►
A
All
right,
if
there's
anybody
here,
that
that
hasn't,
attended
regularly
or
would
like
to
introduce
themselves
or
start
out
any
comments.
Here's
your
chance,
don't
feel
obligated,
but
jump
in
if
you
want.
A
All
right,
then,
I
guess
two
project
updates.
We
can
do
this
in
whatever
order
folks
would
like
to,
but
we
have
so.
The
the
list
is
on
the
meeting
notes,
but
virtual
summative,
maintainers
I,
don't
see
Luigi
so
we'll
move
that
one
down.
A
30
insights
office
hours,
I've
been
seeing
some
stuff
pop
out.
There
looks
like
this
is
all
happening
in
in
the
office
hours
Channel
metric
dashboard
we've
got
Christine
J
norov
et
cetera
there
to
chat
about
that,
and
then
we
can
kind
of
go
down
from
there.
Virtual
summative
maintainers
all
right.
B
C
Yeah
yeah:
this
is
how
Emily
Bob
stand
up.
Munawa,
please
and
also
Excel
I,
don't
know
if
she
can
make
it
today,
but
we
were
working
on
preparing
virtual
submit
event
and
one
of
those
task
team
has,
you
know,
prepared
some
of
the
detailed
documentation.
Also
you
know
presentation
to
to
get
to
Media,
Tech
or
other.
You
know
working
groups
to
get
consensus.
Then
we
reached
out
to
a
little
Foundation
event.
C
Team
and
also
Brian,
thanks
for
joining
here
mentioned
that
there
are
certain
other
events
that
maybe
we
can
do
you
know
planning
or
you
know,
collaborate
together.
So
before
we
get
into
more
details,
I,
don't
know
anything
that
you
want
to
talk
about.
One
aspect
that
we
can
see
from
working
with
the
bigger
open,
SSS
group.
A
C
Emily
and
Noir,
would
you
like
to
add
anything
that
you
want
to
discuss?
I
know
we'd
like
to
get
some
input
from
Brian
too,
so.
D
So
we
have
been
meeting
for
the
past
hi.
This
is
one
hour,
so
we
have
been
meeting
for
the
past
four
weeks,
four
or
five
weeks
regarding
to
to
iron
out
different
aspects
of
it
right
now.
The
idea
would
be
to
have
and
have
a
POC
kind
of
in-person,
a
virtual
event
in
mid
January,
with
a
small
group
of
participants,
a
small
group,
by
that
we
mean
about
10,
to
15
important,
open
source
projects
about
30
to
40
maintainers
of
those
projects.
D
This
would
be
an
invitation
only
event
about
for
three
to
five
hours
of
commitment
for
one
day,
and
it
will
be
done
in
a
workshop
format,
as
in
there
will
be
an
opening
remarks.
There
may
be
a
like
an
initial
presentation,
then
there'll
be
separate.
Working
groups
there'll
be
like
working
with
the
like
so
splitting
this
up
into
maybe
three
or
four
small
groups
where
we'll
be
talking
about
their
specific
pain
points,
their
stories
of
how
they
deal
with
security
issues,
incidents,
responses,
how
people
can
help
and
so
on.
D
So
those
are
those
would
be
the
the
the
goals
of
the
of
the
specific
working
groups.
Then
we
come
back
together,
we'll
have
a
panel
and
we
try
to
create
some
understanding
common
understanding
from
all
of
that
that
we
then
later
want
to
present
as
a
Blog,
some
sort
of
other
notes,
and
then
we
may
be
able
to
also
present
this
to
the
other
open
ssf
organizations
for
them
to
consume
this
information.
D
So
that's
kind
of
so
this
is
going
to
be
a
POC
I
I'm
using
the
time
POC
here,
because
this
is
we'll
just
try
this
out
in
a
small
scale,
with
the
help
of
Linux
Foundation
they're
like
event
stuff,
with
their
help,
will
create
a
like
virtual
Meetup
space,
where
we're
gonna
be
able
to
do
that.
We're
still,
we
still
haven't
had
the
meeting
with
the
Linux
foundation.
Events
folks.
D
Yet
so
that's
why
the
details
are
are
TBD
at
this
point,
but
once
we
have
these,
the
the
future
plan
would
be
to
perhaps
like
next
year
when
the
open,
ssf
event,
the
summit
actually
happens.
Then
we
can
also
have
a
try
this
out
as
an
in-person
event
down
the
line,
so
that's
kind
of
and
as
far
as
the
10
to
15
projects
that
we
want
to
be
participating
there.
D
The
the
plan
right
now
is
to
like
reach
out
to
our
personal
connections
with
important
projects,
there's
also
a
projects
that
are
connected
with
Alpha
Omega,
like
I've,
connected
with
Eclipse
Foundation,
like
Michael,
barbero
of
Italy's
foundation
and
and
like
we
can
also
include
the
we
plan
to
also
include
the
pipi
people.
D
We
also
want
to
include
the
RAS
Foundation
people,
maybe
have
those
people,
because
there's
already
a
link
with
that
I'm
working
with
Amir
to
like
basically
get
some
of
the
important
security
repositories
that
they
have
identified
like
Caleb
and
the
others
have
been
preparing
a
list
and
Amir
is
also
like.
The
Austin
is
also
doing
this
kind
of
reviews
for
the
past
year
or
so
so
he
has
already
gotten
interaction
and
personal
relationship,
perhaps
with
some
of
these
projects,
so
getting
some
of
those.
D
D
So
we
expect
to
get
a
list
completed
by
in
in
a
couple
of
weeks
and
I've
already
started
an
Excel
sheet
where
we
are
keeping
track
of
or
just
putting
ideas
at
this
point
like
okay
and
10
to
15
project
is
not
a
well,
it's
not
difficult,
but
still
like.
We
need
to
finalize
that
and,
most
importantly,
the
biggest
goal
up
front
right
now
is
to
have
that
meeting
with
the
Linux
Foundation
events.
Folks,
and
once
we
do
that
we
can
actually
finalize
the
date
and
then
start
circulating
people.
D
There's
also
other
aspect
of
we
want
to
invite
some
panelists,
so
we
are
figuring
out
like
Alex
and
ishel
and
and
Emily
has
been
figuring
out,
which
are
the
people
who
would
be
invited
in
the
panels.
Who
would
be
the
moderators
of
the
event?
We
would
also
have
to
figure
out
the
questions
Etc
beforehand
and
so
on.
So
there's
a
lot
of
tasks
that
are
also
going
on
preparing,
but
the
biggest
task
up
front
is
to
have
that
meeting
with
the
Linux
Foundation.
Then
we
have
an
actual
date
that
we
can
start
circulating
around.
E
Okay,
so
if
I,
if
I
understand
this
correctly,
it's
to
try
to
have
essentially
a
workshop,
that
is
fairly
on
the
small
side
right,
you
know
it's
15
projects
about
40
people,
it's
to
really
just
have
a
kind
of
a
listening
session
on
their
pain
points
on
I
mean
deciding
who
to
invite
with
what
those
15
projects
are.
You
can't
cast
The
Net
too
wide,
because
then
everyone
will
want
to
go.
E
You
don't
want
to
make
it
too
narrow,
because
then
there's
some
biases
I
mean
how
what's
the
process
that
you're
using
to
decide
who
the
right
set
of
15
are
and
and
frankly,
what
are
the?
What
are
the
goals
for
the
meeting?
I
mean
I
I,
see
it
in
the
presentation,
but
you
know
hearing
I
mean
there's
this.
This
is
saying
like
every
every
open
source
project
that
is
a
little
bit
broken
in
a
different
way,
very
much
like
tolstoy's
families
and
More
in
peace,
they're,
they're,
I
I.
E
You
know
each
of
them
broken
in
a
slightly
different
way.
So
I
you
know,
are
we
trying
to
learn?
What
are
we
trying
trying
to
learn
by
having
this
event?
I
guess
maybe
that's
explicit
in
the
deck
but
yeah
I
see
on
page
seven
in
the
deck
event
survey.
Maybe
this
is
a
good
way
to
try
to
say
what
what
you're
hoping
to
get
out
of
the
event
so.
F
This
is
intent
in
the
intent
of
the
pre-event
survey
is
to
kind
of
gather
information
from
maintainers
or
members
of
the
various
foundations
organizations
and
projects
to
understand
that
initial
set
of
concerns
care
abouts
areas
where
they
need
assistance.
The
structure
of
that
pre-event
survey
is
still
trying
to
be
determined.
It
might
be
beneficial
to
focus
on
the
alignment
structure
that
the
openssf
has
and
group
questions
in
those
similar
constructs.
F
To
really
understand
the
nuanced
pain
points
associated
with
each
of
those
core
areas
of
work
that
the
foundation
is
already
pursuing
to
ensure
both
that
maintain
feel
comfortable
with
the
members
and
leaders
of
the
foundation
that
are
driving
those
efforts
and
they
know
who
to
go
and
ask
questions
of,
but
also
do
it
to
kind
of
give
them
a
voice
to
any
potential
concerns
or
challenges
or
adoption
issues
that
they're
experiencing
and
taking
advantage
of
the
work.
That's
already
coming
down
out
of
the
foundation.
F
So,
basically,
ultimately
opening
up
the
lines
of
communication,
letting
them
know
where
the
correct
people
are
and
locations
and
the
work
that's
going
on
in
progress
and
ensuring
that
the
work
that's
being
done
within
the
foundation.
The
group
those
activities
are
well
received
or
positioned
to
be
better
received
by
those
maintainers
in
a
way,
that's
less
friction
for
them
to
adopt
right.
C
They
can
anything
when
I
understood
in
the
beginning.
If
we
have,
we
have
this
office
hours
that
taking
input
from
the
users
and
answer
questions
by
the
SMS.
This
could
be
a
like
a
Open
Mic
session
from
foundations
or
maintainers.
The
key
maintain
open
source
project
to
charity,
opinions
right
and
the
broadcast,
maybe
or
or
getter
inputs
from
you
know
the
communities.
C
Thank
you,
okay,
and-
and
this
will
be,
we
start
with
just
one.
You
know
approval
concept
or
MBP,
but
we're
hoping
to
make
it.
You
know
bi-monthly
or
you
know
quarterly
or
whenever
it
you
know,
makes
sense
to
do
it
over
and
over,
so
that
we
can
maintain
it
as
like,
a
community
event.
A
One
of
the
benefit,
which
is
in
addition
to
us
getting
information
from
and
providing
information
to,
maintainers
having
it
being
a
workshop
format,
means
that
there's,
you
know
I
think
there's
an
opportunity
for
connective
tissue
to
grow
between
the
projects
themselves,
because
for
the
most
part,
most
projects
are
feeling
the
same
pain,
at
least
that's
the
hypothesis
and
therefore
you
know
just
having
those
open
conversations.
A
E
Yeah
we
we
and
I'll
mention
the
Linux
foundations.
Research
team
did
a
large
survey
of
maintainers
a
couple
of
months
ago
as
well
about
security
practices
and
security
perspectives.
E
They've
I
think
they
issued
an
interim
kind
of
report
on
the
first
kind
of
waves
of
that,
but
there's
more
to
digest
and
Stephen
Hendricks
on
the
research
team
has
been
kind
of
owning
this,
so
I
I
mean
I.
I
could
be
somebody
I
think
we
should
bring
in
and
just
so,
we
can
use
some
of
the
prior
research
and
some
of
the
prior
information
that's
been
gathered.
I
do
want
to
just
emphasize.
You
know
the
the
answers
you
get
from
this
work
will
vary
tremendously
based
on
the
people.
E
You
invite
and
thinking
carefully
about
I
mean
even
even
the
the
prioritization
that
decision
making
you
make
about
who
to
ask
will
weigh
heavily
on
the
outcome
and
so
I
think
it's
important
not
to
characterize
the
results
of
of
this
process
as
reflecting
either.
You
know
a
consensus
view
of
the
entirety
of
the
open
source,
Community
or
or
speaking
for
all
maintainers.
It's
really
just
here's
the
subs
of
the
folks.
We
happen
to
talk
to
you
know
and
who
self-select
it
really
to
participate
in
this
right.
E
E
You
know
some
sort
of
regular
process
for
kind
of
a
broad
fan
out
of
polling
of
maintainers
across
across
a
larger
group
in
some
ways,
so
just
kind
of
free
thinking
here
and
so
in
terms
of
like
burden
on
the
organization
to
support
or
what's
needed.
Let
me
put
it
that
way
to
for
us,
as
the
Linux
Foundation
or
as
open
ssf
staff
to
support
this.
It
doesn't
sound
like
it's
much
more
than
a
zoom
call.
E
It
sounds
like
you
all
would
probably
staff
this
in
terms
of
conducting
the
event
having
moderators
to
lead
breakouts
I,
you
probably
also
I'm,
assuming
digest
the
information.
That's
shared,
take
notes.
I
I,
have
you
know
some
sort
of
outcome
from
that
meeting
that
that
you
know
as
a
result,
if,
if
all
you're
asking
from
us
is
the
ability
to
host
this
on
Zoom,
you
know
and
and
and
maybe
a
little
bit
of
kind
of
production,
this
doesn't
sound
like
a
big
lift
at
all.
E
That'd
be
great
I
think
we
have
to
be
careful
about.
This
is
a
private
meeting,
so
we
have
to
have
the
any
trust
stuff
kind
of
pop
up
and-
and
you
know
have
one
of
us
on
staff
kind
of
attending
the
meeting
to
make
sure
things
don't
steer
in
the
wrong
way
just
to
keep
us
all
above
board,
but
other
than
that.
This
is
not
a
not
a
a
hard
thing.
We
don't
have
to
involve
I
believe
the
events
team
in
this
kind
of
thing,
which
would
incur
a
bunch
of
costs.
E
This
is
the
Linux
foundation.
Events
team
I'm
talking
about
the
ones
who
do
the
the
kubecon
events
and
OSS
events
and
the
like.
They
do
virtual
events
for
sure,
but
that's
more
in
the
vein
of
like
webinars
and
larger
group
things,
so
this
I
think
is
really
just
a
larger
version
of
this
kind
of
meeting
we're
on
right
now,
if
I,
if
I
understand
correctly,
unless
unless
I
misunderstand
anything.
E
For
survey
coordination,
so
there's
the
Linux
Foundation
to
research
team
headed
by
Hillary
Carter,
who
I
think
you
might
have
met
Stephen
Hendricks
works
for
her
as
well
and
they've
done
a
couple
of
these
kind
of
surveys.
They
were
the
ones
as
well
who
coordinated,
I,
I,
believe
coordinated
with
the
Harvard
Business
School
and
the
open
source
census
work.
E
Not
everything
has
to
go
through
them
or
anything
like
that.
I
don't
intend
to
I,
don't
mean
to
say
that
they're
a
gateway
to
anything
this
kind
of
thing,
but
what
I
would
like
to
do
is
take
this
to
Stephen
Hendrix
and
connect
this
to
some
prior
survey.
Work
that
had
been
done
and
I
think
he'd
find
this
really
fascinating
and
useful
and
I
hope
would
be
a
a
net
major
contributor
to
this
effort.
E
Okay,
no
I
first
found
out
about
this
from
some
research,
some
Outreach
that
have
been
done
to
Angela
Brown,
who
runs
events
at
the
LF,
and
then
she
turned
to
me
and
went:
have
you
heard
of
this
and
I
hadn't?
So
can
I
be
aware
of
this
now
and
I
think
we
can
support
you
directly
on
this,
rather
than
needing
to
involve
the
LF
events.
Team.
C
Sure
sure
yeah
we
we
actually
discussed
internally.
You
know
it
could
be
a
sufficient
way
to
zoom
too,
that
we
were
not
just
sure
how
many
audience
or
how
many
people
will
be
joining
so
just
trying
to
get
some
of
those
impotent
advices,
and
you
know
you're
going
to
want.
You
know
before
we
walk
we're
gonna
crawl,
so
sure
we'll
see
yep
yep.
E
In
in
Hillary
or
Stephen
might
actually
be
helpful
as
well
to
think
about
some
of
the
framing
and
how
to
ask
the
right
kinds
of
questions.
It's
actually
I
find
it
very
hard
not
to
ask
leading
questions
when
I
know
when
I
have
in
my
head
what
the
right
kind
of
answers
might
be
so
so
really
asking
questions
the
right
way
and
I
and
I
really
like
zoom's
support
now
for
breakouts
as
well,
that
that
seems
to
have
worked
pretty
well
in
a
couple
meetings.
E
I've
been
in,
so
you
know
you
fan
out
and
they
bring
everybody
back
to
one
room
at
the
end
of
some
duration
right
right,
right.
C
Okay
and
then
we
we
got
to
be
able
to
have
a
admin
or
exit
control.
Engine
right,
I
think
there's
a
place
to
request
that
access
right.
E
Yeah
well,
I
think
what
I
would
do
is
ask
you
know
one
of
us
on
staff
to
be
to
be
the
host
for
this
meeting
and
the
host.
We
could
probably
share
a
co-host
with
a
couple
people
as
well,
and
that's
how
you'd
kind
of
manage
the
fan
out
the
different
breakout
rooms
and
when
to
bring
people
back
and
yeah
the
only
other
thing.
Oh.
E
E
C
E
Yeah,
it's
it's
to
the
point
where
we've
canceled
panels,
when
a
late
breaking
change,
we
could
not
guarantee
that
so
yeah,
okay,
good,
yep,
great
and
and
I
see
it
in
terms
of
panelists.
You
might
want
either
other
ossf
leadership
to
pretend
participate.
Maybe
somebody
from
the
governing
board
as
well.
E
E
We
might
just
want
to
pick
a
date
that
doesn't
clash
with
some
other
major
industry
event,
but
but
I
think
if
we're
looking
at
January
I
think
we
can
all
be
pretty
flexible
in
this.
E
For
a
small
Workshop
like
this,
just
looking
at
the
very
end,
finding
a
a
rock
star
I
mean.
Are
you
certain
you
need
somebody
who
I
mean
if
this?
If
the
focus
point
of
the
this,
this
three
and
a
half
four
hours
is
to
listen
to
the
maintainers,
do
you
feel
like
you
need
something
like
this
to
attract
the
right
level
of
maintainer
to
to
the
to
to
spend
a
half
day
with
us.
F
So
the
that
open
source
Rockstar
comments
within
the
slide
deck
was
more
along
the
lines
when
this
was
originally
scoped
to
be
significantly
larger.
Instead
of
the
smaller
event,
we
haven't
actually
rediscussed
whether
or
not
that
role
was
still
warranted,
given
the
higher
priority
focus
on
the
workshop
itself
and
on
the
panel
and
soliciting
that
comment
back.
E
Okay,
yeah,
certainly,
if
you
think
about
this
as
a
larger
scale
event
with
a
little
bit
more
of
an
open
invite
with
where
you
want
to
publicize
it.
E
That's
where
just
two
things
I'd
ask
one
is
that's
probably
where
we'd
start
to
involve
the
Linux
foundation,
events
team-
and
that
means
thinking
about
a
budget
assigned
to
this
and
and
needing
to
reconcile
that
with
with
other
things
and
second,
it's
thinking
about
this
event
in
the
context
of
other
open,
ssf
events
through
the
course
of
the
year,
you
know
we
we,
like
we
like
doing
events
we
like
pulling
people
together,
I
think
it's
important.
We
also
don't
want
to
burn
people
out.
E
We
know
travel
budgets
well,
this
is
virtual,
so
it
doesn't
quite
fall
into
that.
But
you
know
we.
If
we
say
this
is
the
one
event
for
maintainers
to
attend
in
the
year.
We
want
that's,
you
know
we
want
to
make
sure
that
that
really
is
the
one
event
we
want
to
pull
people
to
right,
and
so
we
have
to
think
about
this
in
context
with
open
ssf
days
and
other
things
if
it
were
to
be
more
of
a
bigger
public
event.
But
we.
F
B
C
D
Sorry,
switching
topics
so
just
to
keep
everybody
on
the
same
page
as
as
we
are
because
there
will
be
a
lot
of
these
decisions
that
we
are
taking.
Do
you
suggest
that
we
create
like
a
mailing
list
of
people
and
then
like
use
that
to
circulate
the
like,
for
example,
the
date
or
other
information
around,
or
how
do
we
keep
everybody
informed.
E
Well,
so
there
should
be
a
a
a
place
for
the
planners
to
discuss
this
I
do
see
the
the
slack
channel
here.
The
ritual
Summit
maintainers
are
critical,
open
source
projects.
You
may
want
to
use
that
and
then
there
might
be
a
second,
either
Channel
or
or
other
facility.
You
provide
to
communicate
with
the
40
maintainers,
who,
presumably
you
want
to
confirm
in
some
way
register
in
some
way
and
yeah
we
can
get
that
set
up
for
you.
E
D
We
are
but
I
I
was
more
thinking
like
how
do
I
Michael
is
probably
in
that.
So
sure,
maybe
we
include
you
in
that
channel.
So
how
do
we
get
like
more
people,
for
example
like
for
you
to
be
informed
about
stuff
or
people
like
Stephen,
Hendricks
or
Hillary
Carter?
That
you
mentioned
him
also
involved
like?
Is
that
just
invite
them
to
the
channel.
E
First
off,
let
me
talk
to
them.
Explain
the
context
for
this
I
figure
out
how
they
want
to
divide
this,
probably
just
one
or
the
other
of
them,
you
know
would
be
involved
and
and
I
think
they'd
be
in
a
supportive
role
rather
than
a
coordinating
role
and
then
there'd
be
somebody
else
for
my
team,
probably
kahil,
but
let
me
figure
out
who
who
I
would
assign,
as
the
kind
of
person
responsible
from
the
open
ssf
staff
for
making
sure
this
event
happens
and
then
and
then
facilitating
the
event
directly.
E
C
A
You
awesome
thanks
everybody
any
other
topics
on
this,
or
can
we
move
to
metrics
dashboard.
B
Really
quickly,
I
just
had
a
question.
I'll
also
follow
that
channel
as
well,
and
then
is
the
idea
that
this
would
be
a
completely
private
event
or
like
parts
of
it.
We'd
want
to
share
more
broadly
are.
B
And
then,
in
terms
of,
like
you
mentioned
some
content
that
might
come
out
of
the
results.
C
It
will
definitely
open,
you
know
event,
but
all
the
discussions
are
in
public
too,
so
we
want
to
make
it
as
much
as
public.
You
know,
as
we
can.
E
I
push
back
on
that
just
a
bit,
I
mean
it
sounded
like
at
least
from
the
deck
that
I
saw
the
design.
The
idea
was
that
it
was
a
40-ish
maintainers
from
1500
projects
and
it'll
be
a
small
Workshop
kind
of
setting.
So
I
presume
you
wouldn't
want
publicity
for
this
or
an
open.
You
know
invite
we'd,
probably.
F
F
A
lot
of
this
initially
we're
looking
at
Chatham
House
Rules
folks
are
10,
tend
to
be
a
little
bit
more
Frank
and
upfront
about
that.
E
Yeah
I
think
I
think
we'll
have
to
have
some
sort
of
write-out
readout
from
the
from
this
that
we
do
make
public,
perhaps
as
a
short
blog
post
of
some
sort.
You
know,
but
yes,
I
I,
think
I
think
it's
not
it's
not
otherwise,
something
we
pre-announce
or
anything.
B
Yeah
I
think
that
makes
sense
for
the
kind
of
event.
A
Terrific,
thank
you,
everyone.
It's
a
I'm,
really
excited
to
see
this
going
forward.
Super
cool
be
super
happy
to
participate
too,
but
awesome
metrics
dashboard.
Who
would
like
to
take
this
one.
H
Yeah,
hey
hello,
everyone,
so
we
we
don't
have.
We
have
not
made
so
much
progress
on
this
one,
we're
still
working
on
the
MVP.
How,
then
we
will
look
like
I
know:
we've
been
working
on
that
Google
doc,
but
yeah.
So
that's
one
portion
of
it
and
the
second
thing
that
I
need
is
regarding
that
Sig.
So
what
we
want
to
do
it
is.
H
We
want
to
set
up
a
mailing
list,
but
we
just
don't
know
and
again
sorry
I'm
I'm,
not
familiarized,
with
the
processes
like
who
are
the
people
part
of
it
and
whom
to
keep
in
the
loop
and
where
to
seek
out,
for
you
know
like
help
in
terms
of
the
feedback
and
all
that,
so
that
is
still
in
flux.
So
those
are
the
some
of
the
topic
I
had
okay,
so
so.
A
We
could
just
I
I
think
some
of
those
we
can
just
knock
off
here
so
mailing
list.
So
you
want
this
as
like.
Whatever
I
would
call.
Maybe
metric
dashboard
is
too
specific,
but
like
what
are
metrics
at
lists.
Dot,
open,
access.org,.
H
Yeah
yeah
I'm,
not
yeah,
okay,.
A
E
I
I
saw
it
in
there
I'm,
sorry
I'm.
Sorry
I
saw
you're
asking
this
as
well:
I'll
relay
that
to
the
operations
team
and
so
we'll
get
that
and
set
up
with
the
right
naming
convention.
Yeah.
A
H
Yeah
and
so
Brian
and
Michael,
how
does
it
work
about
I
think
we're
supposed
to
send
some
email
to
Tech
or
someone
I,
don't
know
if
that
happens,.
A
Notice,
so
so
what
I
would
do
is
I
would
I
mean
Brown
unless
you
have
a
better
better
way.
Send
a
note
on
on
slack
to
the
tech,
Channel
and
say:
hey:
we've
been
working
on
a
thing:
we'd,
really
like
your
input.
A
E
Yeah
and-
and
you
know,
I'd-
be
happy
to
work
with
you
on
kind
of
describing
that
framing
it
in
the
right
way,
but
it's
a
pretty
open
and
accommodating
group
pretty
friendly
group,
but
you
will
get
lots
of
feedback,
I'm
sure,
I,
think
the
important
thing
is
that
was
the
decision
of
this
group
to
start
the
the
Sig
and
it's
not
it's
not
Tech
doesn't
have
to
approve
it.
E
They
just
want
to
be
informed
about
it
and
and
what
we're
doing
is
bringing
this
to
them
for
for
to
invite
them
to
be
involved
in
the
process.
I'm.
Just
aware
a
little
bit
of
the
sensitivity,
this
you
know,
neurops
the
Linux
Foundation
employee
and
one
of
the
things
we're
really
trying
to
do
is
make
sure
that
this
comes.
E
This
is
a
community
process,
not
just
something
that
the
LF
is
driving
so
having
having
many
of
you
who
are
interested
in
this,
also
coming
to
the
presentation
and
being
a
part
of
that
conversation
will
be
important
and
we'll
just
you
know,
we'll
be
aware
of
this
as
we
as
we
as
we
engage
in
this,
you
know
we'll
be
just
looking
for
other
voices
from
the
community
to
really
be
a
champion
for
this.
H
Yeah,
like
a
main
help,
I
needed
is
like
I,
have
a
vision.
The
way
we
had
it
from
the
stream
to
perspective,
but
like
the
vision,
is
slightly
getting
changed
right
because
it's
more
around
community
and
all
that
so
so
the
main
thing
I
need
help
from
product
perspective.
In
defining
this
MVP
and
I
know
azim
and
his
team
is
helping
me
on
this
one,
but
in
addition
to
azim
right,
like
I,
would
like
to
get
more
feedback
and
I
know.
H
Brian
is
also
working
on
some
of
the
product
ownership
perspective,
but
net
yeah.
We
just
need
help
from
the
MVP
perspective
like
how
the
MVP
should
look
like
from
the
feedback
perspective.
A
Is
that
the
the
posts
that
you
put
in
the
Stream
2
Channel
yeah,.
H
That
that's
right,
yeah,
that's
the
one
that
we
are
going
to
use
like
how
the
that's
the
dog
we're
going
to
use
it,
how
MVP
should
look
like,
but
that
was
the
additional
one
that
we
used
for
the
stream
too.
But
it's
not
relevant
anymore.
A
Oh
sorry
is
this:
the
dot
is,
is
that
doc,
the
one
that
you
want
feedback
on
now?
So
sorry,
you
said
you
were
working
on
on,
look
and
feel
and
and
like
product
kind
of
stuff
yeah.
Is
that
a
different
doc
or.
H
Is
that
yeah?
So
let
me
share
my
screen
so
that
way,
so
what
I'm
proposing
is
so
this
is
something
like
a
like
a
high
level
plan
that
we
had
it
right
and
then
azim
and
Brian
has
provided
feedback
on
strategy
missing
and
vision.
That's
all
great!
So
now
we
are
at
the
stage
like
for
next
three
months
right
like
what
should
we
focusing
on
the
action
item
that
we
had?
It
is
let's
make
sure
that
we
Define
our
MVP.
H
What
exactly
we
are
trying
to
build
right
and
make
sure
everyone
is
online.
So
we
just
need
a
feedback
around
that
like
around
these
some
of
these
points,
because
I
don't
want
like
I
Define,
something
and
then
become
a
part
of
it
right
like
so,
I
want
more
feedback
around
it
so
that
we
can
clearly
Define
the
vision
for
the
product.
A
H
H
Yeah
we
can
come
up
with
the
detail,
breakdowns
how
those,
but
at
least
we
need
some
like
a
high
level
feedback
instead
of
like
all.
This
is
the
score
card
from
the
user
perspective.
What
are
the
things
that
we
would
like
to
see
it
right,
and
then
we
can
come
up
with
the
plan
and
all
that
stuff.
A
Got
it
so
so
for
everybody
in
the
larger
work
group,
it's
a
great
chance
to
like
get
specific
in
in
terms
of
you
know
what
what
problem
is
this
trying
to
solve?
Well
all
the
questions
in
that
doc,
so
I
think
everybody,
the
edit
links
in
the
in
the
meeting
notes
party
on.
H
And
Azu
had
a
couple
of
things
that
he
was
thinking
to
share
as
well.
Azim
I,
don't
know
if
it
is
a
right
time,
but.
I
Yeah
I
mean
nothing
a
specific
I
I
was
just
I
thought,
maybe
a
good
time
to
discuss
the
mbsr
I
think
we
were
having
some
discussion
over
the
talks,
so
we
thought
maybe
the
meeting
might
be
a
good
place
to
discuss
what
should
be
like
the
Mission
Vision,
just
like
a
one-liner
that
we
all
agree
upon
so
yeah
like
do
you
want
to
maybe
share
the
dog
so
that
we
can.
H
I
Yeah
I
can
give
like
a
very
brief
context
here.
Right
so
I
mean
I
like
this
is
my
wording
so
feel
free
to
words,
method
or
like
change
it
completely,
but
I
I
feel
like
we
are
building
this
solution
more
for
the
open
source
consumers,
rather
than
maintainers
right,
like
I'm,
assuming
the
solution
that
we're
building
is
for
anyone
planning
to
consume
open
source.
I
I
How
often
contributors
are
making
contributions
and
all
of
these
things
right
so
I
feel
this
is
more
targeted
toward
consumers
and
the
answers
they
want
to
know
about
like
how
does
the
overall
health
of
this
community
look
like
what
kind
of
practices
are
they
following
and
stuff
like
that,
so
yeah
just
wanted
to
get
an
understanding
of
like?
Does
that
fit?
Well,
with
what
folks
are
thinking
about
the
dashboard
here
or
like
you
know,
maybe
we
are
completely
off
or
other
personas
that
we
are
missing.
B
Yeah
yeah.
Sorry
thanks
so
yeah
I
assume
when
we
started
this
initiative
right
like
we
were
looking
for
the
replacement
for
metrics
and
at
the
mattress
of
millions
of
components
like
why
we
are
restricting
the
10
000
critical
component
repositories.
I
mean
it's
just
about
repository,
so
it's
a
package
or
components
like.
H
I
H
Yeah
so
right
now
we
yeah
right
now
we
focus
around
the
repositories
only
that
is
part
of
that
again
like
in
order
to
define
the
success
criteria
right
like
what's
the
success
criteria,
look
like
so
we
we
thought,
like
we
start
with
the
10K
first
and
then
eventually
grow
that
so
it's
by
repository.
H
Yeah,
we
can
add,
add
more
granular
to
it.
Yeah.
A
I
I
think
maybe
we're
using
repository
in
in
in
a
loose
way
here,
or
at
least
maybe
we
should
just
be
clear-
is
a
repositories.
You
know:
GitHub
gitlab
bitbucket
or
our
repositories,
GitHub
npm
and
Debian.
H
Yeah,
so
so
what
we
are
referring
is,
like
you
know,
repository,
which
is
hosted
on
the
GitHub
gitlab.
That
is
what
we're
referring
here.
A
Okay,
I
would
suggest
making
up
just
10
10K
critical
OSS
projects,
and
that
way,
you
you
detach
it
from
the
implementation.
C
B
H
Yeah,
so
we
have
not
defined
there
like
the
from
the
implementation
perspective
right
now.
So
what
we
thought
is:
okay,
let's,
let's
figure
out
first,
what
we're
trying
to
build,
what
we're
trying
to
solve
and
then
from
there
we'll
we'll
discuss
more
from
the
implementation
perspective,
so
that
is
where
I
have
defined
it,
like
the
part
of
it.
Yeah.
B
I
was
going
to
ask
too
for
the
level
of
detail
where
we
start
thinking
about.
You
know
what
is
that
that
kind
of
user
journey
and
I
know
there's
a
couple
of
personas
described,
but
if
we
we
flesh
that
out
further
like
thinking
about
how
people
even
discover
this
dashboard,
how
they're
going
to
to
return
to
it
and
use
it
on
a
regular
basis?
Is
that
something
you
know
that
would
be
under
say
stage
three
or
would
you
think
that
that
should
be
included
a
little
bit
earlier?.
H
Yeah
like
like,
so
there
is
no
like
guarantee
in
the
order
Brian
like,
but
yeah
I
definitely
would
be
included
part
of
stage
three,
but
we
can
kind
of
change
the
order
right.
We
can
start
that
first,
but
yeah
like
the
idea
here
is
that
as
a
user
right
like
what's,
the
user
Journey
looks
like
and
what
are
the
things
that
user
is
trying
to
solve
right.
So
those
are
the
things
that
we
want
to
focus
yeah,
but
the
order
is
not
guaranteed.
We
can
change
it.
A
So
something
that
we
talked
about
in
the
past
and
and
I
think
there
were
strong
opinions
on
both
sides
of
this.
But
is
this
a
just
the
facts
dashboard
or
are
we
willing
to
give
it
a
score?
Give
it
a
grade,
A,
B,
C,
D
and
and
I
think.
The
reason
that's
important
is
what
what
I've
seen
in
I
mean
a
lot
of
dashboards.
You
know
you
you
you
you've
had
three
commits
in
the
past
12
months.
Is
that
good?
A
Is
that
bad
there's
a
lot
of
contacts
that
you
as
the
consumer
don't
have
and
I
don't
think
we
can
expect.
You
know
most
consumers
to
kind
of
do
the
math
themselves
to
see
if
three
is
a
good
or
a
bad
number.
A
And
maybe
it's
a
I
mean
I
I
guess
I
mean
I
mean
scorecard.
Does
it
if
you
have
an
eight
that's
better
than
a
two,
so
the
the
mission
here
single
source
of
Truth?
A
Is
it
I
mean?
Do
you
also
include
opinions
in
there
about
what
makes
a
good
project
I
guess
you
have
to.
E
Oh
sorry,
no,
it's
okay,
so
I
think
I
think
that
the
headline
of
this
should
be
here
is
the
the
the
the
the
One
Stop
shopping
kind
of
the
the
the
the
you
know,
the
repo
for
all
objective
data
relating
to
open
source
projects
that
you
know
that
in
the
long
term
that
this
is
a
place
to
pull
together,
not
just
the
the
scorecard
data,
the
best
practices
badge
data,
but
potentially
as
well
results
from
scans
from
dependency
analysis
from
from
other
things
right,
but
also
looking
at
things
like
when
was
the
last
time
this
project
had
a
third
party
audit.
E
How
much
churn
has
there
been
since
then?
What
was
the
result
of
that
third
party
audit,
like?
Let
me
see
the
report
and
understand
that
lead
to
cves
or
or
bugs
being
closed.
You
know
think
about
other
sources
of
objective
data
right.
The
the
chaos
metrics,
for
example,
other
things,
in
fact
having
a
rich
law
library
of
things
that
feed
into
this
data
set
is
something
that
open
source
would
be
great
at
helping
us
build
having
us
common
data.
E
You
know
off
a
copy
of
the
data
set
or
otherwise
you
know
it's
the
best
way
to
Fan
this
out
and
I
think
allow
for,
for
you
know
some
of
that
to
those
questions
answer
themselves.
I
would
shy
away
from
just
from
a
as
a
as
a
diplomat
shy
away
from
having
a
the
MVP
focus
on
saying
here
is
your
credit
score.
You
know,
you
know
this
project
scores
700.
You
know
this.
One
scores
435.
E
I,
think
showing
here
is
a
picture
of
the
different
objective
data
and
the
numbers
and
and
what
you
know
what
what
how
that
relates
to
other
projects
is
very
useful,
but
I
think
knowing
what
are
the
specific
weights
to
lead
to
an
overall
score
is
a
very
charged
conversation
you
might
want
to
just
defer
for
now
and
I.
Don't
know
that
it's
necessary
to
demonstrate
the
impact
of
this.
I
Yeah
I
I
think
I
was
about
to
make
the
exact
same
point
that
you
mentioned,
like
purely
strategically
speaking,
I
I
think
it's
it's
a
hard
problem
to
start
with,
to
say,
let's
have
a
cumulative
score,
especially
given
that
not
all
the
sources
are
guaranteed
to
be
there
for
every
single
project.
So
purely
from
a
strategy
point
of
view,
it
seems
like
might
be
worth
punting
on
that
problem.
I
For
now
and
considering
doing
the
cumulative
score
a
little
further
down
the
road
when
we
we
have
a
bit
more
clarity
around
what
kind
of
sources
we
have.
A
Really
see
your
comment
in
chat,
I
I,
agree,
historical
trending
is
is
would
be
pretty
important
here.
This.
F
Is
often
a
conversation
that
I've
had
with
other
individuals
out
in
Industry
about
what
is
the
security
health
of
a
project
and
a
lot
of
folks
go
back
to
how
active
it
is,
and
it's
entirely
project
dependent
and
it's
based
off
of
that
maintainer.
So
I
fully
expect
that
whatever
comes
out
of
this,
there
will
be
various
government
agencies
or
regulatory
bodies.
Looking
at
this
to
establish
security,
health
indicators
for
their
own
requirements
and
Frameworks.
So
whatever
we
do,
we
need
to
be
very
cautious
and
provide
due
diligence
and
the
justification
for
applying
it.
A
E
Yeah
but
but
defaults
matter
too,
you
know
if
the
default
is
that
the
score?
You
know
you
land
on
the
page
for
a
log
for
J
and
it
has
a
score
of
73.
You
know
that's,
even
though
all
the
code
behind
that
is
open
and
changeable.
You
know
the
the
it's
gonna
cause
questions
right.
What's
the.
A
Oh,
are
you
gonna
be
transparent
about
what
led
to
it?
No,
no
sorry,
yeah
I
I
meant
even
at
the
at
the.
What
what
does
if
I
say
that
the
log4j
has
had
active
contributions
in
the
past
three
months?
Well,
what's
the
contribution
is
that
a
code
commit
is
it
emerge?
Is
it
a
issue?
Is
it
a
smiley
face
on
an
issue
and
having
that
be
so
even
at
the
at
the
objective
level,
yeah
being
transparent
and
what
what
what
things
mean?
It's.
E
Both
in
spirit
of
this
project
and
I
think
important
to
deflect
criticism
that
every
time
you
show
a
bit
of
data
somebody's
able
to
drill
down
and
understand
where
that
data
came
from
yeah.
What's
the
algorithm
that
led
to
you
know
this
score,
you
know
and
the
scorecards
conversations
about
what
do
those
numbers
mean
and
what's
the
weighting
of
all
the
different
things
you
look
at
that's
going
to
get
the
more
that
scorecards
gets
used
out
there
in
meaningful
ways,
the
more
charged
those
conversations
are
going
to
become.
E
About
this
project,
every
time
I
talk
about
the
metrics,
dashboard
work
and
the
scorecards
work
with
people
lights
go
off
in
ways,
you
wouldn't
believe
even
people
who
aren't
programmers,
people
who
think
about
you
know
once
they
realize
not.
You
know
open
source
software
is
pretty
secure
by
and
large,
but
there's
a
wide
variance
in
some
of
the
objective.
You
know
realities
on
the
ground
of
between
different
projects.
They
go
well.
How
do
I
learn
more
and
I?
You
know
how
do
we
learn
more
about
about
that?
Is
it's
just.
E
G
Yeah
I
was
just
going
to
also
mention
that,
even
even
as
we
did
first
sort
of
like
the
opinion
it
explodes
and
all
maybe
it's
already
been
said,
but
just
being
able
to
understand
what
that
data
means
and
where
it
comes
from.
G
So
even
though
that
it's
actionable
will
be
will
be
good
as
well,
and
the
second
point
I
wanted
to
make
is
that
there
are
there's
a
different
working
group
called
like
the
in
within
the
open
ssf
called
the
best
practices
working
group
that
put
together
like
a
concise
guide
for
evaluating
open
source
software.
Perhaps
some
of
this
work
here
can
then
be
like
channeled
back
into
either
updating
that
data
actually
giving
guidance
to
how
this
dashboard
could
work
together
with
that
to
make
more
informed
decisions.
A
Are
driving
us?
Is
there
anything
that
the
working
group
can
that
that
you
need
from
us
or
or
from
anybody
else,
I
know
getting
for
an
attack?
Is?
Is
one
thing
so
we'll
make
that
happen
other
than
that.
H
No
I
think
no,
we
don't
need,
but
other
than
that
I
think.
The
main
thing
we
need
is
just
helping
defining
this
MVP
I'm
gonna
sync
up
with
couple
of
folks
offline
but
yeah
continue
to
add
your
comments
on
this
Doc
and
then
wolf
for
the
brainstorm
on
it
looks
like
we
know,
there's
something
to
share.
G
H
Yeah
yeah,
so
yeah
I
have
not
said
it
about
anything.
So
Brian
is
going
to
help
me
instead
of
the
mailing
list
and
zoom,
and
then
I
need
to
work
on
the
timing
with
everyone
like
what
time
would
work
for
everyone,
and
then
I
was
hoping
that
during
that
call
we'll
continue
to
work
on
defining
this
MVP
further.
I
Yeah
one
quick
question
Michael
so
before
we
go
to
attack
and
like
get
these
Sig
set
up,
is
that
do
we
need
to
have
the
mvsr
and
stuff
like
that
sketched
out
before
that?
Or
can
we
use
the
Sig
time
to
actually
sketch
these
things
out?.
A
Like,
oh
so
so
so
the
the
Sig
I
is
a
and
someone
who
knows
better
than
I
correct
me
if
I'm
wrong
here.
This
thing
is
a
very
Loosely
defined
thing
still,
so
this
the
the
Sig
exists
have
meetings
whenever
you
want,
preferably
on
the
community
calendar,
so
other
folks
can
join.
You
do
not
need
permission.
A
The
only
the
only
the
next
point
that
you
need
permission
or
need
approval
to
do
anything
really
is
when
you're
asking
for
money,
and
that
would
you
know
at
the
same
time,
it's
polite
to
get
input
from
from
the
attack.
I
Sounds
good
I
think
then
you
know
maybe
we
should
like
actually
get
the
mailing
list
and
the
and
like
a
time
set
up
for
ourselves.
I
I
think
we
have
enough
things
on
the
agenda
that
we
can
have
a
focused
meeting
on,
so
maybe
that
that
should
be
the
next
step
here.
Okay,.
H
So,
where
can
I
get
everyone's
availability
like?
What's
the
median
like,
should
I
put
it
in
that
stream
tool
slack
channel
so
that
I
can
get
everyone's
availability
or
I
can
just
randomly
I.
B
J
Yeah
so
I'm,
just
just
thinking
about
the
the
order
of
the
next
steps
right,
I
I,
don't
believe
we
we
I
think
both
of
these
things
can
happen
simultaneously.
The
the
what
we
need
to
do
with
attack,
but
then
also
I,
think
we
can
go
to
either
jury
or
Khalil
to
actually
get
a
meeting
set
up
on
the
calendar.
J
So
once
so,
once
we
do
do
the
do
the
doodle
poll,
of
course,
you
know,
would
get
that
time
back,
get
the
meetings
up
on
the
calendar
and
then
I
think
we
could
do
the
the
mailing
list
after
that
right,
yeah.
A
Oh,
it's
sorry!
Actually,
because
we
have
the
magical
mailing
list,
magical
operations
at
opennessesf.org,
say
hey.
Can
you
set
up
a
recurring
yes
thing
at
this
time?
So
please
set
up
this
mailing
list.
All
that
stuff
is
operations
at
yeah.
A
It
thank
you
all
office
hours,
I,
don't
I,
don't
see,
I,
don't
think
we
have
anything
any
updates
on
the
call,
but
there
are
updates
in
the
slack
channel.
So
please
take
a
look
at
office
hours,
I
believe,
first
date.
Oh,
we
have
a
date.
B
A
If
you
have
not
volunteered
or
if
you,
if
you
don't
know
that
you
volunteered
ping
Marta
in
slacker
or
whatever
to
volunteer,
please
please
show
up
I'm
I'm,
hoping
that
you
know
this
is
a
very
first
pilot,
so
we'll
see,
but
no
I
think
this.
This
would
be
good,
and
the
purpose
of
this
is
that
one-on-one
connection
with
open
source
maintainers
that
need
help
in
anything
related
to
security,
so,
like
like
true
officer,
is
just
kind
of
stop
by
and
chat
so.
B
A
Security
reviews
Amir
is
not.
Oh
sorry,
is
there
any
any
comments
on
that
topic.
I
A
You
need
a
doppelganger,
Security
review.
Sorry
I,
don't
see
Mira
I.
There
were
some
follow-ups
from
last
last
time
that
I
think
one
of
them
is
on
me
to
take
a
look
at
no,
it's
not
secure
reviews.
A
There's
security,
insights,
Let's,
see
we
don't
have
enough
time
for
any
more
topics.
Is
there
any
any
last
comments
anybody
would
like
to
make
otherwise
we'll
move
the
remaining
topics,
we'll
we'll
start
with
those
next
time?
A
Thank
you
all
very
much,
I
really
appreciate
everybody's
time.
This
is
a
great
conversation
looking
forward
to
all
these
projects
moving
forward
and
changing
the
world.
So
thank
you
all
very
much
very
much
appreciative
have
a
good
one.
E
D
That
I
could
not
switch
off,
so
it's.