►
A
A
C
B
Oh,
we
have
a
pretty
sparse
agenda,
though
the
item
that
is
on
it
I'm
excited
about.
So
if
any
folks
have
anything
else,
they
want
to
want
to.
Cover
updates
on
today
feel
free
to
drop
something
in
the
notes.
I
also
don't
see
action
items
from
last
meeting
which
I
I
had
to
miss.
Unfortunately,
so
if
there
was
action,
items
also
drop
those
in
the
in
the
agenda.
Otherwise
we
can
maybe
have
a
short
meeting.
B
A
D
A
This
this
is
the
idea
of
this
project
is
a
secure
content
download,
but
we
go
for
more
detail,
so
I
work
at
VMware,
I'm,
open
source
engineer
at
All,
Sport
and
today
what
I
plan
to
hear
it's
given
an
introduction,
a
bit
about
the
tough
and
the
motivation
for
this
product
and
then
I
I'll,
walk
through
the
project,
the
design
and
and
details.
I
will
share
also
use
case
for
our
stuff
and
having
time
we
go
for
this.
A
Yeah
I
would
try
to
give
an
introduction,
a
very
high
level
about
tough.date
framework
I'm
not
expecting
in
in
tough
I'm
approaching
tough
in
very
specific
level
and
the
specific
path.
So
why
but
I'm
comfortable
to
do
to
talk
about
stuff
here
we
have
a
lot
of
tough
experts
here
in
that
conf.
So
in
the
end,
if
someone
has
some
specific
question,
maybe
we
can
open
for
that
and
I
I
know
that
there
are
some
people
here
that
can
folks
here.
That
can
help
me
with
that.
A
A
A
How
tough
does
it
it's
by
the
metadata
structure
that
contain
roles
and
delegations
that
have
those
signatures
there
and,
for
example,
for
these
roles?
We
have
timestamp
that
give
the
freshness.
We
have
the
snapshot
that
guarantee
that
report
story
metadata
is
consistent
and
also
tough
helps
to
reduce
the
impact
if
we
want
of
the
keys
of
the
rolls
are
compromised
and
I
allow
very
quick
recovery
from
that.
A
When
we
talk
about
dot
signature,
the
verification
policies
is
needs
to
be
highlighted
here,
because
it
verifies.
The
signature
is
an
authorized
entity
and
also,
if
it
is
signatory,
is
still
valid.
So
but
I
don't
want
to
go
too
much
in
details
here
about
tough.
We
can
cover
it
more
in
the
end.
If
someone
want
to
discuss
about
this-
and
there
are
a
lot
of
good
documentation
and
presentation
blog
posts
where
you
can
get
more
about
stuff,
so.
A
To
explain
the
motivation
for
for
the
project
I
need
to
share
my
journey
about
stuff.
So
when
I
first
joined,
the
project
of
I
felt
very
lost
about
the
name
framework
when
I
went
to
the
website,
I
said
where
I
can
get
it
and
download
it
and
they
use
this
applied
in
my
environment
and
then
took
me
a
while
to
understand
that
the
F14
in
turf
was
in
the
specification
that
is
very
good
and
also
in
the
libraries
that
help
people
to
implement
those.
A
So
I
had
a
friend,
I
was
already
contributing
with
python
talk,
joined
the
community
and
the
friend
asking
me
some
how
they
could
protect
their
clients
because
they
have
this
idea
of
downloading
package
for
the
the
clients.
Actually,
they
have
like
a
system
update
that
the
platform
can
be,
has
a
kind
of
Life
Update
that,
but
he
was
really
looking
for
how
to
protect
this.
Then
I
shared
that
with
them,
and
it's
really
small
company
and
when
he
tried
to
go
to
the
specification,
try
to
implement
it.
A
He
made
a
project
plan
for
the
company
and
it
was
just
rejected
by
the
manager
because
they
need
a
lot
of
people
to
do
this
about
an
year
to
do
this,
to
implementation
everything
so
I
I
was
also
a
bit
frustrated
with
the
situation.
I
said.
Okay,
then
I
started
contributing
with
Pipi.
The
pep
458
I
have
a
pull
request
there
that
implements
talks
to
Pipi
when
I
was
working
with
that
I
said
well.
This
is
great
the
design
of
pep458
together
with
Turf,
it's
amazing.
It
could
be
used
for
more
people.
A
More
people
could
have
this
benefit
of
pep458
and
tough
in
a
easy
way
to
start
and
I
started
this
in
in
April
like
designing
how
it
could
be
done
and
also
to
to
be
able
to
test
some
stuff
related.
It's
not
good
to
use
this
stuff
forward,
but
yeah
I
was
starting
some
design
for
pep458
as
well
and
I.
I
start
this
product,
like
in
parallel
just
to
be
able
to
exercise
some
situations
that
Pipi
could
have
in
deploying
stuff
and
later
I.
A
Don't
know
if
he
uses
here,
but
you
see,
gave
a
talk
in
the
open
source
Summit
and
was
really
something
that
motivated
me.
I,
actually
I
felt
represented
there,
because
what
he
shared
was
exactly
my
thinking
that
report
stories
are
more
alike
than
they
are
different
and
a
lot
of
problems
are
are
shared
by
the
repository.
So
when
I
come
up
with
this
idea,
so
what
is
all
right?
Stuff
people
started,
so
we
try
to
implement
the
repository
with
the
tough
design
metadata
from
Turf
as
a
search
simple
like
that.
A
But
of
course
implementing.
This
is
not
easy.
We
are
facing
this
challenge
now
and
what
are
the
outcomes
of
this
product?
Actually
it's
to
enable
cooperations
project
teams
smaller
large,
to
implement
stuff
to
secure
the
content
delivery.
It
will
be
helping
the
security
supply
chain
in
general,
in
my
opinion,
so
and
another
another
thing
is
about
helping
the
tough
Community,
because
we
we
always
when
you
talk
about
repository.
A
We
don't
have
a
really
open
design
implemented
the
way
we
can
be
receive
some
ideas
or
how
is
it
a
good
way
to
implement
tough
so,
and
we
can
also
contribute
back
to
the
library
saying:
look.
We
need
to
change
this,
or
even
to
the
specification
say
we
are
facing
this
kind
of
problems
in
large
deployment
to
scale
how
we
can
implement
it
better.
So
this
is
the
the
whole
idea,
so
I'll
talk
about
the
Arts
of
design,
so
the
goal
here
for
our
our
stuff
is
to
be
easy
to
integrate.
A
So
we
want
to
integrate
itself
and
our
stuff
actually
along
the
Korean
tax
factory
production
system.
So
it
doesn't
matter
if
you
running
how
you
generate
the
art
attacks,
but
basically
it
will
cover
like
a
CI
CD
and
an
existence
or
a
distribution
platform
that
can
be
just
call
our
stuff
to
say.
Look
I
I
have
a
new
Target
to
the
metadata.
A
Please
add
it,
and
now
the
mechanism
behind
that
is
management
of
the
the
tough
metadata
will
be
done
by
our
store,
and
we
don't
want
to
also
change
the
way
that
people
exposure
they
expose.
Data
repository
doesn't
matter
if
they
ask
fact
in
the
end,
is
in
a
web
server,
A
J,
progax,
Factory
Docker
Hub
registry,
because
we
don't
take
care
of
this
layer.
We
just
take
care
of
the
the
tough
metadata
so.
A
Have
the
top
metadata
design,
but
it's
not
the
goal
here,
to
go
deep
on
that,
so
the
repository
and
and
the
metadata
it's
based
in
pep458
that
when
I
saw
it
I
I
I
I
felt
that
it
could
be
useful
for
many
people.
The
way
that
this
is
designed,
our
stuff
used.
Python.
Tough
python.
Tough
now
has
a
very
modern
and
reliable
metadata
management
for
for
stuff
and
really
we
want
to
implement
web
458
of
480.
A
That
is
the
end-to-end
signing
on
top
of
our
stuff,
and
we
have
a
lot
of
ideas
every
time
that
I
discuss
it
with
someone
will
come
up
with
ideas
so
about
the
the
service
design,
because
you
are
talking
that
we
provide
it
as
a
service.
So
to
deploy
our
stuff,
we
provide
containers
and
image
to
be
easy
to
deploy.
We
provide
management
to
CLI
to
manage
the
the
our
stuff
and
the
metadata
in
some
flows.
A
We
provide
an
API
integration,
which
means
that
cicd
can
be
integrated
or
any
kind
of
artifact
management
or
of
our
distribution
system
so
and
because
that
design
we
can
deploy
our
stuff
in
the
edge
in
clouds,
private
or
public,
and
one
thing
that
I
need
to
highlight
here
is
yeah.
We
also
have
they
scale
to
support
very
active
repository.
It
means
you
could
have
multiple
guys.
Multiple
workers,
that
are
the
components
for
the
our
stock
I,
will
cover
it
about
these
components.
A
A
A
For
example,
object,
storage,
so
it
means
that
the
metadata
can
be
in
an
objective
storage
and
also
the
the
key
storage
interface,
because
that
design
of
the
metadata
you
require
some
online
keys
and
those
online
Keys
now
can
be
installed
in
in
the
local
fire
system.
But
this
is
we
use
more
for
developing,
but
we
want,
for
the
first
release,
also
support
at
least
one
or
two
SAS
Key
Management
Services.
So
it
means
that
those
online
Keys
could
be
in
that
place.
A
So
what
you
see
in
the
left
or
in
the
in
the
right
in
this
geogram
is
that
you
have
the
two
services
that
they
are
not
really
part
of
the
CI,
CD
or
or
your
build
system
actually
to
go
along
with
that
and
the
integration
is
done
by
API.
So
you
see
also
the
storage
sets
and
the
key
sets
that
what
the
worker
will
be
where
they
work
will
be
operating
the
metadata,
the
physical
metadata.
A
The
worker
actually
consumed
from
this
broker
and
do
the
task
so
that
way
you
can
scale
and
have
multiple
workers
managing
that
metadata
and
the
metadata.
The
storage
needs
to
be
exposed
because
we
know
that
the
metadata
for
Turf
needs
to
be
exposed,
along
with
the
artifacts
that
you,
you
have
the
package
or
whatever.
So
talking
about
the
command
line.
A
A
So
if
you
have
one
key
compromises,
how
I
rotate
the
key,
so
you
can
use
the
the
CLI
to
do
this
kind
of
operations
and
one
thing
that
also
was
very
difficult
for
people
when
I
presented
tough,
how
I
create
the
first
initial
metadata
I
need
to
create
a
script,
how
I
do
the
ceremony,
so
we
are
creating
a
ceremony
process
inside
of
the
CLI
to
make
easy
for
who
want
to
implement
the
the
r
stuff
with
tough
metadata.
So
yeah
I
give
two
use
case
one.
A
The
first
one
is
the
CI
integration
and
our
demo
will
be
on
top
of
that
as
well.
So
you
have
usually
how
it
works.
You
have
your
boot
system,
VCI
CD,
so
you
just
integrate
it
to
your
CD
using
the
rest
API
the
token,
and
it
will,
when
you
have
a
new
release,
you
say
to
the
other
stuff
who
here's
information
about
my
new
package
and
it
will
manage
in
in
the
metadata.
A
The
same
I'll
give
an
example
like
a
pi
TI.
Imagine
that
Pipi
you
push
you
you
send
and
you
you
publish
some
new
package.
It
goes
use
some
twine
two
or
something
like
that.
It
goes
to
the
distribution
platform,
and
this
goes
to
the
today
storage,
where
you
can
download
the
the
arc
fact
so
in
that
layer.
Also,
you
add
the
calls
to
the
API.
A
You
can
integrate
this
API
with
the
web
UI
if
you
want
or
depending
on
how
is
your
process
so
I'll
I'll
give
the
demonstration,
basically
in
the
the
first
scenario
that
I
will
have
a
CI
running,
the
CI
will
run
the
checks
after
my
CD
will
ask
me
to
approval
to
approve
the
new
release
and
the
new
release
go
with
the
new
artifact
and
also
the
the
tough
metadata
will
be
dated.
So
what
I
will
be
using
in
that
demonstration
here?
A
My
art
stuff
is
deployed
in
Cloud.
Also
the
metadata
is
stored
in
Cloud.
It's
just
a
web
server
that
has
access
to
my
storage.
Git
will
be
my
my
GitHub
here
and
actions.
I
will
my
CI
CD
I
will
be
using
GitHub
actions
and
the
repository
where
my
Xbox
I
store.
It
will
be
the
the
GitHub
really
simple:
this
will
be
my
personal
GitHub
account
so
yeah,
so
here's
the
deployment
I
deployed
to
use
kubernetes
but
could
be
something
simpler
or
more
complex.
This
is
the
API
metadata
that
that
is
exposed.
A
Yeah
so
yeah
the
kubernetes,
the
kubernetes
and-
and
here
is
the
metadata,
the
Json
files
on
the
metadata.
So
the
next
step
I'm
showing
a
bit
of
the
CLI
I'm
generating
token.
So
here
again,
I'm
generating
I'm
talking
to
integrate
to
the
GitHub
actions.
I
generate
talking
just
with
right
scope,
so
it
can
GitHub
will
be
able
just
to
add
a
Target.
A
And
here
I'm
doing
the
integration
I'm,
adding
the
token
to
the
GitHub
actions
in
my
secrets:
I'm
not
showing
the
pipeline
now,
but
I'll
show
it
later
when
it
runs
so
I
show
it
at
once.
So
here's
the
someone
is:
releasing
a
new
version
of
a
package.
I
created
a
demo
package
here,
so
how
it's
done,
I
just
push
a
new
tag
and
it
will
trigger
my
CI
CD.
A
E
A
A
A
So
then
I'll
make
the
demonstration
a
bit
more
interesting,
I'm
simulating
a
temperate
version.
Imagine
that
someone
found
that
he
has
access
to
Creator.
He
lives
in
the
to
the
GitHub
web
page,
but
of
course
it
will
not
trigger
my
CI
CD,
so
he
is
creating
a
fake
Heelys.
Here,
let's
say
someone
is
going
there
and
adding
a
higher
version
of
the
package
and
it
was
not
sorry
to
the
screens
are
switching
yeah.
He
created
the
temperature
one
added
a
malicious
package
and
publish
daily.
A
So
it
means
that
in
my
repository
in
the
GitHub
he
lives
he
was
able
to
add
something.
But
not
in
my
tough
metadata
because
he
didn't
use
my
CI
with
my
credentials
or
whatever
and
then
I
simulate
with
the
same
download
that
it
will
fail,
because
it
is
not
able
to
to
find
the
package
in
the
metadata
with
the
correct
signature,
only
the
hilly
space.
A
A
We
have
also
the
documentation
that
is
available,
but
if
you
have
a
really
specific
user
case,
I
would
love
to
talk
more
with
you
understand
more.
What?
If
the
API
is
the
flows?
Everything
fits
for
you
or
have
some
kind
of
feedback
or
ideas
how
you
can
play
with
our
stuff.
You
can
deploy
it
using
Docker
I'll
leave
here
the
link
where
you
have
the
instructions
how
to
deploy
it.
A
The
images
are
available
in
the
GitHub
registry,
but
I
would
like
to
say
also
if
you
don't
want
to
deploy
it,
but
you
want
to
just
start
checking
it.
I
have
a
deploy
in
the
in
the
cloud.
I
can
generate
a
token
for
someone.
Just
request
me
to
reach
me
out
and
I'll.
Give
you
a
token
that
you
can
play
with
that.
I
have
the
API
available
together
with
the
the
metadata
that.
A
B
B
Okay,
I
I
do
have
one,
which
is
a
lot
of
the
the
sort
of
example.
You
know
deployments
and
demos
that
you
talked
about
using
CI
we're
using
sort
of
more
more
like
symmetric,
auth
options.
I
was
wondering
whether
you
had
considered
anything
like
support
for,
like,
for
instance,
GitHub
actions
has
an
oauth
identity
associated
with
with
each
job
that
runs
and
using
using
that
sort
of
thing
for
authentication
is.
E
B
A
No
actually
I
discussed
it
before
with
some
folks,
and
actually
this
authentication
and
authorization
should
even
be
in
our
stuff
right
because
I
don't
care
about.
So
we
have
in
a
roadmap.
You
can
see
it
there.
We
have
a
feature
that
it's
the
possibility
to
someone
that
deploy
disable
the
authentication
and
authorization,
because
probably
you
want
to
use
something
more
powerful
in
the
front
like
a
an
API,
Gator
or
or
SSO
authentication,
you
have
a
complex
held
up
so
yeah.
A
B
Cool
that
makes
sense,
yeah
and
I
can
see
opportunities
and
I
know
many
of
the
folks
working
on
this
are
acquainted
with
sing
store
for
so
for
for
potential
integration.
There.
That's
that's
one
nice
way
to
sort
of
turn
these
GitHub
oidc
identities
into
into
signatures
that
you
can
verify
X
externally,
if
I
I'm
in
the
I
just
joined
the
slack
channel
on
the
cncf
so
happy
to
follow
up
there
and
discuss
further
yeah
Jason
is
that
is
that
a
question.
C
Yeah
I
had
a
quick
question:
I,
maybe
a
clarification
I'm,
one
of
the
demos
you
showed
kind
of
separate
dealing
with
the
metadata
I
think
the
demo
pick
command
and
is
pointing
down
metadata,
but
not
the
actual
package
itself.
I,
don't
know
if
that's
something
unique
to
our
stuff
or
tough
in
general,
but
you
mentioned
several
times.
A
G
D
F
D
No
I
I
think
it's
it's
specific
for
tough
to
separate
the
artifacts
and
the
metadata
and
other
stuff
probably
amplifies
this
by
having
a
completely
separate
service
that
only
takes
care
of
the
metadata
and
proper
apis.
So
the
the
pr
that
Cairo
talked
about
initially
on
on
Warehouse
of
the
Pi
Pi
code,
basically
does
the
whole
metadata
handling
and
artifact
handling
in
the
same
code
base,
but
with
RS
tops.
You
have
a
clearer
separation
of
those
things.
D
F
F
A
To
be
honest,
not
much,
but
it's
something
that
I
I'm,
not
the
answer,
because
I
actually
maybe
I,
didn't
think
about
that.
Yet
because
I
don't
know
if
it
should
be
in
a
layer
before
sending
it
to
our
stuff,
because
it
depends
of
which
kind
of
repository
a
bit
you
know
or
how
you
provide
I
mean
it's
I,
see
it
more
as
a
flow
before
you
releasing
something
like
the
same
way
that
I
do
the
approval,
say:
okay,
here
I
approved
the
the
demo
package
version
103.,
so.
F
I
got
it
I
mean,
of
course,
that
then
means
that
the
CI
system
is
now
even
more
critical
because
you're
going
to
trust
the
CI
system,
so
it
kind
of
like.
If
you
had
your
checks
behind
the
the
wall
and
our
stuff
side,
then
they
might
kind
of
be
less
susceptible
to
you
know
the
CI
system
being
broken
into,
but
it's
not
an
easy,
easy
issue.
So
yeah,
it's
fine.
A
H
A
Actually,
you
define
it
in
your
client,
let's
say
that
you
are
changing
the
app
T
to
work
with,
or
let's
say
that
you
are
changing
people
to
work
with
the
tough
metadata
and
also
the
pipi.org
repository
where
the
packets
are
right.
So
when
you
create
your
clients,
your
pip
in
that
pip,
you
put
this
information.
Of
course
you
have.
Where
is
my
repository
for
the
art
facts
and
where
is
my
address
for
my
metadata
I.
Don't
know
if
I
answered
well.
H
B
Know
if
you're
someone,
if,
if
you
don't
mind
I,
can
I
can
take
a
stab
so
I
think
here
right.
The
the
important
thing
is
that
when
you
ask
tough
to
resolve
basically
a
package
by
its
name
like
that
package
name
has
to
be
canonical
and
what
you
get
out
of.
That
is
like
a
cryptographic
hash
of
that
package,
which
is
nice
because
that's
that's
going
to
be
safe.
B
So
as
long
as
the
thing
you
ultimately
get
matches
that
hash,
I
think
I
think
you're
in
good
shape,
and
you
can
do
that
either
indirectly
by
like
a
convention
where
I
take
this
package
name
that
I
just
looked
up
in
tough
and
I
just
hit.
You
know
ipi.org
packages
slash.
You
know,
Etc,
like
the
same
the
same
package
name.
B
If,
if
you
just
do
exactly
that,
you
you
should
wind
up
in
the
same
place,
I've
seen
other
repositories
either
propose
or
actually
sort
of
cut
out
this
middle
step
and
say:
okay,
you're
going
to
look
up
the
hash
here
and
then
we
have
this.
You
know
sort
of
content,
addressable
store
where
you're
just
going
to
query.
You
know
data.repository.com
for
the
hash
and
then
get
get
that
artifact
directly,
so
I
think
those
are
two
ways
you
can.
F
Well,
I
was
going
to
mentioned
that
this
is
kind
of
related
to
the
whole
Target
Discovery
aspect
of
tough
that
isn't
really
there,
like.
A
lot
of
people
are
finding
that
out
kind
of
the
hard
way
that
that
tough
doesn't
provide
this
kind
of
idea
of
looking
for
something.
Like
you
mentioned,
you
need
to
know
the
exact
identifier
for
whatever
you're
looking
for
as
long
as
you
know
that,
then
it
works,
but
it's
just
a
method
of
downloading
things
not
for
searching.
For
you
know,
packages.
G
B
B
All
right
well
thanks
again
Carol
that
was
super
interesting,
yeah,
I,
think
I
think
really
promising,
because
I
I
personally
am
excited
about
tough
as
a
as
a
sort
of
mechanism
to
be
put
in
place
on
a
lot
of
repositories
and
I.
Think
we've
we've
heard
over
and
over
again
that
there
are
a
lot
of
hurdles
to
actually
rolling
that
out.
So
if
we
can,
if
we
can
reduce
those
all
the
better
okay,
there's
not
a
lot
added
to
the
agenda.
B
Someone
suggested
to
me
that,
since
this
is
perhaps
the
first
time
that
many
many
folks
in
this
room
were
able
to
make
that
we
could,
we
could
start
with
I
guess
start,
but
what
we
get.
We
could
sort
of
welcome
everyone
with
with
sort
of
a
little
bit
of
background
on
this
group,
what
we've
been
up
to
so
far
how
it
works
Etc
in
case
this
is
your
first
time
at
this
meeting
I'm
happy
to
attempt
to
give
a
summary
of
the
history
that
is
totally
unprepared.
B
So,
if
I
get
anything
wrong
or
I'm
missing,
anything
feel
free
to
add
it
in
the
chat
or
or
holler.
So
this
is
the
openssf
securing
software
repositories
working
group.
What
does
that
mean?
It
means
that
we
get
a
bunch
of
people
in
a
room
and
talk
a
lot
about
how
to
make
you
know,
package
managers
and
repositories
more
secure
and
specifically
focusing
on
the
repository
angle.
B
So
you
know
I
think
things
like
Pi
Pi,
Maven
Central.
We
have
representation
from
cargo
OS
package
managers
I.
Think
someone
from
Gen
2
is
is
hung
out
every
once
in
a
while
someone,
some
more
experimental
stuff
which
is
cool.
Someone
like
NYX
or
the
there's
folks
working
on
webassembly
packages
or
I.
Guess
modules
is
the
actual
name
for
that,
but
any
any
any
case
where
you're
Distributing
software
and
one
other
potential
use
cases
is
sort
of
the
ml.
B
Community
has
their
analogs
of
these
repositories
as
well,
and
so
everyone
in
this
room
wants
to
make
those
safer,
I
think
the
best
way
we
can
do
that
is
to
sort
of
not
in
a
vacuum.
You
know
all
in
parallel
kind
of
try
to
figure
everything
out,
but
but
sort
of
learn
from
the
best
examples
of
of
other
folks
I.
E
B
What
that
could
look
like
I
believe
in
npm
the
an
RFC
for
package
signing
that
actually
looked
a
little
bit
like
what
was
in
the
example
where
you
have
in
the
CI
system.
Do
the
signing
and
not
the
maintainers
themselves,
that
proposal
for
npm
was
merged
recently
and
I
believe
that
effort
you
know,
is
underway,
I,
don't
I,
don't
have
the
details
of
development
there,
so
so
cool
stuff
like
that
learning
from
from
other
repositories,
yeah
in
terms
of
logistics.
We
have
this
meeting.
B
B
If
you
have
anything,
you
want
to
say,
feel
free
to
drop
stuff
in
the
notes
and-
and
someone
can
read
something
for
you,
but
there's
also
a
lot
of
asynchronous
communication.
A
lot
of
that
happens
in
slack
on
the
open,
ssf
Slack
and
the
securing
software
repositories
working
group,
or
maybe
it's
WG-
securing
software
repositories.
B
Something
like
that,
you'll
find
it
and
then
there's
an
email
list
too,
which
I
believe
is
I
can
drop
a
link
in
the
in
the
chat
here
less
traffic
on
the
email
list,
though
it's
encouraged,
if,
if
you're
interested
in
in
participating
in
conversations,
yeah
I,
think
that
covers
a
lot
of
what
we've
done
check
the
meeting
minutes.
We
have.
B
167
pages
of
meeting
minutes,
so,
if
you're
you're
looking
for
some
some
nice
speech
reading,
take
take
a
gander
at
those
but
feel
free
to
ask
too.
If
you
have
questions,
and
you
don't
want
to
read
through
167
Pages,
if
we've
ever
covered
something
before
what
are
our
oh
there's
a
charter,
the
charter
is
linked
from
the
slack
Channel.
E
B
B
Nothing
in
this
group
is
going
to
be
binding
of
anyone,
but
might
represent
sort
of
collective
wisdom,
and
that's
that's
kind
of
I
think
the
most
realistic
work
output
that
directly
comes
out
of
this
group,
but
I,
think
many
of
the
folks
involved
to
do
represent
actual
package
repositories
are
doing
way,
cooler
and
really
really
tangible
work,
outputs
which
we
love
to
hear
about
all
right.
Thanks
for
letting
me
ramble
anyone
else,
who's
been
here
for
a
while
have
anything
they
want
to
add
or
any
newcomers
have
any
questions.
B
I
I
I
I
We
got
back
about
11,
including
you
know,
the
main,
the
main
languages
of
the
popular
languages,
so
we
had
like
Pi,
Pi,
ruby,
gems,
npm,
different
flavors
of
java
and
many
more
so
the
the
the
doc
that
I
have
in
that
is
kind
of
like
the
summary
of
results.
At
least
my
interpretation
of
it
I'm
not
sure
how
I
can
best
share
the
actual
data
with
folks
I
can
export
it
the
spreadsheet,
but
that's
not
super
readable.
B
J
B
Yeah
and
I
encourage
you
to
look
the
website.
I
believe
still
has
the
program
from
2021
a
lot
of
I
presume
to
most
of
the
folks
in
this
room
very,
very
interesting
content,
cool
stuff
around
you
know,
package
managers,
package
repositories
generally
and
specifically
on
security,
so
check
those
out,
I
think
they're
all
recorded
and
available
online
too.
G
B
Oh
very
cool,
appreciate
your
work,
Chang
and
anyone
else
on
the
organizing
committee.
Putting
that
together,
yeah
you're
welcome
all
right.
Well,
then,
I
think
I
think
we
can
call
it
a
wrap
for
for
today,
thanks
again
Cairo
for
for
swinging
by
that
was
a
cool
demo.
You
know,
hopefully
we
can.
We
can
see
further
collaboration
and
use
of
that
project
in
the
future.