A: And the meeting notes are in the meeting invite, so you guys should all have access to that. I will share that out.

A: Cool, yeah, so welcome everybody. If you guys weren't on the call two weeks ago, happy new year, hope everybody had a nice break, so yeah. So just wanted to talk about a couple things today, but we can kind of, you know, take the conversation where the conversation goes. Please, you know, add yourself, and if you have any topics that you want to talk about, just enter the agenda and we'll make sure that we talk about them.

C: Linuxfoundation.Org okay, so I posted a few comments about the metrics, so people get a chance. I think basically the issue right now is: we need to figure out how to improve the little dashboard to measure things we actually care about.

A: Yep, yep, agreed, so yeah. I think that that's the output that I would like to get from that, is having a core team that just focuses on the implementation of the dashboard. So I'm sorry, I lost my screen, so I can't actually see anything that I want to see.

A: Okay, yeah, so, okay, so the agenda. So for you, we could talk about kind of how we take the dashboard from this, like, quasi-MVP proof-of-concept thing to something that we can actually release. Some of it is like design stuff. Some of it is implementation stuff. Some of it is, you know, getting like a domain name and figuring out like how to blog about it, and things like that.

A: I do need to update the README so that other folks can install the dashboard and kind of go with it. We did want to talk. Maya gave a decline, so I don't know that we have much that we can talk about on getting the scorecard, either the metric dashboard or the Scorecard project.

A: Access to a, you know, enhanced GitHub API token, so that it wouldn't be subject to the normal rate limits. If we need to defer that, that's what we'll have to do, but I think that right now is a limiting factor on, you know. Unless we do some radical, like, redesign where we, you know, use the end user's, you know, token or something.

D: Nicole, so this Nicole, and I forget her last name, I think if we have down here, he might be able to remind us, so Maya mentioned that there's a Nicole at GitHub that's working on allowing researcher access to GitHub data, and we might be able to work with.

C: Sounds good, yeah. Mike? Do you currently record the date for the data that you're reporting?

A: Yes, sometimes, so for certain collectors, the date is the current timestamp. Because that's, you, I understand, right, but for like your data, I echo the, there's a collection date. I think, yeah. So I, I.

C: The reason I ask is, I mean, we don't have to fix. You know, I'm looking more at like an MVP kind of thing. You know, could we do something like, you know, just so, let's, you know, you've got a list of projects to analyze, let's sort by the oldest data that you've got. You know, and do the N. Every day do N projects that are the oldest, and then later, if you get, you know, superuser tokens that let you get lots and lots of data.

C: Yeah, and as far as, you know, projects to analyze, the, you know, I can't control the universe, but it's easy for me to give you the list of projects that are currently participating in the CII Best Practices badge. You could download that list yourself, actually.

A: So I'm looking for someone on this call to step up and say, you know what, I have some time. I would like to drive this, drive the implementation. What that'll mean functionally is, you know? You are now the main contributor, the main committer to the project-security-metrics repo. I will give you access and credits and whatnot to the VM and the Grafana instance.

A: So you can party on it and, you know, you can then have a, you know, hopefully have a small team that you work with out of band of these kind of bi-weekly meetings to make kind of more sustained and more meaningful progress forward. I think it's the only way that it's going to succeed, so I'll open it up there. Is there anyone that would like to put their name next to this and say, you know what, I got this?

D: So I can't put my name next to it, but I have some other thoughts and I'm willing to do some reaching out to folks. So I, and this relates to something else we've talked about on the metrics project, so we've talked about trying to apply a supply chain...

D: Integrity kind of framework to the data that we put in here, and in-toto is a framework for that, and Santiago Torres-Arias, who is the lead of that project, is a professor at Purdue and has a research lab and people that we might be able to see if we could make that be a research project for him.

D: So that's one idea. Another idea I have is that we have some funding in the OpenSSF and we could consider, you know, possibly hiring someone as a contractor if we think that this is contractor-like work, or, you know, work that we'd be comfortable having a contractor help with, so that's another option. I'm also, as you know, Michael, I'm trying to get more resources at Microsoft dedicated to OpenSSF, so that we have some engineers at Microsoft who can work on projects.

D: That's going to be a little longer out, so those are my brainstorm thoughts.

A: Cool, yeah, I don't see any reason why a contractor wouldn't work, except that it's gonna be more of a, it's not so much the pushing of the buttons, it's the knowing what buttons to push, or like thinking of what the most effective buttons to push would be. So we'd have to be a contractor with enough domain knowledge that we can describe the problem, basically have them join the work group and then lead it. That would work for me, having Santiago.

A: If he's interested, that, sure, I mean, in the same kind of scenario of like, great, you're part of the work group and you own this, you know, I would like it to be kind of driven through this working group. Yes, as far as who does it, I'm. I think it's more important that there's momentum and progress, even if we have to sometimes backtrack and go in a slightly different direction.

C: So, Michael, I would be interested, but I have something of the same problem where I only have 25 hours in the day, so, but I might be able to lend a hand. I've, probably my first step would be, I need to be able to install it. I tried last time and, as we noted, the instructions are for the old version, so.

A: Mean it's like, I would say kind of a jack-of-all-trades kind of, you know. A generalist developer would be fine because, you know, on the Grafana end, it's literally using Grafana, which, you know, you watch the videos for a couple hours and it's not that, you know, it's fine. I'm getting data into Grafana, it's! It can be whatever, it's some, some of it's shell scripts, some of it's Python. Some of it can be whatever they want.

A: It's just a thing to an endpoint, yeah, the server itself.

A: There is an Azure function, which is C#, but this is uninteresting. It just provides a.

A: So like none of these, like these are all, I mean, I guess the only real coupling is the Azure function to Postgres, but that's, I mean, it's really. I mean, it's probably...

A: 500 lines of code in total, like the entire thing, other than, like, obviously, Grafana, and, you know, the implementations, so yeah, it's kind of like whatever they have they can use. It could be Node. It can be whatever. The thing that I think will take a while is like right now, you know, I made up a bunch of metrics, or not made up, but, like I said, you know, okay, so here are metrics from the Scorecard.

A: Here are some from the best practices, here are some others. That kind of made sense to me at the moment. Are those the right metrics? Do they convey the right story? I, you know, it has to be a value that, it has to be something that the user can't do just by going to, you know, running the Scorecard themselves, or going to the best practices website, or like looking at like the GitHub insights page, and.

C: Yes, Michael, am I, have I been looking at the wrong project? I'm looking at project-security-metrics, and when I do a find on it, it's pretty much all Python, except for a couple of GitHub YAML files. Am I missing something important?

A: Actually, wait, wait. Wait, wait, wait! No! I'm! Sorry! I merged it. It's, I'm on the main road. So there is a run-jobs which just kicks off and runs a bunch of other jobs. One of the jobs is like the GitHub project releases, which, this one goes straight to GitHub and looks for it, just as GraphQL grabs the releases and spits it out, and well, and submits it to the right.

A: I think this is it, let me see there? Is there, we go, at least there was one that this does a clone and looks for the unique contributors and posts that, but yeah, so this is.

A: Oh yeah, Python 2 is dead to me and everyone else.

C: It is not that everyone else, it is that to you, there's a vast number of people who have Python people. No, no, it is dead to Python people, developers of Python, not to the people who use Python, which is an enduring problem.

A: Yeah, so, basically, you know, each of these widgets corresponds to a piece of data in the database, and by bringing it together and telling a story, some of it, I think, might actually just be like, if we're okay with like these metrics being the metrics that we provide, then it's just more data and automating the, you know, collection of it, which could just be some cron jobs. It's more just the cognitive burden of keeping this in my head and trying to make progress on it.

A: That is overflowing the cup at the moment, so yeah. So we went to a contractor, but, you know, I do want to give folks on the call, just if you're thinking about this later and you're like, you know what, I want to do this, just shoot an email out or post on Slack or something, and that would be terrific.

D: The other thing is, we are, you know, for the funds that we have available from OpenSSF, we're looking at, you know, setting up a process where we have working groups and others create proposals and submit those to. I think we'll run this all through our budget committee, which is just getting formed up, or just about to get formed up, and then we can decide.

D: You know, we can open for those proposals. We can have companies, we can have funds that are already in OpenSSF potentially go towards those, and we can also ask other companies if they might be willing to submit monies toward that. So what I can do is keep this in mind as one of those proposals and then, as that process firms up a bit more, Michael, you and I can work together to create a formal proposal. So that would be awesome.

A: I've determined that left-pad is fine, or it's not fine, or it's fine but only in these circumstances, or whatever, and I write that up as an entity, I post it, I put it in the bag of security reviews, and then anybody else, when they are looking to use left-pad, they can say, oh, Mike did a discord review and he said it was okay, or like the discretion, he said this is terrible, whatever it is.

A: Whatever the opinion is, you know, it's there, so this differs from CVEs.

A: So it's not a zero-day trading club, we're not going to like post new vulnerabilities in this that haven't been known, but as a couple examples of the types of things that make this interesting, number one: the fact that someone's looked at it and didn't find anything, it's a positive indicator that does not exist anywhere else.

A: For the most part, I mean, some projects have had third-party security audits and they can come back clean and they put my website and that's great, but there were just so few of those, like it's practically zero percent.

A: How about second, places where the usage of a component, like so Elasticsearch, don't expose Elasticsearch to the internet? It's probably a reasonable guideline, but people make that mistake all the time, you, sandboxing in Electron.

A: This crypto library implements 40 different crypto algorithms. Only three of them are deemed secure at the moment by, you know.

A: Cryptographers generally. This is a pseudo, this is a random number generator, but on Linux it is super predictable, or whatever, things like that. They wouldn't be classified as CVEs, and therefore, if there's no other place for them, that knowledge was usually either in a GitHub issue or, you know, buried in the doc somewhere of the project, and that's fine, but I think consolidating that into one place has a lot of value, because what you really want to say is, you know, I, as an enterprise, I'm using 10 components.

A: They are safe, one of them has been reviewed and here's the information. I want to know that information, so that's the long elevator pitch for why I think this is important.

C: I just added a whole bunch of thoughts on some key issues, some of which I think you've already. You know, yeah, make sure it's clear who did the review. I didn't allow hypertext links. I probably should make that clear. Hypertext links to others' reviews, because sometimes you can't post them because of copyright, but we link to them as long as we can link to them.

C: I think that's fine, making it clear that you might not agree with your reviewer, that's okay, it's just someone else's review, yeah, and some sort of process for adding and removing them. I'm thinking of, you know, there's some sort of group, at least a couple people approve their addition or removals, so that it's not just one person's opinion to add or remove them. Very light, but it's gotta be lightweight, but, you know, yeah, something, but other than that.

C: I mean, I love this idea, and I think that this suddenly provides added value for the metrics thing, because you go to the metrics website and it shows not only these numbers, but if there's a review, poof, there's your review. Oh hey! Look at that.

G: I would be happy to update some of our security reviews, some of which, you know, have just been completed recently, to kind of get some momentum going in the listing, but yeah, overall, I think it's a fantastic idea, and I think security reviews, like you said, I mean, there's very few components and very few open source projects that get them, despite being, you know, so popular and so ubiquitous. So overall, yeah, fantastic idea, and if I can help in any way with this, please let me know.

A: Awesome, so I think the main, right now, I think the long pole in my tent is getting the, and this is not, it's definitely not the most important part of the project. But in order to move forward, I need to standardize on these criteria, and I don't want to devolve this into a, you know, a committee that just talks about capitalization.

A: Things like, you know: what are the possible values for a recommendation? Like, how do we say that this thing is good? This thing is definitely no good, or this thing is, it might be good depending on how you're using it. Like, what are the words we want to use here? How do we describe, like, are we looking at the entire? Did I look at all of Elasticsearch, or am I just looking at, like, you know, how one deploys Elasticsearch?

C: I think right now, I think making the criteria too strict is a mistake, because we have so few that stripping away things is going to be a problem at all. Yeah, I'd rather, I think it's more important that it's very clear who did the review, and maybe I should also ask, you know, clearly ID. I guess this is number five, clearly ID what was reviewed, yeah.

C: You know, ID what was reviewed, so, for example, you know that we, the LF, just recently did a review for the Linux kernel, but just of a very specific part of its vulnerability handling process. None of the kernel as a whole. I think that's okay, as long as it's clear that that's what it was.

C: Yeah, so I think right now, I'd wait. I'd focus way more on truth in advertising than it's got to be this particular way or capitalize these letters, right. You know, so truth in advertising. I know who did it? You don't have to agree with them, and then later on we can be pickier. The story of Wikipedia actually might be useful.

C: And I mean, I would be happy to be one of the people who looks at things on whether or not it's okay, but it better not be on just my shoulders. I would rather have like a list of 10 people and two people say yes and verily, and then we can distribute the workload.

C: Oh, I think it's even simpler. Just you make a pull request and somebody else says approve, and you wait a couple days and if there's no complaints, go, and that's, yeah. And really, I'm not expecting there to be any issue with what you've done in your current set. It's much more of a forward process. Oh.

A: Yeah, okay, so yeah, I'll push forward on it. Sorry, dude.

A: Yeah, so I'm planning to, I'll probably choose like 100 or so that we've done and kind of seed the set with those, and then go from there, but, well, so there'll be one big pull request at the beginning. I think we need things like, you know, we need this to be on the OSSF.

C: And it'll be clearly identified who, I mean, they'll completely be identified as a Microsoft evaluation. Okay, great, yeah, great.

A: Okay, yeah, and so the number will, it'll probably be small enough that we can fix them all if we decide that, you know, oh yeah, like methodology is actually really important to have, like, machine-readable. You know, I think severity is probably the other thing that's important, I think, but yeah, I get your point on it.

A: Okay, so I don't know that I have the ability to create new repos under OSSF. Ryan or K, I'm sure you guys do. Does this sound like, do we need, since this is kind of part and parcel of this working group anyway, do we need like TAC approval or anything like that, or can we just create a repo and go?

D: Yeah, the other thing I would recommend, though, is to go ahead and send a note to the TAC, letting them know that we're doing this, and it's not so much that, you know, they're going to stop it. It's just for visibility, so we've had other cases where people have started new projects and others haven't known about it, but they might have been excited and wanted to contribute. So, yep.

A: Will do. When's the next TAC meeting? Because I could just show up and chat about it.

A: Awesome, cool: I think we got through just about everything.

H: Hi, hello, hi, hello, hello, hi, hi, hi, yeah, I'm new here, but I would like to catch up things by also. I have some clarification to make this body, I mean, although we are looking into clarifying packages based on security.

A: Biased in terms of that we're making poor decisions on what makes a component secure, insecure, or biased, like we are only going after certain projects that, let's say, like single-developer projects, we're like harsh on them than we are on like big-name projects or something else.

H: Our good deeds by categorizing this, I mean, this is one of the good efforts that needs to be done, but should not be used in a manner that, in future, people regard this as a modest of reference and disqualify.

A: That's a great question. I don't know I have all the answers there. I think transparency helps, so the fact that anybody will be able to deal with people and our, if I am biased in how I'm handling that, I can only do that by being transparent in my blocking of their pull request.

A: If big corporation X has a component and then they submit a security review against their own component that says it's the greatest thing ever and way better than their competitors, like, if I merge that request, that's kind of like me endorsing that. We probably need to articulate what our review, what our criteria is, like. Is it acceptable to review your own component?

A: Is it acceptable to write a negative review on your competitor's component? Are we gonna block that? Are we gonna police it? Is it? Will we just, it's kind of the honor system, and when people raise problems, like if somebody opens up an issue and says, hey, I think this review was done by someone with bad intent and it should be removed. That's fine, and that's transparent. We can act on it.

A: We probably need to have a core team that's kind of on the line to make these decisions, and maybe it's this work group. Yeah. I think transparency probably saves 80% of the problem, but obviously we could, in the future, start doing the wrong thing, and, you know, we still own, we would still win the repo, so we can't, you know. I think articulating, I mean, some of it.

A: I think also comes down to the values and principles of the OpenSSF, where we, as part of the OpenSSF, we still need to adhere to those principles around transparency and openness, and, you know, inclusiveness and all that, so I think it'll be okay, but if we need to, but I probably should be clear on how we make decisions, that way it's not, they're not just completely arbitrary.

H: Yeah, but another manner is to, for example, if you see Common Criteria, there's something called Evaluation Assurance Level, and there is a certain level of assurance that a component can provide, and, for example, ring zero and ring one after ring seven, right. So here, in this manner, in such a manner with the Common Criteria, you are able to bring in open source developers from a security perspective from a low-grade to a high-grade entity.

A: I have, I think, I'm sorry, continue.

H: So do we have such mechanism? For example, rather than beating everybody with just one type of stick, I would like to have something like assurance level or something which paves the way for new contributors who don't have much security exposure, but their idea, or the embarkment, whatever they are embarking on, the endeavor, is worth a maturity path. So that's what I would like to emphasize on: what kind of variations are you going to provide with this kind of effort, with your grading based on security level?

A: Yeah, so my fear in going down a formal, so I think we could make this too informal, where it's just a Slack channel where people post on, like, hey, I looked at this thing and this thing looks fine, and people can search, and this is like the super formal end of it, where we become a certification body and there are guarantees that we make and we have a super specific.

D: Prague, are there, so you mentioned something about Common Criteria. Is there some work being done somewhere else that we can leverage, or?

H: Actually, this is, you can qualify. This is about qualifying systems, but not packages, as you have mentioned here, but it does have a way to qualify less sql system because they are applicable scenario permits it to put it in a simple manner. We do not want to treat, I mean, to treat every package and its use case in a very narrow standard, but where it is going to be used places, the way it plays a very important role in how much security level that package should support.

D: Yeah, so I wonder if we, I think I understand this, so let me go back a few things that I've heard recently. So we also heard a similar concern recently from GitHub. Michael, Ryan, and I were in a, not yet, yeah, GitHub, we're in a separate meeting where they were a bit concerned about making security information too visible in the framework of GitHub, because they didn't want to discourage individual developers from, you know, just being creative, creating projects and getting started.

D: That doesn't mean that security information shouldn't be available about projects. It's just a, you know. How do you balance?

D: You know, the work of someone who's just getting started versus bigger corporations, anyway, so that was something I heard that sounded like a similar concern to what you're suggesting, Prague. Another thought I have, and then I'll stop and see if this sounds like it's the direction...

D: You're heading. There's another group that I'm part of that is thinking about supply chain metadata, and that includes information about software and vulnerabilities that are related to software and mitigations related to software, and in that group we're thinking about sharing information like vulnerabilities and mitigation, but just attaching to content that others have created.

D: So I'm being, I'm not being quite concrete enough, but I'll try to be more concrete now. So the way that I think about this with this security metrics dashboard is that, you know, we could include reviews that are more general and we could include reviews that are more specific, maybe that meet some sort of criteria, and we could include all of those in the dashboard and just make it clear which ones are which, rather than requiring our security reviews to all have the same set of criteria.

G: I think that makes sense, and I think it all goes back to the transparency. I think you made a great point, Michael, that I think transparency really solves a lot of these kinds of issues, and, you know, just the fact that anyone can, you know, who has something, you know, they're passionate about or they want to talk about, they can join one of the meetings and, you know, bring that up.

A: Yeah, thank you for that. I think the other place where we might be able to push on this is with funding, so the same way that there were bug bounties, and hopefully at some point patch bounties, there could be review bounties, where we say, you know, because there are so many components out there and a lot of reviews could take...

A: You know, two hours, you know, and to attach a, you know, a monetary reward to doing that might be a good way to kind of efficiently.

G: Not to shamelessly plug or promote, but also that is kind of what ocef specializes in as well.

G: I'm gonna be giving the Securing Critical Projects work group an update on the work that we did, kind of referring back to the Linux kernel, that specific review, and, you know, really the sky's the limit with that in terms of all the different reviews that can be done, in terms of getting the right resources, because with security reviews, like you said, Michael, lots of times they don't happen because, you know, who's going to do it?

G: Who's going to take responsibility for it, who's going to push it forward, and that's kind of why we kind of step in and act as a catalyst to get these security reviews done and kind of push them forward. And, you know, basically get them done, get all the right pieces in place and move the project forward to completion.

G: So just a thought as well, and hopefully, I think it will be, if not the next meeting, but the meeting after that, that we'll do a little bit more of a deep dive into the results of that review. Awesome.

A: I will be there. Cool, yeah, so Prague, thank you for bringing that up. The way that I've internalized this is that perhaps there is a lowest level of, like, there's no formalism defined, and this will be the pot that anybody can contribute to, and it's really like the reasonableness bar is, you know, it's at the right point, but it isn't super high, and then after that, then we can say...

A: Okay, if you want to be a, I don't want to reuse EAL, but like if you want to be a level, in order for this to be a level one review you have to use one of these static analysis tools that we think are reasonable, and maybe at a level two you have to do that and fuzzing, and you have to do code, whatever it is, like, and that way it's, you know, the advantage for the consumer is that I know that if I'm building a spaceship, I need everything to be...

A: You know, level three or above, and if I just have my personal website, I don't care about anything, so it doesn't matter, that kind of thing, but I'm also cognizant that, as we make this more formal, the amount of community input we'll get will probably go down drastically, so we'll probably have to pay for anything over the default level. Maybe, I don't know, could be wrong.

A: Cool, we got about five minutes left. Anything else that anyone would like to talk about?

A: Excellent, well then, I hope everybody enjoys the rest of the week and we'll, I think our next meeting is in, I think, the first week in February, so we'll chat then, and cable, we'll follow up on the.

D: For engineering resources, yes, yes, yeah, and I also wanted to just say, Prague, thank you and welcome, and, you know, we're glad to have new people here, so, and I appreciate your bringing up that topic, and please keep joining us and feel free to bring it up again until we get it right. I think we're still, you know, early in thinking about how to do this, so, and open to ideas. So yeah.

A: Okay, thanks a lot, and then the last follow-up. I will send, I'll probably post something in Slack about the security reviews when that repo is created. I will try to have some reviews posted in the next, like, well, sometime before our next meeting, and then we can kind of iterate on that a bit and then go from there.