Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: There we go. Cool, welcome everybody to the September 29th Identifying Security Threats working group meeting. Thank you all for being here. A couple things I wanted to just include, but, you know, obviously we can talk about lots of other things, or today might just be a short meeting. So, status of Alpha-Omega, and actually, Ryan, maybe you can help me out with this, because I don't know if we reached the threshold on TAC votes, but we're close, yeah. I think we're...
B: Okay, with Dan's approval, yeah, I believe that takes us to four. So that's the simple majority now, so yeah. I need to send a mail to officially approve it to the governing board and then let them take it from there, but yeah. It was a little washy there with everybody, these extra stipulations, but I think we got it. I think we're there now.
A: Perfect, yeah. And I am, you know, for the record, I'm totally on board with obeying those caveats, because I think those are all the right things to do anyway. So yeah, absolutely, yeah, no worries there at all. Cool. So I will get rid of this question mark and we'll say... well, I don't know if it'll be approval, but at least it'll definitely be in October.
A: Yeah, it'll be interesting regarding, you know, how much of this is like... so my understanding from some other conversations was, like, where money would actually flow from, whether it would be, you know, kind of dollars projected towards this project separately, or they would come through member dues, and which comes first and all that stuff. So we'll work that all out.
A: Yeah, awesome. And then, assuming that happens, then, you know, public announce along with everything else in early November.

A: Cool, I don't know, did anybody have any questions on anything around Alpha-Omega?
A: Oh no, no, it is definitely not done, honestly. It's just been slightly lower priority. It's been like priority two, underneath actually getting the whole thing approved or getting the whole product moving. What I'm imagining will happen is, depending on what budget gets approved for the project, we'll have to kind of work backwards and say how many can we do, how many are already being covered by Google's... the thing that they announced two weeks ago?

A: I guess because obviously we're not gonna, you know, fund the same project work twice and things like that for calendar 2022.

A: I would not be surprised if the budget is available to do fewer than we want, but still a good representative sample. So I don't know if that's 10 or 20 or 30, but it probably won't be 100. I could be wrong, but, you know, that's my guess at this point. So yeah, we are going to need to, like, churn and bubble up to the top the most important things.
A: Yeah, so we have what, ten, nine responses, and these are all good. Actually this is a real... this is what I was hoping for, is like, you know, a good list like that, yeah. And then we said, and then we probably have OpenSSF members vote on the ones that they think are most important. So we kind of see where it kind of just naturally bubbles. So yeah, we absolutely need to do.
A: Cool, but see, I did one more thing for particularly Omega. I met with Shubra, who runs the... I guess he's director of product for the Linux Foundation, so he owns the technology that runs all the I love stuff. He has a platform called LFX, so this is LFX Security and it does a bunch of things.
A: They have an integration with Snyk and they have, I think, 100 and something projects kind of listed, and they give kind of security... no, metrics, actually, around them. So we had a conversation on two angles. One is, you know: hey, the OpenSSF metrics dashboard, maybe that should ultimately be collapsed into the LFX platform. That would require the LFX platform to expand out to many more projects, so that's one area, and then the other area was...
A: Have the LFX platform be extended to become the Omega triage portal. And the nice thing about there is he has designers and a dev team and support, and, like, he has the whole, all the infrastructure, and, you know, seems super willing to work with us to come up with something that really makes sense. So I'm working on some wireframes. Let me actually find a link to the wireframe so we can send it.
A: Okay, the overall, like, what it should look like, and, you know, how you'd be able to have some sort of a discussion board and case creation, and we'd probably want to ultimately push that out to VINCE or HackerOne or something like that.

A: Filtering severities and all sorts of stuff. So welcome to give this a look, super happy to collaborate on this. I don't want to go too far out before we get budgeting, but I wanted to kind of...
A: ...Know, honestly, I'm not sure, because, like, I know that I'm not a designer, so whatever I make it look like should not, hopefully not, be what it actually ends up looking like. I guess what I'm mostly concerned about is: what are the core features that a triage portal will need to have in order to make everything, you know, efficient? So the idea of, like, what would the false positive flow be, or what should it look like?
A: So, you know, tool finds a thing. It ultimately lands in a database thing somewhere. A triager sees it, gets angry because it's such bad quality, does a thing, and then an engineer does a thing, and then those issues never appear again, like, and how do we do that for you? I think the efficiency part is the hard part, and I think the other one that I don't know how to represent is: this particular finding applies to 310 versions of this open source component.
A: Yeah, and I tried using Figma, and Figma seemed like Photoshop, like you start with bits, yeah. So I just did Balsamiq because it has stencils and stuff, and it just... after a couple hours I was like, nope, I don't want to do this for the rest of my life.

A: Cool, okay! So that's that.
A: So, next one, security.yaml. So I think in the last meeting Amir volunteered to kind of take this one and start driving it. We had a discussion afterwards on, like, you know, is this taking a hard problem and... is this taking an easy problem and turning it into a really hard problem? Like, so one, you know, question, like...

A: ...80 percent of the problem, and so, and I don't know the answer to it. I'm happy to, you know... well, if we collectively think that we should, you know, go down the route that we have been.
C: There is some information related to the project that can help a lot, and I don't know if we want to proceed in this way. We need to discuss, of course, but yes, the YAML is a good... it is a good approach because it is a human-readable format, but you can also convert it to JSON or analyze it using a machine, yeah, and...

C: Especially if it will be a standard. Maybe we want to improve it, changing the standard, adding new paradigms or new values, and probably it's not just the contact. Maybe in the first version it is a sort of security.txt plus some information related to the project, but in the future, if other scanners become popular or similar, maybe it is more than just a contact file. Yeah.
A: Cool, so I mean, I guess, as far as kind of where you want to go from here, like...
C: Well, at the moment there is a good draft document. I have other comments. I have some suggestions, probably, but we need to define if we need a new working group for creating a new standard, and we need to decide if we want to create a real new standard.

C: So we work to create a YAML definition, a YAML standard, and then we propose an RFC, because, for example, security.txt is an RFC. And if so, I have created a document with the next steps, just to create, for example, a mailing list, a Slack group, ncs locker channel. Sorry, and I have the document here. I can invite it by email then, but at the moment it is just a public link and...

C: And yes, if we want to create a new working group to work on the security.yaml or a security standard that open source projects can easily add to the project, probably it is a good idea, because the SECURITY.md is a good standard, but every project writes it in a different way. So, but we need to find new members. This is a problem, probably, yeah, because I can work alone, of course, but it's not a good idea, in my opinion, and yeah.
A: I mean, feel free to post all over Slack and try to get folks interested that way. It probably would also be good to tee this up, as... so in November, when we do the town hall and the kind of the re... I don't know if there's, like, a theme phrase I should be saying, but, like, you know, OpenSSF 2.0. As part of that it probably would be good to have the list of new projects that are in kind of incubation, and I think this would be a great... yes.
C: If it is okay for you, I can continue to write on the security.yaml document that David created two weeks ago, from memory, or one month ago, just to be sure about something. I have added some comments, but probably, if I share it in general in some working group, some other people can add their ideas and comments, and just propose it to the town hall. It can be a good point, so maybe we can define how to proceed, especially probably this project.

C: If we want to create a new standard, we need a new working group.

C: I mean, it's not necessary. I will write... technically, yes, it's just a project, but we need to... It is a new project, so we need to schedule a... well, yeah, exactly.
A: I mean, I think, just talking through it, I should be... I mean, seeing the example might help make it concrete. But it's up to you.
A: Cool, last one for me that I had was just trying to recruit new working group members. So if you guys know anybody that you think would be good for this, feel free to reach out. It doesn't need to go through any official channel. Just, you know, invite them, point them to the calendar link, you know.

A: I have a feeling that we'll get a bump in November with the press from that, but until then it would be good to kind of reinvent great things, or, if you guys have feedback on why...
B: Yeah, I mean, I think we've been seeing some dwindling numbers across the working groups lately, unfortunately. It's not unique to just this one, but certainly other ones do still have more activity, and I think having something to rally around project-wise is useful. I know some of the other ones that have activity, at least with the core members that are recurring, you know, going and things like that, they're vested in some sort of project. So I think Alpha could help with that. The security.yaml thing could help with that.

B: Certainly the metrics dashboard, if we have, like, an actual vision for how we're gonna do that migration, and if we're gonna coordinate with this other group. Like, if we can have some concrete things that we can kind of help go recruit based on, that could be useful. I think that might have some interest.
C: Yeah, and I mean, I don't know, just a question, but do you think that this project being a security-oriented project, maybe we are losing some good tech people that are not security engineers or not in the security field, but they are good? Maybe they are good developers. They follow some best practices, or they can give a good contribution also if they are not security experts.
B: I think it's a valid point, though. Like, I haven't really thought about that, but, like, this group is certainly security-oriented, right, and that's the focus of it. A lot of the help that we need doesn't have a whole lot to do with security or actual security analysis, and yeah. Maybe that upfront intimidation is keeping some people from looking into it more, because, like you said, we just kind of need developers for a lot of this.
A: For most people on the working group, across all of the OpenSSF working groups, I'd be curious to know what the distribution is of the number of, let's say, hours a week that they put into purely OpenSSF work, and I would imagine it's super hockey-stick shaped, where you have a very small number of people that are putting in a very significant portion of their job, and these are people that, I think, either what they do for OpenSSF overlaps very much with their day job, or their day...
A: I hope that we get folks that are like, yeah, we're gonna drive this thing. And I think that kind of was, in my mind, one of the drivers behind: we just need to have funds available so that we can hire full-time, you know, or contractors or whatnot, and that way there is, you know, 40 hours a week of work. But that's just what the topic could...
B: This is the thing I need you to go do. Don't worry about the rest, but, like, this is the task, right? If you've got time, go do that. Like, I don't know if it's just creating granular GitHub issues and saying, hey, go party on this if you've got time, type thing, or, you know, how we could do that so that it just lowers the barrier to entry a little bit. Yeah, also to appeal to, quote, non-security folks as well, right.
A: Folks involved, exactly. And I mean, I guess, if the pool were larger, then, I mean, whatever, you know, 99-1 or whatever the kind of breakdown is of, you know, lurkers versus somewhat participants versus core maintainers, you know, you need to have, like, 100 people involved before you, like, naturally mine a core contributor out of it. Yep, so we just need to make the pool bigger.
A: Putting out a, I don't know, like a... something that would make it really clear that, like, as a member of OpenSSF, you are expected, like maybe perhaps not required, but we do expect you to show up and participate. That this isn't an organization where you get a badge, you put the badge on your laptop and people just high-five you. Like, you need to show up. You need to do stuff, because just looking at the... where is it, there are...
A: Oh, I saw this somewhere. Look at, see, like, how many people are in this Slack channel, and show channel to open channel details. Yeah, there's 400 members in general, like, you know, and I think there's maybe 20 that have written a message. Be super pessimistic on, like, you know, all the stuff, but, like...

A: It would be good to be able to kind of squeeze more juice from the fruit, or whatever.
A: It's also interesting, because we do have a lot of security vendors that are members of OpenSSF that I've never seen in any meeting. And I wonder if that's...

A: Another opportunity that we should lean on and say, hey, like, you know, go after the organizations that this is their day job, is, like, advancing this kind of stuff, and have them more actively participate anyway.
A: Cool, that's all I have. Yes, everybody else, you want to talk about...?
D: No clue. I, by the way, sorry, I just, I've been, like, just kind of trying to listen and rack my mind for kind of ideas and stuff too. I agree with pretty much everything that has been said. It's, like, hard to drive. I just don't want to repeat exactly what's been said, but, like, just, it is hard to drive kind of, like, membership without some kind of, I don't know, deeper core incentive. I agree, like the lower barriers, something like that.
A: I mean, I almost feel like we need, like, a Twitter celebrity to be like, hey guys. This is... it's really just about getting, like, spreading the message wide enough so that the folks that are already interested but just not aware, like, hear about it, I think.
D: Yeah, maybe, like, it's almost like a market, like an advertisement. Like people want to, like... maybe there has to be, like, I don't know, in my mind, like maybe like a core-driven kind of, like, why? Like what can, as a person, like what would, like, what can you get out of it, either?

D: I see it as, like, a learning opportunity, almost like a... some kind of, not like a class, but, like, or a networking, like something where, you know, you'll be able to interact with people across so many different organizations. You get projects under your, like, stuff. Like, I don't know, I think it has to be, like, I think, the message of, like, what you are given or what is provided, in terms of, if we're looking to, like, recruit people and stuff, that could be a good kind...
D: My internship is, I mean, you know, honestly, where that interest kind of sparked for me, but I do, like, it's hard to envision. Like, I'm trying to envision, like, if I didn't have that experience of that internship and I saw this as a person, kind of, like, online or an opportunity, like, what would drive me to do that.
D: One thing with... yeah, I don't know, sorry, I just kind of was like a wishy-washy answer, but I don't know. I feel like I just kind of got, like, informally kind of drawn in, and it's awesome now, but yeah, I don't know. Does anyone else have thoughts? Luigi, how did... I don't remember how. How did you, like... did you kind of just see this working group, like, how did that happen for you, out of curiosity?
C: I joined before OpenSSF. I joined when there was this activity led by GitHub, and then the GitHub group, or the GitHub activity, has been merged into this Linux Foundation project, and well, I joined because my manager convinced me, and it was an interesting project, especially because security in open source is a mess, and in Arduino I had to improve the security of the third-party packages that the community offered to other ones, and saw probably working.
C: I mean, it was interesting to work on standards and some good best practices to communicate with the developers, and I continue to join the meeting because I like it, and well, Michael is a great manager, and I think that the first document that we have prepared, the threat modeling, is incredible. It is a really very... document.

C: I share it with my peers and with others and with my friends a lot of times, because it is a good, a really good, complete document to start to evaluate the security of open source projects. Then the dashboard is another good way to evaluate quickly the open source... they, to have an overview of the security of open source projects. And so I think that we are running in the right direction.

C: But at the same time, I think that we are not able to convince or to show really our work or products. And this is a problem, and I don't know if I have an answer to your question. But I tried, oh.
D: No, it totally answered my question. I think I agree on everything. Like, I think if people were to, like, just come, like, attempt, like, even once to just come in and drop in and listen to a meeting, I think that would make things a lot more interesting and, like, tangible, and I think again, like, the tangible aspect is really important.
D: They saw, like, the metrics dashboard page for, like, Kubernetes or, like, the, I don't know, some other kind of project that's in the works and that's being built, and, you know, be like, oh, like, you could be a part of this. Like, this is a great way to build your experience as a software developer. I think that's probably a better term than, like, security. Like, that'll probably draw a wider audience. Like, I think again, those were already mentioned, but, you know, just what will motivate people?
D: Right, like, people will probably want to do that. If we, like, you know, want to garner a larger audience, so, like, maybe some kind of advertising to show, like, how it could help someone progress in their career, and just in terms of, like, a project experience, like getting, you know, like, getting kind of on a conversation level with people from Microsoft and the Linux Foundation. You know, you can, like, name-drop a whole lot of stuff.
D: If you want, and so, you know, get to say, oh, you'll get experience. You'll get to build your resume. You'll get to be able to work with these people. Almost then you could, like, pull the class card, like, you know, you'll be able to learn a whole lot in this space and build your skills and this and that, and, you know, maybe that might get you a smaller kind of, like, a somewhat partially less experienced or ecology university audience.
D: I don't know, but it doesn't seem like we're super picky at the moment anyway. So I don't know, these are all... I just, like... that's my off-the-cuff, but that's, yeah. I don't know. Sometimes I tend to, like, tangent on too much, but so feel free to stop me if I do that again, but yeah.
C: Yes, I have a Twitter infrastruct celebrities. I am thinking about this. I agree that probably we need to try to convince them. I don't think it is difficult. At the same time, probably we need to better show the results that we have already obtained, and the disclosure policy or the OpenSSF metrics dashboard are good results. Maybe we can do it better, for example, but this is just a user opinion.

C: The metrics dashboard is cool, but it is based on Grafana, and maybe we want to improve the user experience or the design, and we need also contributions from tech people or people that have experience on design, but maybe they are not security... well, they have no experience in security, but they can contribute to have a better approach to the security in open source, because if security is not reason friendly, we have a problem.
D: And maybe, sorry, one more thing I just thought, Meg. Maybe it seems like the more closely we kind of drift towards, like, the existing foundations that have infrastructure and, like you said, with the project, like, I think it was LFX.

D: I think with the project, with the project metrics dashboard and stuff like that, it seems like the more closely we, like, float towards these kinds of organizations that can, like, help kind of get support and get people kind of affiliated and looped in, and maybe, like, you know, to the point where someone from that organization or group will, you know, attend our meetings more regularly and...

D: That might help. That might maybe, like, shift a little bit of our drive in terms of, like, some of the projects we want to work on, like, if we think that one project might have more overlap or possibility to engage in discussions with a particular organization or company. I'm not saying to just, you know, forget our own solo ideas or anything like that.

D: Just, like, to, I think, be opportunistic. In that standpoint, it can get us in, kind of, can connect us to a much larger circle in a lot of ways.
A: I added these down here. I don't know if there's other types of participants, other than these guys, that I think would be okay, because I think every team I've ever been on, I think, has admitted that they are terrible at marketing. And so, you know, the team, we always do really good stuff, but too few people hear about it and know about it and internalize it and pass it on, and things like that.

A: Like people that are passionate about telling the story behind, or just telling stories, because security is just a domain. I don't know how we find people like that, but there would be interest. I would love to have somebody that, you know, looked at all this stuff and said, yeah, but so security... you know, security.yaml, like, how are you going to make people want to use it, and approaching it from that complete other side, which is not my superpower.
B: Yeah, I think something you mentioned earlier was interesting. You know, like, I think kind of jokingly but semi-serious, about, you know, we need, like, a Twitter star. You know, so next week is the governing board meeting, and, you know, they're responsible for marketing and things like that. So I could certainly bring this up.
B: I could talk to K and see if it's a topic to bring up, and, but I know that, you know, our community representative on the governing board has a pretty large Twitter following, and, you know, they could... certainly, if they're open to it, we could ask and see if they're interested in helping to drive some of these, you know, more specific things.
B: You know, because I could totally see, like, a tweet going out from some other big following and saying, like, hey, want to participate in moving open source and security forward, but don't have any security experience? We need help with the following. Like, you know, that thing, and just get people to go, oh okay, cool! You know, I can do that, and yeah, security's cool, but I don't know anything about it.
B: Type thing, and we definitely have other, even kind of exec-level, people at various companies that are invested in OpenSSF and want to see it happen. Maybe we could get some of them to start doing some tweets and actually build a campaign around recruiting, yeah, around some of these initiatives. Not just saying, hey, look, here's the cool things we've done, but actually say, hey, come get involved, like, we really could use the help.
B: Do... yeah! So if you go to openssf.org, there at the top of the page is a Get Involved link, right up top to the right there, yep, yeah. So they actually drove getting a lot of this done some months back. Probably need to update it at this point, yeah, but...
D: Yeah, I mean, you can almost recruit as if it's, like, you know, like a... a paid kind of, you know, like you can put, like, you know, we're looking for this kind of... someone to fill this kind of role, and, you know, role responsibilities, but, like, skills, like, things like... and then projects, like, yeah, like the kind of projects we're working on. And then that way we can... what's cool about that is, if we kind of fill in, like, little roles or descriptions of things we need on this page...

D: That can make outreach pretty easy, because, you know, we can, like... we can take that and just, you know, highlight, all kind of copy. Like, you know, we could either send email people around or post stuff, and that makes it easy to kind of...
C: Projects, etc. And maybe, I don't know, but we need... I mean, the OpenSSF members, what usually people use or require or decide to investigate, a particular tool, approach or standard, if they see it in the important open source projects. So maybe we want to add in the README, or in something similar, the page or something similar. So people visit the Kubernetes page and they see that there is a little page related to OpenSSF or the link to the metrics dashboard or a similar one. I see Kubernetes.
A: Is there a... what are those little tiny GIFs that have, like, you know, coverage 80 or, like, number of stars 22, that people stick in their README file?
A: Cool, we are getting close to the top of the hour. This is a really good conversation. So thanks, everybody. Any last thoughts?
A: Perfect, yeah, I appreciate that very much, yeah, and let me know if you need any help with anything there, but obviously, yeah. I said you were gonna post some stuff in Slack to kind of recruit more people. I think it'll be good to get more eyes on it. Stuff.