A: I just want to show everybody that Dustin and I did not coordinate our outfits today, despite the colors being basically the same. Just to come into it. Yours.

B: [Laughs] Cool, yeah. Just remember to add your name, please, to the notes doc. I'll drop a link from here too, for the notes, for anyone that just joined.

B: Yeah, and please add anything to the agenda if you have anything; otherwise, this should probably be a shorter meeting. Let me get started in like a minute.

B: Okay, cool, let's get started. So, real quick meta thing: we've gone ahead and put a future agenda through the rest of the year at the top of the notes doc. We will cancel the meeting at the end of the year, during the holidays.

B: There is at least one meeting, on November 16th, and also actually the next meeting, where we could use a backup chair or a regular chair. If someone is available and would like to chair, we'd really appreciate it. Just stick your name in the doc. Otherwise these meetings may or may not be canceled based on my and Jacques' availability. So, Zach, thank you. I see you doing that already. Cool, yeah, thanks for that. Chairing the meeting is very easy.

B: We just get agenda items into the notes doc, run through them in order, and just sort of address questions and that kind of thing as we go, and make sure everyone gets a chance to talk. Yeah, no. Jacques, anything else you want to add to that?

B: Okay, and yeah, real quick, I want to welcome anyone that hasn't been before. If you want to say hi and tell us who you are and where you work, that would be awesome. Is there anyone that's new?

B: Okay, welcome. Welcome old friends as well. And yeah, let's see, Joseph, are you here? Do you want to talk a little bit about this agenda item we have stuck on here? Yeah, I see.
E: Hello, everyone. Actually, I asked Matt if he would like to take our material. I can do some brief introduction about the topic.

E: To me, yeah, so I...

D: Sorry, sorry, I had some... yeah, I can. So hi everyone. For people that don't know me: I'm Matthew Mansfield. I work at Mann, on the security team, as a, oh, let's call it an open source commitment, and we tend to detect, maybe not a lot compared to npm, but a fair number of research packages. One thing that we wanted to discuss is how to deal with that, because up until now our policy in RubyGems was to allow them as long as they would not be malicious or wouldn't collect sensitive information, and we could have a long discussion on what sensitive is for certain people.

D: But let's say nothing that could be exploited beyond security research, right? That's how we see that. And just to be clear, that's RubyGems' policy. I disagree with that, but you said to open the discussion here. npm removes packages like that when we report them; we reported, I'd say, more or less 400 packages like that in two weeks, so yeah, 200 weekly, right? So I just wanted to ask on behalf of RubyGems.

D: What do you guys do with that in other registries, right? Should we reshape our policy, which as of now is really generous: if it's not harming anyone, if it's described at least decently, we allow it to stay. Or should we remove it? Right, on one side, good security research is needed. On the other hand, then we get some complaints like, why is it in the registry?

D: Why didn't you stop Alex Birsan's dependency confusion when you knew about that, but allowed the packages to stay? Right, so we actually don't know what to do with it. So we're asking other people from other registries: how do you deal with this type of non-malicious but still kind of exploitable content?

D: Okay, oh, many opinions. So let me rephrase the question: would you expect us to remove packages like this, right? If you would encounter a package like this in any registry that is sending something from your systems, whether or not it is any sensitive information, no keys, let's say an IP, a hostname (again, we can argue whether a hostname is something sensitive; I believe it is, RubyGems as a collective does not).

D: Would you expect a registry like ours, or any other, to take care of content like this, even if it is well described and, like, because there's someone behind that we know?
B: So I can answer this on behalf of a registry, I guess. So for PyPI, like, our policy is the same as npm: anything that is essentially not legitimately useful software is grounds for removal and is considered an invalid project. So, like, Alex Birsan's packages, that was a specific sort of turning point where we were like, yeah.

B: PyPI is not a security research tool, and so we removed all those. And we do remove essentially anything that checks the box of malware, including obfuscation or exfiltration, because essentially our policy is that there's no legitimate need for obfuscation and there's no way for us to determine the legitimate use of exfiltration. Essentially, it all just looks like someone trying to compromise some users. So even if the package says, "I'm only a security project, do not install me, I am malicious."

E: And another thing: is there any policy described somewhere in public, listing those rules, what's actually malicious and what is allowed and what's not in your repository? Yeah.

D: I agree. If you could invite at least me and yourself, whoever is also interested, to see the draft, I may maybe reuse it or put our comments. That would be really good, because I have a plan to open a request for changing RubyGems to provide exactly a policy like that and then basically do a bigger cleanup.

B: Okay, Sebastian has a hand.

B: No microphone today. Jacques, do you want to go?
A: Yes, so wearing my end user hat, working at Shopify and worrying about their people, I see any exfiltration of data as hostile, no matter what the stated intention of the researcher is. Anyone can say that they're a researcher; anyone can say that they're doing it for good purposes, and that seems to be currently the excuse for obviously hostile people, where they're like, oops, you caught me, but it was legit, I promise, right? It's just like somebody being caught robbing a bank.

A: That is a good question. We did that as a secondary, like initially as the first line of defense against dependency confusion, right, back when it was the hot fresh thing. Mostly it has... they haven't been removed, out of an abundance of caution. If the policy was that they should be removed, then we'd go with that, and there's a case to be made that they should be, because they don't, like, serve any purpose. But that's like a step further than "you exhibit any behavior that could potentially be malicious," because they don't do.

D: Because there are many companies, and that's actually justifiable, right, that version their packages with v-something, right? Google likes to do that; they release different packages for different versions, maybe probably also because they're different in what they do, are different APIs, so, like, the maintenance may be distributed across bigger teams. But they also do placeholders, right? They have, let's say, v1 and v2; should v3 be removed until it is being used?

D: And how should we deal with this non-security part where, let's say, I like to do data mining, so I just pick a lot of names that I know are going to be taken, not for typosquatting, but just because then I can claim, hey, you know, I created a v3 version for this API. I'm not Google, I'm not at Shopify or whoever, but this is a legit API and this is a legit package.

D: Should this then be removed, right? So my worry is that it opens up a Pandora's box, so I wouldn't remove empty placeholder packages, just the non-usable ones, because for you guys it's clearly visible what the purpose of them is, right?

A: I don't know, I would want to start with the current scope of the discussion, which is when a security researcher uploads something and it does something that vaguely resembles malware, like dials home in some way to prove that they did it. I don't care, I don't give a [...] if they can publish a paper or not, or whether they get a cool blog post or a conference talk. That's not my problem. My problem is that they're actually stealing data from my systems. I hadn't thought about the placeholders.

A: Also, I would suggest that there would be, like, another conversation: as we move along the hierarchy of what we consider to be abuse of the repository, then we can sort of, I think, discuss that in stages.
B: So we also would remove, like, those kinds of name squatting attempts, but we do also provide a way for an organization like Shopify to come and say, hey, here's stuff that we think we might want to publish in the future, and let them reserve the name without, like, publishing something that's non-functional. Sebastian seems to have a working mic.

D: That's true, I guess. If we would enforce a policy where telemetry needs to be explicitly allowed by the end users to allow it to run, then I guess it would... it should make everyone equally unhappy.

G: Yeah, let's... I want to let you all finish up the telemetry conversation, if there's more of this up there, because I'm just gonna move on to something else.

G: Oh, okay, cool. I just wanted to chime in on this question from the researcher perspective, and I can tell you this may vary by institution, but traditional academic institutions, at least in the United States...

G: If you went to an IRB and you proposed doing something that just, like, beamed data from people's computers up to a server that you controlled, you would not get that study approved. And so I think that I am in favor of the repositories being really harsh, especially about non-opted-in telemetry and exfiltration of data, and I think that no reasonable researcher would object to that. I think, you know, you should allow your users and study participants to have, you know, some notion of informed consent.

G: That's like a real requirement of even, like, really low-key anonymous survey data. And so, yeah, I'm in favor of... like, I am against anything where unwitting users are part of your survey. Now, there's some nuance here, right, because data that, for instance, PyPI might be able to pick up on, you know, might be collecting already, like, you know, download counts or whatever, can be and has been used in academic research, and so I think there's some nuance there, but I think that's different.

F: What you said there, Zach, also reminded me of a case where a user of a package that I helped maintain said that it was sending data off to Google and their corporate policy prevented that. And that was a bit strange. But it turned out that there were so many dependencies of our project that it was very hard to find out which of the libraries was sending that information, and so having an opt-in would make it much better.

G: Yeah, absolutely. And putting on a different hat, the hat of a software developer, I would be extremely surprised to find that library dependencies were performing telemetry, and surprised in a bad way, and I think that I am a fan of opt-in in every case. When, in a past life, I was shipping command line tools, that's how we did it, and our metrics were worse, and you live with that because you have to respect people's privacy.

F: Out of fairness, I ought to add that it turned out that this library probably was not sending data to Google, but the mere fact that it had code in it that was capable of it made our users a little scared for a while, and that kind of thing needs to be smoothed over, if not for security, then for community acceptance.

H: Yeah, I have the story of what happened when we turned telemetry on at Homebrew, because it turned into, like, a real incident, like, massive, and we ended up having to do a bunch of stuff to it. And the Google thing actually came up because we were using Google Analytics, so I remember there was a post on Reddit about how we were sharing information with Google. But yeah, it's very tricky.

A: Yeah, but open source is a very broad church, yeah, with a generous wing devoted to conspiracy theorists.
B: So I want to try and bring us back. We started out talking about essentially policies on malicious packages, and so the telemetry talk is definitely very interesting, but I think one takeaway I'm getting is it'd be great to sort of understand what everyone's policies on malicious packages are.

B: But, more importantly, maybe it makes sense for us all to have sort of a shared policy, or have some way for us all to agree, like, what is and isn't valid on a software repository. I don't think there's any way we can force this across...

B: ...all of us, but I think maybe collaborating on a single document that describes this under the umbrella of OpenSSF would be helpful, because it would sort of enumerate, like, things that repositories don't want and allow us to actually write our own repository-specific policies based on that.

H: Of... around... it's not them, it's the one Jeff leads, I think, Jeff Meadows, and they made the npm best practices. They were the group that published that. I'm a part of a lot of groups; I don't remember all the names of all the groups I'm a part of, but there is one that's supposed to, like, be for the, like, software repositories to, like, publish a set of, like, this is what we consider best practices. I'll find it on GitHub and I will send the link on chat.

B: I guess this is kind of the inverse, right? This is worst practices. This is, like, the stuff we definitely don't want you to do. That group or not, maybe we can collaborate with them, right? And so one action that I'm going to take out of this: I shared, there's a link here, on what PyPI already considers to be invalid projects. It doesn't go into a lot of detail about malware specifically; it just says malware. So I will share, like, an updated draft, and what... so?

B: What we're actually working on is an acceptable use policy, which we don't really have right now. But if you're interested in seeing a really good one, GitHub's is really good in describing, like, what represents acceptable use, what can be published on GitHub, that kind of thing. But I'll share that. So is there anything else that, you know, we as a group should probably do here?

I: People don't do it. I think it's important to recognize here that every region, every set of customer types, right, for example, is going to have a different set of rules and regs in this area, and it is the cloud provider's requirement to make sure, you know, for these repositories that it's right, and for its private customers, etc., that it is the security policies of that region. Legal.

I: You know, federal, that sort of thing. Mia has their own rules, for example, especially with regard to the types of data you can expose. So I think what this group should be focused on, then, in that view, is the pluggability of these kinds of security profiles, these, you know, ways that various companies define how they're going to react to certain, you know, such instances, right, more so than trying to create a one-size-fits-all for all countries, all regions, all companies, all corporate types.

B: I mean, yeah, maybe it's broad what we consider a software repository. Generally, in this working group, we consider those to be RubyGems, PyPI, you know, Maven Central, the GitHub software repository, right, like...

B: We are half an hour into this. We have half an hour left. Anything else on this topic anyone wants to add?

A: I would be anxious not to start a discussion on enforcement. I think that's the next step. I think the first is to establish the policy.

B: ...see, the kind of thing that we're trying to identify here. Yeah, mushies.
A: Yes, this is a quick update on the proposal to have a shared help desk. You may recall that we talked about this at the last meeting, or maybe you don't, because it was at a different time. But to summarize briefly, several repositories, or most repositories, are volunteer-operated and have limited sort of bandwidth for dealing with support issues.

A: Many of us would like to expand the coverage of MFA requirement policies to larger cohorts, but, of course, the more people you have, the more people need MFA resets to be performed, because they lose their phone or something else happens that goes wrong, and that, of course, is an intensive process and a tricky process, as Miles will recall.

A: So we can hire someone to be that support person, shared amongst multiple ecosystems, because, you know, there's probably not enough for just one ecosystem, and, second of all, fund a series of contracts to be RFP'd to basically construct the tooling that will be necessary, because of course nobody in their right mind is going to say, like, hello, person who is paid but we don't know, here is production access to the database.

A: So that proposal got updated slightly. Very helpfully, from the, I believe, End Users working group, I got some feedback on what a realistic number is, or what a good budgetary number is, for a support person, and they cited 300,000 as a number. I'm not sure whether that's fully loaded or whether that's just the base.

A: So I've assumed it's not fully loaded, for conservatism, and the next step is going to be that I will put that report in front... put that proposal in front of the TAC. I wasn't mentioning it to them yesterday, because we were supposed to give a report on what we've been up to and what we're going to be doing to the TAC, so I sort of had to extemporize a little, because we missed the calendar on that one.

A: So that's going to go to the TAC next for their blessing. Once we have their blessing, we can take it to the governing board and say, hey, you know how you want to spend money? Here's a thing you can spend money on.

A: Probably the two deltas would be: first of all, I got some figures from yourself for PyPI and from Joseph for RubyGems, to give us approximations of the support burden at the moment, and, as I said, I also managed to get a useful figure, like an estimation figure, from some other folks. The 300,000, I believe, is also being used as the figure for folks working on education proposals as well.

A: If you haven't already, please take a look; there's a link in the notes there. Comments, questions, queries: if you've set up a help desk, and that's a long shot, in the past, then any feedback is particularly welcome, because this is the first time I've set up a help desk.
J: Hello, I'm glad to see that this is progressing. I think one thing that could help this be really impactful, you know, like bringing it to the OpenSSF and eventually, you know, like, the world approving it, would be some sort of, like, commitment or interest from other registries.

J: So I think, you know, based on the work that you're doing, you know, RubyGems is clearly interested, but if we could have some, like, clear interest, and apologies if you already have it, from, like, PyPI or Cargo, I mean crates, or, like, other, you know, volunteer-led organizations. Obviously folks like npm or NuGet wouldn't be part of this proposal.

J: I think that, like, that would be pivotal to seeing it be successful. And then the other thing, because at least, you know, if I was on the other side of this, you know, reviewing said proposal...

J: I would speak directly to, like, how access is going to be managed. And I know that we talked about it briefly, and apologies, I haven't had a chance to review it, but, like, top and center, one of the most important bits, and this is what I would imagine, like, the various registries need to agree to, is, like, who will eventually be making the decisions? How will they get access to these details?

J: How will we integrate into it? Because I would personally find it hard to fund something without, like, a clear commitment to executing on it, or, like, knowledge that, you know, it's set up for success. To be clear, I think that this is really important and is possible, but those are kind of the holes that I would look at first.

A: Yeah, in terms of integration, I included in the proposed budget a series of contracts to basically pay for the development, because the whole point of it is that it's volunteer organizations that have limited bandwidth, and saying "surprise, we're gonna dump something on you" probably doesn't go very well. I'm gonna turn off my screen and monitor for a second; I've got someone at the door, but I'll still be listening.

A: Timed that well, didn't I. Do you know which group that's coming out of? Sorry.

H: That's the... because, basically, originally the ideology of the Sig cert was to create, like, a first response unit, but now that things are starting to move and, like, there are groups that are starting to, like, gather information, we're starting to realize that might not be entirely possible. So now it's kind of sitting at this 50/50 split of education and, like, incident response. So that's why it might be worth having a conversation with him.
F: Thank you. I'm just going to say, given the spirit of the OpenSSF, it would be really good, a fantastic opportunity, I think, to use cvcrm as the technical platform for the shared help desk.

A: I think there'd probably need to be some... yeah, I think there would be some brief discussion amongst folks as to what they're most comfortable with, so that itself is going to be probably a question of development or integration, because I expect that everybody's using something different. I know that RubyGems uses Zendesk as its management thing at the moment.

A: Thank you. Yes, integration is definitely one of the reasons that the budget includes a substantial amount... the proposed budget includes a substantial amount of money, basically for letting contracts to deal with integration problems, because it's not possible to let, like, I mean, it's very unlikely that we could let the project to one vendor and get everything done, because we'd need them to be experts in Python, Ruby, potentially Rust and, like, all these...

A: ...all these different things, whereas realistically, what we're gonna wind up doing is probably have some level of centralization somewhere, and we can all go outside and have a wrestling match about whose technology will reign supreme.

F: Right, I see. Yeah, anyway, it's a potential opportunity, and the more open source tools we use the better it is, because other package archives can adopt the process, if not the community, that we've developed.

A: Well, what I would basically like, I guess, to Master's point, is at least an in-principle yes from folks from, say, two ecosystems, so I would say, nominally, PyPI, which are the obvious candidates. Other ecosystems, of course, welcome. So I'll send an email to the mailing list. To that end, I would like at least a voice vote, probably next time or the time after; I've got to look at the coming calendar, and the tricky part is that I will not be at the next meeting.

A: I have an offsite to attend, so folks can take a vote in my absence and tell me the good news, but I'm not sure whether that is how we'd like to do it, whether you want to take a vote without the proposal, though.

B: Okay, sorry, I was confused. You want that on the 5th or the 19th? You want to do it while you're out, or...

A: The 19th. I think it'll be easier if I'm here, because there'll be more questions, I imagine, on the day. You know, people reasonably want information before they vote. Irony.

B: You can do that. I put you on the agenda. Cool, yeah, so actually, in front of everyone: if you haven't reviewed that, take a look and share it with folks that might find it relevant. Cool, anything else on the shared help desk proposal?

B: Okay, looks like Joel, you have a quick thing on here.
C: And people have answered there, so I was really... I'm asking for a friend, literally, Jason, who couldn't make it today. He's like, hey, go pass this along to the working group. So it looks like there will be folks there; I don't know if I'm going yet, but I feel like Jason's sort of plotting out his show visit schedule. So this is helpful, and I'll make sure to pass this along to him.

B: Yeah, I just want to highlight, like, Zach is giving a talk at SigstoreCon, and actually, like, one of the contractors that has been working with my team on Sigstore Python stuff is giving a talk on, like, Sigstore in the Python ecosystem, so a bunch of relevant stuff happening there around Sigstore.

B: I don't know, I haven't really looked at the broader agenda. Maybe there's some other relevant stuff we could highlight here, but...

G: Yeah, the only thing that's, I think, worth calling out is a lot of stuff around TUF, The Update Framework, lives under the umbrella of the CNCF, which is hosting SigstoreCon, and so there's a few things going on later in the, sorry, OSC and SigstoreCon and KubeCon.

G: There's, I believe, like, a hack-on-TUF day at some point during the week. There's a panel, and then there's just an overview talk. So that's probably the item on the agenda that's of most interest to this group.

B: Cool, I think that's it for our agenda. Is there anything else?

B: So, action items: I wanted to ask Jason, who's not here. I didn't think of anything else from here.

C: I'll pass it along. I feel like it's not just going to be him; he's going to need some input from me, and, you know, maybe Arvey, who, you know, also sits on one of the various Apache things, but I'll make sure that we spend our 15 to 20 minutes to get that filled out.

B: Yeah, yeah, that'd be awesome. And me, I'm gonna share the draft, maybe by next week, on PyPI's invalid projects policy, and then, yes, give Jacques some feedback on the shared help desk thing. Anything else?

B: All right, thanks all for your time. See you in two weeks. Awesome.