From YouTube: Identifying Security Threats WG (May 25, 2022)
A: Hello, hello, good morning, good morning. I just got a ping from Jory and I have a ticket to the OpenSSF event. The... the thing, so yay, cool, awesome, awesome.
B: Cool, let's get started. Hello everybody, welcome to the May 25th meeting of the Identifying Security Threats Working Group. Thank you to whoever, well, to the folks that joined two weeks ago and ran the meeting. That's great. The one kind of major takeaway was that we need to have a conversation on: should we change the name of this working group to be more reflective of what we do? We can certainly chat about that today.

B: I've got a quick update on Alpha-Omega, but I can do that here. If you have any other things that you'd like to talk about, please add them to the agenda and we can get to it. Before we start, how's everybody doing?
E: I'm excited but overwhelmed. The big gathering in DC was great, but I was totally overwhelmed with all that and I am still trying to catch up with everything else. So if I'm behind on some emails to you, my apologies. There's some work that I really want to do for various working groups that I just haven't gotten to yet.
B: So I guess, bye bye. We have summit follow-up, because the previous incantation of this working group was on the 11th. I hope everybody's seen it, but if you haven't seen it, just open openssf.org; it's at the top right, and it is the mobilization plan.

B: And my interpretation of how the event went was that there was generally broad consensus that the mobilization plan was a reasonable direction. Numerically, most of the things were non-controversial, so I think what we're waiting on at a high level is kind of: how should we go and bite off pieces and go do it? The best information I have right now is that this is intended to be kind of a bottom-up thing where working groups see that, oh, this thing aligns with me, I'm going to start off and just go do it, but now there will be funding available to make it happen.
E: Yeah, but before you go on, just real quick, I agree with you. I mean, there was specific discussion, really both days, where people were asked to have comments back, and in fact we set aside time to specifically, as groups, talk about each of the ten streams. The plan divides into three goals and further divides into ten streams, each goal supported by multiple streams.

E: I don't think anybody said, oh my gosh, that stream was a terrible thing. It was more a matter of, hey, make sure you include... so, for example, education. We talked about college and boot camps. There was a discussion about, hey, also include K through 12. Separately, although I don't remember if it was within that group, I know I've separately gotten emails about, hey, what about reproducible builds? And, well, that's...
B: Absolutely, yes! So just because it's not in the mobilization plan doesn't mean we can't do it, and just because it's in the mobilization plan doesn't mean we have to do it, but, you know, from a Venn diagram perspective, I think it should more or less match what we do over the next two, three years. If it's mostly in that, I think that would be a good outcome, a terrific outcome. So, yeah.
B: Wonderful. So one of the topics that came up a couple of times, both prior to DC but also at DC, was the idea of having kind of an office hours, and this was in the context of stream six, but we also touched a little bit on it when we talked about spinning up an OpenSSF CERT for kind of coordinated response for, you should say, high-impact open source events. The way that I'm thinking about this is super experimental and not about the CERT but more about this: if you are an open source developer and you have questions, you need help, you would like some hands-on guidance, more than what you could get with Stack Overflow, I think, then right now you as an open source developer, unless you're part of a larger foundation, don't really have any place to go. I mean, you can go to the docs and figure it out yourself. So what the proposal is, and there's a link here, is for a couple of months to try running weekly or bi-weekly office hours, where it's available, anybody can join, any security questions, like we're there. We will do our best to help. It's time-boxed to the hour. So it's not staff augmentation forever. It is not a "we will join every project to become their security champ", but it is intended to address the problem of there's nobody to turn to for help.

B: We may find out after two months that this is actually not a problem, like nobody cares, nobody wants it, it doesn't provide value, or the only value that it would provide is in having a longer-term relationship with the project, which I don't think this proposal is looking to solve. So what I would love is kind of feedback on it. We don't have to do it in real time, but, you know, throw comments in the doc. Do you think it's worth it?

B: People that have requested help have always wanted more help than we could provide in that time, and this came up a couple of times: folks thought that project maintainers may not feel comfortable talking about their security problems in a forum where other kind of random maintainers would or could be present, and perhaps a more asynchronous kind of ticketing system might be better.
E: Yeah, I mean, this seems like a low-risk kind of, you know, let's try it: declare that we're going to do it four times as an experiment and go. I mean, having four one-hour meetings and seeing if it works, I mean, go for it. You'll be shocked, shocked to know that I think your name needs work. I mean, is this a security office that has hours, or is this office hours for security?
B: Oh, so we need to... I need to... wait, just parentheses. This is the solution to all ambiguity: solve with parentheses.
E: Oh, I hate it even more. Okay. So basically I will make the standard observation that naming is hard, but we don't need to solve that this instant. I think we do need to have a clear name, as clear as we can and as short as we can, and I know that can be conflicting, but my whine about the name notwithstanding...

E: You know, hey, this seems like one of those "could be helpful, might not be", but the only way to know is to try. The cost is low, let's go for it. Cool. And if it turns out that nobody shows, well, let's try. I think one of the feedbacks would be, okay, why didn't you... it might... I would be unsurprised if a lot of folks would be unwilling to talk about specifics publicly, but that's okay. That will be a... we confirm that. Another issue, though, might be just, you know, not even being sure what questions to ask. But again, I would say go for it, and you know, this is not the kind of thing where, if we spent multiple hours debating what we should do, it would cost more than just doing it.
B: Agreed. Amir, sorry, Altas.
G: Oh yeah, just a quick comment here, Michael: just making sure that people understand what value they can get out of this. It could go down into a code review, for example, you know, it could go down to that level, and if there are people in the office to go in there and support them, then suddenly it's like, well, you know, I don't know what value I'm getting out of this. And the other thing as well is, I think it would be amazing if there are lessons learned or patterns that emerge.
That
totally
makes
sense
yeah.
I
agree
there
would
need
to
be
at
least
enough.
I
mean
I
was
thinking
like
if
four
four
people
five
people
are
on
the
call,
there's
probably
enough
overlap
to
cover
most
like
we
have
somebody
there
who's,
like
you
know,
I'm
a
I'm,
a
kernel
developer
and
I'm
having
some
problems
with
the
thing
like
that.
B
We
may
not
have
the
expertise
to
help
there,
but
for
I
would
hope,
90
95
of
the
cases
having
five
people
might
but
we'll
see
cool.
So
I
think
the
most
important
thing.
Oh
sorry,
john
jonathan,
you
have
your
hand
up.
A: Do I have to grab the unmute button? I'm happy to attend. I would be interested in attending and helping out where I can. How is it going to get advertised so that people actually learn about it existing and know that they have a thing to join that they can ask for help for?
B: I think initially Twitter is probably the best, I mean Twitter and a blog, because we don't want to... we also don't want to get, you know, 38 people showing up the first week for help, or, you know, 700. That demonstrates it's clearly a problem. It does.

B: It does, yeah, yeah, that's true, although maybe it might be, you know, 700 people just coming to see what happens. Either way, though, I think just keep it organic initially, and simple. But what I would love to have, though, is an owner to kind of drive this and make this happen. Is there anyone on this call that this is calling to, and you feel like this would be something... it should be relatively time-boxed. I mean, if we start it, if the first session is like mid-June, I would say so it would be like June and July, maybe by early August kind of wrap it up and see what we learned and see if we want to continue it. But relatively time-boxed, relatively well-defined. Anybody want to own it?
E: ...day and week, so if I'm the owner, I'd probably have to start it after that week because of conflicts, but it doesn't have to be me, and certainly I can show. And I also had my hand up earlier because I want to note that we probably want to get some folks from the OpenSSF Best Practices Working Group. Yeah, and there you go, yeah.
B: They may actually... somebody from there may also want to own this, yeah. Oh, how about this? Since y'all are here, you get first dibs. If you want to own this, put your name down. If I don't see a name down, I'll ask CRob to drive this through his working group.
E: Well, this is a start of support for one of the streams, isn't it?
B: Yes, yeah, five and six, I think, both mention this.

B: Wonderful. Okay, next thing: OpenSSF Day is happening on June 20th. Registration is available. This is day zero or day negative one of SupplyChainSecurityCon, or Security Supply Chain, whatever it is, the one in Austin. The sign-up is ...org. I think, David, you probably know this. Is it virtual? Is it hybrid? It is hybrid, it is hybrid, so you can be there in person and you can be not that.
E: That's right, that is my understanding as well, and I'm registered and I'm showing up for that whole week, so the Open Source Summit. So thank you. There's actually a whole... if you haven't signed up already, there's a whole bunch of things going on that week. You've got OpenSSF Day that first day, you've got SupplyChainSecurityCon, I'm on that program committee, we've also got Linux Security Summit, I'm also on that program committee, and there's all sorts of other stuff going on. So there's, there's, yeah.
B: I'm going to mark you as willing to own the thing, just in very light gray, as a favor to you, because you don't need anything else to own, Dave.
E: I like to say yes, I know. Yes, so yeah, so I'll hold off and wait for other people, but I actually think it's a cool idea. I don't know if it'll work either, but this seems like the sort of thing where the only way you know is you try. Yeah.
B: Yeah, yep, and honestly getting it out of my head, of like, oh, I should really do this, like it's a big benefit. So, awesome. Okay, security updates: Luigi cannot make it today, so I don't think we have anything for Security Insights. I do think, though, we do want to... well, we talked about it two weeks ago, but I do think we want to have a more targeted campaign to get a group like Apache or Eclipse or another kind of foundation with lots of projects kind of on board; that would be enormously helpful. Having all the OpenSSF projects is like mandatory, so we should figure out how to go after that and make that happen. Maybe it's as simple as pull requests to the different projects, but we'll... right. Next: security reviews. Amir, anything on your end from this?
D: I did want to just briefly mention, I see you wrote it there already, the pull request was merged, so all of the automated reviews for Omega have been updated into the repo.

D: I also did want to give a shout-out to Luigi. I thought he did a fine job running the meeting last time, so just so that's on record. But yeah, not a ton of updates on that. We are going to be putting a couple of reviews from rn too, from OSTIF's reviews that we're wrapping up here; we got a couple of good ones that we're going to be putting out there as soon as they're ready, we're thinking in the next couple of weeks.
B: Awesome, awesome. So for Omega specifically, since I don't think most of the folks on the call are aware of what we did here... so for Alpha-Omega, one of the ways that we wanted to get started was, because we don't have a body in seat to do the analysis yet, we thought that if we ran the tool chain against a bunch of open source projects and the results came back completely clean, like the scan ran and the scan found nothing, that, as a positive indicator of goodness, we could, you know, templatize and create a security review. So as an example, this is what it looks like. So this is against the npm...
B: Was it the ansi-yellow package? So, to be clear, like no eyeballs were on this package, so this is all automated. So what we ran is: we ran CodeQL with the default rule set, detect-secrets, which is an open source secret detector, nodejsscan, which adds a little bit more, Semgrep with basically the kitchen sink of rules, so this can be a little bit noisy, but again, if it comes back with nothing, then that's a signal.
B: We checked to see if it was rebuildable, and I don't know if "rebuildable" or "reproducible" or "buildable" is the right word there, but effectively we took the npm package and we determined whether or not we could look at the package, find its source code, get its source code and then rebuild the package from the source. So there's a tool that we released to kind of do this, and if it passes, then it passes, and it passed.
B: I don't know if this is deps.dev or OSV. I think this is deps.dev that we did for this. So with all those signals we felt okay, we published this. So there's 93 of these here. The rate of... I think that's about 15% of packages that we scanned came back clean, so that itself is an interesting number. These were all npm packages. Most of these are very tiny, so maybe it's skewed long term.
B: I think the place where this goes is into some sort of an assertion, and I don't know if that is a SCITT assertion, in-toto, something else; I don't know, and I kind of don't care what the implementation is. But at some point I want to be able to say that npm binary-extensions version, I guess, 2.2.0 was clean because of evidence, and have that be something that can kind of be consumed programmatically, because this is a review. It is also metadata. So you can pull out and see that binary-extensions 2.2.0 came back: issues identified, none, so you can rely on that if you want. Right now the publication state is draft, so it doesn't show up in the overview yet. I wanted to give it a couple weeks to...
D: Fine. We talked about it a little, and I think it's actually the next topic, but I'm talking about the metric dashboard and how this data, this metadata, could feed into whatever the metric dashboard comes out to. But I think that would be a good way to be able to access the information.
B: Definitely, and to be right, I think it should today, even, because the metric dash... well, sorry. It doesn't today because it's broken, but it would today if it weren't broken, and by that I mean that it does clone the repo and parses all the stuff and then adds the review metadata into the dashboard thing. But in the future, yes, it should absolutely also do that, and it will, between Christine and Jay and Vanad.
E: I guess I do have a broader question. I mean, this is definitely one of those databases, and I'm using "databases" in the broad general sense of a collection of data, where the more data, more information we have, the more people are going to use it, the more people want to contribute to it. Have we tried other ways to try to get some of the existing reviews into this form? I mean, you know, I know that there are, you know, Amir, really, you're the person who knows many of these other organizations that have already done reviews, whether or not OSTIF oversaw them. Have any of them considered contributing to this? I mean, it seems to me that they would have incentive to add things on this list, just like, you know, and...
D: Yeah, that's a good question. A couple of things that come to mind are potentially reaching out to the OTF folks, because, while their reviews are very kind of narrow in scope, they do a decent amount of them, and right, that could be a way to get the numbers up. Have you contacted... do you know them indirectly?
E: We have talked with each other several times, so yeah, that's... but that's a great idea, Open Technology Fund folks. If anybody has better connections, that's great; otherwise, I would be happy to pick... I mean, really, it's just an email. I'll CC you, Michael, CC you. I mean, no guarantees they'll do anything, but it does seem like, yeah, this is definitely one of those things where we need to get data in in order to start getting people to put data in.
D: Right. One cool thing that happened was, I think it just happened through the wild, we did have somebody, Kevin Backhouse, upload a review onto there, kind of just organically. So I think if we do even a little bit more, maybe with this next iteration of reviews that we're going to add on there, maybe if we gave a shout-out to the repo, to, you know, just promote it a little bit more and just reassure folks that, hey, you can add stuff on here too.
A: Right. I have... like, I run into cases where I'm like, I've looked at this method, it looks vulnerable, but it's actually not, right? Like, that's the kind of thing that I will look through and see, but I don't want to make sweeping claims without the entire application. But I can make very narrowly focused things, like "this thing looks vulnerable" or, like, "there was a CodeQL query alert that flagged here; this is not vulnerable, at least as far as I can tell."
B: The Alpha-Omega repo went live, so we have the Node engagements described, and what the role is and what they're going to be doing. I think what we're going to do is keep it simple and have a monthly update Markdown that they will PR into us, and we will either keep the content or, if they want to put it someplace else, we'll just be a link to it.

B: But the point will be that you'll be able to, from somewhere here, get to what's been done recently for this engagement, so we'll be updating this as we get the next two engagements around. And the final thing here is, we do have the Omega analyzer in a separate branch; we're just waiting for approval on the licensing, because it's a little bit complicated.

B: But for now it is a Dockerfile that you can just build, and this is the sauce. So it's everything from CodeQL to Semgrep and everything else, as well as an orchestration layer that pulls stuff out and aggregates it, and then I think even the review creator is here too; yeah, the creator creates the files. So you're welcome to play with that. It's all public right now.
B: So more to come there. I'll try to get a report back later this week.

B: Cool. Anything else on these topics?
B: Cool, so there was apparently chat last time on changing the working group name. I agree, the working group name is terrible. I apologize for that. Does anybody have really strong feelings on what the name should be? So just to be clear, so the things we've done: we do the dashboard, Security Insights, security reviews, maybe the threats paper, yeah. I'm going to put, like, squigglies against Alpha-Omega, because that's kind of now a top-level thing.
E: If the worst comes to worst, we can go look at how this group is self-described. If I go click on OpenSSF, join... this group is defined as follows: "Enabling informed confidence in the security of open source software by collecting, curating, and communicating relevant metrics and metadata to inform decisions."
D: I mean, I can't remember, is there a group called Security Insights or something, or is that the subgroup? Okay.
E: This is much more of a military terminology, but it's the, you know, "I want to make a decision; I'm not here to make your decision, I'm here to give you the data necessary and the analysis necessary to help you make a good decision." You know, and it's more focused on the "here's the facts: if you do X, this is what's going to happen; if you're going to do Y, this is what's going to happen."
B: No, and I don't... I don't think that, like...
E: Yeah, but Michael, let me push back a little bit, and let me... I'm going to try to channel the TAC members briefly, noting that I'm not a TAC member. I think the TAC folks are right now feeling a little disconnected from a lot of the work, because, you know, I'm actually showing up at all the meetings, so I actually have an idea of what's happening in the working group right now.

E: They're rough baskets to help organize what would otherwise be too many people, and that's all they are. You know, if a project can fit in multiple baskets, fine, select one, we move on. But I think it is helpful to have clearer names. I mean, I think really this is the only group that has a name that is a true mystery to most of the people. I mean, none of them are perfect, but most...
B: I did see CRob post kind of an update back to the TAC mailing list, I think it was earlier today. Yeah, it's a good template; I'll just follow that template and do the same thing. That will be one way of communication. But just, you know, and because this meeting is being recorded, and because I don't make the best decisions sometimes: is anybody here on the TAC that is attending this meeting?
B: Right, so the TAC... I feel very strongly the TAC members should be active participants in working groups too.
E: Right, and I think that's fair. I think that's fine, and conversely, though, most TAC members are not going to be able to show up at all of them, so having clearer names, you know, reporting back and forth, it's all goodness.
B: Yep, and frankly, I should be attending the TAC meetings, which they'll say that too. Well, so, strangely, I didn't think that I was invited to TAC meetings until... oh, no.
E: Yeah, I think at the very least they want you to come, you know, every once in a while, to, hey, you know, just again, more awareness in both directions than anything else. Don't...
H: You know, like a good explanation, and I really appreciate explaining, you know, all the differences, and I was just trying to help to get the right name. We need to understand what we do, right? Like, and there are definitely overlaps and fuzzy areas, and it's the nature of this group, because there are so many talented people who can contribute multiple things.

H: Maybe as we go forward, newcomers like me can get some help if there's, like, either kind of a Venn diagram or, like, you know, something to grasp that kind of position ourselves. We are stronger in, you know... if you look at the Gartner reports that have this positioning graph, right, we can kind of, you know, position: we are stronger in here, but we can also attest to this work, right? I think that may be helpful.
B: I like that idea a lot. We can and should, and we should absolutely do that.
D: Yeah, I think they're still doing the quarterly OpenSSF updates, right? I thought that was a good way, basically, to get insight into what all the working groups are doing and stuff like that. I think that's going to continue to happen, but visualizing it in some way, I totally agree, I think that's a great idea.
B: The last town hall was February, so March, April, May, so we're due for one, although with everything I'm imagining it will probably be July.
A: So my ten cents on this whole topic of naming is: the TAC is not necessarily something that I'm thrilled and interested in, and, like, you look at the TAC meeting, you're like, okay, the TAC meetings, great. I just, you know, keeping the name interesting so that it encourages people to actually join, right? Like, "Identifying Security Threats" is a pretty eye-grabby name in terms of interest, like, "oh, I want to go see what that meeting is about and learn more about it," right?

A: I don't have that same feeling about "decision support". I respect where you're coming from, but, like, you know, I think that keeping a name that, like, pulls people in, like, "that sounds interesting, I want to learn more about, like, what are the security threats that were identified," you know. Yep.
B: Is there a... so there's like red teams and blue teams and purple teams and green teams. Is there any team color that naturally would align better with what we do? Is there like a fuchsia team that...
A: I dressed up as a crayon for Christmas or for Halloween one year, and I was fuchsia, and I now have the nickname of Fuchsia from...
C: So you said fuchsia color, I'm like, my callback.
D: Real quick: this is not terribly related to everything else we're talking about, but for Securing Critical Projects I also plan on using CRob's template and doing those regular meeting updates. I think it's a good practice, so just to show some consistency.
B: Let's do it. Are those... do you know if the TAC should publish those in their repo? I mean, we should just PR them into their repo. The mailing list is not discoverable, really.
A: Right, that list... throw that into an IDE hooked up to GitHub Copilot, see what it comes up with for suggested comments after the name list you feed it.
E: Okay, all right, how's this: can I propose that we continue this discussion next meeting? Although that may be a problem. Isn't there a con... are there conflicts with that? Next meeting, we probably ought to look.
D: Two Wednesdays from now is that one event in DC, I believe.
E: Yeah, so Amir and I, I think, are not going to be around, so that doesn't mean it can't happen, just, you know, Amir and I will have to not be there, so...
B: Yeah, that works. Wonderful. Last call for comments or questions from anybody.