A
B
Okay, I mean I I think we should have the meeting today, because Michael wrote that he cannot join today so asked if someone want to do the meeting of just move to another week, but I think we have the meeting, we can wait for minutes and see and.
A
I I, you think we should have or not have we shouldn't have it, but what I'm going to do is I'm going to see if I can find our meeting notes links. Let's see, that looks like a meeting, looks like we are being recorded.
A
Oh, you know what, you know what's strange, we haven't had any issues within this group, but usually in the meeting notes I like to link to the code of conduct, so I'm going to add that right now. Meeting notes, there's the antitrust, and right after that I'm going to, let's see here, all OpenSSF meetings must comply with.
A
The heading, I should say. All right, and that will give us time to wait to see if there are anyone else will join us.
A
Okay, 907.
A
All right, let me let me post the link to the meeting notes.
A
Okay, nothing else. The one main item that I think that we really should be talking about today is setting up discussions with, you know, with elephants etc. regarding next steps for a metrics.
A
Okay, Luigi, I will just type your name in here.
A
I don't know if did any, was anyone designated as a lead? If not I can I.
B
A
A
I I I'm more, I'm thinking more in terms of just, you know, making sure everybody can can, you know, get can get the turn.
A
So if you don't mind, though, if not for nothing else, I'm the one who sent out an email last, was it last week, proposing this, so for those of you, so so, let's just go ahead and get started. Is everybody okay with that?
B
A
Okay, update, all right, but let's, let's, so I'll just, I'll just add you. Okay, so you may have seen my email. But basically, you know, we have this prototype metrics.openssf.org, but you know it's, I mean it runs, hooray for that, but we really need to go further than that. We really want to, you know, got more information, get easier to use and all that good stuff. There's been some interest within the LFX security platform.
A
I know there's been some other interests, avishack actually expressed interest as well over at Google, and so I wanted to basically propose that we set up a gathering. It could be this, but maybe we need to set up a different meeting time, because I think some people have some scheduling problems. So I propose, hey, let's have a just a meeting just on the, okay.
A
What needs to be done for next steps to to go on and and go for there is everybody, but I didn't want to pull ahead of of the group. So I just want to get a sense from the group. Does that seem like a reasonable thing? We can set up a Google poll and, you know, those are interested.
A
You can declare I'm interested and then we'll have a meeting, and then I think that next step is basically trying to work up requirements and next steps to to move forward from where we are now.
A
That's right, that's right! A dashboard! Basically, you know, create create a new meeting. Doodle poll. Okay, the the purpose of the the meeting would be to ID requirements and next steps to implement a a better metrics dashboard.
B
Yes, I mean if I can say something about this. We have a two one.
B
Already implemented the sort of, well technically I met your dashboard using Grafana to show some information about the open source project, and we have deprecated it and probably, which I I cannot, I mean I cannot call it as post-mortem, but it will be important, probably, understand why we have shut down that dashboard and understand which information we need to add in this dashboard without having a Scorecard duplicate. I mean Scorecard is an evaluation tool and it is definitely good, and probably we want to add all the information that are in the Scorecard.
B
But probably a dashboard is something that is more human friendly, so something that people want to read in some way, or using a dashboard or using API. But definitely there is a human that use the product and software. You want to have more information related related to security for sure, or to a sort of healthy check of the project. So not just security, sometimes can be the list of maintainer, the URL of the project, the URL to the documentation. That is important.
B
We have seen that the Log4j was well-documented in, I mean was the, the feature was in the documentation, but no one know this. So I think that that if we want to start with the dashboard, I think it is a good idea.
B
I mean because people, especially in small team or small company, want to have a human friendly tool, but we need to be sure that we don't deprecate it after one, yeah, it's very common that we create a lot of projects and with source from different place, and probably at least inside OpenSSF we should be better to communicate to be sure that project can coexist and can give a value, because I mean, from my perspective the previous dashboard was a nice idea, but for some reason we decide to duplicate it.
B
It was difficult to maintain it. It was difficult to to find the right information sometimes to give the right evaluation to the project. So.
A
A
All right, so I mean I, I have the, all I I can set up, I can set up Doodle poll and gotta kind of get that going, and then those who are interested can gather. Maybe we need to write a little requirements doc to try to agree on what those requirements are based on.
B
Yes, and I have a question for you now. This kind of product is very big, like a lot of projects that we have at the moment, and I don't know, it's just an open question. No, no, about Linux Foundation want to open position to hire people to work on projects or not, because probably this can, okay, because.
A
Absolutely. Now I I'm saying that we can, that doesn't always mean that we do. I will say we tend that we tend not to. We often tend to either, you know, depend on companies to hire the people, right people, and use them, or we hire consultants. But do we hire employees? Absolutely, and in fact, Alpha Omega is working right now to hire folks who will be actual LF employees and will work full-time on that work. Okay, so so can we do it? Yes.
A
The previous step, however, is what do you want to do and what's the best way to accomplish it, because I'll tell you one one trouble with hiring already, and I realize I'm telling something that everyone here already knows, is it's actually challenging to get people who are good and have the right expertise.
A
You know it's, it's just it's challenging, and elephant's not immune to that problem. So you know, but but really step one is what are you trying to accomplish? Okay, and and yes, hiring is absolutely one of the techniques, if that turns out the best way to get the job done.
A
People, all right, thoughts, comments.
A
All right, that was it for for Mom. Luigi, your your problem.
B
Okay, Security Insights, some updates. I'm, I need to open the issue well written for the Scorecard.
B
At the moment it is just a picture request or a feature test, so I'll probably add that pull request in the future to see if we can implement, I mean if the Scorecard team can implement or can integrate the Security Insights inside the the Scorecard, the evaluation or analysis. We can, I mean the team probably can define how to use the data that are contained in in the Security Insights, because I can understand if they decided they cannot trust everything.
B
It is okay, but there are some data that are better than the scan that they do now. In addition, in the last week, there was a thread on slacker about some feedback received by the community regarding automatic pull request to fix bug, a security issue, or automatic issue to to to communicate security issue. I am not sure the moment, but the point is that the community, I mean some.
B
Some maintainers have objected the requests or the automatic report, but other one didn't so happy about receiving automatic pull requests for a lot of reason. Maybe the content of the record was not so good, or the vulnerability was an acceptable risk for the project, and so on, and so so in the thread, I have the link to the thread, give one second, so I can give more context to that, that we can add it to there I.
C
Can add the context because I was responsible. Oh yes, that worked, so hi. This is one hour, yeah, so I'm, so I'm CEO of OpenRefactory, we're working with Alpha Omega project, specifically Mike excavator.
C
Basically, our goal is to, so our tool, Intelligent Code Repair or ICR, it detects bugs with very low false positive, so very high concentration of true positive. So we have an ambitious project where we want to scan the entire PyPI repository and, basically then the goal would be to like communicate with the maintainers and then have like hardened the security of of the of the projects and also fix vulnerabilities and so on. So as part of that experimentation, we have had a had a website that was launched earlier.
C
It is in pipi.openrefactory.com, and so in in that website, right now we are automatically like scanning about 200, between 200 and 250, I don't exactly have the number, but yeah, some amount of of the top PyPI projects and basically I identifying bugs in that. So one of the things that we found out is, as I mentioned, we found only important bugs, and so in in projects, for example in Ansible.
C
If you run like any other tool, like we ran SonarQube and others, and so on, you would get in close to three thousand, four thousand bug reports in that, and that's, you can't work with that. You can't do anything, because many of them are false positive and on won't-fix issues and so on. We identify only like 20 something bugs, and some of them are, so all of them are height of medium severity level. So what we did as an experimentation part, the next step.
C
How do we communicate with the re with the with the maintainers? We select, we picked a small subset of of that, I think 24 of those pull requests that were identified across projects. We submitted manual pull requests. There is nothing automated that was done, but it was done in an A/B testing manner, as in some of them were done in in a more structured way. It appeared that it is coming from from some machine, but then the other one.
C
There are some other messages that were written in a first person basis so that it it looked like it is coming from a human being. So the current status is now that 10 of them have been accepted out of those 24, eight, we don't have any any answer, and six of them have not been accepted. So there was that in one case there was a violation of the protocol.
C
As in like the person who was doing this, he actually created a a message that was on internet that are some maintainers, but but basically, basically, what we found out is number one, that the content of the bugs are important. If, if the, we didn't find, even though our test is small, we didn't find that the messaging difference did not create any, so out of the 10 bugs that were accepted.
C
Six were from the from the more human-like message communication, for where about the accepted from the automated message and so on. So there's no difference in terms of the messaging that created any any difference in the in the acceptance rate. It was the quality of the bug, because it, people found that it's important, that's why they were accepted and being merged in the code base.
C
What we also found is that the same bug, so, for example, we were looking for cross-site request forgery protection being disabled, and so this was accepted by four different projects, one, it is pending right now, and then one rejected that, because it was not important for the, so it was not a giving a valid, so they didn't have an attack surface for that particular attack or that particular problem.
C
So what we understood is is that probably, I mean, even though I've been building automated tool for for, like over 15 years, I don't even subscribe to that idea yet of submitting automated pull requests, but I mean you and I we're planning to have a chat about it later today, but if we find high value bugs, people are gonna get notice, are gonna notice it and and accept these things.
C
So it's important that, before generating or before going to that step as an automated pull request, we need to first of all improve the quality of the of the scans. So so that's that's a critical piece of the of the puzzle as well, but if the bugs are good or if the bugs are important issues, then I mean we found that with very little effort about 40 percent of our fixes that we submitted got accepted and within a week.
C
So so that's that's pretty encouraging. We're also looking into other mechanisms, so Michael suggested that we also look into, so this was more about going through communicating to pull requests there. Another way would be to communicate through security advisories. So that's what we are experimenting now, as in, and we're gonna produce that that particular report. This is happening with the Alpha Omega folks. So sorry, this was long, but this is kind of the context of of that particular case study that's going on.
A
So I'm raising my hand, I guess on myself, so I want a quick respond. I do think that Jonathan L has had successes submitting automated pull requests, but to be fair, he's using a really different approach. So, instead of scanning software and looking a particular program and looking for the vulnerabilities, he's looking for like one vulnerability in some software that is widely vendored and then and then it's basically it's the same. It's it's not a highly abstract. It's very specific.
A
You know, this particular either program or significant snippet is being reused the same way over and over in a bad way. It's it's the wrong thing to do. So it's not a scan of a whole program and find the problems. It's, you know, I found a particular pattern and then I'm using, you know, I think he generally uses code, you know CodeQL, he's basically scanning for a very, very specific code patterns over and over again, which is a different. So it's, he's being successful at it, but doing something rather different. So.
C
You're absolutely right, yes, and I mentioned that in the blog post that I wrote as well, that his is more about patch dissemination, like there is a specific vulnerability and the patch has been created and he's just disseminating that, even though that his path is based, and that also depends on the patch quality. So he has actually shared his data set with me, so for for a case like that he had done before with HTTP. So with Maven like library loading with HTTP.
C
Instead of HTTPS, he had big success, like 40 of the office pull requests were accepted, but in the current ones that he was doing, because of the quality of the patch was not necessarily that good, he had actually less than one percent of the pull requests that have been accepted. So his recent record on that is not necessarily good, but yeah.
C
His focus is on patch dissemination, but it also is dependent on the patch itself self, because he was making some assumptions, generalization assumption that that does not hold for for software really, so so his patch was a little bit too aggressive and that's why, in the recent case, sap is not, it was not very, very much accepted by the community, but previously here like as high as 40 acceptances as well. So we are very different because we are more a general purpose bug bug thing, so spot on that observation.
A
B
But there is my reply, but it's not the first open source maintainer or security guy that say this: it's very common that sometimes you receive report, security report that are not so interesting for your project, because maybe some vulnerabilities are accepted by design or are not so critical for your own project.
B
If we consider a threat model, especially, and usually suggest to maintainers to add a sort of autoscoping scope list in the security policies, not because it is a very good idea, honestly I prefer to receive every kind of report, but if you need to maintain a project or you want to reduce the noise of the image that you receive, so it's normal and human I think, and for this reason the Security Insights already support this. If Alpha Omega helped them, the maintainer of the project.
B
To add this similar YAML file, where there are all this information, for example, if you accept or not to request, if you accept or not video reports and so and so, we have a file that we can scan and in the future, we can use that file to decide how to report a particular security report or open request to automate a fix. Sometimes not all the fix are set accepted, because maybe they don't respect some standard or similar.
B
So it's difficult, but at the same time we see that some information about how to report the the the issue are important for the security community. Yes, we can still continue to send an email to a contact if we are lucky and we found the security.md or just a link to a policy, I'll open up a issue where we say, hey, we have found the security issue, can we have a contact to send you it privately?
B
So, but this approach can scale, and in a system where we have the packet manager, the the repo of the project, and so, and so maybe we want to have something that can work better. So, from my perspective, of course, I I can be biased, Alpha Omega could spread the standard, so suggest to the maintainer to implement is similar YAML file that also the basic one.
B
So with just the minimum information, the required one, that are 20 lines, I think, and in that way we can have a file that we can use in the future. So we can just scan the repo. If there is this file, we can read it and according to it, we can decide how to proceed. So we can also automate some reports because, I mean, okay.
B
When you want, when you are talking with maintainers and developers and just people that do open source in the free time, you want to have a human approach, definitely, but at the same time I can understand if someone wants to help, I want to scale, because also Jonathan had done a very good work, but he how to make part of the work, so I don't think that we can, I mean it's like funding, not all open source project accepting report because they are maybe just a generic dangerous service.
B
But if the research is very good, it can find a way to escalate a phantom issue. But the question is we want to spend time to find the right exploiter. We want just to fix the bug because it is a risk, and from that perspective a similar standard and specification can help. The point is that the main friction that we have, or the main challenge that we have, and it is quite big honestly, it is convinced people to adopt it, and maybe not having a lot of similar file like right now.
A
C
On the previous one, just one final note, so so the so the conversation that has, I'm, I've been having with Michael is that there is also politics involved, as in like whom are people getting requests. So one of the, so we only, like out of the 24 pull request that we submitted, there were only two cases where people didn't like, they thought that it was.
C
It was coming from a comp, so it was sent from an OpenRefactory handler, so it was coming from a company and it was not necessarily good and so on. So one of the things that that I think, and Michael kind of agrees to that, is, if OpenSSF is is sending those or Alpha Omega is sending those things.
C
There is a better reception, perhaps just because of the perception of that, that it is not coming from from from a corporation or or that kind of entity, but it is coming from from from a research perspective, so so that there is that that politics of of human acceptance that is also affiliated with that, but anyway, so that Iris matches. Thank you.
C
A
Okay, I think we've run out on this topic now. Moonwalk, are you also the one who raised this virtual summit idea?
C
Michael raised this. I'm just the executor. Myself, Alex and ishel, three of us just volunteered to execute, but my, it's originally Michael scuba's idea that was shared in the general channel. Okay.
A
A
You're you're conceiving of this as an OpenSSF thing, right, exactly, or is this an external thing? This is an openness, something externally.
C
This was proposed by Michael. We are still like, we just had two meetings, as Alex is here, Alex can feed feed me as needed. We have had two meetings so far, so three of us volunteered, and so we have our two meetings, we, right now the plan is to create a steering committee, which basically means communicating with you and and getting some people involved so that we can take some decisions. The decisions that are needed are number one.
C
The scope, who are the, I mean we can't, because it's a virtual event, even though Zoom allows us, but we can't have like 300 people there, because there's no communication, effective communication that happens. So if we narrow the scope, let's say just have 40 people, 50 people, who will be those people.
C
What will be those products, so we have been, or I I've been working with the identifying, so with Amir and and that particular group to get the list of the projects based on different languages, the top project based on different languages, and possibly using that list. There are other ideas, as in different tiers, tier zero to tier three. There are also ideas of getting projects from different verticals, like payment industry or healthcare industry, fintechs and, and each of them so have represent.
C
We can't obviously have all of them in one meeting, so one of the things that we were thinking is, and and that was also part of the original idea, is to make this thing a periodic thing, like having having this thing every quarter, involved a small subset, a narrow scope, and then focus on that. So that's one of the things, the scope.
C
The second thing is, we still need to decide on the format. We discussed on like having a workshop format, which requires like maybe four hours of or so of involvement in a specific day, and we break that into specific sessions and so on. There could also be like a panel. It will also be just an in just a talk or a presentation from some more noteworthy figures and then have question answers around that. So that's something that we also want to. There's also that this, the budget, the funding and so on.
C
So it's still in very early stages, but we are basically, ishel, who's in Ireland right now, we asked her to connect with people and get a group of people with whom we can form a steering committee and meet this partner. That's kind of, yeah.
D
Yeah, thank you munar and thank you David. So you asked a very good question, David. Is this OpenSSF thing, right, yeah, I'm wondering, you know, what makes openness as a, you know, thing is I think a question we want to answer too, right. If we do this under a warp group, or you know, is there validation needs to be approved by the working group, or when we were talking, you know, yesterday, mana and I, we definitely have to work with the tags, you know, to get some inputs, and I.
D
Think Michael's point of view was that if this happens, you know, as a recurring event, right, it can make a good impact on the community from the user side. I know Alpha Omega has efforts too, but I think, as you know, someone who can just drop by into the this virtual conference or virtual summit can learn a lot about what's going on and key projects that OpenSSF decides, right.
D
This is a top 100 projects that very important to keep and maintain the security of the code, right, or or you know, the the important part of the impact on other software vendors or other users, right. So that was the key message we wanted to deliver, and if we wanted to be part of OpenSSF event, what other things that we need to do to make it happen, right, and we definitely need some help from Linux Foundation too.
A
Okay, I I can give partial answers, and they open that stuff is still, you know, they actually just accepted, you know, some change to try to formalize some things. Historically, OpenSSF has been very informal and we originally, we didn't have any funding, so we're trying to formalize.
A
You know we, you can claim we're trying to build the plane while we're flying, but I think right now the the, I think the way to get started is, if it's going to be an OpenSSF thing, generally, you know, OpenSSF things happen within working groups or projects and things created by those working groups. So you basically show up in a working group.
A
Do, is there a general consensus by the working group, and it can be electronic, or you know a meeting like this, and then that needs to go up to the path. Usually the working group lead brings up to the fact, hey, is there any issue, because attack of the attackers are a little concerned about doing the same thing multiple times, right, or even opposed to each other, which we don't want to do. Okay, and I think there's there's a desire to solve the problems, but not just let a thousand flowers bloom.
A
The CNCF has taken that approaching very effectively, but I think there's an expectation there's a little more limited. You know the problem is big. People don't want to spend as much on somebody's security related things, and therefore, while there's there's some funding, we want to be not a thousand flowers bloom, but here is the flower for this particular area and we're going to try to focus. You know, we're going to do multiple things, but not do multiple things for the same result.
A
So working group seem okay, bring it to the pack, is there an issue. Now specific for a conference and such, the elephant, we've actually got a whole bunch, we actually have a whole event staff, depending on the scale you want to do this. If you want to get just a couple people together, I mean Zoom calls, they work, they're just fine. Okay, if you want to get a thousand people and have a webinar, that's a different scale. We can do that.
A
We actually have a couple platforms we tend to use, depending on which you want to accomplish. So, unsurprisingly, I'm going to come back and ask, well, what are you trying to accomplish, but we've got a couple different platforms that we can use depending on, you know, scale, but if you want to have a multi thousand person event, I mean we run the CNCF events, so we can do that, yeah, right. The issue is, if you want to do that, I would urge you before doing that.
A
You know, what are you trying to accomplish? Do you think that will get you there, because that's obviously a big deal. Yeah, Emily has noted something called meeting play.
A
A
E
No, you're right, so I've I've started conferences within the Linux Foundation and I currently coach everyone.
E
E
It sounds like an initial perspective of looking to the maintainers and giving them a platform for expression about some of their challenges and difficulties, as well as providing awareness of what the OpenSSF is doing and how best to engage, is a really good outcome, and working towards what those goals in mind would be beneficial. That being said, you're talking about the top critical projects, if you were to strip that down to maybe like the top 50 that are the most important, they probably have more than one maintainer, you're looking easily at upwards of 110.
E
These, so you'll need to figure out how to structure and provide opportunity for a lot of those discussions to happen and give them voice. So it could be in the form of, you can do CFP calls. You can also just do open forum communication where everybody gets on a webinar, and you add everyone as a speaker. Heck.
E
If you really wanted to to take a crack at it, you probably do like Twitter Spaces or something like that to get folks to talk. I'm not recommending that, because that'll be very confusing, but there's a lot of different opportunities there, but it'll always go back to what are you looking to get out of it? Who are your attendees? What do you want that focus to be, and then from there selection of platform.
E
Is the next thing, and the events team will be there to help you, but, generally speaking, it sounds like something that would be best suited as a Colo event or an ongoing event to an existing conference such as OSF Summit. That would be a good opportunity. CNCF runs KubeCon and they have a maintainers circle or a maintainers meetup, where they cover a lot of those discussions, and that is as part of the main event, right.
D
Right, thank you, Emily. I think you have a great insight, so it would be great if you can, you know, join us on the next week on, you know, this this team discussion. One thing I wanted to point out is, I think it, Michael's ideas intended to be virtual summit, where you don't have to travel and and make it more flexible to people coming from overseas or other countries, so just wanted to point out that it intended to be a virtual summit, yep.
E
Yes, and I think that'll be the most important, especially given where the maintainers are, so that is, as long as you can keep it virtual and make sure that there is good opportunity for everyone to speak in that platform, either through Slack or through audio in some space, that'll be beneficial. There's been a lot of really neat development by community maintainers on how do you give audio to a diverse virtual community all at once, there's been some really neat projects I've seen in the past.
D
Right right, that's that's the target point, and also, you know, selecting criteria of what focused projects we, you know we have a list of those target open source project, but you know what is the realistic, you know, number two start with in the first set of, you know, some, then move to the next one. What will be the next target of products, right, who decide those, that that's something we we have to, you know, discuss further working with tech and working with Open Access working days, right.
A
This is kind of a point of order, but I just reposted the meeting notes. Emily, I tried to take notes on some, you had some great stuff and I don't know that I got it I.
E
A
A
E
Yeah, so I, as co-chair for KubeCon, I work with the LF events team. I've had excellent support staff when I was running Cloud Native Security Con as a KOLO event for KubeCon, again great support from the events staff. So just so you're situationally aware, anybody serving in a program committee function or a co-chair for those kinds of events, you're going to be doing a lot of work and the events team we'll be relying on you to make a lot of the decisions around structural organization, content, platform, keynotes, anything like that.
A
As someone who does my darndest to not do some of those crazy things, thank you, thank you for being willing to do that because, in my short experience of doing this, I made, I said, oh my gosh, that's a lot of work, so thank you. It's.
E
A
A
Give you back 15 minutes. Thank you, everybody. We can, you know, make some last minute tweaks. I see Emily is trying to fix all my mistakes, so thank you.
D
David, something different topic: I I know you're speaking at OMP Summit next week in Philly, you're going to be in person, I'm.