A: All right, great. So maybe we will start off with the requirements document that Kay was leading. We'll work through a few of those items, and then we will go on to a few of the other things that were on the GitHub.
B: Okay, that sounds like a transition to me. Probably yes, please. Sounds great. All right, good. Let's see, let me... I can drop in a link to the requirements document and I can also share my screen.

B: Well, I ran into this before and I never was able to get it fixed. I think I had to reboot.
A: All right, can you all see all of my many tabs? Yeah? Excellent, all right. So, okay, you can take it from here and I will try to remember not to click on anything.
B: All right, great. So what I have done: I shared this in the last meeting, and at that point I didn't have any content in it. I just had a framework where we were taking a look at all three projects: the best practices badge, security metrics and security scorecards. For each one we wanted to have a look at goals, then scenarios or use cases, and then requirements. The idea for all of this is to see, at the end of it, if there are common goals and scenarios across all of these, and let this kind of help guide us to where we may use a common infrastructure, or maybe some of these things will merge sooner or later, so that we have one thing instead of three. But you know, we'll start off by understanding the goals for each one.

B: Does that make sense? Any comments on that?

B: When I look at the presenters, do we have Kim Lewandowski or Dan Lawrence with us today?

B: All right, great. I just wanted to make sure we had you here when we talked about security scorecards. So let's start with the CII best practices badge. David put some information here and then Jonathan had some comments as well. So David, do you want to talk us through this, and then sure, people can ask if they have questions.
C: Oh good, one of the catchphrases for 2020, I'm sure. Okay, so if you scroll down to the Goals - CII Best Practices section: I didn't try to make this long. I tried to make it short and hopefully straightforward. I'm going to claim that the goals here for the CII best practices badge are, you know, encouraging projects to follow best practices, helping them discover what they are, and helping users know which projects are following best practices, so that users can prefer those projects which are doing best practices.

C: Somebody asked, hey, why is this "help" for number three? Don't we want users to know what those best practices are? I actually am not so sure about that, because the question is: what is a user? If a user is another developer, I would want them to know what best practices are, but that's already covered by two. If the users are end users, the reality is that end users, frankly, don't care what best practices are. I don't care why the car works. I bought a car; I want to drive it in the morning.

C: They really don't, they just don't care. So I'm intentionally using "help users know which projects are following best practices" quite intentionally, because I think what they only care about is: is this reasonably likely to not fight me in the morning? You know: is this going to work? Is this likely to work? Is it likely to not have serious security problems? And that's what I'm trying to aim for, at least for 3. So, scenarios / use cases next.
C: Number two, Bob, is on the other side, the ingest side. You know, Bob's writing software. He wants to bring in one of maybe several different projects that seem to do kind of what he wants, but it's not clear which one he wants.

C: So he wants to prefer one that's following good practices, so he's looking for metrics to help him figure that out. So the best practices badge gives him a quick way: oh look, you know, they're following best practices, and I know that immediately. That tells me they're doing version control, they're doing testing, they're doing a whole lot of things. Let's see, Charles, and I guess this is not... this is kind of something a little different.

C: Let's see here, okay, next. So at least from the CII badge's original notion and point of view and what it's trying to accomplish, you know: simple way to input data, automated where possible. This is actually probably a big difference between what some folks here are interested in, both here and actually also in CHAOSS.

C: Talking about metrics, we actually went backwards and started first with what's the information we need, and then, if we can automate that measurement, great, but we care more about whether it was important, not whether or not it was easy to automate. So, for example, we heard loud and clear when we were doing a survey a few years back that one of the big problems people are having was: what is the project supposed to do? Give me one sentence somewhere.

C: We've not found a really good way to automate that, but it still seems awfully important. So: getting data, automating where we can, simple display of the progress of a badge, and a simple way to extract data about a project. And I will note that basically the way we do number three is as a very, very simple REST API, and also for the badge itself we have just a simple URL where people can just quickly get the badge, and it's on Fastly.

C: So there's no problem with lots and lots of people viewing that. So I didn't try to make it long. In fact, I tried to make this short, but with enough information to talk about questions.
B: Yeah, I think you did a good job, yeah, just the right amount of content there. A couple of quick questions. So there's a scenario that, for Microsoft, we're interested in, which is that we want to be able to gate which open source software we use based on security information.

B: You know, security metrics or the security posture of a project, and I think that the best practices badge, you know, that could be something that we could use. On number three, the, you know, simple way to extract data: are there customers that are using that API today? And yes...
C: Yeah, there's... well, I mean, CNCF is probably the best known. The CNCF actually has the passing badging criteria as a graduation requirement, so they have multiple levels. When you first come in, it's called incubator. It's what it sounds like. I mean, it might be more a dream in somebody than working code.

C: You know, presumably there's something, but you know, it's the notion of incubators. It's, you know, okay, you're getting started, you're getting people working together. Excuse me. Oh great, bless you! Oh, thank you. Allergies have not gone away from COVID. So, but basically, to graduate from... I think that's what they call it, graduate studies, and my apologies, I talk with them many times.

C: It's just slipping my mind right now what their title is, but the next stage up: in order to get that next step up, they have to achieve at least a passing badge, and that means things like they've got automated tests and version control, all these other things that are requirements. They have to fix any vulnerabilities that are publicly known within a certain amount of time, yeah.

C: So absolutely people do do that. They have a dashboard; there's actually a number of Linux Foundation projects, and this actually reminds me, okay, I was probably going to talk to you and/or the tools folks, because the LF has this tool called the landscape for identifying many projects when it's starting to get difficult to figure out, you know, who fits where. I don't know that this group really has a need for that, but I think the tools folks very much might. The CNCF certainly does.

C: The CNCF intentionally has many different projects that fit in different bins, as it were, and so this lets you see right away where they fit in. And let's see here, if you go back to card mode, it's probably easier to zoom in a little bit. I don't know, I'll pick on containerd or something like that.

C: Yeah, so if you look to the left a little bit further down, let's see, under containerd, the third button down. No. Yeah, there you go, best practices, and you click over there and, oh look. Okay, but you'll notice, you see the little image, the best practices badge. If you go backwards one, so go back one step. No, you're just there! You go, if you'll see this image right here. This is a dashboard.

C: That's extracting data from, among other things, the CII best practices badge. It's actually extracting it from multiple places and bringing it in, so they've got a dashboard that pulls data from other places, including the CII best practices, and you know, I work with them and that sort of thing. And so absolutely, other people do create dashboards and yank the data in.
B: Okay, all right. And so for security metrics, I know Ryan is out, he's on vacation. It looks like he or someone might have put some information in here. Jennifer, do you?
A: Yeah, definitely. So, as many of you know from earlier in this group, we've been looking a lot at security metrics and creating both a dashboard and an API to display, you know, relevant security metrics about a given open source tool. So really what we're trying to do is collect where possible, or otherwise compute, some of the metrics that we think are most important, and to display them in a way that really empowers the user of our dashboard to understand different things that are affecting an open source project's security posture.

A: So some of the scenarios that have been defined include: if you're simply an open source developer yourself, and you want to understand how secure your project is, and to understand also some of the dependency risk and the security posture of those dependencies, this dashboard project can help you. Alternately,

A: if you are an organization that wants to understand the security risk related to open source components that you may use within your organization, you can make informed decisions by abstracting out security data about projects by looking at the dashboard. So either through some of the well-designed visuals that Ryan's been working on, you can initially get kind of an intuitive feel from the color coding and other things that we're using around how secure, in general, a project is, but also you can dig deeper into different things that contribute to security risk, to understand

A: what's driving that, because maybe you weigh those factors differently in your organization than another organization might. So, being able to drill in deeper and really inquire into that data: what is affecting the security posture and why? Another scenario that we would consider is, if you are a security researcher, and you want to better understand the security posture of critical components and to share those learnings with people in the community.

A: So I think that this is a very diplomatic way of saying: figuring out what is a good research target, ultimately. So, if you're able to take a glance as a researcher at a variety of different open source projects and get an idea as to how well maintained they are from a security perspective, whether they do things like try to implement cryptography, or whether they're using low-level languages, or alternately, if they're using memory safe languages, we get indications in a different direction.

A: So this helps the security community, who may want to look for vulnerabilities and help us improve these projects, intuitively start to understand a few of the basics that can guide whether it's an interesting target of inquiry for them. And we talk about this with respect to security posture, but you could also talk about this with respect to impact.

A: So if we get to visualize transitive dependencies, which has been one of the hot topics within this group and is probably not the MVP of this project but a little further down, if we're able to help people inquire into and understand transitive dependency risk as a security researcher, that's very appealing because it lets you understand the impact of a vulnerability,

A: were you to find one in a given project. And then, relatedly, within this Open Source Security Foundation there's the group called Securing Critical Projects, and they want to identify high-risk projects. So that's all we have here. I can definitely talk more about what we're doing. What I don't have, and we'll have to wait on Ryan when he's back, is a demonstration of the user interface as he's designed it, because I think it's really great.
C: So if I can jump in for a moment, I had a conversation and I think it was with Ryan, my apologies if it's not, I've had so many conversations with so many people last month, it's getting to be a little bit of a blur, but there was basically a discussion of how to integrate between the two. And basically, you know, the CII best practices badge, of course, you know, it's got a simple REST API.

C: We made some little tweaks to make it even easier to integrate data from the CII best practices badge into this, and, conversely, I can make changes in the CII best practices badge so that it points off to this and it can get data from it. And so, basically, without even trying to merge any code bases or anything, make it so that each can get data from the other and each could point off to the other as appropriate.
A: Yeah, and that makes a ton of sense to do something like that, especially since these groups are working together, but even if they were more separated, it would make sense to try and do that where we can. I guess, in the spirit of that, the way that we can think of the relation between the two projects is that this security metrics piece is probably a superset of the projects that are impacted.

A: So you can use this dashboard to see things that include projects that have already gone through the best practices, and they'll probably score a heck of a lot better. On the flip side, you can also take a look at projects that have definitely done the exact opposite of the best practices, and you will see a very different looking dashboard.

A: It's just a lack of awareness in how to improve. So really we're hoping that this will help make very clear, specific ways of improving and encourage that behavior by resulting in a higher score and better metrics on the dashboard, but also with the connection of it to the best practices badge. I imagine that it will drive a lot of maintainers who haven't been through the best practices program to go into that and try and achieve that badge, given the impact that it would have on their overall score.
B: So for someone who wants to be a customer of the data, how do we... and so there are some options. We could say, you know, pull in... so it sounds like we'll have two separate APIs for both. So would we...

B: Let's say that as a customer, I wanted to get started doing something sooner. I guess what I could do is start using the best practices API today because it exists, and then in the future, would we, you know... what's our message to those customers? So in the future, begin using the security metrics API, because that will have the best practices information in it.
A: I don't know if this is a great way to answer the question, but I think it's the way I would look at it, at least with the current state of development of things. I would say if a best practices badge exists, that's great, because then you know as the customer that you have at least some certain assurance level of security, in the absence of any best practice badge existing on a given project.
C: I would answer it slightly differently. I think it's the right kind of question to ask, but I would like to make it so that in some sense it doesn't matter. You know, you basically start at one or the other, and you quickly get the information that you need, and from there, wherever you start, you quickly get the information you need.

C: If I'm a developer, I would probably want them to start moving on best practices: fix any problems that you already know you have that are serious and start working on best practices. That's probably even parallel; I'm not sure one or the other. The one or the other is not exclusive.

C: Right, I have to admit I would be worried about gating purely on various numbers. I mean, I would gate more in terms of, you know, a human makes a decision, and what information can we provide a human to help them make good decisions. But with that caveat, I would want them to see both, you know: are they following good practices, and what are the metrics telling me.
A: Kind of related to that, David, just a question that I have. So I'm imagining the things we're not capturing, right, because there's certain things that happen in the background, say how a project handles a disclosure, for example, that isn't something that we can write down and measure. But there are indicators that over time can give us indications.

A: So if we talk about... let's imagine that we have a project that argues with every vulnerability report that they receive, that it's not actually a security bug and they're not going to fix it. Over time, you would imagine that, like, at some point a researcher is going to drop a zero day or somehow it's going to be escalated, and you may see a CVE associated with the project. Does the CII best practices badge currently account for...

A: it need not be real time, but, like, account for, over time, the emergence of new vulnerabilities, or is it a static snapshot at the time of evaluation?
C: Well, let's see here. I guess we very much tried to rig the questions so...

C: We actually didn't very much anticipate that thing. So the idea was that we're focusing on practices that are over a period of time. Now, it's absolutely true that things change over time, and so, you know, if you were doing something and now you're not, well, per the best practices badge rules, you actually no longer have that. Now, we currently don't go back and do automated rechecks.

C: That is something that we actually made steps towards, and we keep threatening people that we will do that, but I guess it's actually a strategic question: you know, with limited resources, what do you focus on first? And for better or for worse,

C: besides just making sure the thing keeps running, up to this point we've really focused more on getting projects from not passing to passing. And, you know, the code is there and the intent is there to eventually start, you know, doing periodic checks, but there are so many projects which are in just horrifically bad states that we figure, right now, the risk is the projects which aren't even trying.

C: Yeah, I think a number of people know how to spell it, but, you know, this whole, you know, "oh, there are tools", "oh, I should do automated testing"... yeah, actually, to be fair, I think we're actually beyond that phase. I think at this point many people are aware that there are security tools and they're aware that they should do automated testing, just to pick two examples.
A: I think it's hard. Like, to be fair to developers, I mean, even coming from the security perspective, it's hard to pick the right tools and it's hard to know how they trade off, and sometimes the instrumentation is really complicated. So I mean, I have compassion for those developers. We from the security side have not made it easy.
C: I agree. Actually, let me... I just opened the kimono a little bit. I've been working with the CII Census folks, who asked a number of open source developers, you know, basically a survey: hey, what do you need? And one of the... not the top, but one of the higher answers of "hey, what do you want?" is basically templates to help them quickly pick appropriate tools.

C: Because they don't want it... basically, if you give them "here's a document, and all you have to do is edit the YAML file", that's too much. "Push this button and your security problems are solved." I mean, I'm making a little bit of fun of that, I guess, but they really do want "push this button". They don't want anything complicated. "Don't make me read another document, please, I have those."

C: And in fact, I don't know if you've seen my edX course, yeah, it'll handle all Syria. I'm making a little fun of it, but I actually do think that they've got an excellent point. Basically, you push this button, here is a proposed YAML file or whatever that will automatically bring in the correct, reasonable tools. Not "the correct" tools, reasonable tools, and you can edit, you can change or whatever, but something so they can get started now.
B: Maybe we should get through the security scorecards and then maybe stop on this document for today, and then next week we can come back and, you know, talk about overlaps and where we want to go. So, Kim, do you want to...
E: It doesn't matter, you can click the linked doc, it's fine. Okay, similar, so... This is similar to some of the above use cases for earth, but we want something that's completely automatable and only uses objective data. And so we want to make it easy, so developers can sort of see every piece of criteria that applies to, you know, a project or the maintainers for the projects, and be able to check all the boxes,

E: if you will. So everything that we have should be actionable, and then, yeah, so we want to give maintainers a way to correct any findings too, if we got anything wrong when we essentially scored their projects. And then, yeah, like we said, similar to the last one, we want to use this data for the Securing Critical Projects working group when we're looking through,

E: you know, the top critical projects that people depend on, and sort of where they line up and where they can actually make improvements. And then, let's see, so instead of, you know, the UI piece, we went from the other direction and have started looking at actually pulling some of this data in and seeing how far we could get. Excuse me.

E: We ran into a couple issues already with, you know, just some of the data isn't available through, like, GitHub. We started with GitHub. So, for example, there's no way really to query to see if all maintainers or all developers on a project have two-factor auth enabled. So hopefully maybe we can, you know, work with them to see if we can get some more of this data exposed, so we can pull that into these tools. And yeah.
D: Awesome, yeah. So, as Kim talked about, the focus here is really things that we can actually check in an automated fashion, even if they're kind of wild guesses or heuristics, or anything like that. As long as the heuristics are well defined and somewhat consistent and in one place, and we can all agree on them, then I think that's way better than nothing.

D: So it's a little Go binary here. We just called it scorecard. Got about 10 or 12 little checks in here now that we can go through. These are things like: does a project use code review? And that's an example of one that needs some heuristics, because there's no simple "if a project is using code review". So right now we look through a whole bunch of recent pull requests and look for signs of a code review. There are about three or four different code review systems

D: I found in common use on GitHub, so I added support for detecting those. Does a project have more than one contributor? Are they from multiple organizations? GitHub surfaces some of that in the API, so we just kind of crawl through a project's commits looking for who's contributing. A couple of the other ones here: are projects using cryptographically signed releases? That's something from the CII best practices as well. There are a whole bunch of different cryptographic signing techniques for releases,

D: so we look through a couple of those. Do they have a SECURITY.md file declaring their vulnerability reporting policies? Are they running tests in CI, stuff like that? All things that we try to sniff out from a project. Let me pull up the terminal and just run this on something. We'll make this bigger.

D: I mean, there's a Go binary. We can just kind of either build it and ship it, or you just `go run` here to iterate on it quickly. If you're running on the Kubernetes project, it starts all these up. It's got a couple little tricks in here to avoid hitting GitHub API rate limits, and caching requests, and that kind of thing, but it is running these in parallel.

D: Awesome, yeah. So each check here so far gets to return, you know, pass/fail and then a confidence level. So some of these we can't really tell confidently, so that's a zero, so kind of toss that out and improve the heuristic. So this is basically what the results look like for a repo. You can point this at anything on GitHub. Now, I'm well aware it's missing a whole bunch of, you know, ways that tests are run and declared and stuff like that. But it's pretty easy to add things.
A: All right, anything further you guys wanted to share, Dan, Kim?
E: I think that is it for now. So yeah, this has been fun. I actually started learning Go playing around with this project, so I think we'll keep iterating on it. Like I said, it would be great if we could get... maybe... I don't think anyone from GitHub is here currently. Is anyone? No. But it'd be great to have a conversation with them to see if they have any plans to expose some of the data that I talked about, like seeing

E: if, you know, developers have two-factor auth enabled, or, I think the other one is protected branches. I don't think there's an easy way to see if projects have that enabled or not. So maybe in a future meeting or something, if they come, we can chat about that together.
B: No, I think, you know, this has been good. This is just, you know, information gathering, and then in our next meeting I'd like to spend some time just thinking about how we... because I think there's similar needs and there's some overlap, and it'd be great to think about how we can pull some of this together, or which things we want to, or maybe there's different things that are for different uses. So anyway, we can talk about that next week.
A: Yeah, there's a lot of overlap from what I've heard today, so I think that doing the work once and being able to call upon it many times is perfect. So I'm glad you pulled this together. Thank you, Kay. Okay, thanks everyone. All right, so going back to the agenda for today, I know that we also had on here the threats, risks and mitigations document. I think it was Luigi. Was it you that had been working on this?
G: I have written a markdown version of our document, and there is a pull request on the repo, and now I found the link to... one second. Yes, here.

G: I have created a pull request. I don't know if it is okay, I hope it is. If it is okay, we can merge, and I have a question about our document.

G: I don't know GitHub so well, but could we create documents that are accessible to all people and inclusive? So, sorry, I would like to have documents that are accessible and inclusive, and so I don't know if we have some kind of rules or similar to write in the right way, and...
A: Okay, so you're interested in reaching a wider audience with this document. I guess my question to you would be: what does that look like to you? So right now there exists, I think, a PDF version of this on the OpenSSF website, and then there's now this markdown version in GitHub.
G: I don't know if markdown, PDF or the docs online can be read by a voice assistant, for example, and similar. So I don't know if we should think how to make these documents more accessible. I don't know if we should work on
D: this kind of topic. So I opened the bug, I think, that might have led to this. I opened an issue with a suggestion to convert the PDF to markdown, and at least the reason I opened it was because it would be easier to iterate on. And somebody had left a comment saying that they had done this in another project, where the doc itself lived in markdown and then was kind of compiled into a PDF and docx every once in a while, for like a release or a publication of it.
G: Well, I think this can be important for people, and I don't know, I have talked about this when I was writing the markdown version of our document, so it is only a topic that we can discuss if we want.
C: Screen reader software of some sort? Well, there usually aren't separate screen reader formats. Usually you generate either PDF or HTML and read it from there. If it's in PDF, if the PDF was a PDF/A, it should be fine already for accessibility; that doesn't make it easily editable.

C: But, you know, if you can generate HTML, usually screen readers don't have any trouble with HTML. The big problem is the images: you need alt text for each image, and that probably isn't there.
A: Okay, so maybe in terms of actionable next steps, we could create an issue for if someone wants to create the alt text, and then maybe what we can do is, like, periodically render... especially if we've made a bunch of recent updates, we can render a new PDF that includes the alt text, and then people will at least periodically have an up-to-date version that would be consumable by a screen reader.
C: Either PDF or HTML, okay. In fact, we probably should set up a little action. I'm a little afraid to say this because I'm not actually volunteering, so, you know, it automatically gets generated. Or indeed, if you put it on GitHub as a big markdown file, it can automatically render it as HTML. You don't have to do anything special; if you're just making a big markdown file, you're done.

C: I mean, you only get HTML rendering, but I think... I don't remember anything special about that document other than maybe a table of contents. I don't remember it having any special formatting. Can anybody enlighten me?
A: There's certainly some diagrams that would be very hard to articulate as alt text.
C: Yeah, I suspect this is something we can work on incrementally if we want to continue to maintain this document. Yeah, I have to... I guess the assumption here seems to be that we're going to be continuing to maintain this document. I wasn't sure: is that the intent? It seemed like it.
D: I mean, there's already a version 1 and a version 1.1, so that hints that there might be more. And I think... I can't remember what they were now, but I think I saw a couple small typos while I was reading the PDF, which led me to open the issue, so I could kind of fix them as I went, and now, of course, I forget where they were. Yeah, do I think... do.
A: All right, so I don't think Michael's available and I haven't taken a look at what he's done, but he notes here that the project has been dockerized. You can clone the repo, update a few config files and run it. So they're still working on the UX and the first set of metrics. So I think there's probably a few loose ends on this, but since we don't have Michael or Ryan it'll be hard to discuss.

A: From my side, I was going to be doing the documentation of, like, how we computed each of these metrics, why they matter, and how do we contextualize them, so that as a user, either if you don't understand why a metric matters, or if you contest why a metric matters, we can give just some background into how we computed it.

A: So that is something that is open, and I think it's dependent upon defining exactly what this first set of metrics is for the version that will be released. So I think that'll be something we'll have to revisit when we have the broader group, because I'm still waiting on that list as well. But it's great to see the progress that has been made.

A: All right, so I think that we can probably wrap things up here. When we think about next steps for the next time we meet, Kay, how should we, between now and that meeting, think about this requirements document, and what could we have prepared to make that conversation productive next time?

A: Like, should we collect any further data about these? Should we start to map out the overlap, or is this just something that we will deal with when we next gather?
B: Yeah, I was starting to talk and of course I was muted. So, okay, yeah, so I think we could, if people, you know, have time and want to jump into the doc and try to, you know, identify, map out... So I think the first thing to do is to identify where there are overlapping goals, scenarios and requirements, and then we can talk about where there are differences.

B: That would be my next approach for that. So, if, you know, people want to jump in and help with that, that's great. Otherwise, that's an action that I can take, to have something prepared just as a starting point for discussion, and then I think it will be valuable to get input from the entire group. It shouldn't be an effort that this one person is doing.
A: That sounds really good. For the white paper, I know we have some open questions. Do we have any action items as well?

A: All right, that sounds good to me, and we'll revisit those open questions next time as well. And for the metrics update, next steps for us would be trying out the project as written.

A: And I'll capture those things here in the notes. All right, so I think that covers everything we're going to discuss today. Any final comments from the group, or things that we want to add to the agenda for next time? Just one...
B: Quick question. So Jonathan had asked if we can share this doc more broadly. Jonathan, are you still on the line?

B: In the notes, I think, the requirements document is highlighted, and then the question is: can we share this more broadly? So I think that... quite... oh.
A: Okay, all right, I think that's everything. Thank you, everyone, for joining. Have a great day, and we will talk in a couple of weeks.