From YouTube: OpenSSF Identifying Security Threats WG (March 1, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
A
Okay, so Michael will not be present in today's meeting, so he asked for somebody to volunteer, and I'm volunteering. So let me get the...
A
I'm sharing the meeting notes. Please add your names there.
A
We can start by asking if there is anybody who's new to this particular group. I see many familiar faces and familiar names, but if there's anybody who's new to this particular group, it's a good time to introduce themselves.
B
Hi, I guess I'm new in this group. I'm Matia. I work in reproducible builds, mostly on the piano stuff and the mirror, mostly to look around in this group, so to look if what you work on is relevant to us or is actually interesting, so to say. For sure, I glanced at your notes. It looks interesting, so I'm looking forward to getting more from you. Thank you.
A
So Matthew, I shared a meeting notes link to a Google doc; that is where we keep the meeting notes, so please add your name and affiliation there.
A
So we can just go ahead and talk about the project updates. We can start with the virtual maintainer summit. Alex or HCL, do you want to do that?
C
Last week the summit went very successfully. We had several attendees, and we collected all the feedback from both of the rooms, from our working round tables. So what is coming next from it is to generate the report of the event and present it to the TAC members, and the other thing is to share with the team not only the outcomes but also the main ideas that we collected from this mini summit.
D
Yeah, it was very successful. I might add just one more comment: about 20 people, over 20 participants, from different foundations like the Eclipse Foundation, OpenJS, the Node.js Foundation, and, you know, some of those from the GCC toolchain. It was very successful, and I can't wait to share more details with the team and everybody.
A
Are you planning to write a blog post or anything regarding the findings or the discussion that you've had? Was it recorded?
D
It was not recorded. I think the next step is to summarize it, and then in a way we can publish it, either by blog or report or in some way, to send a message to the community: how it happened, what we discussed, and what the next step could be. I think that, with each cell sharing this, it can happen again sometime soon, or maybe in a bigger format that can benefit everybody in the open source community to understand what OpenSSF is doing.
F
Yes, I do. We had a great, actually a really good, meeting on Friday. Rob was able to present a better look at the dashboard. In general, we had a great conversation around some of the features that we'd like to have added to the dashboard, and a little bit more content in some areas.
F
Also, we had a discussion about the potential to request funding for its maintenance and upkeep once we do have something that's ready and workable and put into production. So, like I said, a great meeting as far as that's concerned. We'll have a follow-up where we're looking at more features. We also have additional help with a lot of the work.
F
In a really good place to get something before the working group here pretty shortly.
A
Okay, great, thank you. So Luigi is not here, so I don't think anybody is doing a Security Insights update. Is Amir here? Oh, Amir is here, so, I mean, anything about security reviews?
A
So I want to introduce, or maybe start a conversation on, a specific topic, since others are not volunteering, so I mean I can start. So Yesenia and I...
A
We have been thinking of doing a survey, a large-scale survey of open source maintainers, and this is to focus on what is a good way of interacting with them. Specifically, we're focusing on the vulnerability management issue, and what is a good way of working between, or creating a better synergy between, external researchers and project maintainers, so that things get done quickly and in a manner that is satisfactory, and it's a happy incident for both parties.
A
So when the mini summit happened, there was a survey that was done, and that survey had some questions that were talking about specific practices that the maintainers do, like: do they use tools, do they have a dedicated security team and how often do they meet, what happens if there is a security incident, and how do they react when some vulnerabilities are reported, and so on? So there were different topics that were covered by Yesenia and myself.
A
We were planning to do a focused survey on that, and so right now it's in the planning phase. We're working with... Yesenia is connecting with CRob to also get his feedback regarding this, but at some point, maybe in the next meeting or so, we'll share the framing of the survey, and we would appreciate opinions from other people regarding this, or if you have any thoughts on whether this kind of survey has been done.
A
Is it a good idea? Is this the right place for doing this, etc.? Any opinions? I mean, we would appreciate it, now or later.
E
Okay, all right, if that's the case, you might want to talk very much with LF Research; we've got a whole... we've got a little department that does that. So.
E
I think so, but, you know, I don't know if that... I mean, you know, much depends on details, but certainly I would encourage you to take a look and see if that would be a helpful direction.
A
Yeah, so the survey that was done during the mini summit, even though we got not a lot of responses, like seven or eight in total out of the 17 practitioners, 16 practitioners or 16 maintainers who were there, so, yeah, roughly about 40 percent responded, but even there, what was evident, or a theme that was emerging, was, at least like those six, I
A
think there's only one or two... out of those responses, only one or two projects had a dedicated security team, and so during the conversation at the mini summit, in the room where you were and in our room also, one of the themes that was emerging was that many of these projects actually started very simple or very small, but they have now been... because fame happened and adoption happened.
A
That was one of the themes that was emerging, and we're going to look more into what was there, but I mean these are interesting insights that we can ask the large open source community and get, and that can be aligned with the OpenSSF agenda and so on, and it can be part of even the planning, etc., that you guys are doing, so it can have interesting ramifications as well.
A
Yeah, I was telling Michael that, because many of the regulars are not present, it might be a short meeting, and I'm not very good at filling the void, so I appreciate it.
G
I appreciate you stepping in to lead this call, so thanks for doing that.
A
Okay, I guess if we don't have anything, I mean we get about 45 minutes that we can get back in our lives and do stuff, so.