to
decide
whether
or
not
you
you
you
want
to
evaluate
them
so
I.
We
should
come
here
with
an
opinion,
but
we
should
be
flexible
enough
that
if
you
have
different
opinions,
you
can
ignore
hours
and
just
use
the
framework
as
a.
G
E
E
D
Cool
so
Michael
it'd
be
interesting
to
understand
how
you're
going
to
actually
the
language
used
to
describe
that.
So,
for
example,
if
you
said
that
we
ran
this
through
XYZ
tool
and
no
virus
was
detected,
I,
don't
think
that
those
those
vendors
who
whom
are
described
may
want
their
their
name
mentioned
for
liability
reasons
right.
So
how
are
you
going
to
create
instead
of
metadata
or
how
are
you
going
to
actually
describe
it?.
E
Well,
so
so
a
couple
things
the
right
now,
the
only
AV
vendor
that
I'm
using
is
is
clam
AV,
so
I
feel
pretty
comfortable
with
using
that
I
also
feel
comfortable.
That
expressing
facts
like
I
ran.
I
I
am
I'm,
saying
that
I
ran
this
and
it
came
out
with
zero
results.
And
here
are
the
here
are
the
here's.
The
output
like
we're,
not
saying
that
the
tool
is
good
or
bad,
or
things
like
that,
but
I
totally
get
that.
E
There's
a
liability
thing
there
before
we
especially
reference
commercial
tools
and
what
they
found
or
did
not
find
we
we
need
to
have
that
conversation
with
I,
guess
LF
legal
to
you
know,
find
the
right
balance
of
the
two,
but
I
also
don't
want
to
water
down.
So
much
that
we
can't
say
anything
useful
for
fear
of
offending
somebody.
E
H
H
E
Would
I
so
we've
already
I've
had
some
preliminary
conversations
with
guac
I
didn't
it
would
totally
make
sense
for
me.
You
know,
from
my
perspective,
for
these
to
be
attributes
living
within
a
guac
breath
now
whether
they're
also
accessible
in
through
different
UI
surface,
because
I
think
the
UI
surface
like
right
now,
relying
on.
E
At
the
moment,
lower
end
queer
yeah
yeah,
but
conceptually
yeah.
The
two
are
totally
complementary
and
it
would
be
silly
for
guac
not
to
be
able
to
surface
this
data
through
its
its
API
surface.
So
I
totally
intend
for
that
that
those
to
align
I
just
didn't
want
to
get
into
the
walk
train
before
I
knew
what
the
like,
what
it
would
look
like.
Yeah.
H
B
Is
that
data
explicitly
licensed
in
a
way
that's
compatible
with
that?
And
you
know
I'm
thinking
specifically
of
we
have
a
product
called
sneak
advisor
or
somebody
types
A
package
name
into,
and
we
give
them
information
right.
You
know
we're
looking
to
incorporate
scorecard
data
into
that
I'm
thinking
as
you're
presenting
this,
we
should
be
in
corporate
operating
this
data
into
it
as
well.
Is
that
is
that
kind
of
part
of
the
vision
so.
E
So
funny
so
I,
actually
you
know
I
I
do
have
sneak
code
running
in
the
back
end,
but
I
don't
expose
that,
and
one
of
the
reasons
is
because
there
is
I.
Would
we
I
need
less
ambiguity
in
terms
of,
like
am
I
allowed
to
like
publish
like
the
snake
code
output
from
running
against
a
piece
of
Open
Source,
and
unless
the
answer
is
like
resounding,
of
course
you
are
like
I'm
gonna
tread
really
lightly.
You
know
toward
that,
but
I
think
the
conceptually
I
would
like.
G
Yeah
Michael:
do
you
mind
going
to
the
dependencies
section?
Please
of
course
right
so
I
guess
we
are
putting
version
in
there,
but
so
I
brought
up
this
before
with
other
people,
and
not
every
single
technology
makes
sure
that
our
the
versioning
is
unmutable.
So
is
that
something
that
we
can
kind
of
like
pin
down
in
this
information
in
kind
of
like
this
plate,
even
programmatically
as
well.
E
If
I
have
data
on
the
columns,
I
I
am
not
sure
how
depths.dev
knows
that
this
version
of
cheerio
it
has
Dom
Handler
503,
because
if
it
was
a
version
range
and
504
came
out,
would
it
have
been
504
like
it?
So
was
it
a
point
in
time,
I
I,
don't
think
you
can.
You
can
determine
these
things.
Statically
from
you
know,
from
a
I
mean
if
it
has
a
package
lock,
maybe
you
can
so
we
can
provide
more
information
here.
E
I'm
also
not
like
some.
A
lot
of
the
policies
are
version
agnostic,
so,
like
is
the
is
the
project
actively
maintained
will
hold
true
for
every
version
of
that
project
and
is
there?
Is
there
a
better
way
of
conveying
that,
rather
than
treating
everything
as
a
you
know,
tied
to
a
specific
version
and
I.
E
Both
I
mean
certainly
feedback.
You
know
always
super
useful.
You
know,
I
I
do
I,
do
I,
mean
I,
think
it's
I
think
I've
gotten,
like
the
major
features
that
I
that
I
wanted
done.
So
at
this
point
it's
I
I
just
need
to
find
find
Cycles
to
really
connect
deeply
with
guac
and
in
Toto
those
those
are
I.
Think
the
two
at
the
the
top
of
my
list
to
align
there
but
I
also
want
to
just
you
know
gut
feel
like
is,
is
this
kind
of
information
useful?
E
Is
it
something
that
you
would
like
make
a
decision
on
or,
like
you
know,
I
don't
want
to
build
this
just
because
you
know
I
think
it'd
be
useful,
so
think
about
it.
You
know
feedback
always
good,
especially
if
it's
like
this
part's
okay.
But
this
part
like
no
value
to
see
the
assertions
like
or
you
know,
the
policy
language
is
just
way
too
limited
to
make
a
you
know,
make
any
interesting
decisions
on
it,
but.
A
I
think
you
and
I
you
and
I
had
a
conversation
about
it.
I
I
think
it
to
me:
it's
useful
information
to
get
those
out
of
stations.
It
depends
on
who's,
creating
the
attestations
and
whether
or
not
I
trust
them,
or
it's
interesting
information
that
we
could
then
validate.
I.
Think
one
of
the
things
I've
been
thinking
about
is
the
work
that
goes
through
Alpha
Omega,
perhaps
other
entities.
A
If
we
can
get
some
of
that
security
testing
completed
and
then
evidenced
in
a
testable
way,
yeah
and
I
can
make
a
call
on
whether
or
not
I
want
to
truly
trust
that,
or
at
least
use
that
as
an
information
guideline
of
what's
happening
and
then
perhaps
write
those
destinations,
myself
will
get
a
different
vendor.
Perhaps
to
do
it,
but
that's
my
sort
of
personal
view.
I,
don't
know
if
anyone
else
has
anything
to
share.
E
A
C
You
know,
thanks
for
all
the
feedback
from
everyone
after
conversation
with
Jonathan
O'brien,
a
number
of
others,
especially
around
trying
to
simplify
this
and
not
get
it
mixed
in
with
some
of
the
good
work
you
know
being
done
with
Frameworks
and
the
security
development
Covenant
work,
we've
sort
of
trimmed
it
down
a
bit,
so
I
have
a
new
version.
The
previous
version
exists
as
well,
so
I
can
put
that
there
I'll
put
it
the
new
version
in
the
chat
here
as
well.
C
Let's
send
the
doc
I'll
say
again.
Welcome
all
feedback
questions
comments
things
you'd
like
to
see
us
do
regarding
that.
For
those
that
that
aren't
aware
this
is
sort
of
something
in
the
spirit
of
the
agile
Manifesto
in
you
know
how
we
can
encourage
organizations
to
to
solve
the
really
big
gaping
hole
today
around.
You
know,
consumption
of
Open
Source,
and
you
know
what
they
can
do
at
a
broad,
a
broad
view.
C
Up
sooner
rather
than
later,
I
think
that
really
comes
down
to
Brian
Brian
Fox.
He
has
a
few
I
think
conversations
with
some
some
of
the
leadership
and
spreading
it
around
open,
ssf
as
well.
We
have
a
blog
post
and
draft
as
well,
but
we've
been
we've
been
incubating
on
this
for
a
number
of
weeks,
so
I
think
you
know
we
got
to
a
pretty
good
point,
at
least
with
comments
on
the
last
draft.
I,
don't
think,
there's
there's
nothing
shocking
in
this.
C
A
Got
it
pretty
cool,
pretty
cool
all
right,
so
it's
information
purposes
if
people
want
to
reach
out
and
sign
up
to
that
or
provide
feedback,
yeah
all
right,
pretty
cool,
all
right!
Thank
you
and
moving
on
to
the
next
element,
which
was
the
architecture
and
threat
modeling
piece
of
work
that
we've
been
doing
for
a
couple
of
weeks
now.
Abdullah.
Do
you
want
to
bring
up
page?
A
G
A
We've
I
think
there's
a
couple
of
conversations
about
the
distribution
platforms.
We
split
that
out
into
proprietary
versus
open
source.
Remember
that
was
a
particular
focal
point.
There
was
conversations
about
the
maintenance
of
the
architecture
and
what
we
sort
of
suggested
was
really
up
here.
We're
highlighting
there's
multiple
different
use
cases
of
that
architecture,
and
rather
than
clutter
that,
in
that
same
architecture
with
multiple
different
duplicative
diagrams
and
arrows,
we
put
them
up
separately
as
not
the
main
flow
of
the
data.
A
There
are
definitely
people
that
would
be
working
on
that
as
well
and
I.
Think
we've
gone
through
it
to
the
point
that
now
we're
starting
to
look
through
the
and
start
to
do
some
fairly
lightweight
threat,
modeling,
so
we're
starting
to
identify
key
assets
within
that
architecture.
That
we'd
need
to
protect
particularly
secrets
and
keys
throughout
pretty
much
multiple
different
elements
of
that
stlc,
the
source
code
and
binary
flowing
through
pretty
much
each
individual
system
as
well
and
so
forth.
A
One
of
the
things
that
we'd
also
discussed
was
whether
or
not
to
include
Insider
threat
as
one
of
the
the
threat
actors
and
our
suggestion
was
not
to
initially
and
perhaps
look
at
that
subsequently,
just
in
the
interests
of
time
and
actually
trying
to
get
some
value
out
of
this
rather
than
bike
shedding
the
thing
to
death.
Thinking
about
everyone
is
an
act,
an
attacker,
so
that's
kind
of
our
approach.
A
We
have
held
off
doing
the
small
scale
architecture
clearly
because
we
still
can't
find
sufficient
input,
let's
say
from
people
and
companies
that
are
in
that
smaller
scale,
I
think
we
were
discussing
amongst
ourselves
and
the
reality
hit
that
not
really
you
know,
none
of
us
are
from
a
small
scale
or
a
small
in-house
development
shop,
we're
from
a
large
institutions
or
even
startups-
in
inverted
commas-
that
have
100
people
working
for
them,
which
now
arguably
that's
not
exactly
the
smallest
of
small.
So
rather
than
suggest,
don't
worry
about
it.
A
A
Yeah,
so
we're
going
through
the
taxonomy
that
was
presented
last
time
in
absence
of
anything
else,
particularly
although
I
know
those
conversations
still
going
around
the
taxonomy
and
then
we'll
start
to
look
at
given
the
architecture,
given
the
threat
models
around
it,
where
do
the
different
standards
fit?
Where
does
salsa
fit?
Where
does
ssdf
S2
c2f
fit
within
that,
and
then
perhaps
look
at
how
this
could
lead
to
a
sterling
tool
chain
or
some
form
of
tool
chain
that
would
link
all
of
this
together?
That's
really
the
next
part
of
it.
A
So
those
sort
of
sessions
will
continue.
We
can
certainly
talk
through
it
a
little
bit
more
today
if
that's
of
Interest
we'll
move
on
to
any
other
business,
but
I
think
we
just
need
to
keep
plotting
on
and
adding
additional
sessions
to
the
calendar
for
people
who
are
interested
in
digging
into
this
yeah.
A
All
right,
one
of
the
things
that
I've
been
particularly
bad
at,
but
we've
managed
to
get
through
it
anyway,
is
actually
putting
additional
meetings
on
the
community
calendar.
Although
we
have
informally
got
everyone
together
and
done
it
anyway,
I
think
I
think
it
is
something
we
need
to
take
as
an
action
or
something
if
anyone
else
could
take
it
as
an
action
since
I
failed
twice
already
in
doing
so,
of
putting
a
community
action
or
community
calendar
appointment
in
there
I'll
leave
that
to
the
to
others
all
right.
G
A
I
think
that's
in
general,
right,
I
think
as
an
end
user
group,
we
have
more,
you
know
and
as
Andrew's
working
through
the
membership,
we're
trying
to
get
additional
members
to
attend
as
well
as
just
consume
the
output
when
going
through
that
in
a
sort
of
prioritized
order.
But
if
people
do
find
smaller
team
members
or
smaller
companies,
I
think
that
would
really
be
beneficial.
A
I
A
I
I
Not
in
scope
and
then
then
then
that's
fine
and
I
will
I.
Will
I
will
take
my
take
my
tail
and
go
elsewhere,
I'm
working
on
A's
under
the
vulnerability
disclosure
Sig,
which
is
not
yet
a
Sig,
because
we
need
a
couple
more
meetings,
but
it's
a
Sig
focused
on
auto
fixing.
So
basically
the
work
that
I've
been
engaging
in
the
past
past
year
and
change
has
been
automating.
I
The
fixing
of
widespread
common
security
vulnerabilities
across
open
source
and
generating
bulk
pull
requests
to
fix
those
vulnerabilities,
and
it's
kind
of
in
just
me
and
my
work
and
then
some
other
researchers
followed
on
my
footsteps
and
did
it
again
did
it
as
well
and
because
this
work
is
becoming
more
normalized,
generating
polar
aggressive
scale
and
the
potential
negative
reactions
of
maintainers
I
mean
a
lot
of
maintainers
are
like
you
know:
thanks
great,
merge
it
and
then
go.
You
know
it.
I
The
there's
a
specification
that
I've
written
up
for
defining
what
is
an
open
source
security,
Foundation,
compliant
automated
vulnerability,
fixed
campaign
and
I,
don't
know
if
this
is.
If
this
is
of
interest
to
the
group
there's
there
are
Sig
meetings,
every
Wednesday
every
two
weeks.
Sorry,
every
two
weeks
on
Wednesday
at
4
pm
discussing
this
topic.
I
I
This
work
of
automating,
both
across
generation,
will
be
not
just
something
that
Alpha
Omega
does,
which
is
where
I
work,
I'm
I'm
part
of
Alpha
Omega,
but
also
the
idea
of
the
specification,
is
defining
it
so
that
this
is
something
that
any
organization
can
implement
it
in
such
a
way
that
they
are
compliant
with
what
the
open
ssf
defines
as
as
a
as
a
standard
for
this
practice
so
yeah.
So
it's
a
it's
a
discussion
of
you
know
what
are
the
best
practices?
What
do
we
expect
of
the
people?
I
You
know
out
of
people
doing
this
work.
You
know
topics
like
is
there
an
expectation
that
this
is
done
privately?
If
so,
how
does
it
get
done?
Privately
GitHub
doesn't
have
a
way
VIA
an
API
to
create
a
private
issue
or
a
private
security
advisories,
but
they
are
adding
that
within
the
next
two
well
they're
shipping,
something
today
and
then
they're
adding
support
for
it.
In
two
weeks,
however,
get
a
private
vulnerabilities
closure
still
opt
in
by
maintainers,
so
you
can't
so
yeah
large
topic.
I
I
Yeah,
this
is
the
spec
and
then
the
meeting
notes
are
using
the
vulnerabilities
closure
working
group
meeting
notes.
So
if
you
are
interested
in
in
following
meeting
notes,
go
have
a
look
at
that
they're
also
recorded
and
also
uploaded,
as
probably
just
under
the
vulnerability
closure
working
group
got.
A
A
A
Definitely
an
interesting
Forum
they're
discussing
potential
changes
to
nvd
and
such
and
looking
at
how
the
you
know
with
some
changes
to
the
the
the
data
schema,
perhaps
it'll
be
possible
to
get
a
better
end
result.
So
I
think
some
interesting
things
coming
out
from
Tom
and
team
I'm,
not
sure
how
much
of
that
has
been
presented
publicly
but
I
think
there's
some
good
blog
articles
that
Tom's
putting
out
there
might
be
of
interest
to
the
group
all
right
other
than
that
anyone
got
any
other
any
other
business.
B
A
A
B
Yeah
that
conversation
is
happening
in
the
security
tooling
working
group
and
I've
been
plugged
into
that,
and
one
of
the
things
that
we're
doing
there
is
putting
together
a
use
case
document
and
talking
about
different
user
needs
around
s-bombs
and
there's
a
lot
of
good
discussion
happening
there.
Just
I
mean
I'm,
not
officially,
you
know
whatever
appointed
or
anointed,
to
give
an
s-bomb
everywhere
update.
B
A
No
all
right
well,
I,
think
we're
going
to
be
heading
into
holiday
season
fairly
soon.
So
if
people
aren't
available
next
week
or
the
week
after
I
have
a
good
vacation
and
we'll
see
people
when
they
come
back
other
than
that,
we
will
somehow
get
this
architecture
meeting
on
the
community
calendar
by
hooker
by
crook,
but
it's
good
to
see
that
we're
making
some
progress
there.
So
thanks,
Abdullah
and
Rick,
you
know
Cynthia
we'll
get
some
work
done,
so
pretty
cool
all
right!
Thanks
a
lot!
Everyone
thanks
for
your
time,.