►
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
A
E
C
A
A
D
I
mean
hi
Michael
I
can
start
with
the
the
virtual
Summit
yeah
awesome.
So
we
had
a
toxicity
right.
I
mean
we
were
unsure
about
like
whether
we
would
be
able
to
have
a
critical
mass
of
people
sure
but
I
mean
so.
What
we
have
been
doing
for
the
past
one
week
was
actually
personally
connecting
with
the
people
whom
we
have
reached
before,
and
they
were
kind
of
sitting
on
the
fences
haven't
committed
and
like
get
a
confirmation
from
them.
D
So
with
that,
like
gorilla
effort,
we
have
right
now
have
gotten
acceptance
from
I,
think
14
or
15
maintainers
and
the
rest
of
us
I
mean
you
will
also
get
an
invite
and
as
well
as
the
the
other
participants.
Yes
and
yeah,
also
suggested
that
that
she
also
wants
to
participate
in
that
event.
So,
together
we'll
have
about
20
something
people,
it's
not
gonna,
be
a
friend
but
I
mean
it's
gonna
happen
at
least
that's
the.
A
D
D
That
kind
of
gives
us
some
data
point
that
we
can
use
during
the
conversation
we
have
also
connected
with
the
moderators
I
mean
initially
we
thought
of
four
breakout
sessions,
but
because
the
participant
size
is
lower,
we
now
have
two
breakout
sessions,
so
crop
and
Bob
Callaway
would
be
like
we
have
connected
with
them.
We
have
previously
asked
like
David
to
be
there
I
mean,
but
because,
like
we,
we
have
like
downsized
a
little
bit.
D
So
that's
why
we're
limiting
it
to
two
people
and
I
I
guess
like
David,
might
appreciate
the
I
mean
you're,
welcome
to
show
up,
of
course,
and
and
but
I
mean
you
don't
have
to
like
be
burdened
with
with
an
extra
Duty.
So
so
that's
that
and
yeah
I
mean
Karim
said
that
he
knows
how
to
set
this
thing
up
in
Zoom,
so
that
we
can
have
like
a
group
session,
then
break
out
and
then
come
back
together.
D
D
E
E
A
I'm
just
going
to
keep
talking
and
pretend
that
all
is
not
Fubar
yeah.
So
so
that
sounds
great,
so
I
do
want
to
give
you
a
heads
up.
I
am
on
vacation
next
week
and
I
believe
at
10.
30
I'm
actually
like
in
we're
a
long
story.
We're
building
a
house,
so
we're
like
picking
out
stuff
so
I
probably
will
not
be
able
to
make
it
at
all
for
that
date.
But
please
please,
like
have
a
great
time
and
I
will
be
with
you
in
spirit
sure,
cool.
A
D
That
could
that
could
be
done.
I
mean
we.
We
welcome
more
participation.
Even
at
this
I
mean
the
more
the
better.
So
we
can
just
connect.
I
mean
right
now
we
are
the
the
basically
the
flow
is
that
I'm,
connecting
personally
with
people
when
I
get
the
acceptance,
I
pass
them
to
and
he's
just
like
sending
them.
The
calendar
invites
that's
basically
that's
that
that
works.
A
B
Things
are
going
well,
we
we
did
hit
just
just
a
a
small
bump,
and
that
was
really
due
to
competing
priorities.
You
know
in
our
in
our
individual
work
efforts
for
our
respective
employers
so
so
that
there
were,
there
was
a
just
a
bump
there,
but
we're
back
on
track.
What
what
we're
working
on
now
is.
The
new
features
that
we
are
that
we
had
in
open
from
from
December
you
know
Rob
is
is
currently
working
on
those,
so
that
we
can.
B
We
can,
as
I
say,
look
at
look
at
those.
What
we
want
to
do
for
the
working
group,
though,
is,
is
get
a
working
demo
together.
So
that's
what
we're
actively
pushing
towards
so
that
we
can
bring
a
a
solid
demo
here
to
the
to
the
working
group.
Hopefully
you
know
in
the
next
in
the
next
couple
of
a
couple
of
Cycles
right
next
couple
next
couple
of
meetings.
B
A
B
Okay,
you
know
we
could
begin
having
those
discussions
and
I.
Guess
too,
we
can
add
that
to
we
can
add
that
to
to
the
agenda
as
a
general
items
to
discuss
and
I'll
even
well.
I'll
even
add
that
even
add
that
in
here
for
for
our
next
meeting
to
begin
discussing
that,
especially
since
he's
working
on
the
mock-up
and
then
the
demo
I
can
ask
just
at
a
high
level
how
much
you
know
budget
wise.
Do
we
think
we'll
need
and
then
we'll
bring
that
back
to
the
working
group.
Very
good.
E
C
E
Heard
that
I
might
be
talking
about
him,
so
you
know
I
think
that
if,
if
people
are
starting
to
get
worried
about
funding
that
doesn't
mean
that
that
that
kills
this
it
just
means
we
need
to
escape.
We
may
need
to
control
the
scale
a
little
more
carefully
and
I.
Think
that's
totally
doable.
You
know,
oh
okay,
maybe
we
don't
you
know
have.
Maybe
we
don't
try
to
reproduce
every
every
build
on
the
first
version
of
metrics.
C
C
E
F
That
was
me
David
I,
just
thought
I
would
quickly.
Add
it
on
I
was
just
reviewing
the
notes
from
the
last
meeting
and
my
apologies
for
not
being
able
to
make
the
last
few
just
the
timing.
Just
did
not
work
out,
but
I
see
that
there
were
some
questions
about
uploading.
All
of
the
individual
reviews
from
the
impact
report
onto
the
onto
the
security
reviews.
Dashboard
I
was
able
to
see
this
table
that
generates
that
has
all
the
reviews
and
I
think
it
looks
fantastic.
F
So
I
would
be
happy
to
I
think
because
we
got
the
kind
of
the
the
template
thing
fixed,
which
was
giving
me
some
problems
last
year,
but
I
think
now
that
that's
fixed
I'll
I
will
upload
the
the
individual
projects
into
the
repo
so
that
those
are
easily
you
know
viewable
and
indexable
and
I
also
just
saw
from
the
notes
talking
about
incorporating
this
into
the
scorecards
project
and
I
just
want
to
go
ahead
and
and
suggest
that
I
think
that's
a
great
idea,
I
really
liked.
How
are.
C
F
I
mean
I
could
see
both
working
I
actually
was
just
about
to
say
that
I
thought
it
worked
really
well
with
that
initial
metrics
dashboard
that
we
had
the
metrics.openssf.org,
so
I
think
the
more
that
this
information
can
be
integrated
into
other
things
that
you
know
give
insight
into.
You
know
the
workings
of
a
project
then
I
think
all
the
better.
E
E
G
G
With
like
I
mean
one
of
the
ways
that
you
could
do,
that
is
by
buying
a
domain
that,
like
mirrors
githubs,
so
in
basically
that
so
like
let's
say
github.com
right,
you
just
add
like
OSS
best,
like
you
know,
oh
oaf,
like
osbestpractices.org
at
the
beginning
of
that
domain,
and
it
would
resolve
to
a
site
that
served
that
content.
So
you
just
like
you
all
you
need
to
do
is
mess
with
your
your
your
browser
window
a
little
bit.
G
E
A
Well
so
so
I
mean
the
the
reviews
themselves
have
package
URLs
or
the
the
essence
of
the
thing
that
the
review
is
tied
to,
and
that
doesn't
work
well
for
everything
and
but
for
a
lot
of
things
it
does
so
if
you
knew
that
you
were
doing
one
of
npm
left
pad
so
package
npm
left
pad
and
then
rely
on
GitHub
code
search
to
find
that
in
the
repo
that
might
be.
That
might
be
good
enough
for
most
now.
G
E
A
Are
yeah
it's
like
package,
generic
and
blah
to
refer
to
like
things
that
don't
make
sense,
and
that
was
our
our
like.
We
need
to
like
fit
it
into
a
package
URL,
because
package
will
like
they
are
verified.
They
are,
are
validated
to
be
like
syntactically
correct,
but
there's
no
standard
for
like
I've,
got
a
random
web
page.
What's
the
package
URL
for
that,
like.
A
A
C
E
E
E
E
C
A
Or
well
yeah,
so
you
could
also
add
it
on
your
end.
Have
a
maybe
that's
what
you
just
said
but
like
when
you,
when
you
provide
a
project
to
best
practices.
In
addition
to
home,
page
and
repo,
you
say
what
package
arrows
are
you
distributed
under,
which
sounds
a
little
bit
like
the
security
insights
yeah
almost
spec,
yes,.
E
C
C
E
A
E
E
E
A
E
A
C
F
A
So
what
I
guess
for
okay,
so
so
for
for
Security
reviews
as
part
of
AO
we're
going
to
be
generating
these
assertions
assertion
is
a
fact,
like
you
know,
when
code
ql
ran,
it
found
zero,
critical
issues
in
this
thing,
we're
gonna,
save
those
assertions
and
then
run
policy
against
them.
Saying
we
think
a
reasonable
policy
is
that
code.
A
So
that
was
that
was
my
my
first
point
and
then
the
second
was:
let's
do
the
same
thing
and
have
it
exposed
through
the
metrics,
dashboard
and
I.
Don't
have
a
strong
opinion
on
whether
it
should
go
like
assertions
to
Security
reviews
to
dashboard
or
assertions
to
both
or
what,
but
you
know,
I
I
think
having
those
two
tied
together
would
be
interesting.
A
F
You
know
business
I,
can't
think
of
the
word
right
now,
but
but
yeah
we
would
have
you
know,
essentially
what
was
called
like
the
standards,
the
III
standards,
The
Institute
of
internal
auditor,
like
standards
that
you
basically
use
as
your
backbone
and
then
you
basically
publish
you
know
as
part
of
a
of
an
internal
audit
report,
what
we
would
call
like
reasonable
Assurance.
So
you
know
it
was
you
know?
F
If
something
was
you
know
if
controls
are
if
you're,
if
you
have
enough
evidence,
basically
that
they
are
following,
you
know
these
certain
standards
you
can.
You
know
say
that
you
know
we
found
that
there
was
reasonable
assurance
that
you
know
these
security
controls
are
being
followed
and
what
have
you
so
something
like
that
is
certainly
possible.
I
think
you
know
there
is
enough
resources
out.
There
I
mean
I.
Think
of
a
lot
of
the
the
the
the
Publications,
for
example,
that
the
audit
teams
that
we
work
with
use.
F
You
know
they
use
a
lot
of
stuff
from
nist
and
a
lot
of
stuff
that
comes
out
of
the
EU
government
and
I.
Think
it's
digit,
for
example,
so
I
mean
something
like
that.
I
think,
especially
more
like
mid
to
long
term,
especially
as
we
do
more
of
these,
and
at
more
scale,
as
you
mentioned,
is
something
worth
visiting
and
talking
about.
F
Even
if
it's
you
know
something
pretty
Bare
Bones,
you
know
just
saying
like
we
generally,
you
know
use
these
things
as
our
you
know,
guidance
for
example.
You
know
there's
plenty
of
good
resources
out
there
and
and
then
you
know,
come
up
with
kind
of
some
I
guess
somewhat
standardized
language
on.
You
know
how
the
assertions
can
look
and
yeah
I.
F
Think
it's
a
I
think
it's
a
good
idea,
especially
like
you
said
over
time,
as
we
do
more
and
and
kind
of
start
to,
because
one
thing
I've
noticed,
at
least
in
my
personal
experience
with
with
auditing
open
source
projects,
is
that
you
know
no.
Two
projects
are
ever
the
same:
there's
never
like
a
standard
like
template.
We
apply
that
works
for
everybody.
You
know
I,
so
I
think
that
makes
it
a
little
harder
But,
but.
A
So
I
I
think
we
might
be
talking
about
a
slightly
different
things.
The
assurance
assertions
that
I'm
referring
to
are
the
fully
automated
ones,
so
you
basically
run
you
run.
You
know
n
number
of
tools
and
when
the
tools
all
show
effectively
nothing
interesting,
there's
nothing
to
triage.
Therefore,
you
can
make
a
statement
of
that
fact
without
having
to
have
eyeballs
on
it,
so
we're
only
going
to
get
a
subset
of
Open
Source.
A
That
will
be
able
to
make
interesting
assertions
on
or
we'll
be
able
to
make
this
code
that
this
package
looks
clean
assertions
on
the
rest.
The
best
we'll
be
able
to
do
is
a
tool
showed
something,
but
no
one
has
looked
at
it,
assertions
which
we
need
to
talk
more
about
like
what
that
you
know
like
what
that
means
and
what
evidence
we
provide
and
all.
A
F
A
And
the
the
summarized
results
you
know
showed
for
for
this
one
in
particular
it
was
it
was,
you
know
when
code
12
ran,
there
were
zero
results
like
it
ran
successfully,
but
and
nothing
was
found,
detect
Secrets
found
nothing,
no
jscan
found
nothing.
Simgraph
found
nothing,
we
were
able
to
rebuild
it
and
when
we
checked
I
think
osv
or
that's
Dev,
there
were
no
vulnerabilities
found
so.
A
F
F
E
B
Oh
yeah,
what
I
wanted
to
do
is
I
wanted
to
as
a
as
a
caveat
to
what
mayor
was
talking
about
and
then
what
what
you
displayed
I
I
think.
Ultimately,
as
far
as
reviews
go
there
that
language
so
as
an
example
to
kind
of
bridge
between
what
Amir
was
saying
and
what
what
you
displayed,
even
even
in
instances
and
in
the
mirror,
I'm
saying
this,
because
I
too
worked
in
the
internal
audit.
B
B
As
a
caveat
to
what
you
were
saying
and
then
and
of
course
well,
Mike
is
even
in
the
instance
where
you
ran
a
tool
and
this
tool
has
said
that
this
thing
passed
and
you
can
provide
that
level
of
assurance
that,
because
of
what
was
ran
on
this
tool,
we
can
safely
say
or
or
within
whatever
degree
of
standard
deviation.
I
don't
know.
I
should
say
that
this
past
that
language
should
still
be
standardized
right.
A
A
B
That
would
probably
be
that's
standardized
that
standardized
wording
for
instances
like
that
kind
of
assurance.
When
you
ran
that
tool
right,
there
could
be
a
section
that
says
in
an
instance
where
tools
are
random.
I
know
the
wording
is:
is
the
babe
I'm
not
going
to
go
over
the
wording,
but
what
produce?
What
gets
produces
this
document?
That
says
this?
That
says
these
specific
things
based
on
this
specific
criteria
right
and
that's,
and
that
can
be
improved
over
time.
B
That's
a
working
document
that
can
change
over
time
right,
but
perhaps
something
like
that
does
need
to
be
created
if
these
type
of
reviews,
these
type
of
artists
and
then
these
type
of
assurances
are
being
made
at
scale.
Perhaps
we
do
need
to
provide
some
type
of
standardization
like,
for
instance,
stuff.
That's
done
through
the
eye,
because
then
we
can
audit
the
audit
process,
which
and
Amir
knows
this.
B
I
can't
remember
what
it's
called
the
mayor.
Freshman
I
can't
remember
what
it's
called,
but
you
actually
pull
out
audit
reports
and
then
do
an
audit
of
the
audit
practices.
If
you
can
look
at
a
report
and
take
that
report,
pull
out
and
know
exactly
the
steps
that
were
taken
to
to
reach
that
conclusion,
then
that
report
successful.
If
you
cannot,
then
there
are
things
missing
and
I
can't
remember
what
that's
called
in.
There
is.
B
F
A
A
E
A
A
All
reproducible,
anyway,
practically
by
definition,
because
we're
doing
this
in
the
standards
tool
chain
that
we
are
releasing
with
the
standard
tools
that
we've
released,
so
you
should
be
able
to
produce
modulo
a
signature,
The
Identical
assertion
that
we
that
we
produce.
So,
if
that's
not
true
like
nothing,
is
perfect,
like
you
know,
there
are
like
non
actually
non-reproducible
things
out
there,
but
the
evaluation
of
it
should
be
98,
99
reproducible
so
well,.
E
A
No,
no,
but
there's
no
analyst
here
it.
It
is
just
with
the
tool
came
out
with
so
so
you
know
running
running
okay
tool
version
X
against
package.
Version
Y
in
this
kind
of
standardish
environment
should
give
eight
results
today
and
eight
results
tomorrow
and
eight
results
the
next
day
and
that
that's
the
kind
of
reproduction
that
I
been
referring
to.
Okay,
okay,
cool,
okay,
I
think:
we've
talked
a
lot
about
all
of
that
Luigi
anything
on
security,
insights
that
you'd
like
to
talk
about.
H
Yeah,
a
short
update,
I
am
presented
the
well
the
situation
in
some
project
that
we
have,
that
don't
doesn't
have
I
mean
they
don't
have
a
security
policy
during
the
last
stack
meeting.
So
now,
I
am
involved
in
discussion,
slash
yeah
in
the
discussion
to
write
a
security
policy
that
we
can
use
for
the
organization,
or
at
least
some
project
or
key
project
yeah.
H
E
H
We
can,
but
the
some
projects
maybe
want
to
have
their
own
email
or
contact
technically,
it's
very
easy
to
solve
this
problem,
but
not
for
the
reception,
because
we
can
use
just
hey
encrypt
your
email
with
this
part
with
this
public
key
every
project
has
a
different
public
key,
but
no
one
wants
to
encrypt
them.
Yeah.
A
H
G
Like
any
of
these
vulnerabilities
accidentally,
getting
like
like
a
project,
maintainers
have
stopped
working
on
it.
The
tech
hasn't
figured
out
what
to
do
with
it.
They're
they're
ending
up
being
like
a
black
hole
that
these
these
reports
go
into
and
nobody
responds
to
them,
and
that
looks
so.
The
the
risk
is
not.
G
A
A
H
H
G
A
G
G
G
G
G
G
G
No,
no!
That's
why
that's
why
I've
been
making
this
very
clear?
This
is
not
the
same
thing
as
what
you're
doing
this
is
very
much
not
the
same
thing.
That's
why
I
don't
I
want
this
to
be
a
separate
issue.
This
is
for
vulnerabilities
that
that
primarily
Alpha
Omega,
but
any
other
open
source
software
Foundation
working
group,
May,
identify.
G
G
Are
disclosing
the
vulnerability?
This
is
our
policy.
This
is
our
policy.
No,
no!
It's
not
it's,
not
our
reporting
policy.
This
is
our
policy
on
how
we
will
disclose
a
vulnerability
after
a
set
of
conditions
are
met
either
the
report
has
been
fixed
or
the
maintainer
has
dropped.
The
ball
like
this
is
the
policy
that
we
will
use
to
disclose
a
vulnerability,
not
report.
It.
A
G
A
A
G
Should
be
consistent
with
the
policy
of
receiving
vulnerabilities
I.E
like
they're,
the
way
that
we
report
vulnerabilities
should
not
like
if
I
am
reporting
a
vulnerability
to
an
open
source
security
Foundation
project,
it
should
not
be
incompatible
with
the
outgoing
policy
right
like
there
should
be
there
that
they
should
be
compatible
with
one
another.
Otherwise,
if
that
looks
stupid,.
A
C
A
G
E
G
H
E
G
G
E
G
E
G
E
C
G
I
I
think
the
the
the
the
the
rationale
that
I
heard
from
somewhere
is
either
my
conversation
with
Katie
or
someone
else.
The
reason
it's
90
days
is
because
Microsoft
originally
couldn't
get
vulnerabilities
fixed
that
fast
and
So.
Eventually,
Microsoft
really
announced,
what's
called
Patch,
Tuesday
and
Patch
Tuesday
is
once
a
month,
and
so
90-day
policy
gave
Microsoft
three
patch
Tuesdays
to
get
a
fix
out
for
a
security
effects
before
project
zero
in
public
with
a
vulnerability,
and
so
that's
why?
And
because
a
lot
of
the
vulnerabilities
that
project
zero
finds
is
in
Microsoft
stuff.
G
That's
the
policy,
they
kind
of
catered
it
to
you
know
Microsoft.
You
know
they.
There
was
a
lot
of
juggling
back
and
forth
between
Microsoft
I
mean
originally
Microsoft
hated
Google
dropping
o
days
on
them
like
there
was
a
lot
that
you
know
it
ended
up
in
I.
Think
the
project
zero
was
dropping
o
days
on
Microsoft,
ended
up
being
a
topic
as
a
part
of
a
congressional
hearing,
because
some
people
got
pissed
at
some
like
marketing.
People
at
Microsoft
got
pissed
at
at
just
project
zero
for
doing
that
to
them.
A
Just
wanted
one
more
important
point
for
the
stock.
The
automated
part
is
the
really
important
part,
so
so
so
yeah
I
think
it's
gonna
find
10,
000,
zip
slip
or
whatever
vulnerabilities.
In
the
thing,
the
idea
of
manually
contacting
and
engaging
each
of
ten
thousand
is
not
feasible.
So
the
purpose
of
the
automated
thing
is
for
certain
classes
of
vulnerability.
When
they're
done
at
scale,
is
there
a
way
to
do
it
without
manual
effort
per
project?
That's.