►
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
C
A
A
A
A
A
A
A
So
we
can
go
with
project
updates
or
there
are
other
topics
you
know
we
can
we
can
as
usual.
We
can
do
this.
Whatever
way
you
all
want,
if
you
want
to,
if
you
want
to
add
a
topic,
just
add
into
the
meeting
notes
or
just
talk
and
we'll
we'll
discuss
anything
there,
but
the
default
would
be
let's
go
through
on
Project
updates,
so
we
have,
let's
see
start
with
virtual
maintainer
Summit.
C
C
F
Yeah,
okay
from
the
last
from
the
previous
meeting,
I
have
an
updates.
Unfortunately,
but
I
have
a
three
open
pool
requests.
They
are
in
draft
because
I
need
to
understand
how
we
want
to
proceed
with
some
compliance
in
open
ssf.
For
example.
Not
all
the
projects
have
a
security
MD
and
technically
we
can
enable
it
easily
as
organization
in
GitHub,
but
at
the
moment
we
have
a
hit,
and
another
question
is
for
just
the
most
important
project.
F
F
Mean
if
you
really
need
somebody
like
yeah
exactly
if
it
is
a
documentation
project
is
not.
Maybe
you
don't
need
the
security
insights,
but
we
are
talking
about
project
where
there
is
a
code
base.
I
mean
I
need
to
double
check,
but
for
sure
that
is
called
I
have
a
check
that
give
one.
Second
I
can
link
you
the
three
project
that
I
have
give
him
a
second
or
maybe
they
are
in
the
meeting
notes
yeah
in
the
previous
meeting
notes.
F
And
you
can
see
that
sometimes
not
so
easy
to
identify
the
security
testing,
and
maybe
we
will
we.
We
are
interested
to
have
some
standards
also
for
that.
This
bomb
is
not
still
in
a
lot
of
open
source
project
in
open
ssf
and
another
problem
is
I
need
to
find
it
security
control.
Oh
this
one,
it
is
the
first
introspector
I,
don't
know
if
it
is
a
documentation
project
from
but
from
the
code
base
it
it
doesn't
seem
so
I
have
the
link.
Where
is
zoom
here.
F
This
is
the
pull
request,
and
this
is
the
project.
I
mean
I,
don't
know
if
we
can
Define
it
popular,
but
it
has
more
than
200
stars
and
there
is
the
opens
open.
Ssf
Score,
Card
7.5.
So
if
you
have
the
open,
SS
scorecard
I,
don't
think
you
are
a
documentation
project.
You
are
definitely
a
project
yeah,
a
software
project,
yep.
A
Yeah
I
mean
I,
I
would
I
would
even
go
so
far
say,
even
if
you
are
just
a
documentation
project
having
having
a
security
MD
it
for
consistency,
especially
for
ossf.
As
an
organization
like
you
could
have
a
separate
organization
that
says
that
documentation
projects
should
not
get
security.
Md
I
would
respect
that
opinion,
but
for
our
organization,
I
think
a
blanket
every
every
repo
gets
a
security
MD
I
think
is,
is
reasonable
and
does
the
default
template
that
we
have
so
there's.
F
Like
this
is
the
other
question,
I
mean
checking
the
project.
I
have
seen
three
interesting
points.
One
is
that
more
than
one
years
ago,
if
you
remember
when
we
implemented
the
first
version
of
the
security
dashboard,
Apache
Foundation
enabled
the
security
team
for
all
the
repo
in
gitabo
using
the
security
tab,
because
the
in
the
score
cards
in
the
scorecard
slash
romantic
dashboard,
their
security
policy.
F
That
was
not
the
security.md
that
was
a
external
link,
was
not
classified
like
a
security
policy,
so
they
show
us
that
we
can
enable
the
security
policy
slash
security
MD
in
all
rep
of
the
organization.
Even
if
you
don't
add
the
file
in
the
repo,
because
there
is
the
security
tab
that
link
every
project
or
less-
and
maybe
we
can
do
this,
so
maybe
some
project
can
have
the
security.md
and
other
can
have
just
the
security
tab.
F
That
is
still
a
valid
security
policy,
and
the
other
point
is
that
yeah
we
don't
have
a
a
standard
for
the
security.md.
We
have.
The
scorecard
have
a
security.md
that
is
very
short
and
it
points
to
a
Google
group.
The
email
address
is
a
Google
group.
If
I
remember
correctly
and
I,
don't
know
if
we
want
to
have
an
open,
ssf
contact
and
not
just
a
Google
group,
I,
don't
know
so.
Okay,
it
is
a
compliance
topic.
Maybe.
A
So
I
think
I
think
it
would
be
very
reasonable
to
maybe
go
through
all
of
the
ossf
projects
and
for
any
of
them
that
don't
have
a
security,
MD
file
open
up
a
security
issue.
Saying
hey
you
should:
could
you
create
a
security,
MD
file
and
also
added
to
the
project
template
so
that
new
repos
as
they
get
created,
get
One
automatically?
A
F
I
think
that
would
that
would
be
super
useful,
yeah,
exactly
because
I
mean
at
the
moment
that
requests
that
didn't
laugh
just
for
this
reason,
because
I
don't
want
to
bypass
the
security
and
size
requirement
at
the
same
time,
I
think
it
is
a
good
idea
to
solve
this
issue
to
an
organizational
level
and
the
same
for
the
Bounty
I
mean
enough.
You
can
say
I
mean
the
organization
can
say
just
know,
and
it
is
acceptable
for
sure.
F
C
D
D
F
I
totally
agree,
I
mean
technically
I.
Don't
ask
that
the
project
has
a
security.md
in
the
main
folder
they
can
have
in
a
subfolder
also
in
external
website,
but
I
mean
I
need
to
be
able
to
find
it
in
the
redmi.
You
can
adjust
for
the
security
policy
and
link
to
an
external
link.
The
security
insights
don't
require
a
security.
It
requires
a
link
to
a
security
policy.
Just
this
right.
D
F
The
point
is
that
the
security
inside
can
help
you
to
easy,
easily
easier,
find
everything
that
at
the
moment
has
no
standard
or
just
people
don't
like
in
the
main
folder
or
they
don't
like,
or
they
use
docs
or
dock
or
Point
dock.
So
we
don't
have
standard
for
this
kind
of
stuff.
A
scanner
can
try
to
improve
to
find
document,
but
it's
not
so
easy.
Yeah,
no.
D
A
D
G
G
G
A
G
E
F
B
Just
for
quickly
ask
questions
some
work
I'm
currently
doing
with
Argo
CD,
which
is
around
using
treasure
to
threat
model
their
their
ecosystem.
I
was
just
wondering.
Would
this
be
a
super
place
to
put
in
the
docket
at
GitHub
as
well,
or
it's
first
time,
I've
actually
heard
of
this
dot?
He
GitHub
so
I'm
quite
excited
about
it,
but
would
that
maybe
happen
like
PDFs
and
PDF
of
the
risks
and
also
the
data
flow
chart?
Would
that
be
somewhere
where
we
could
put
stuff
like
that?
No.
G
B
F
A
F
Yeah
the
help
is
that
it
would
be
great
to
have
a
sort
of
organization
level
or
at
least
for
the
rapper,
where
I
have
opened
Apple
request
a
security
policy
or
some
or
linked
with
something,
and
probably
it
is
attack,
decision,
I,
guess
and
I
need
to
help
to
communicate
with
attack
group,
especially
because,
for
some
reason
usually
when
they
have
the
meeting
I
cannot
join
the
meeting.
So
if
someone
can
move
or
escalate,
this
problem
can
help
me,
especially
because
probably
we
need
an
approval
by
the
management
at
the
board
and
also.
F
And
that
is
also,
it
will
be
interesting
to
know
if
we
want
to
adopt
this
bomb
for
our
project,
because
something
that
it
seems
to
be
important
for
open,
ssf,
the
SB
om
file,
but
the
time
I
mean
I
would
like
to
see
the
adoption
of
our
current
standard
that
we
proposed
to
the
community.
So
people
can
use
our
repo
as
an
example,
and
we
can
continue
to
improve
yeah
how
we
work
thanks.
Hope.
A
Okay,
a
question
for
s-bomb
and-
and
it's
just
my
my
own
ignorance
here-
are:
are
s-bomb
files
intended
to
be
committed
to
source
code,
or
are
they
intended
to
be
the
output
of
a
build
that
gets
attached
to
a
release
like?
Would
they
be
in
releases?
You
know
Foo,
1.2.3.zip
or
actually
committed
into
into
Source.
F
It
is
a
good
question
at
the
moment
there
is
no
standard
checking
online
I
have
seen
that
someone
added
in
the
search
code.
Someone
has
a
page
or
a
folder
in
the
website
of
the
project
where
they
added
the
difference,
but
for
every
version,
so
I
think
that
at
the
moment
there
is
no
a
real
stand-up.
Okay.
Let's
say
why
we
need
to
put
it
hi,
David.
D
D
Some
are
generated
after
the
fact
by
analyzing,
a
bunch
of
bits
by
tools
which
work
very
hard
to
use
a
lot
of
heuristics
to
guess
what
might
be
in
their
baby
so
and
then
there's
other
s-bombs
that
are
determined
at
runtime
to
see
what's
running
now.
So
the
the
short
answer
is
that
very,
very
soon
I'm
thinking
within
a
two
weeks
time,
so,
hopefully,
by
the
next
time,
we
gather
there's
going
to
be
a
document
out
that
a
number
of
us
have
been
working
on
to
identify.
D
Well,
what
are
these
different
types
of
s-bombs
and
a
particular
s-bomb
might
be
actually
a
merge
of
more
than
one
case
like
you
might
have
a
sources
bomb
and
then
add
build
information
or
whatever,
but
the
answer
to
that
question:
where
do
you
store?
It
depends
a
lot
on?
How
did
you
create
it?
Basically,
what
type
of
s-bomb
it
is
yeah
if
it's
something
that
is
essentially
derived
from
the
source
code,
I,
don't
think
it's
insane
to
make
it
part
of
the
source
code
checked
in
that
means.
D
You
have
to
update
it
when
you
check
in
your
source
code,
which
usually
you
want
to
generate
instead
of
just
having
this
part
of
the
source
code.
But
it's
not
a
crazy
thing
to
do
for
the
build
type
stuff,
though,
that
really
doesn't
make
much
sense,
which
you
probably
want
to
do,
is
have
a
way
to
point
from
the
source
code.
D
How
do
I
get
the
build
information
for
the
various
builds
and
then
say
when
you
download
a
particular
build
package,
the
metadata
of
that
points
off
to
the
s-bomb,
so
so
so
I
think,
there's
a
reason
for
your
G
I'm,
not
sure
and
there's
a
variant,
because,
as
people
have
gotten
into
this
they're
realizing
that
there's
different
cases
for
different
circumstances.
Okay,.
A
E
Hey
this
is
my
number
hey
Michael,
so
we
have
right
now
sent
the
emails
to
the
potential
participants.
We
have
done
it
twice.
The
second
round
went
this
Monday.
However.
So
far
we
have
only
received
I
think
for
acknowledgments,
so
it's
kind
of
like
we
have
a
raised
heartbeat
at
this
point,
as
in
like
okay,
what's
happening,
how
So
the
plan
is
to
now
personally
Reach
Out.
Many
of
these
participants
are
people
who
we
know
so
personally,
reach
out
and
kind
of
coerce
them
into
participating.
E
G
Have
a
very
funny
story
to
what
happened
when
I
actually
thought
I
brought
this
to
Homebrew
with
Jay
and
Michael
and
David
might
already
know,
but
but
we
could
talk
about
it
later,
but
I
do
think
that
there
is
some
interesting
feedback
that
happened
there,
that
we
don't
have
to
talk
about
on
this
phone
call,
but
yeah
I,
it's
not
like
I,
didn't
pass
it
along.
It's
just
that
yeah
there's
certain
opinions
than
like
things
that
happened
so
yeah.
E
E
I
am
not
so
maybe
I
will
connect
with
you
separately
and
find
out
so
yeah.
It's
always
interesting.
I
mean
we're
doing
people
engineering
here,
so
that's
yeah
I'll
get
that
feedback
from
you
on
the
side,
but
yeah.
So
that's
what
it
is.
We
have
also
sent
emails
to
the
panelists
this
week.
This
and
this
was
sent
on
I,
think
Tuesday,
but
I
mean
with
the
families
there's
only
a
few.
E
We
have
already
pre-communicated
with
them,
so
the
only
thing
that
they
have
to
do
is
to
adjust
their
date,
which
was
January
25
before
and
now
acknowledged
to
the
February
22nd
date.
So
that
is
not
something
that
we're
too
much
worried
about.
So
the
next
steps
are
basically
creating
structure
as
in
who's
doing
during
the
actual
event,
who's
conducting,
which
part
like
that
we'll
figure
out
among
ourselves
and
then
we'll
also
coordinate
with
the
people.
There's
there's
a
round
of
survey.
E
There's
a
set
of
survey,
there's
a
survey
that
we
created
that
to
try
like
ask
different
question
about
security
practices
existing
in
that
community
of
that
that
particular
community.
So
that
gives
us
some
data
point
that
we
can
share
during
the
conference.
This
goes
out
a
week
before
the
conference,
that's
something
that
has
already
been
done.
It's
just
like
ready
to
go
out
to
the
people
who
have
accepted
to
participate
in
that
event.
H
G
H
I
D
B
D
I
think
the
question
to
be
asked
is:
why
did
no
one
sign
up?
I
mean
we
had
several
people
sign
up
to
answer
questions,
but
we
didn't
have
anybody
sign
up
to
ask
questions
so
the
question
to
be
asked
is
why
not
now,
maybe
it
was
just
bad
timing,
inadequate
warning
or
maybe
people
are
really
afraid
to
air
their
dirty
laundry
questions
in
public,
in
which
case,
maybe
we
need
to
take
a
different
tack.
A
If
we
wind
up
getting
so
much
attention
that
we
do
need
to
like
cue
it,
and
then
there
were
sensitive
topics,
so
we
need
to
like
pre-register
like
I,
think
that's
a
problem
that
we
can
solve
once
we
have
the
demand
for
it,
but
I'm.
My
my
gut
is
that
perhaps
we
limited
demand
by
making
it
a
little
too
hard
or.
A
Maybe
maybe
it
would
have
been
more
effective,
it
was
just
a
completely
open,
we're
gonna
run
it
for
three
months
and
if
nobody
shows
up
after
three
months
and
we're
talking
about
it
and
advertising
over
time,
then
we
realize
that
this
is
a
a
solution
that
for
which
there
was
no
problem
and
that's
fine.
We
cancel
it
and
move
on,
but
I
feel
like
I
feel,
like
folks
would
show
up
if
they
knew.
This
thing
was
always
available
and
they're
like
I,
can't
make
it
this
week,
but
I
can
do
it
next
time.
G
G
You
want
another
observation:
it's
everything
too
thin
2018
like
prior
to
2018.
They
kind
of
have
no
idea
so
like
containers,
because
I
kind
of
think
like
the
year
of
Docker,
was
2018.
so
like
I,
think
like
everything
prior
to
that
kind
of
feels,
very
marginalized.
By
like
open
ssf
in
general,
like
gnome,
distros
and
yeah.
G
Well,
I
I
don't
want
to
get
too
finger-pointy
on
like
no
no
yeah
but
but
like
basically
yeah
like
like,
even
like
a
lot
of
really
big
Old-Timers
that
are
in
kernel,
project
and
Gen,
2
and
gnome,
and
things
like
that.
I
have
no
real
idea.
What
problem
we're
trying
to
solve?
They
think
that
we're
just
a
lot
of
Croft
and
if
you
guys
want
to
stay
after
so
we
can
get
into
The
Homebrew
call
there's
some
really
interesting
feedback
that
comes
out
of
that
call,
because
the
word
strong
arming
came
up
several
times.
A
G
G
A
A
Yeah
and
and
I
do
kind
of
expect
that
most
most
problems
are
are
perception
and
communication,
but
we'll
we
can.
You
should
not
forget
about
that.
Look
let's
follow
up
on
that
cool,
so
so
the
question
on
on
office
hours
do
we
think
that
we
should
kind
of
continue?
This
change
change
the
approach
slightly?
A
A
A
A
D
Yeah,
here's
here's
the
challenge
that
I've
got
I'd
like
to
actually
I
I
can
modify
the
best
practices
badge
to
link
to
the
Security
reviews
and
in
fact,
I'd
I'd
like
to
the
challenge
I've
got
is
I,
have
a
name
like
of
the
get
and
I
have
a
GitHub
repo.
What
I
need
is
a
way
to
link
like
the
home,
page
or
GitHub
repo
automatically
to
a
place
in
the
security
reviews
repo.
D
B
D
A
A
C
D
B
D
Yep
yep,
that
is
actually
all
I
need,
that'd,
be
great,
that
other
folks
could
and
I
bet
once
you
have,
that
other
folks
could
have
that
too.
And
then,
if
we
reorg
that's
okay,
if
we
reorg
the
the
markdown
files,
that's
okay,
because
if
you
pull
off
the
index,
it
won't
matter
yep
cool
that
works.
Okay,
who
do
I
talk
into
doing
that.
D
Cool
yeah,
so
so
how's.
This
I'll
commit
that.
If,
if
somebody
can
give
me
that
I
can
add
a
little
button
or
something
when
that's
present
dude
okay,
you
know
link
off
to
it
and,
and
you
know
what
we
you
know,
I
can,
if,
if
people
are
okay
with
me,
loading
that
file
once
a
day,
it
means
that
there
could
be
as
much
as
a
24-hour
delay
before
you
link.
D
F
Yes,
I
have
added
a
link
in
the
well
technically
other
topics.
Now
is
on
the
top
sorry,
because
yeah
moving
stuffing
yeah
darkest
weird
but
the
first
one
is
a
issue
that
you
have
a
sort
of
reopen
before
Christmas.
Yes,
and
maybe
it
is
interesting
if
we
want
to
update
the
or
do
a
I
mean
document,
1.3,
I
guess
for
the
security
threats,
and
there
is
a
list
of
new
threats,
none
I
mean
two
or
three
I,
don't
remember
now.
This
means
that
the
first
version
was
good
enough
and
I.
A
C
F
I
mean
the
comments
in
the
GitHub
issue
or
I
mean.
The
point
is
that
maybe
we
can
update
the
document,
adding
some
attack
that
we
have
seen
in
the
last
two
years:
multi-factor
authentication,
fatigue,
attack
or
conditional
stuff
from
pie,
pies
another
interesting
scenario
and
similar,
and
the
other
point
is
that
about
it.
Is
this
document
good
or
not,
I
mean
it.
It
has
if
the
document
help
other
people
and
projected.
F
Okay,
if
you
need
something
read
this
document,
it
is
at
least
the
first
step
that
you
can
do
to
improve
the
security
in
your
project,
but
my
question
is
I
mean
according
to
numbers,
we
have
seen
that
in
the
last
two
years
that
okay,
the
last
year,
were
very
particular
but
they're
attacking
the
open
source
project
in
the
concept
of
supply
chain.
We
I
mean
we
can
Define.
What
is
supply
chain,
but
definitely
increases,
so
it's
not.
F
It
doesn't
depend
by
our
how
we
spread
awareness,
but
for
sure,
if
we
spread
more
awareness
about
how
to
ensure
that
your
open
source
project
is
safer,
we
can
help.
This
document
is
very,
very
good.
It
is
the
first
document
that
I
share
when
I
need
to
share
something
about
open,
open
source
security,
but
yeah.
Maybe
we
are
not
sharing
it
enough.
Maybe
we
should
present
in
a
different
way
or
super
bright
Blockbuster
or
something
so.
C
A
F
No,
no
I,
we
can
do
a
refresher
and
add
the
more
data
that
maybe
we
have
collected
I
mean
that
other
company
collectedly.
We
can
update
the
data
that
we
have
arrived,
the
in
the
document
and
we
can
add
the
more
data.
If
we
have,
we
can
see
what
changed
in
the
last
two
years,
for
example,
yeah
the
scenario:
the
scenarios
that
we
described
in
the
document
are
still
valid,
but
maybe
some
scenario
are
more
validant
holders
or
just
more
common
than
others,
and
this
kind
of
reviews
become
something
that
we
can
start.
A
A
Perfect,
what
might
make
sense
is
to
just
spin
this
off
as
a
separate
B
Team
meet
a
couple
times.
Have
you
know
it's
it's
just
marked
down.
What
I
would
suggest
is
like
as
much
as
I
like
the
pdf
version,
formatting
better
than
markdown
markdown
is
just
easier
to
it's
should
just
just
use
the
markdown
and
then
I'll
just
I'll
create
a
copy
of
it
in
a
new
directory.