A
Hopefully, people keep joining, but we kind of change the time. We said we're going to change the time, but we changed it a little bit last minute, so might end up not getting as many people.
A
Yeah, welcome, it's just a few of us here. I see you Caleb, J. I don't know, Cameron, any, anything. You want to say hello or anything like that?
B
Thank you, thanks for moving the time zone, and it looks like it's regular now, every four weeks.
A
Yeah, so I just got this one in the one four weeks from now updated, okay, and then I think after that it's gonna be the time change and we have a vote for a different time after that, because we go back and you go forward. We've.
A
Okay, sounds good, yeah, out of sync.
A
Yeah, anybody new here? Hey Randall, thanks for joining. Hey guys, cool. Yeah, Amir is in, still, he's actually in Europe time zone right now, so he's like 1am or something. So yeah, so I assume for the charter, oops, we're not gonna have enough people here for quorum again. So hopefully we get enough people to join this meeting for.
D
Yes, I actually, I met with Caleb, and we had a phenomenal meeting together, talked about a lot of great stuff, and I think that we're going to be able to fit what we want out of critic, or in the criticality score tool. So I don't know, Caleb, if you wanted to talk a little bit about what you got away out of that meeting as well, but that's basically where I got with it.
B
Yeah, so Randall was talking about moving the spreadsheet that we currently use into markdown format and making it, like, visible in a GitHub repository, which I actually think is a really good idea and puts process around how it gets changed and updated, and the idea is: how does the criticality score tool fit into that, which is a great question.
B
The long term, it'd be great if the critical, like, this is in a perfect world, the criticality score tool would always produce perfect results that match what everyone wants from a list, but that's not likely to be the case for a long time. So having a manual list is a great idea, and Randall was talking about.
B
How do we make sure that something coming into that list is actually somewhat critical without having the burden of a reviewer having to go off and check a big list or figure out what's going on, and so the idea is using criticality score tool is like a one-shot.
B
Eight is a new change here. Does it, what does its score? What are the signals? And I think that that is a really good use case and one that we could work at supporting through the criticality score tool. Randall went ahead and created a Docker. Did you actually create the action, Randall, or did you, we're in the process of doing that.
B
Okay yeah, so the idea would be to create a way to run, to create either a single Go binary and/or a Docker container that you can use to run it against a URL and it spits out a bunch of scores for it. So that would then work with having a markdown version of things, and then you can then update the, as you update it, as someone proposes updates through pull request, you could then annotate the pull request with information that is collected from the criticality score tool.
B
So it's still interested in collecting, like, on scale signals and being able to do that sort of analysis, particularly to improve the score as well and make its rankings better. But I think this is certainly a use case that makes sense, and it's kind of immediate and a valuable way to actually use the tool in a way that, yeah, can provide some immediate value.
B
So I created a bug around dockerizing, something, and in the process of productionizing it, which is what I'm currently working on, I'll also refactor things in a way that makes it possible to have a one-shot, like per repo, sort of way to run the tool, but yeah, I'm open to input from the working group as well, if anyone has thoughts and opinions.
C
I don't have a great solution, but how's this. Let me describe the problem, which I think you're already, Caleb already well aware of, that doesn't mean there's a better solution, which is why I've never screamed too loudly, but you know it's obviously quite possible to have a project which everyone depends on, but is completely unmaintained or very poorly main. You know, there's only one maintainer, doesn't get involved very much.
C
I totally understand why you weight contributor count, because under the argument that, and please tell me if I'm mistaken, that hey, if there's a lot of contributors, an unusually large number of contributors, that suggests importance, I get that, that does make some logical sense. My worry is, of course, not having participants doesn't mean it's any less important. It just means it's higher at risk, which, oh my.
D
Well, Amir wanted us to follow the ideology that this is a set, so like what we talked about was staying away from, like, hard numbers, and that was something that Caleb and I talked about, because maybe, when we get the output for this list, we're not, we're going to stay away from, like, a hard criticality score, but Amir basically wanted us to add stuff to the list. This was in the list of requirements that he kind of has, where basically, things are added as a set.
D
So in other words, we will not, like, judge based on the actual score or based on any one factor, it's more like a, like, group of factors, and it's not a ranking either. So the list could theoretically grow, and then Caleb kind of brought up a good point, though, which is: but how do we go about, like, maintaining that list?
D
Another suggestion that I had was that we just basically leave it running and every so often we will do maintenance based on maybe the last commit that was done in the repository. But then that's also not a good one, because there are very specific projects, and I think the ones that we talked about, like Caleb and I, was X, X.Org, which is very interesting, and GPG, which has like one main developer that holds it all together. Right.
C
Currently, one of the main weights is, and I included the link. You know, the top weights are dependency counts and commit frequency and contributor count, followed by things like org count and commit frequency and.
B
I don't know if it helps very much. In particular, it kind of elevates, in C-based repositories in GitHub, things that are Linux forks, as opposed to things where they might have one contributor trying to work on some feature, but like, in terms of stepping outside, like we can talk about the weights or the things that we should have there or not have there, and this is where the work around production guys are productionizing.
B
What we have, I think, is really important, where we can have this discussion and start playing around at scale with how changing things will affect the score, rather than, like, at the moment it's really hard to run this thing more than once again across a million repositories. If it's very easy, or it's automatic, then adding a change and seeing how that is reflected in the scores becomes a lot more routine, and then these discussions can become a lot easier, where you're like, I don't think contributor count's right.
B
Okay, let's put in something else or get rid of that, and try something new. And like, at the moment it's very much weighted towards participation and so popularity and activity, and I think that that's not, I read some paper somewhere that was like, popularity doesn't actually mean that it's going to be more secure, but also I don't think the popular projects are the ones that are necessarily the most critical either, and so adding better signals, and this is one thing that I'm really focused, like after productionization.
B
Very much interested in is adding more data around dependencies or dependent counts, because that information is much stronger in terms of its criticality than any sort of activity or popularity on the project. So stronger data around dependents is something that, like, we need to find those sources for, and I think long term, like, that'll have a better impact in terms of finding things that are critical, yeah. So I'm like, this is my plug for, like, productionizing is a good thing. Yeah.
D
Let me say this, though, in my marching orders that I was given from Amir, I know that part of what Amir was going for was staying away from weighted scores, so, in other words, his ideology is that we would just pull in, like, the raw data, like amount of contributors, amount of contributions, last commit, like when the last release was made. Things like that is how Amir defined quantitative data, just for them and.
B
I think that it's worth also distinguishing for the record the difference between the output of the criticality score tool and a hand-curated list of critical projects, or a hand-curated set of critical projects, that this working group is interested in, and they don't have to be the same, and I'd like the automated system to end up reflecting the hand-curated list as much as possible, but yeah, I think it's worth remembering that they can be separate things for the time being or forever. Yeah.
C
Fair enough, and agreed, as long as there's manual review, to say, hey wait, but that, I tried to do this. I mean, we use different weights, but we quickly came to a similar conclusion that, you know, you run tools, you run analysis, you find stuff, but no measure, set of metrics, really fully captures the real situation.
B
Set of lists, a set of critical projects, to inform the algorithm that is in the particular score that's being generated, and that's kind of where I find value from this sort of hand-picking. Not caring so much about the score and allowing things with low scores in the list makes it helpful to understand whether the list itself, the output of the criticality score project, is doing its job or if it's way off the mark, and that's really important.
A
So what are the next steps here for getting the integration going?
D
I was going, well, I think Caleb was going to work on getting output for a single, like, because the way I was gonna work it is that I was just gonna run a diff in a GitHub action and basically pull the information that was added in a PR and then run that through criticality score. That was kind of what I was going to do, and then take that output and basically post it as, like, a comment or something in that PR. That was kind of my ideology of how I could run this.
B
And I'm very happy to support that as well by doing the necessary work on the criticality score project, so, for the record as well, I'm interested in deprecating the Python project, and this also serves that end as well, where having the ability to run criticality score simply across a single repo is really handy for people who are coming past the project and interested in what it does.
A
So Randall, is the ingestion automation, can it, are you blocked on getting this feature from criticality score? I.
D
I am, I am. Okay, basically, I have a script that I made for JS as proof of concept with Anthony, and I gave that to Caleb, so he kind of saw that, but yeah, basically as soon as I can run the diff on the one, with, from the one line on the Go tool, then I can get back on that and then I can make the proof of concept of the actual repo. If you want, I could do that in my own personal, or I could just do it.
D
The OpenSSF one, or I can transfer it. Whatever works.
B
I will have the priority of my work to make sure that we get in. On top of that, we may want a new repo for the action as well. I agree, if you want to put it under the OpenSSF banner.
B
Yeah, I was going to start, Randall, I will try and have something for you to execute within the next couple of weeks. Absolutely.
A
So one of the things I noticed was we have, in our meeting notes doc, we have the key documents and the process for identifying critical projects that Amir wrote, and so he wrote it with the Google Form and Google Sheet in mind. Should we update this doc, or we already think we're not at that point yet? I could present, if you want.
C
Help me here: I've lost the, I've lost the plot here. What do we try, what are we trying to do here by looking at the stock, so.
A
We are here, kind of in our process laid.
A
Here, right, we don't, it's, as I was looking at the, we don't have anything here.
A
Yeah, maybe so here.
D
As soon as we kind of hit that topic in this working group, it kind of becomes the hot topic of the phone call, so there's kind of been a lot of things being thrown and a lot of really great ideas, but yeah. So that kind of depended on me getting that proof of concept together and a couple other things as well.
A
YAML that gets processed into a markdown that we view, so I don't know if we want to update this to kind of show our current consent, like, working group consensus, it's kind of moving away from this is.
D
What I'm doing for the glossary, because this might be something we can do, kind of sort of, is I was going to just, like, concatenate everything into a huge YAML file, because the best practices working group wants something of, like, an easy way of searching the glossary. So Glenn and I kind of been finagling a way of how to, like, concatenate a bunch of markdown files together into something of, like, a YAML database and then just running that on, like, with a simple search.
A
Okay, well yeah, I guess we'll just start small, or we'll comment on this doc and then we can discuss next time.
D
You think that, before the end of the next meeting, like, I'd have something to package? Because if that's the case, then I can, you can let me know when you're ready, and that way the next action item can be to, like, have a one-shot demo of the tool.
B
Oh, I'd like that to be the case, so you're, so in terms of, sorry, I want to understand the time frame.
B
Okay, I can be finished within two weeks. I would be, to be finished earlier than that, so that you have time to do something, I would be unsure about, okay.
A
Unfortunately, I do have to run early. Could somebody else kind of shepherd the meeting for the rest of the way? Sure, we.
D
I want to point this out, David, just real quick, that I think that this also plays into our previous meeting at one o'clock, these architecture, because there have been certain groups that have been unclear how this list works, which I've needed to explain.
D
Is that, like, and I told this to Caleb, that should we align, because sometimes I feel that, like, I like where Amir is headed, but I don't feel like that vision aligns with the overarching vision, because when I say that it is important, like, if it is important, then I don't think that anybody should be able to just add any project because they think it's important, and if it looks important enough, then basically what we're suggesting is that it'll get merged into the list. Yeah.
D
We actually had a long conversation about this, to be honest with you, because this was the conversation where we changed the term list to set, because we don't want to make it a competition. If that makes sense.
C
The one who suggested it, yeah, but that said, it's a set because we're not trying to order within the set. However, there is still a distinguishing characteristic, if you don't mind me using the math terminology, of: is it in the set or not? Because if anybody can propose anything and it just gets in the set, then that's not very meaningful. So there has to be, you know, I think it's basically an effort to try to make it.
C
So we don't have to make useless decisions. We don't need to decide if it's number 60 or 70, that's a lot of effort that doesn't matter, but deciding whether or not it's in the set or not, that's what matters, and with the hope that that makes the decision making somewhat easier, because we're focusing on just the in or out question. Fair, fair.
C
Yeah, I mean, I think the rationale for the proposed, and no one objects, I think was more, you know, maybe the problem here is it's not well worded, okay, because I think what you just said is different than what I recall was agreed to, and I see where you're coming from. I think the assumption going in, and this is, I think, not well captured, was that in many cases people are going to propose things that as soon as you hear it, you go.
C
Oh my gosh, of course that needs to be in there. Okay, you, do we really need to do in-depth analysis for the Linux kernel? I doubt it. Okay, maybe for a Network Time Protocol daemon or, you know, something, some other widely used implementation. My guess is, you know: hey, that's deployed in several tens of billions of devices. Probably that's important. Node's probably important, so is CPython.
C
Reality, the reality is, and I'm gonna step on, I think, a lot of toes, but if you're primarily going on popularity, you've got jQuery and React. We can argue whether or not jQuery is a framework, but they say they are, I'm going to accept it for now. You know, jQuery and React, sheerly by numbers, need to be in, so I don't think we need to argue those. Now, if you want to make the argument, hey view, w-e should be in there.
D
So also to clarify, Amir, his vision was that somebody opens a PR, adds something, we make the comment with all of this quantitative data, and then someone else would come in, see the data, and they would merge it, and that's the way the system would work. So I'm all for a voting system. I think that's a great way of handling it. It's just then it would be a question of how are we going to have a voting system on GitHub.
C
Right, and by the way, we don't, you know, it seems like we've gotten stuck waiting for the code to be written to implement this. You're not wrong.
C
As well, yeah, I agree, and you know what, I'm all for tools to make things easier. But if that's our blocker, well, let's back down to either, you know, simpler tools, I'll say no tool, but you can argue that Zoom, I mean, Zoom's a tool. So, you know, having a meeting and going thumbs up, thumbs down isn't a fancy tool, but I don't care there.
C
I will say that I think one thing that we could do, this is something I advocated earlier, but people wanted more fancy tools, let me re-raise it: basically using a big honkin' Google Sheet and just have people review.
C
I don't think Google Sheets have security on per column basis, so you have to trust that people aren't going to edit somebody else's answers. Generally, that's not been a problem, and you can detect when somebody does that. So, you know, I don't think, you know, I think that would be an alternative solution.
B
The one thing missing from Sheets is, like, very easy change tracking. I know the owner of the doc can see it, but I'm not sure about others.
B
The other thing I had a question about in the process, and this is probably not until the process for ingestion is finished, but also is there a limit to the size of the list, and also what is the, like, exit criteria for things that are on there that probably shouldn't belong there at all anymore, so, like, is it infeasible for this, like feasible for this, to grow forever, and yeah.
C
Let's see here, you know what, I am trying to pick notes at the same time, and I think I failed on my multitasking. Can you please repeat the question?
B
Sure, like, the process is for ingestion, but what about the other parts, like size, like how big is the set of critical projects? Is there a limit to it? Yes, and also, if something, how does something leave the list or the set, especially if you have a limit to the size, then also you need some way to say, well, this thing shouldn't be in here, right, yeah, then you need to stack rank things and yeah.
C
Yeah yeah, no, okay. As far as the how big is the set of critical projects, up to this point there's been a consensus to limit it to about 100. Okay, it doesn't have to be exactly 100. I.
C
Think the current list is, what, 103? Okay, you mean, so, so big, I mean basically it doesn't have to be exactly 100, but the rationale for that is that we're not making a list for navel gazing purposes, I mean you can navel gaze if you wish, but the goal is to focus funding and security audit efforts on projects that are especially important, and I would add, especially important, and especially those at risk.
C
There's actually been a topic of, it should be only, up to this point we've only tried to identify just what's critical, whether or not it's at risk or not, but I think the goal here is we want to focus on a small set so that we can apply funding, because, if you say, hey, give me the first hundred thousand, you know, you take the whatever dollars you get divided by a hundred thousand.
C
Nothing useful happens, so, you know, 100 is a little arbitrary, but I think the theory was that, at least going in, and the decisions can change. The purpose, is somebody else taking notes? Oh, bless you. You know, the purpose was to make it so that it was something that was reasonable, that was small enough so that we could reasonably pull a significant subset and do some funded work with them.
C
Okay, whereas if it's ten thousand, hundred thousand, I mean, Omega actually is looking at the top ten thousand, but they're talking about just using tools, and they're actually very much in, expecting to include in that top ten thousand all the tool, all of the components identified by this working group in that top ten thousand, under the presumption.
C
If it's in this top 100 group, it must be in the top ten thousand, so I'm sure, you know, if they look at something and they say what's wrong with you, they might make an exception. But at least that's the current going-in position, but for the Alpha part they can't fund everything. Now they're not promising to take exactly the list as gospel, and not at all. But this is one of their key inputs, and.
D
And rightly so, so David, so question. So how would Node qualify, because Node already gave Alpha Omega librarity have an engagement, if I'm not mistaken, so.
C
Yeah, there's actually a couple things, but I mean that's, that's the set for languages, yeah, okay, so I'm sorry, I didn't mean to cut you off. My apology, no.
C
See what I'm trying to say, right, right, they're not funding Flask, I mean Flask, I mean.
C
Fair enough, and the good news is that many of us aren't going to know what Flask is, so you know, so you know flaskood wouldn't actually be insane, by the way, as something on the list, but.
C
Or something, yeah, and actually Django is on that list. Yeah, okay, but I think the short answer here is: if you look at the goal, was comments. If you look in the comments and thoughts, yeah me, this was done in a hurry, and so it's not as well explained why.
C
But if you look on the right-hand side, if you open up the list and look on the rightmost list, it says comments and thoughts, and this was basically, though, why is this here? Okay, and fundamentally it's the, and you'll notice that basically widely used or used a lot, it's those kinds of phrases that are very, very widely used for the, you know, in terms of justifications. Okay, you're absolutely right that the leveling varies. I'm not sure if that's, I'm not even sure that's completely solvable.
C
And, to be honest, Liz desktop, I think, is too, that's too big a scope, but we did talk about the kernel, right. Yes, now Oscar, now the Linux kernel is on that list, and I think that's totally justifiable. TypeScript, by the way, is on the list as well, on the current list.
C
One of the interesting ones, for example, that got on the, is on the list is, is Ruby. Ruby's a decently widely used programming language, just one I happen to use a fair amount myself, but one interesting thing that came up in discussions is not only is it a fairly widely used language, but GitHub and GitLab are implemented in Ruby.
C
So a very serious, you know, malicious, very serious subversion in Ruby can lead to subversion of most of the open source software.
D
But then you have things like Storybook and then you have things like string decoder, which are two, they work at two completely different levels, absolutely, absolutely, and you have like systemd, which I'm sure a lot of people, if this was Gentoo, we would have all gottenberg.
D
My argument is that, without open, oh crap, I forgot what it's called, without the other one, then there's a bunch of them that wouldn't work, like s6, and there's a lot of init managers that would basically go, that would not work so well. Okay.
C
I think, and see, I think that basically goes back to the, we need to argue not on categories of functionality, but on how critical is this in the sense of how widely used is it, if a vulnerability happened there, how bad would it be? systemd, for right or for wrong, is very, very widely used. I think I could argue that most deployed Linux systems today use it, if it's an actual, okay. So it's not really a quality argument. It's more of a how wide world.
C
So the current list was developed relatively quickly because, I mean, fundamentally, and you can blame me, but the Great MFA project desperately needed a list of some kind, right, and so we came up with a list. We know it can be improved. To be honest, I'm actually proud of the list. I'm sure it's imperfect, but we made a decent start. Nobody has, people scream about particular entries, but don't scream about the list as the worst ever.
C
No, it's not, so let's work and make it better, and I think that's, that's so.
C
PolicyKit, yeah, okay, I mean frankly PolicyKit controls security decisions. So I think that makes a pretty, but I think Polkit's GNOME specific, isn't.
C
That's actually, that was actually a straight-up decision. The decision was early on we're not going to try to list GNOME or KDE as a whole, because it's just too big, but in the same way we don't list Fedora or Debian, again too big, so we were trying to drill it down a little further. You can argue we didn't drill it down too, but, but nothing was far too far.
D
But this is where the deceivingness comes in, because you do have Homebrew that uses Gentoo as upstream, because I know that, because I'm the person that does that, and you have also Nixon here, which, so I would say that you would need all of the packaging, all the nine parent packaging teams.
C
I think the argument there is, oops, and I see Caleb. Let me not be the only person talking.
B
My hand is not more, to kind of, I mean it's interesting to discuss why things are in there or not in there, but I guess my question is going back to something you mentioned at this earlier, David, which was a lot of the list is reflective of what is important, and I.
B
Think that makes sense when you're only looking at this from, like, at the start, but since, like, if a project's been invested in, its security posture has improved, at what point does that actually get taken off the list because we're comfortable this, is this project's getting the attention it deserves or something, or has had the attention it deserves and isn't a big security risk anymore, like, right.
C
Yeah, so that is, wait a minute, that actually raises a really important question, and it's one that we really didn't adjust so well. Do you take something off the list? Because is this a list of simply what's important, or is this a list of critical open source software that has higher than expected risks due to problems of some kind? Because in my mind, if it's just critical, the answer to how you get rid of it is because people aren't using as much anymore, and.
C
We're taking security, but not the how bad off they are, correct, yeah. That was my understanding as well. So my understanding is that if suddenly tomorrow everybody stopped using PyTorch or, you know, or CPython, then it would go off this list.
D
And specifically that came up with X, because, like, you know how X is very poorly maintained, because one of the suggestions we had was, we could use, like, the last commit that was made. But we found out that that's not entirely accurate.
B
This means that something could technically leave the list if they are a key dependency for a large project, and then, that's correct, that key, yeah, that key dependency, sorry, that key dependent then removes that as a dependency, and then now it's lost all its usage.
B
So yeah, that's one way you could prune the list as well, but a lot of the projects that are on the list currently definitely critical in the sense that they are kind of an end thing or a framework itself or a language implementation, or something like that.
C
So basically, do people agree that, as long as we keep updating the list, that's a reasonable way to removing them? Yep, yeah.
B
I think that's a reasonable idea, although we don't have quorum, and this probably should be brought up at the next working group as well. Agreed.
B
I think Randall was kind of doing most of the, is that the focus point of it, and I would argue you're leading at, Randall, and I'm contributing by building support in the.
D
Christian, basically, what happened, Krab, is that I made a comment, like, a meeting or two, a meeting ago to Amir about how did criticality tool fit into everything that we're doing, and then State, me and Caleb got in touch to basically figure that out, because apparently, like, the initial idea was for it to go together, and then it was like, oh yeah, we have that. We should probably talk to Caleb, so yeah.
C
All right, so here's the problem. However, this is starting to block the whole process, so I guess it's rather unfair, and we're wrapping up the meeting when we, I probably shouldn't dump this on you, but maybe just at least stick in the ear. At what point do we say: building tools is awesome, but maybe we shouldn't block this round and push that off to future rounds, and Randall, maybe this is at least, you know.
C
You don't need to answer it now, but, I mean, if you have an answer, great, but I am totally sympathetic to the hey, I've got some ideas but I'm out of time. I'm there all the time myself.
D
Think, I think what kind of got us was that I built kind of a framework where you could load scripts, like, for different, like, packaging systems, specifically with npm. We just started with npm, and then it became a thing. But if criticality score already has these functionalities, let's not build something that later on is going to be, like, parallel to something we already have, I think that was the ideology there, because the npm version is somewhat already built. It's just that.
C
Yeah, so why not use criticality score for the data anyway, yeah.
C
Yeah, no, I, of course, Amir's not here, so I don't think he meant, though, that anybody, whatever they propose, automatically gets in. I think his idea was whenever, when there's general consensus, go ahead and let it in because there's general consensus, and then argue about the rest, but I'm looking at the actual text written in, it could be interpreted both ways. So I think this is a text unclear problem. Yes, all right, I think that we are at time.
C
Thank you, everybody, for your participation. You know, I realize this is going to be challenging, but I think we basically, you know, Randall, I do, and Caleb, I very much do appreciate your proposal. We are definitely going to try to get as much work out of you as you'll let us get out of you, but on the other hand, I don't want to be stuck forever waiting for more tools to be built. I would much rather take things using simple tools.