Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: To September, but everybody's here. Let me make sure this actually works. Cool, awesome. I assume you guys can see the screen. So I do have a quick thing: I have to drop out about halfway through. So I was wondering if someone wouldn't mind running the rest of the meeting after that. I'll just drop and the meeting should just magically continue.

A: I think it will. Well, you know, if not, it'll be a short meeting today, but I think as long as I hit leave and not end meeting, it should. Thanks.

A: Cool. So yeah, the first thing that David, I think you added, was to talk about, you know, how do we index security audit reports so that they can be more searchable or consumable and stuff like that, but...

A: Oh, sorry, I think those are two different issues. One, I think... Okay, one was about, like, hey, it's great they have all these security reviews in a GitHub repo, but, like, how do I search? Was that it?

B: That's a different topic. Okay, all right! Yeah, that's, you know, that's a different topic. Yeah, tell me what... Look, we just talked briefly, but we didn't record it. So let me just quickly add to the agenda, just so we catch up the recording on what we already just said, which is we should include...

B: Sorry, folks, I'm trying to type and talk at the same time. Security... what was that? So, security feeds looking for malicious packages.

B: In the metrics.openssf.org dashboard. All right, now let's move on: how can we improve the index of security audit reports so the other tools, particularly the Scorecard... yeah, because the Scorecards also want to see that, and we have to solve that problem too.

B: So, basically, they wanted to make an easy way, you know, so that once you post something about a security audit, it's super easy to find it.

A: Okay, I thought...

A: API, yeah, and that's what I thought. So npm, yeah. We have one for left-pad. So here, if I do left-pad, and I do that, the question is: do I see the security review?

A: Yeah, security review? That's the content, that's all the other stuff. So yes, so they can. So this is the current, whatever, JSON REST API for left-pad.
B: Right, I think that's expressly what they want to avoid, and I would agree with them, yeah. So, all right, how's this one: since I'm the one who brought this up, why don't you just bring this up on the issue tracker itself?

D: No, no, no, not at all. No, the... like, the actual security review, like once they search, like once they, you know, use the JSON API, unless it's like they automate it in some kind of code. And so, yeah, like, for example, like I'm, like, reading... that is not very...

D: Because, yeah... oh yeah, that's true, yeah! You can literally just go on the metrics page and search and it'll just populate on that. Okay, sorry.

A: I love it. Next thing I want to talk about was this Alpha-Omega project, which I think last time we talked about at this meeting, it was just Omega, so we've added an Alpha. But I would... I think I am...

A: I should be on the agenda for the next governing board meeting, not the one that's happening tomorrow, but the one that's happening like a month or so from now. I would like that to be the point at which I literally ask for money to make this happen, so we have about a month.

A: In speaking with lots of different... like, I think, probably every working group now, and lots of other people, I think the changes are becoming less and less each time. So I think we're landing on something. I still don't know if, strategically, we want this to be a giant rock that OpenSSF invests in, because it's, you know, two more zeros than anything else, but I would love to get your opinion.

A: I think, Amir, I'm not sure that you've been in any meetings that I've presented this to, so I'd love to get your feedback, and I apologize if you've already given it to me, but I'm... it's just... Cool, I'll look it over. Cool.

A: You know, and some of it is clearly stuff that OSTIF kind of has muscle in, so look to see, get your thoughts there. And I tried to stay a bit away from implementation, like this is about what are we trying to get done, not who's doing it or even who's paying for it, and things like that. It's more like, at least on the Alpha side...

B: Yeah, and I suspect there will be better ways to do things, but the best way to learn anything is to try.

A: Yeah, right, right. And so actually, David, you know, I could use your thoughts on the best way to approach this from that perspective, with OpenSSF and Ryan youtube, you know, like, while there's some logic in asking it and not trying to go to the well twice, because I don't know what that larger number looks like with any confidence.

A: What I want to say is, you know, seed this for six months and here are options A, B, or C on how to do that, meaning we hire people; we, you know, hire a managed service, a vendor firm, to do it; or we try to pass around a hat to OpenSSF organizations and say, I need an engineer for six months, can you make that happen, and kind of do it voluntarily that way.

A: I don't know what the right answer is, or maybe there's a fourth way, but I feel like if we don't get moving on this very soon, it's not going to happen.
B: Yeah, I think in the end what you need to do is come up with a proposal and a number. And, you know, when you come up with number proposals, the big numbers, there's going to be a lot of stop and discussion. It won't be easy, but you will not make a goal you don't try for. That's... and right now, I think this is the best possible time. I mean, you know.

A: Yeah, and actually, you know, I think a related thing, because you are as deep in the executive order as anybody I know: would you agree with me that the executive order requires...

A: I'm sorry, you're absolutely right, I didn't mean the executive... I meant the NIST...

B: Even the NIST stuff is a little wishy-washy. The closest that you'll get to a requirement right now is the testing stuff. But if you look more carefully at it... I know the guy who wrote it, who's a nice guy. He's smart, but it's more or less a list of things you could do. It's not a requirement set; it never says thou shalt do all these things, and nowhere says must, even.

A: So the thing that I just posted in chat... now, granted, this is section three, so I think three is informative.

A: This as kind of my backstop of why doing nothing isn't actually an option. But if I'm standing on super shaky ground, like...

B: Okay, how's this? I mean, feel free to quote that, but I think you're better off looking at page... well, PDF pages one and two. PDF page one says guidelines. Okay, guidelines on minimum standards; yes, they're not the minimum standards. These are...

B: Okay, nothing here says you must do these or we will not accept. However, that... so it's not fair to say that this is an absolute rock-hard requirement, but it's not fair to ignore it either. Basically, what's going to happen is, if the U.S. government... it can really only impose requirements on itself without special... it can create regulations, but that's a different process, and that's not the one they're engaging in yet in this part. But what they can do is impose requirements on themselves, and right now...

A: I bet that... yes, I totally agree there, and that this kind of number two here is what, you know, got my ears perked, as where they...

B: There you go, sir asus from mandated standards in the future. There you go, that's right. Right now they are still cooking. Okay, they're still trying to figure out things and, I suspect, it'll be hard to say thou shalt never accept software unless it meets all these. But I think it's fair to say that it's going to look for these as a way to distinguish what it's going to use and what's not, as basically a selection criteria, which is actually, I think, a better model anyway. Totally.

A: Agree, yep, yep. But I mean, for... and this is, I mean, I get this, this is the purpose of OpenSSF, is to tackle these harder things as large organizations that sell to the federal... and we all know that, like, federal procurement requirements tend to bleed over into the rest of society.

B: There you go, I think that's exactly right. It's not that right now these are the requirements, yeah, certainly not in the commercial space, but even in the government space. However, I think many large organizations have exactly the same problem as the US government, in the sense that they're using a lot of software they vitally depend on, and they don't know which ones they should worry about.

B: So, okay, you know, and so when the US government works hard and comes up with something, yeah, it may not be it. It may be great, it may be awful, but at least they thought hard about it. A lot of other organizations aren't going to put that kind of effort into it. So...

A: ...is really where I see Alpha-Omega. The primary... well, the primary real benefit is, you know, more secure, higher security posture, better security quality open source. The secondary benefit is having an existing thing that people can point to and say, I don't need to do this assurance work myself, because this assurance work has already been done and has conveyed a security quality that I can rely on to use.

A: Worth nearly as much as if it were... if it could convey that assurance.

B: That's... I mean, in my mind the best thing to do is... because there's always going to be something that's critical for one organization that's not as critical for anybody else. But so I see the OpenSSF as more of the... it's across multiple organizations. We don't need to all independently do this; that's nonsense! We're going to work together here, and then organizations can focus on the "it's critical to me, but not for anybody else."
A: Cool. So yeah, I guess, for, you know, let's say we'll iterate on this kind of one more time. I'll make the... I think...

B: Are you gonna try to come up with... okay, yeah, so you've got some estimates of dollar figures and so on.

A: Yeah, they're probably off by at least a factor of two or three in different places, but just, you know, like, it's the kind of thing that, you know, give me...

A: You know, that budget for that many people, if you want to multiply that 10x, multiply all the numbers, just add a zero. But yeah, this should scale with that. And the other kind of good feedback that came up was, you know, hey, like, shift left, like, go to the developers themselves, best practices, right, better, like all the other stuff that OpenSSF is already... well, some of it that OpenSSF is already doing.

A: Other parts are clearly in the OpenSSF mission, so I don't think any of this stuff precludes work, and ideally we never find anything, because static analysis has already been run and they've been fixed and the developers, you know, it's all done already, in which case, you know, we might feel sad at wasting money in building it, but we know that we're secure.

B: Well, no, you haven't wasted it, even if you don't find it, because it gives you confidence that this project is doing okay. What you're paying for is confidence: either you find problems and you fix them, or you don't find problems, in which case, well, either your process for finding problems is bad or the project's doing pretty well, and hopefully it's the latter, if you're finding problems in other projects.

B: That gives you credibility that you have confirmed that this one's doing okay. Yeah, cool, yeah, cool. I guess I... I think that the budget should include a little money to make sure that when you leave they're more likely to continue things, like they're going to implement the stuff in the CII Best Practices badge and the Scorecards, that they're going to, you know, do various... and basically make sure that when you leave there, you're going to leave with some process changes in place.

B: I'm not sure how much you need to budget for that. It probably should budget a little bit. I don't think it's a lot; I think it's budget dust compared to a security audit. But I think you should make sure you include that: if you're gonna audit something, you shouldn't leave it without making sure it's got some stuff in place. I mean, you want to burn down vulnerabilities and leave it in a situation where there's fewer likely going to end up there.

A: Actually, would this apply to Alpha, Omega, or both? Because...

A: We could certainly have, like, canned content, which is like, hey, you may want to consider X, Y; if you see you're on GitHub, so click this button to enable the thing, and things like that. For Alpha, yeah, a lot of that relationship will be like, how do you make your process better so that...

B: Yeah, yeah, okay, that's fair. So maybe Alpha is where you really focus that. I think it'd be great if we could work on doing that for Omega, but I see your point that may be a little far. You could probably put in some pull requests. I mean, a cheap pull request is, you know, assign them a badge ID and then propose a README that adds that. But, you know, we've been very much focused on the badging for consent.

A: Yeah, I think we need to be careful there. I do need to drop. So let me drop. David, you got the rest of the meeting. Sure, good, awesome, take care, bye. Thank you all.
B: Okay, so we have a small item and a big item. Let's do the small one real quick, if you don't mind. I just had a question for everybody. The CII Best Practices badge doesn't currently have a link to metrics.openssf.org.

B: Okay, Amir, I mean, you know, obviously it depends on what you're trying to accomplish.

B: Yes, I wonder... particular repo.

C: For the URL of the repo, okay. And I wonder if that could just be like an additional data field, like, you know, for, like, supplemental links. It could be a link to the security Scorecard or...

B: No, I have a very different idea on this. Okay, for the Best Practices badge there's, you know, a number of questions on it, it's 66 for passing, and you can type in a whole bunch of stuff, but darn it, we do our best to not make people enter data unless we have to. So...

B: No, absolutely no intent to do that. In order to get under the Best Practices badge at all, you have to provide at least one URL for either the repo or the home page. It won't even let you create a badge if you don't give it one of those two pieces of information.

B: Ideally we want both, but you have to have at least one, and that should be enough for a search on the metrics dashboard. So, you know, for any... as soon as you create a badge entry, we can create a link to the metrics dashboard that says, hey, search for this, and so when they click, they'll automatically engage a search and go to whatever was found, which may be a list. Okay, and that means that I don't have to ask the users to do anything.

B: So I view repo URLs as the closest thing to an identifier for a project, and so for most projects we'll use that as the search, and then no problems. If that doesn't work, then we have to use the home pages, and then life can get a little complicated, but for most folks it's not going to be a real issue. Yeah.

B: All right, so let's move on. I know, Matt, you're gonna have to wake up now, because I know you care about this one. Well...

B: Oh, I can't see your... you've hidden your face while eating, so I can't tell what you're up to. So I modified the title and the notes for security.yaml, because I think this is no longer a security.md file. It's something else, and maybe it's not.

F: I don't know if there was a discussion that I missed about some other group that decided to create their own security.yaml file, but I think in general I'm worried about... I worried initially about, and again, about collisions.

F: So in terms of, you know, if the OpenSSF is getting collisions already, maybe we should agree jointly, OpenSSF, if we're going to create artifacts that reside in GitHub repos or whatever, that are in the same source code management systems, that we should have some domain-centric naming scheme, you know, and not shy away from adding ossf as a domain name. You know, much like a mini URI, if you will. So, right, well...

B: You know what, making sure that the names are clear and not confusing, I think, is a worthy naming concern. And so I just did something crazy: I used a Google search. You know, is this... how come I can't type... is security.yaml confusing? And there is something else: Symfony uses this. For, yeah.

F: I mean, I said initially, I said that if you go to security.md for my Apache project, it talks about secure workflows inside the project, inside the actual framework, not externally; it's not about how we've secured the actual project at all. So I'm suggesting that, much like we do in, you know, an XML namespace notation or spec URI scheme shortcuts, abbreviations, that we somehow incorporate ossf as a scheme name, and we adopt that into whatever file name we pick, to get past it. So I...
F: Yeah, I'm sorry for stepping on you, but, you know, I've heard you say it before and I disagree completely. If you go to any GitHub repo, the practice is, as you add automated tooling, with big kit or WhiteSource, Twistlock, any type of scanning tools, any types of workflow tools, what they do is they always add a dot file, and they're not afraid of naming it after the tool itself or the organization.

B: Yeah, I've actually seen a lot of pushback against that, for example...

F: Talking about the file level, not claiming things or actions necessarily, but yeah, yeah. So, but I mean, it's, you know, it's not about... we're not trying to brand it. I think it's more of a branding issue; we're actually literally saying this is a standard that we'll probably be producing at a working group at OpenSSF, and that we're unambiguously qualifying it through a scheme name.

C: I see both opinions. Given that this is kind of under the direction of, or kind of, you know, the main discussion for this is happening, you know, at OpenSSF meetings, I think it's safe to say it's associated with OpenSSF, and having a consistent naming schema is always a good practice. So, as long as it's consistent... but I could see both sides, but I would probably lean towards, if it's an OpenSSF-themed tool, maybe having it in the name somewhere.

B: Okay, so let's come up with a name. It can change later, but clearly security.md is not working. security.yaml we have concerns about.

F: I would... I've always mentally pictured oss-security.yaml, just, you know, we could use it. I think dash is the most accessible character to add as a separator between the foundation, the leading scheme name, dash, whatever the sub-project might be, you know, or the sub-utility would be.

F: Well, I was picking something that's compatible with a typical URI scheme. I would say a dot, add an extra dot in front of it and a dot between, but I thought that might be, you know, too... that's because what we're doing is a configuration file, so dot implies it's part of a process or workflow.

B: Also implies it's a subtype, so, you know, I would just ask, well, what's the, you know, ace, what's in that .md, you know? So, like, a tar.gz file is a compressed tar file.

F: But I think that, you know, this is a discussion we might need. I think that this goes with branding, and it goes to making sure that people see that consistently, is that other people create, you know, oss-scorecard or ossf-whatever tools we have, that we use the same scheme. I think it's a higher-order discussion, to be honest with you.

F: Oh, I...

B: I think, how's this one: we just call it ossf-security.yaml, OSSF and SECURITY in uppercase, and we can change this later. But how's this? It at least isn't... I still have my concerns about, you know... this is at least unique.

B: And we can change it later, but, you know, as we start to clarify its scope, we've ended up needing a new name. Okay, so names. So as long as we're adding...

B: All right, so name of file, name changed, for now at least, right.

B: Oh, I'm hearing an echo. Does anyone else hear an echo? Briefly there, but it went away. Okay, all right, very odd. Okay, whatever the echo suppression system was, it briefly got confused and now we're okay. All right. So we've written some text here and some tweaks. We only have 15 minutes left. What can we usefully accomplish in the next 15 minutes?

B: All right, so we've made some attempts at doing this. I tweaked, as you can see, the title here, the title in the file name, and the title in this working name here, and we've got some usage cases, and off we go, and a spec. We really... there are obviously things that need to be dealt with here.
F: Yeah, so much my MVP is something that can satisfy what I've been calling the general profile. You know, what are the... what's... and I think, based, grounded in a structure where we have a tuple that provides the location to find specific documents. You know, which practices, which documents that we're trying to find that are important to Scorecard or in general, if you want to publish them or locate them, you know, uniformly.

F: You know, what's the base information we want people to have, you know, determinism on, in terms of, you know, where... what am I... where's my security vulnerability reporting process? Where do I, you know, where do I handle these things? What are those topics? What are those keys, right? What...

B: And we could even say the CII Best Practices badge, although it has another data source, the humans themselves. Or a Scorecard, does it? So I would say the one that needs it most is Scorecard... how's those people... maybe it's more specific: override, proposed overrides.

F: So, basically, it's about, you know... I guess I'm in a weird mental state, but it goes back to when I created an auditing standard. It goes back to being unambiguous. So as an auditor, if I'm coming in to find something, it's like who, what, when, why, where, how: that we create a consistent data structure that, regardless of the security topic, the security metric, the secure-whatever you want to call it, based upon your scorecarding system, that, you know, whatever it is, you can identify... you basically have...

F: You know, you have a name for it, and it's a key name, and then you have for it perhaps a link. You know, you have a way to locate a link that talks... that shows you where... what the prose process is.

F: You have the ability to send a link to show where automation, or how it's automated, or what tooling is done, and you have, you know, some type of structure that perhaps, you know, tells you: here's my process, I followed it using these tools, and here's my proof at the end. Here's how I attest to it. You know, what's the proof of evidence at the end? So everything I think we do should have that.

F: Have that in mind. I think that fits very well, dovetails very well, into what I'm trying to bring into this, which is try to figure out how we show, as an organization, a foundation, that the Scorecard tool and what we're, you know, rating against, grading against, you know, can be mapped eventually to SLSA. So we have a risk trust framework, and we can prove that Scorecard is following that risk trust framework, and that the structure and organization of those things are expressed in this file and it's unambiguous.

F: Like, here's my input, here's my process, I prove that I have tools that programmatically can follow and enforce the process, and then we also have attestation records, and that fits very well with Sigstore as well. So, you know, where do I put my attestation records? In Rekor? Where do I put my public keys? In Rekor? You know, wherever it might be, it's not Rekor. I...

B: Yeah, whereas I want to drill down to the... give me a couple specific elements in the schema, so that, you know... I was briefly involved in a data scheme, in a... oh, draft... the word is now escaping me, probably because I'm just trying to prevent bad memories. You know, but the, you know, we're gonna model everything in the universe.

F: No, I'm sorry, I'm just throwing it out there, saying, let's put a spitball schema up there that, you know, has those three or four elements, the tuple or whatever, and then try and see if we can take... let's run the examples through it and see how we'd fill out those fields. You know.

B: All righty. I'm not sure where to push next, then, though. What do you think the next step would be, then?
F: Well, I mean, I remember, and we scrolled past it, I think you had some discrete examples. You know, maybe we could try to express some of those things in this. I say tuple, but maybe it's more than three, but, right, so maybe try to express it and figure out how we create... if we have a pattern that can accommodate the examples that you had earlier or somebody put in earlier.

B: Okay, I mean, if we later on want to generate JSON from YAML, there are tools that'll do that fast, but I want to only edit one thing at a time, because otherwise, I don't know, they'll go out of sync. Okay, so I don't even know who... I think this was Michael who tried this first cut, and I don't know if I believe it or not, but that's the, you know... this is what he was trying to...

F: Yeah, I prefer YAML. This is a superset of JSON, so yeah.

B: Yep, my theory also, especially since this is probably going to be read by humans, not just machines, and I can see humans editing this. Even, you know, I'm sure some people go, but people... I am, all the time. Okay, five minutes. I don't know that we...

F: No, I mean, I'll be honest. No, probably. That's why I've been lobbying for the weekly calls, so we can make ground. Hopefully we'll hit... you know, people are getting interested now that we have actual...

F: You know, groundbreaking work that we're doing in this group, so we're gonna have to figure out how we best bring new people in and inform them of our work without resetting every week. So I know that the first working session kind of got derailed because we had somebody from Google that I've never seen before come in and want to revisit the entire use case for why we're doing this. So we need to figure out how to do that as well. So...

B: Okay, so how's this: maybe what we ought to do is create a Google poll. And I mean, if weekly meetings are what's necessary to make some real progress, frankly, makes sense to me. Who else would be interested in this? I'm guessing Michael's interested, even though he's not here right now, especially since he wrote some of these other things. Amir or some others. Who else would be interested in this?

B: And frankly, the Scorecard folks, since I think that's the short term specifically, probably ought to get involved.

B: Yeah, so, let's see here, I'm switching back over here to notes. So, let's see here. So we need to have more... "more meetings" is not exactly what I mean here. We need to have...

B: ...specifically focused on this, say once a week. Okay, and need to get the Best Practices working group and Scorecards folks involved. By the way, I would also see our Best Practices badge mailing list, maybe, as well.

B: I think there's a step before that, which is we need... we need a short description.

B: I get it into the current doc.

B: Right, so I think what we need to do is... let's... I propose, we're running out of time: I'll work on the document and try to get, by next week, a short... and basically tweak the intro so that it explains what it is. I'm hoping for somewhere between a sentence and a page, I mean, like maybe two paragraphs or something like that, but, you know, something relatively... you know, a few paragraphs, I'll say that. Few paragraphs, okay. Will work on the existing, on the current Google Doc.

F: Monday is a US holiday, I believe, I hope, I think, I hope. Maybe. All I know is that a lot of things in my universe are colliding on Thursday, because there's a lot of assumptions about people taking Friday off, at least. Yeah, so, point out, a lot of people might be unavailable. People are taking advantage of that long weekend.

B: Yeah, you know, here's... right, I would say, send out the Google... set up the Doodle poll next week.

B: I would say maybe late next week, next Monday. So basically, let's get the short description, what is this thing, and then send a Doodle poll and say, hey, we've been talking about making this thing; if you're interested, you know, please join and we'll talk about it.

B: Okay, all right, we're at time, so I guess we gotta go away. So good to see everybody. Likewise, take care. Al, thanks. Everybody.