A
Just backtracking and catching up on the discussion from last time.
Hi Randall and Nathan. We can give everyone about two more minutes before getting started, but happy New Year.
We can go ahead and get started; we're at five minutes past the hour. Yes, it does. We are in fact recording today's session. Today is the 12th of January 2023, so happy New Year to everyone, and hope 2023 is a great year for everyone here and for OpenSSF and open source security as a whole.
To give a quick recap: at our last meeting of 2022, on the 15th, we had discussed the importance of really putting together a timeline and a timetable for putting out a set of critical projects that we can showcase, that we can put out and iterate from, largely how that's going to, how, based on what we discussed for the time being, because we are shooting for March, the exact date being, yes, March 23rd of this year, to basically have a cut of a set of projects. So the way that we had discussed was to kind of break it down.
We broke down the next one, two, three, four, five, six working group sessions, and the objective is to really take this time, these working group sessions, while we're all together, to focus on that and get that cut out. So for today we have, the main topic is to go over the plan, as well as an update, and begin updating our list, or, I'm sorry, our set. For the 26th, we're looking at doing, yes, more, a very dedicated session to just updating that first cut that we came up with.
We put a break for 2/9, for February 9th, and then the 23rd of February would be for voting and discussion, as well as the 3/9, the March 9th meeting, for voting and discussion. And then, hopefully, by the end of the March 23rd working group meeting, we can basically finalize the version and set.
So, and then, yeah, I would highly recommend looking over some of the notes from the last meeting, because we kind of talked about how to break that down and go through that, but largely it would consist of going through our first cut, you know, determining what should stay, what should go, what to add, and then collaborate on a set of proposed deltas, so any of the new projects that we come up with, and then launch since download. Now I'm just looking over these notes here. Okay, yeah, and so largely that's how that's going to look. I figured the first thing that we can dive into would be really seeing how we can. Oh sorry, I believe I heard something. Oh yeah, go ahead.
C
I just wanted to add, because I did do some research: it appears in OpenSSF there's a need for an actual unranked list, but there's a heavy opinion that if we can rank things, there are some people that would appreciate a ranked list. I don't know how you want to go about that, but I was talking to Brian about some other stuff, and SKF mostly, and it did come up, and I was just relaying that. I know that we said that we're going to be a set, but I think some people are, some projects are depending or are expecting us to have something that is actually, curated is the key word.
A
I feel you on that. I think where that gets tricky is everyone is going to want to prioritize it based on their own criteria, correct? So I think just getting this, I mean, everything on this set is going to be prioritized in a way, so, and I think as long as we get that out, I think, I mean, I think prioritizing it, cutting it different ways is definitely a great next step, but I think really for the sake of what we're looking to get out, and really all of them would be priority. I mean, that's really the point of the exercise, right? We're saying, out of all these projects in the world, this is a set of ones that we think are important. So.
C
If I can update real quick: I have a list also of what we're pulling in the GitHub thing. So I pulled everything minus criticality score. If you go to the criticality score page, he has a sample on there of what you can pull now, like number of contributors, date of last commit. I mean, he has a lot of stuff, not a lot of stuff but a fair amount, so basically I'm just taking all of that and posting it into a comment, and I kind of explained that. But I think, as I said, I kind of specifically said that we're not going to be ranking them per, like, order of importance or order of criticality score or any order whatsoever.
B
Yeah, when we did the last list we had discussed, you know, doing subsets or buckets of, right, to group them in. We probably would never do like an exact ranked order of 100 packages, because that's just too tedious, but yeah, I mean, breaking the list down into subsets is something that we discussed, that we could do as a next step. But I think, since it's been a while since we have the list, I think it's important, I think it's more important to proceed forward with getting the updated list, and then we can think about doing the buckets afterwards. I agree with that.
A
Yes, absolutely. So yeah, thankfully we have a rough, and a plan in place. So hopefully, you know, we'll make good use of this time that we have in our working group sessions to put something together. So, looking at the notes, one thing I'm curious about is essentially how we're gonna track, like, version control of this process. I know that our GitHub repository could be a good, at least a place for it to house this, and I know GitHub is pretty good with kind of tracking version control of stuff, but I thought I would kind of open up to discussion if we had any thoughts or insight as to, you know, how we're going to go from, you know, version one to version 1.1 in a way where we can kind of track.
B
Tab is nice because it's right there, but copying it means we could have, like, different links. You know, there'd be different artifacts, right? We could have a link to one and a link to the other from our GitHub repo. As we come out with new versions, we'd have new links to new docs, yeah.
A
My immediate thought is, I'm definitely with you on using the Google Sheet. My immediate thought is to maybe create a new one, because each sheet, it looks like, is probably going to have a number of tabs to kind of help us get to that set. So maybe, if we just call this original one, you know, version 1.0, and then we create a new one called, you know, version 1.1. Yep.
C
If I may, couldn't we just tag it on GitHub every time we add something? So we can start with like 2.0.0, and the first addition would basically get merged and that would be 2.0.1. The second addition would be 2.0.2, and successively. I don't know how he would semver it, like, I don't know what a minor change would be versus a breaking change, but, just an idea.
B
They were talking about, so, I think you should take a step back. We're talking about, we need to update our V1 sheet, yeah, what we have, so this is not.
A
That sounds good. Okay, so then to get started, let me do this.
A
That's wonderful. I'm just going to update some notes here. So v1.1 is going to be foreign. Let's link to that, and I made this just public, so ideally we won't have issues with accessing this document. Okay, okay, good. And then, so, we're gonna go through the set, collaborate on a set of proposed delta swap group.
So, let's try that. So I'm going to go back to naming this, and this way everyone already has access to this anyway, which is good. So this is the version of employment. And then we're going to add in here the version. Okay, so, and I think, maybe just because it might make more sense, I'm going to share my screen, so you all can look at it and have a common reference point. Obviously, any thoughts or feedback as this is happening, feel free to jump in. So okay, yes, so this was version 1.0, the first version that we did, and then created a new tab here called version 1.1. So I think part of the objective is to kind of clean this up. So let's see.
I mean, immediately, one thing that comes to mind is, I wonder, well, maybe it would be helpful if, like, I'm trying to see what information we can take out of this. So I think maybe tracking the language is important, because, I mean, maybe that's a way we could identify, like, common themes and things of that nature. I wonder if license is a super important data point. Does anyone have thoughts on that? Here's.
B
The current list, and then we need a list of proposals, right? And I see we've got some already in candidate projects. I see we have some already in community OpenSSF member editions and some already in survey responses. So we need to put all those onto a new tab for proposals, okay, and then dedupe that, and then add stuff, like, Randall, we could add the languages, whichever ones you want. And then, I think that's what we need to get done in these next two, three meetings, is: let's get that list of candidates cleaned up and deduped so that we can have people commenting either on candidates, you know, why they should or shouldn't be there, or on lines on the existing list, like why they should maybe be removed.
A
Okay, yeah. That makes a lot of sense. Back to.
B
The license question: I think one thing that we were doing is, we were taking out anything that was not OSI-approved open source license, so it could be a binary, like, is this an OSI-approved license? You know, because some things were put on the list that were not, and we had to just kick it out for that reason.
A
Yeah, that's a good point, because, yes, it goes without saying, but, I mean, all of these are obviously open source projects that we're focusing on. That probably goes without saying, it's in the title, but yeah, license then. So yeah, maybe it makes sense then to, or do we just put, like, an approved list of licenses and a, you know, non-approved list of licenses?
C
Both of the people that are asking me are asking it more like, I guess, from an ingestion standpoint. Like, so, I don't know, yeah, I would say that then license wouldn't be necessary, because that's something you can get from a lot of tools. A lot of tools will tell you what license it is, or you go on GitHub and find out what license it is.
A
Okay, and then let me just add something real quick right here: understand prerequisites for all projects. Did I word that correctly? What would you say, Jeff? OSI-approved open source license. Okay, excellent! So then, yes, for the sake of this, and this probably isn't going to, let me do it because it's emerged. So, oh, it does, awesome. Okay! So for the, oh yeah, for some simplicity for v1.1, we got rid of the license column, and then I think this TBD tier is really the thing that we're looking for, which is, you know, basically approved from the 1.0. Is that right, Jeff?
B
I don't know that we needed, I don't know that we need to start from scratch and, like, reapprove every single one. I think when we send this out for comments, we're gonna want people to say, like, probably, if it's on the list, we want people to say reasons to take it off. You know, we should go through those.
A
Okay, okay, so I wonder then, if.
C
I would actually say, if it's a, this list is about to be critical, I don't know if languages is that important, because in all honesty, like, all of it will be important regardless of the language, and a lot of projects also use a lot of different languages too. So very few are like one straight language. That is true, fair amount, but yeah, but I would say that that's not really needed, because I think that just distracts us from, like, these are the projects. I think, like, link is really needed.
B
So selection criteria captures, when we did the initial list, like, what are the primary reasons why we decided to include it, so.
A
Yeah, I mean, the whole point of it is so that we can show that, you know, we're not just pulling this out of our hats. You know, we're at least referring to some kind of point of data that, you know, is justifying or providing the reasoning for why you're seeing what you're seeing, right? So yeah, we could always wordsmith, but I think maybe selection reasoning or justification, it is pretty straightforward, but yeah, we can always wordsmith that, but.
Good with that, okay. And then I'm thinking, then, I mean, if we had like one column that basically just said, like, I'll just do it and see what you guys think, something along the lines of, like, support or rejection, maybe just call it support, rejection and cut, because, so that, like, let's say, you know, in the weeks we're going through this, or no, because I think this is something we're going to do as a group. So would this be something like, or I guess, like, I'm just trying to kind of simulate what this would look like in my head and thinking out loud. Does anyone have any kind of thoughts based on what we've talked about so far?
B
Yeah, I mean, we're gonna need a column where, like, people can comment for the, you know, for the, yeah, argument in favor or against.
B
I think we want people to use the comment feature, not actually just type in here randomly. Okay, the existing comment thoughts are good. We might want to label those as an artifact, like v1.1, so that when people come to comment, they see, like, what the previous reasoning was, and then they can, you know, know that that was a, a relic, yeah, and then they can add their comments. But I do think we don't need people to go and add support comments to every single line.
D
I mean, this is sort of missing the whole arc here of what you're trying to do and where this is going to fit into the Open Source Security Foundation pipeline. I mean, this is a matter of hopefully figuring out critical projects that then can be invested in, and it's not about trying to, like, micromanage, you know, oh, we get to vote on this and what exactly is, I mean, it's just getting really off track.
A
I mean, I definitely don't disagree. I mean, it's tough when, you know, this isn't like a single, like, if it was like, just develop, let's say, a critical set of projects for the OpenSSF member companies, for example, like, that would be much easier. But I think in trying to be accommodative and, I mean, you know, inclusive, I think we are getting a little bit bogged down. So, I mean, any thoughts you have on how to do this in an effective but still quick, but you.
D
So we just need to sort of, you know, throw a dart at the board and just start going, because, I mean, I think part of the problem is that, you know, a lot of these working groups were created, and I switch, ad hoc, but I mean, when the OpenSSF itself was still sort of finding its legs, and there are a lot that existed sort of independently of that and then were brought under the auspices of the OpenSSF TAC. Doesn't really have an overall strategy yet, an overall view, and so there's Alpha-Omega, all these projects that are sort of related, but there's no real pipeline or workflow.
And I think that's part of the problem, is that, as I said, we're going to produce. This is not clearly, okay, we can create this list and, okay, maybe it can be a check mark or, you know, a blog post from the OpenSSF, because, like, then what? And it's like, okay, you can, what does it mean to consume this? I mean, like, if we give this to people, but there's no real sense of, okay, what are they, and that's why we're getting this, well, should it be ordered? Should it not be ordered? Who, why it was, or, that's why there's sort of no clear message or no clear understanding of where this is going to be consumed, other than, okay, we create, you know, you need a list, come on, get us a list fast. I mean, like, that's, just give me some list. I mean, that's the problem.
And so, if that's the problem, and we don't have any sign from the TAC, I say just stop micromanaging this and just create a list, and then we can iterate it after that. But, like, you know, just give them a list, and then, this is what's wrong with, like, okay, well, this is why we did it this way. Then we can move forward and figure out how to refine the list and not try to get into all this, so, you know, officiating, you know, we voted on this, and it's like, give them some list, and then, you know, they can say it's right, it's wrong, it doesn't serve our purpose. Fine! Sorry! Well, you know, that's what we do the V2. But just, like, that's my suggestion, just, you know, we don't have any true guidance. So we'll just do something and not try to get too fixated on perfecting this, because it's not going to be perfect.
A
Okay, that's reasonable. So yeah, I mean, okay. So with that in mind, we've got about 104, 100, or about 100 right here from version 1.0, 100 open source projects. Okay, get all candidates.
A
Yes, as well as, I think people can comment if they want to add other things as well, you know, something we might have missed or not considered.
B
Yeah, I don't know if we should do that, because we've already got a good list of comments, a good list of proposals from the last time we released the list, and I think it's more important, I think it's better to just say, like, these are all the projects we're considering. Please, like, you know, comment and support if you think it should be added, yeah, because it's just going to be never ending, right? And we have another, like, another iteration where we're going to get more, where we're going to have suggestions, like, our V2 is going to have suggestions, so, or.
C
Another thought, Jeff, is that we could just refine it later on, like, sorry, like what we were just talking about, just making a list right now, we can.
B
I mean, there can be a v1.2, right? So anybody that, like, is doing this and says, you missed this, throw down into some side list, and then maybe we'll consider them next cycle. But we've got, there's, what, like 23 on the candidate projects tab, on the community OpenSSF member editions tab, there's 70 on the survey response tab, there's, you know, there's like probably like 30 here, so we've got plenty to consider, you know, and discuss.
B
It's probably been submitted in five different ways, right? So yeah, that's what we need to do this meeting and next meeting, is get these onto, I'll put all those onto a single sheet, dedupe it, maybe take out the ones that, yeah, if we can look, do a quick pass, and things that need to be switched out or removed. The.
D
Other thing is: maybe we should actually include Docker, not to sleep, but include documents, say this is not open source but is critical. I mean, like, just, you know, put it for, everybody's like, why is it on the list? It should have been, like, yeah, we saw it, we understood. This is wise nails, like, put in the cup. I'm not saying list every single proprietary, and, you know, Oracle and everything, but, like, for the things that people are mentioning, you know, an appendix or something on there, and just say, you know.
A
Is a great point, actually. I like that a lot. Let me get that in our notes here.
A
Okay, so then I think what we can do, then, for the remaining time that we have is, as we are continuing to have these discussions and ideas and kind of keep track of them, I'll have this candidates tab done by the end of our meeting, so that by the next one we can spend basically doing the updating and requests for comments.
Yeah, absolutely, please, any thoughts that you have on that, would absolutely love that. I like the comments idea, because you can hear, those are tracked, I believe, within the Google Sheet. So we can go back and see, you know, if we wanted to backtrack to, you know, what was the supporting comments for this or that, I think we could access those pretty easily. Yeah, yeah, anything to make it more descriptive, more accurate, absolutely, yeah. That was one of the suggestions, but.
C
Nine package managers, there's nine packaging teams. Therefore, there's nine parent distros, which is like Arch, Gentoo, Debian. Ubuntu is not one of them, because Ubuntu actually takes everything from Debian. So RPMs, which is Red Hat, and there's a few more, I forget all of them, but yeah, there's nine in total. I know there's nine.
C
We were actually just talking about this earlier today, about how, in the securing software repos group, we're going to come up with a list and maybe a better terminology, because there's three different types of packagings that exist right now.
B
As David said, we should keep them somewhere else. Okay.
C
Can I just say this? I think that this is one of the obvious problems, that, like, when you have things like Waterfox on the list, but then you don't have Firefox, or you don't have, like, SpiderMonkey or the other millions of things that Firefox or Mozilla actually takes care of, I think that's where, like, one of the problems pops up. I almost think that we should start with, like, the core, because, I mean, if you're gonna start going with that ideology, there are a lot more important projects to talk about, just from, like, a hierarchy point of view. Like, if you don't have HTTP, you really can't have a browser, right? So I would say that maybe, like, just thinking about it from that way, because, I mean, you can go down the rabbit hole really easily, and yeah, you know what I'm saying, but.
B
Yeah, I agree, but, you know, I think the other question is, like, you know, what makes a browser critical? Is it that the HTTP works well, or is it that, you know, the JavaScript, the end, very good point, compromised easily? You know, no.
C
Know, you know, but you see my point, but that still goes to what I'm saying, because then you also have JavaScript, and then there's a lot of things there that you could consider critical, you know, and a lot of things that people don't know about. Like, I would say everyone knows about Firefox. They don't know what runs Firefox, you know, like the different engines they run behind it, you know, like SpiderMonkey and duct tape. Would it be smart, though, Jeff, I wondered, to maybe start with core, so that way we don't end up with, like, let me give you an example. GNOME would not be core because it's known, like, there's a lot of things before GNOME, in my opinion, before you even get to GTK as a toolkit for interfaces. Would it be made better to think about core projects before we start going down the rabbit holes of what's happened with these projects? Like, here's one, like, Docker would be nothing without CA. True.
B
Yeah, I don't know, I don't think it's our job to break down the suggestions, you know, and say, like, oh, you suggested Firefox, but you really mean this other thing that.
C
Like, that way, I mean, that, just in the way of, because, I mean, eventually you're gonna go down these rabbit holes, right? And it's going to be really hard to justify, like, something like Waterfox if you don't have Firefox, and if you don't have Firefox, how do you not have SpiderMonkey, or, you know what, like, there's a lot of things that make up Firefox that are used by a lot of people. Well.
B
I mean, like, I think we can discuss, so if we have the suggestion of Firefox and then we get to the discussion in a few weeks from now, or, you know, a few meetings from now, let me say, like, is this critical? That can be an argument that is not critical, that the fire, you can say, I'm arguing it's not critical because it doesn't include, that the Firefox project doesn't include the critical portions that need to be safe.
B
And again, it's not like, is that a, is a jealousy is there, but is that a, it should be, again, it's the same argument. You know, it's not just, like, would this software exist without this other project. It's which project is critical for open source security, or critical for my infrastructure, or critical for supply chain attack, that kind of stuff. Look, if this project was compromised, how big of a deal would it be, right?
C
So maybe can the suggestions bring up those discussions where, like, if we are missing glibc, which we hope our musl will even, like, both of those are pretty important, because Linux wouldn't run with one or the other, and kind of need to see, no matter what, unless you're doing a lot of plumbing. I've been involved in building distros for a very, very long time, and I've pretty much been involved with everyone at this point, so, like, I can tell you, there's, like, core utilities that are everywhere, even in, like, virtual distros that are not even real distros, that are just meant to be booted up in light and containers. There's just certain things that I would say are absolutely critical, that you won't, like, if you don't have this, it's just not going to run.
B
Yeah, I don't think we should do that with this iteration. I think, if we get a suggestion for any program, and that doesn't mean that we should just, like, add glibc, unless somebody else already suggested it, which it has been in that particular case, but in the cases where it hasn't, let's leave that to the process where, like, we will have people in that, people, person can be, you suggest the underlying, like, critical packages or tools for consideration independently.
D
Go ahead, David. No, I agree, but I'm on the fence, because, I mean, like, I work for IBM and I've seen the same sort of thing in IBM, where you'll have IBM clients who are saying, they'll give some, you know, high level, some buzzwords, some, you know, that they are aware of, but don't understand what the actual requirement is or understand what they're, you know, it's on some check box, so, you know, we busy. They know the buzzword. They know the, you know, the publicized application, but they don't know that.
Oh, this application, you know, TensorFlow, really depends on OpenBLAS, I mean. So if you actually hear about performance, you should compare OpenBLAS or Eigen or, you know, they know, you see, you know, we want Python to work fast. Well, like, this is NumPy, and so, what I mean, so there's, okay, so I see that in what Randall said, but I agree, we can't sort of do the, you know, archeology on every single one of these as well, but I agree.
We need to be open to that and maybe put in a note or something that people are gonna put in, you know, again, like a client, they're going to say, you know, Docker, they're going to say, what is the sexy thing? What's, you know, the headline, the tent pole type of application, and they don't really know, well, this depends on libxml and this depends on, you know, libssl and this. They don't necessarily know about the underlying, you know, dependency tree for this and that, and, I mean, in some ways I think that they're relying on us for it. But, you know, we, especially I, don't have an answer. I agree to not over-engineer this, but.
A
All right, great! Well, we are at time. Fantastic discussion today. Thank you all so much. I think we made some really good progress on this, so what we will do then, plan for the next meeting in two weeks, is to essentially go through these candidates, dedupe them and talk about them and ask and justify them and analyze them and cross-reference everything with 1.0, get the full work group's discussion, give also time offline to comment, discuss, so forth, and then hopefully finalize to a version 1.1 that we feel good about, that we can iterate on. Sounds good. Thank you. Great, awesome. Thanks so much, everyone. Yeah.