A: So might as well just get started. Thanks everyone for joining this week's Securing Critical Projects working group meeting. Again, for those that just joined, we have meeting notes in the calendar invite as well as pasted in chat; I can paste that again. In a second, add yourself as an attendee and add any agenda items for us to discuss today in this meeting, and as usual we'll get started with new faces, so anybody that wishes to can introduce themselves that hasn't for a while or is new here. So go ahead and open it up. Anybody, just go ahead and start talking.

B: Hello everyone, I am Mano, I am from Brazil, so hi Marco. I am a DevSecOps at Sky and based in the UK, and I learned about this project and I was excited to learn more and maybe help you guys secure critical projects. So that's it.

C: I'm Peter, everyone knows me as Fuzzy, and yeah, I'm coming from the astral protect team. Chelsea come around and try and help the foundation. Randall dragged me in so I'm here, because I Randall. If anybody has anybody to blame. Thank you very much for having me.

A: Yeah, thanks. Welcome everyone, glad to have you all here. All right, so just as a bit of housekeeping I wanted to let everybody know about the APAC-friendly time poll results. So by far the time that got the most votes in the first section was the 8 AM Sydney, 3 PM West Coast, 6 PM East Coast and 11 PM London time, so I think that's a clear winner of when we're going to move, at least for now. And as you may know, after Daylight Savings Time ends, the southern hemisphere springs forward and the northern hemisphere falls back, so the times change a lot in between the two, and to make it more, you know, to get a different time that can get more people on the same meeting, the next time listed there was the winner in the poll, which is an hour earlier for Sydney, but it means that East Coast is 3 PM and even Europe could come if they wanted to stay up a little late. So any questions there or discussions on the time? I think the next question is like: when do we do the first? When do we start alternating?

D: Thank you Jeff, and thank you everyone who did the poll. I suppose as soon as we can get, I believe it's Jory, to update the calendar. Maybe we can, for the next meeting, if we want to start with the APAC-friendly time, unless anyone opposes, I think we could probably get it set up by then.

A: All right, don't hear anything, sounds good. So we'll go ahead, and Mary and I will work with Jory and the crew to get the times on the calendar. Just again, pay attention: we'll send an announcement on the mailing list, but also pay attention to the OpenSSF calendar. It should be reflected there. Great, let's move on and see what we have here. The potential GitHub demo for Randall, is that, yeah?

D: I threw that on there. I thought I'd give a little bit of context for some of the new folks and maybe a bit of a heads up for Randall, but we're talking about having a good process for capturing and curating a set of open source projects that we think are critical. We're calling it a set for the time being because there is no kind of prioritization or ordering of that. It's just, you know. We did an iteration of this already, which I think went really well, and we came up with a candidate list of 100 projects, and now we're just basically trying to formalize that a little bit more and maybe doing it in a way that is, one, inclusive and, two, you know, really considers the wide range of expertise both in the OpenSSF community and in the wider community, as well as all the research that comes out in the space. So we had talked about maybe doing at least the nomination, kind of curation, capturing part on GitHub, so that it's kind of like a public link that folks can access and kind of view and track changes to what we come up with. And Randall took the baton on potentially looking into seeing how that would work and maybe even creating a demo. So Randall, did you happen to make any progress on that?

E: Actually I did, and I will show you what I have. I didn't get to make as much progress as I wanted, but I did package the criticality score, so now we can use it in PRs. So I'm still working on that, but I can demo that to you. That way, if you guys want to run, you can run basically anything with the container; you just give it a URL and it'll give you the criticality score. So I have that, and then Fuzzy and I did work on putting together kind of the preliminary markdown, but then we kind of ran into some questions because the markdown will get messy really, really fast. Let me get my screens. Sorry, I have a lot of DEF CON stuff going on. No. Yeah, it's all good, it's all good.

D: While you're loading that up, did you see that screenshot that I sent you? Did that help at all, kind of give you...

E: All well anyway, so let me share my screen, if I can. Okay. So then we started thinking about if we just start checking things in in YAML, and then, since each entry would be a YAML entry, you could just put that in the PR and then we'd run the criticality score, which doesn't work, but yeah, I can send you guys the repo of where it's going to be. It doesn't work right now, but it'll work eventually. Resume, I don't know.

A: Yeah, so the idea here is that we can make a PR with a package or project, and the action or the automation will fill in scores like criticality score. Has anybody, not just you Randall, has anybody known? Is there a way to pull like the download counts for, you know, packages from known packages?

E: There is, depending on the package source, but most of them do have the ability to get package counts, and that is something that we are working on packaging. Basically, in order for us to run it in GitHub Actions, we have to package it in a Docker container. Mm-hmm. I would say maybe the first step that everyone on this call could help us out with: if they know anything they want to add, like we can add download counts. We have to package it, but it is possible. Anything that would need to be in the pipeline.

C: My questions were more like what kind of scope of information are we looking to really acquire when it comes to attorneys and surveys and reviews, and what are we asking from people when it comes to the PRs? I was discussing with Randall if there was some way that we could actually capture the payment format for like the markdown field. I'm more proposing the line of: if we have the metadata tied within the YAML within the front matter of the markdown, that way we could then parse that and put that into a UI and then have that sitting there as a site for people to actually go on and check out, and obviously the markdown would be, you know, we can then take that and put that to GitHub, and it will be able to preview that as well through GitHub as well.

E: Fuzzy and I actually work right here in Astro, so that's kind of why we put this in here as a joke, because friends are like leader, so anyway. But it wouldn't be that hard for us to pull down a markdown file and parse it in Astro, make a site out of it and, like Fuzzy said, actually have a much better user experience than just a GitHub preview. We could go to something like this as opposed to having a file like this that basically can be broken if you just miss, like if we were to add another project, if you just miss one of these separators, the markdown file will break. So we can avoid all that by just using this, or like YAML files. But then the markdown preview support kind of gets a little spotty.

D: So you actually brought up a good point in that we were considering, at least for starters, again if this can be augmented or automated into like a web page, like you said, a basic Google form to kind of capture some of this basic information from folks, and if we standardize that, you know, we decide what is the most important information to capture, and the more consistent the better, then it'll be more readable, more usable. So I'm totally in agreement with you on this.

E: We can make, I think, all of these like form elements inside of GitHub, so when you actually make it you have to fill it out. However. Because, like what I'm saying is that this table will work on GitHub, because what I'm doing here is I'm rendering on GitHub's engine, so that is exactly what the document preview will show. But if we start putting in YAML files and whatnot, it's not going to work, because you need something to basically concatenate all those things together.

D: But then, like you said, I mean if that comes at the cost of maintainability or automatability... I see some other folks have their hands raised. I'd love to get their thoughts. Looks like we have Jacques and Jeff.

F: Yeah, I first heard about it from Google, who said he got it from a Microsoft person, so it's around, googling now. Yeah, and the gist of it is, you know, I have in mind for getting to a later project called Sia, which would require essentially a database like this as part of it, or at least a table or two expressing, you know, what a project is, what are its features. So I'm more in favor of the YAML approach, because that's going to be easy to convert when the day comes. So that's my two cents.

A: Yeah, so my idea is that we're going to want to check in lots of packages for review or for evaluation, so essentially if we put in YAML for a bunch of potential packages, I think it's fine to not just see that in a preview but actually commit that to a different directory that says like "for evaluation". Then, if all the automation runs and gets all the numbers and puts it all there as well, we can then see the current state of the repo in the evaluation directory and then evaluate this pack, just decide if we want to move them. So preview is less important, is what I'm saying. I think we might want a workflow where we write everything in YAML, check it all in, then view it after the code is run.

E: Yes, but this is where those other tools... because I did have a few conversations outside of this with some people from criticality score, and that's not on the roadmap, I don't think, like immediately at least, the way I was made to understand it. So I was given some alternatives that do already work, like I know SAP has one, but it's in Java, and you know, so. But I think it would just be a matter of... criticality score as a whole is mainly aimed towards GitHub, like it requires a GitHub.

A: It's a good question. I just worry about maybe expanding our scope too much, where this is, I think, you know, if I'm... I should go back to exactly what we wrote down, but this was meant to be kind of just like an engine for capturing some of this information, and really it's up to the person who's...

D: ...viewing this information, for example, like what we're looking at on the screen, to make informed decisions. So I want to kind of walk that fine line of, you know, obviously doing due diligence, showing that, you know, we are going through a very critical process to show you this set, but also, at the same time, not doing too much in that, you know, where we're furnishing an opinion for people, is what I'm saying. Does that make sense? Oh.

D: Yeah, I'm gonna defer back to, yeah, so here you go, in this document that is linked in our notes, and I think, as long as you have access to the Google group, you can access it. But I think what's important is when we wrote that... where is it, shoot, I just lost it... reasoning for set. So we just say, you know, to provide a best-effort analysis of quantitative and qualitative research in the open source ecosystem and generate a curated living set of projects deemed critical to organizations and individuals. We say set and not list because we're not currently trying to order the entries inside the set. So I defer back to that, and I just want to make sure we are all in agreement that, you know, that is kind of what the, I guess, the objective of what we're trying to do is, and if that needs to be fine-tuned, I'm certainly open to it. But I think that kind of mantra will guide what we do, so it would be important to, you know, make sure we're in agreement on that and that it reflects what we're trying to do. So do we have any thoughts on that? Fuzzy, I see your hand is up, so I'd love your thoughts as well. Oh.

C: Sorry, I was going to speak to a narrower point than that, but this is... I really don't have much insight to this. I would rather, yeah, I think if you're looking... Say it's quite nice: it plays into the whole place. Well, it's quite a... It works with oinger Franco of the like the computer terminology, you know, and it speaks, yeah, I like it, and I like the concept of the project as well. I feel that is really good in terms of like that for the JavaScript ecosystem, it will be something that a lot of projects, especially there and solo maintainers, can leverage, and it gives them additional tools to help secure and, you know, standardize their projects, which is something that they've been wanting for a while. So yeah, I really do like this project.

B: Yeah, just a simple one. I also mentioned this in the chat, but if one of the problems with markdown is, for example, breaking tables, there are markdown linters that you can use, and I've actually used some of them in GitHub CI. So if you do break the markdown, or if you put something that's in the wrong format, it's going to tell you. So it's really easy to fix it back, and you can actually run it in a pre-commit thing, so you can actually know if you have broken the documentation before you actually do the push. And yeah, if things are going to move to YAML, it's also a nice format to have. But let's remember that markdown is very easy to parse, not only by Google's reader or preview, whatever, but you can also use some other tools like Google uses. There's another very cool one in Python, but I just forgot the name, but yeah. You can also just grab the markdown files and just copy them and build a real, quote-unquote, website by using this type of tools like Google and other type of engines.

E: Agree with what Alvaro said as well, that...

C: Actually brought up was the one thing I was wanting to mention. I know Jax has had their hand up for a while, sorry to interrupt, guys. Thank you very much, and I was just wanting to say that when it came to, when me and Andrew were discussing, you know, the tables, markdown, what kind of different approaches and what flavors would be best applicable, having a markdown file and the YAML on the front matter, having the two co-located together, it does give you the added scope that we can then add more rich information, in terms of this comments becomes an actual markdown page. That is a scope for the comments. We can add more resources, we could add more links, images. You know, we can provide more edge information for the end user than just a small little snippet that would fit nicely into that table. A table, really speaking, is like, after effect, there are so little entries it just becomes an unburdenable nightmare to deal with, and especially with markdown you can't really order, etc., whereas this way you can structure the fields of projects, you know, the folder structure there, etc., and you can have a lot more project structure, and it allows for maintainability as well and version control. There's so much more benefits, actually, when it comes down to that co-location between the YAML and markdown, than nothing.

F: I will add to the pile-on. My concern is that it's relatively easy to accidentally leave a column out or get a column mixed up. You know, you leave a column blank, but you left the wrong one blank, and now the information is in the wrong field, which doesn't really matter at a sort of a human level. Reading the table you'll realize that it's off by one, but it will come to bite us on the backside when we import that data into a database; it actually does break it. Right, it can be syntactically correct, but you could have put things into the wrong column, so to speak, and that's my sort of concern, which YAML is more likely to make visible, at least if you require all of those fields to be present, even if they explicitly say that they're empty.

E: Right on. So what I could do with Fuzzy next time is I can put together a demo with the YAML, and that way you guys can see it side by side, because this is the markdown example, and then I could put together for next time a YAML example, and I'll have a little bit more time to update the criticality score container and maybe demo that as well.

D: Awesome, awesome, and I think that's really applicable to what I thought we could talk about next, which Fuzzy mentioned and we've all talked about. Matt made a good point in the last meeting about kind of having a singular pipeline. So I did make a very, very simple ingestion engine form, it's just a Google form, but I thought, if the work group is open to it, we could discuss as a group and maybe try and capture what we would say is the most important basic information that we would want to capture. I mean, we do kind of have an idea here, but I figure we could discuss if there are things that would make this work better. So I did my best to make it public, but I have a feeling... yeah. No, it didn't work. Okay. I think this might work, so let me send this out to everybody, and if it doesn't, I can always screen share. But as of now, it's just asking three main questions, and I'm sure we'll have more, so again, open to discussion here. Yeah, who would have thunk. Let me see if I can share my screen. Okay. Okay, can everyone see this now? Awesome. So yeah, so again, the idea is that it's a very easy form that we can share and folks can nominate projects. I put a little intro here that was largely borrowed from other sources, and I kept it relatively simple, and I kept a pretty basic definition of what critical means without getting into it too granularly, and then, yeah, it's basically three questions for the time being, and I know we can definitely include a couple more. Maybe a couple, I don't know. I would say, what's a good amount of questions, five to six? If there's too many it'll be burdensome and people won't do it. So what is the group's thoughts on this? And keep in mind, you know, for a template, if we were to make this into a template, or if this could be, like you said, kind of converted into different data forms, like into YAML and things like that, please keep that in mind too. I'm a little naive in that area, so any feedback or input is more than welcome. So right now it's just three pretty basic questions. So one thing I had considered was maybe something like: how would you categorize it? Like I go back to this, from Julia's presentation and from Roads and Bridges. If we wanted to, maybe ask, you know, would you consider it one of these, you know, five subcategories?

D: Okay, and I think that could make it easier too, because I really liked your table, Randall, that you screen shared. Like if someone wanted to see, let's say, JavaScript ecosystem, or see all the projects on the list that are in TypeScript, you know, in the TypeScript language, or, you know, this could be a good way to chop it up and, you know, let people analyze it to their own, how they look, how they...

A: That's true, but first, are we, I mean, is trying to make this frictionless a really high goal for us? Do we have a worry that people aren't going to contribute? And secondly, if we have more questions that are optional, does that add friction? So if we wanted to have like a drop-down list of package types, which would enable our automation to do things like look up the API, the package manager stuff, I wanted to have a link to the package manager, as well as a package manager site, as well as the repo. If we wanted to have your question, yeah, about how do you categorize it, I think these are all good. Like, should we have a question for every column that we're going to have and mark them optional, just so that people that want to can fill that in, people don't have to? I don't know the answer, but yeah, but I'll erase that.

B: All right, this is one hour. So on that note, so for example, the second question: do you expect people to write like sentences? If not, then like what Jeff was mentioning, like having options like a drop-down list would make it easier for people. So across the board, like favor drop-down lists where you don't want people to write arbitrary stuff that will also make things harder to parse and then like binify later.

C: Sorry, I just had two questions, really. It was something that was mentioned to Randall. It's like what is the general scope of the information that you're looking to acquire for this and to display, because yours right now is pretty like, wasn't veggie, you know, it's like score, license, comments, kind of stuff. You know, it's like I feel like we want to actually provide information. You know, let's try and make it as rich as possible. I do like, I do second the idea of it being, you know, standardized questions and answers, and the less user response that they put in the better. I mean we could even automate in the back end, you know, to go gather, in fact find photos and then gather that information for us and be able to display that, you know, through the UI kind of thing, and that's possible. But the other one was basically, yeah, like what is this?

D: Yeah, it's a good question. My initial gut answer is that we just want to capture basic information, because again it's just a set of nominations and it's really kind of up to the interpreter, I think, to do a lot of the, I guess, analysis or insight. But I do agree that we want to make it a rich experience, and we want to make it in a way where folks feel like they're contributing to something and providing, you know, the right information. And so, yeah.

F: I wanted to give some color that I think Fuzzy might have missed; I'm not sure about Randall. A while back I proposed a very ambitious scheme of, you know, ranking projects according to risk. There's a YouTube talk I'll dig up in a second, and the main problem with that, of course, is it's going to take a while to get that underway, right? It requires building a piece of software and test, you know, doing a pilot study with a couple of people to do estimates and so on and so forth. Then we need to work out what projects go into the front of it, and the gist of which is, ain't nobody got time for that, and we do need a list in the meantime. And so it's partly like a dumbbell-shaped situation where we have one end where we want it to be quick and fast and dirty and just get like... So that's kind of like the spread of the portfolio that I think that we're aiming for, and hopefully that gives more context as to why there's sort of like a reluctance to introduce too much to this part of the effort and trying to keep it as simple as possible.

E: No, the one that you, sir, I think you circulated a while back on the package ranking. Oh yes, yes, yeah.

D: Yeah, and going back to the question of scope, I always go back to, you know, what is our reasoning, and I just, I don't know, I think it makes sense to lean on that, because it's documented and we can update it if needed. But yeah, and I think that's why, you know, we just wanna... We wanna just help shine the light, basically, right? We don't want to necessarily do all of the analysis for the person; we just want to kind of help them with, you know, what to focus on, I would say. So what... That's getting, that's flirting with the metrics effort, so they are working on, like, metrics.openssf.org is what it currently is at. But what you're describing is starting to look like that, where it's really more of like, I'm going to look up information about a project, and that's kind of what the metrics.openssf.org, and what that is developing into, is supposed to be more of, like something that provides insight. All.

A: Jeff, yes, like I think the, you know, judging the existing security posture is in the frequency category, and we were trying to separate that from the criticality. So if we were, like, you know, even the question about the team versus foundation, like that's good, I think that's good to capture, but I don't know if, you know, we're using that in our judgment of what's critical or not. No, it's probably good to capture, like again, like, yeah: do they have a CII best practices badge? Where does their scorecard score? That kind of stuff. But I think when we go, like if we're building this system that's going to just look up a bunch of things that can be looked up and throw it into a table, sure, let's look up more stuff that's easy to automate, but yeah, we need to be careful when we actually do the criticality judgments to separate those.

D: I mean it's kind of open, but I'm curious if anyone was thinking otherwise.

D: Okay, but yeah, so I'm hoping this ingestion engine can be at least used to help guide maybe what our template might look like and how we might structure some of this information that we capture, so any feedback on that is very welcome. I'm gonna... Yeah, so the stuff in that screenshot, what you saw was, yeah, the OSTIF managed audit program, and the idea behind that was: yes, us, as you know, an organization that advocates for security and audits open source projects, and, you know, has some insight into that field, we wanted to also serve as like a data source too, so we created our own. Originally, it was a list of 25 projects that we said, you know, these are projects we can audit today, we think they're, you know, important, you know, based on a number of different factors, and we basically created another data point that could be used, you know, I think, for, you know, as a selection criteria or judging these projects, because, you know, we like to think of ourselves... Obviously, you know, we're all about... our biggest focus is on transparency and publishing our work, which is why it's all available on our website, but I like the idea of us serving as like another source of insight for projects to audit. So we have a couple short lists that we would like to, you know, contribute as a data point for, you know, helping select projects. Yeah. You do bring up a good point, because, like in our first iteration, which is this Google sheet, we do have a specific tab called selection criteria where we explain what the selection criteria mean and have like links to learn more. I do think at least some further information will be important, you know, for folks to do their own homework, but yeah, as long as I...

D: Okay, I'll share it with the whole... I thought it was already, but I'll share it with the whole Google group, but yeah. The selection criteria is where we tried to explain, you know, why a selection criteria is what it is, and...

D: Absolutely yes! Yes, absolutely. There is also a tab in there called summary, which, yeah, we tried to summarize all the information, and so yeah, in terms of a site, yeah, we should definitely talk about it. Going back to what Jacques was saying, you know, and I'm sorry to always be the annoying one about this, but I'd really love to have like an MVP or something that we could maybe show to the TAC in a couple weeks when I give them an update of what we're doing, for example. So I always try and politely suggest that, you know, we also try and think about deliverables and things that we can actually show to demonstrate the great work we've been doing.

E: I think by next week Fuzzy and I can grok that together for you guys with the YAML.

A: I was gonna just, you know, suggest organizationally, like, you know, we only meet every two weeks, but we can meet like, if we want to have people that are working on the technical site or the repo automation to meet, you know, have a sub-meeting, that's totally cool. Like we've got Slack, I mean we could do it ad hoc, we've got Slack, you could be like, hey, I have something that I worked on, I want to bounce it off some people. Is anybody around to meet? Or we could get more formal, which, you know, maybe we could do. You know, see how it goes, but right now on the working group, you know, like the selection of critical projects is an official, I guess, SIG or something, but as far as the technical side of it, that could be another project, so it's not just us saying: hey Randall, Fuzzy, go work on this and come back.

D: Yeah, yeah, I think in general we could try and keep it asynchronous on Slack and then, if we wanted to, yeah, like you said, we could always set up an ad hoc meeting or stay, you know, 30 minutes after our regularly scheduled meeting to work on something, if that works for everyone else.

E: Yep, yeah, I'm always on Slack, guys, too, if you ever want to get in touch with me or like see what's up. But I'm pretty sure we'll get that to you guys by the next meeting, and then from there we can figure out... I think once we get the demo or the MVP together for our next meeting, I think then we can start cooking with gas.

D: And just a heads up, so I am gonna drop a line to Jory to maybe do our next meeting for the new time zone, which will be alternating. Just to confirm, is that right, Jeff? So we were just going to alternate; every other meeting would be the APAC-friendly time. Okay, cool, so we'll likely start with the next call. What... the last couple meetings I just wanted to quickly share with everybody the impact report that we just released. This is OSTIF's impact report that we did in partnership with CNCF. So basically CNCF comes to us when they want a project audited to get to graduation status, and we handle it as we do, start to finish, and so we aggregated some of the results over the last, basically end of last year up until July, so I invite everyone to take a look. If you have any questions on it, please let me know. It's the first impact report we've done, but I'm hoping it demonstrates, you know, the kind of work that we're capable of producing, and yeah, as always, feedback is welcome on that. So, yes, thank you so much. Any... would anyone like to take us home?

G: Yeah, this is OJ. I'm so sorry, I'm just simply jumping on it anyways, my hand. So you mentioned in a couple of weeks you'd be talking to the TAC, giving a report of some sort. Any thoughts to, you know, and this too, getting the charter squared away prior to that? No, no, so I'll tell you, just this is coming from some inside conversations as they go through their processes of getting things together. Governance-wise, there's about to become a great importance on making sure the charter and scope are squared away for all of the working groups. So, you know, I wanna make... This is a great working group, an American and Jeff. You guys are doing some outstanding work and I get a chance to see all that stuff. Just want to make sure that when you go up to report to the TAC, everything is dressed right dress, so there are no hiccups in case funding is needed, etc.

D: Yeah, no, it's a great point, Jay, and I do really appreciate you bringing that up. I always see it as something like, I know we need to do. So I do think you're right that we should try and knock that out.

G: I'll make it a to-do for me, and what I'll do is, you know, I'll put something together, send it out to the both of you to dot the i's and cross the t's, or upload, as you see fit. I don't mind doing that at all. Okay, it's just to help out and push us in the right direction.

A: Yeah, I recall, is that essentially like we have our working group's mission, it's kind of written there on the README, we kind of have the idea of like the roles, you know, we've been working on like the different projects and who's leading that, who's working on that. So whenever we...

A: Like the right template or something to shove that information into, we can do that. So yeah, if you know of any insider stuff from the TAC that's coming down, that would be super helpful. We can get our mission and stuff plugged into that and adopted.

G: Cool, cool. Y'all have a... I have a charter template to both of you, and now what I'll do is I'll get something together, and I guess we'll do it over Slack, right? I'll get something together and send it out to the both of you and then just upload it. We can work on it all together, right, make it, you know, we're gonna make it open and all that, and then vote.

G: I guess you have to vote on it, right, vote on it, adopted and all that, but that's a quick fix, right. You can do that over Slack or over email, I imagine.