►
B
B
B
C
B
C
C
C
A
A
C
C
A
Makes
any
sense
so
if,
if
for
nothing
else,
if
I
may
ask
for
a
brief
update
of
where
we
are
on
the
on
the
update,
I'm
happy
to
help
or
needed
I'm
delighted
if
things
are
ongoing
and
you
don't
need,
because
I've
got
three
thousand
I'm
trying
to
be
helpful
in
support
of
the
folks.
But
if
you
don't
need
help,
are
there
other
foods
to
do
so?.
C
C
Yes,
current
status,
the
schedule
updated
is
actually
I'll
talk
about
it
now.
So
let's
talk
about
that
now
no
new
faces
looks
like
thank
you.
David
and
Caleb
I'm
gonna
update
the
table.
So
if
you're
in
the
group
I
don't
think
I'll
present,
but
if
you're
in
the
doc
there's
a
table
further
up
on
work
group
working
session
tracking
table.
So
this
was
our
proposed
timeline
for
getting
the
updated
list,
updated.
I.
C
C
In
a
last
meeting,
there
was
a
little
bit
of
polishing
of
the
spreadsheet
that
I
needed
to
do
before
the
RFC,
and
then
I
wrote
up
the
RFC
text
and
Amir
and
I
met
earlier
this
week,
just
to
make
sure
we
were
both
on
the
same
page
and
so
what
we
wanted
to
have
was
a
four-week
time
period
for
people
to
respond
to
the
RFC.
So
since
I
only
got
that
out
this
week,
we'll
then
push
everything
back.
A
C
A
C
C
C
A
B
B
A
C
C
A
C
Are
things
people
suggested
so
I'm
not
taking
we're,
not
we're
not
making
any
judgments?
Now
when
we
made
the
last
release,
we
got
feedback
through
issues.
We
got
feedback
directly.
We've
got
feedback
in
this
in
these
meetings,
so
we
try
to
incorporate
all
that
all
those
suggestions
in
the
candidates.
A
C
A
Yeah,
what
okay?
This
is
my
apologies
because
of
course,
I've
been
gone
wrong
on
vacation
for
a
bit.
We
had
talked
about
adding
columns
for
particular
reviewers,
so
they
could
quickly
make
comments
asynchronously
and
then
review
that,
whereas
we,
it
looks
like
there's
just
a
single
column
at
this
point,
which.
B
A
C
A
A
B
A
C
A
A
I
guess
one
of
the
challenges
here
is:
you
know,
what's
critical
for
some
of
these,
for
the
most
part,
I
would
think
the
biggest
concern
would
be
subversion
like
it's
absolutely
true.
That
bash
has
been
involved
in
a
remote,
remote
code,
execution,
vulnerability,
I'm,
not
sure
if
you're.
If
you're
aware
of
that,
it's
a
funny
story
involving
shell
shock.
A
Shell
shock,
basically,
okay,
bash,
has
supports
shell
functions,
definitions,
okay,
which
is
not
unusual.
In
fact,
it's
in
the
positive
spec,
what's
not
in
the
positive
spec,
is
what
happens
when
a
shell
calls?
A
shell
and
Bash
store
actually
passes
on
functions
to
other
environments,
which
is
cool
the
way
they
did
use
environment
variables.
However,
it
basically
trusted
environment
variables,
and
it
turns
that
there
are
cases
where
and
when
an
attacker
shows
up
on
a
website,
they
can
control
certain
variables.
C
A
You
know
what
no
I
I'm
gonna
take
that
back
though
it
certainly
can
sometimes
so
yeah
never
mind
so
I
I
think
you
know.
I
would
certainly
worry
if
bash
is
subverted,
but
I'd
also
worry
just
if
it's,
if,
if
there's
a
vulnerability-
and
it's
brought
some
data,
so
I'm
talking
myself
into
just
normal
inclusion,
okay,
but
this.
B
C
Yeah
yeah
I
mean
yeah
I.
Think
for
the
wider
RFC.
You
know
we
can
you
know
people
can
make
their
arguments
if
it
for,
for
whatever
reason
they
see
fit,
but
I
think
with
the
working
group
consensus
discussions.
You
know
we're
going
to
have
the
our
kind
of
guidance
guidelines
of
you
know
things
that
reasons
that
make
something
more
critical
or
not,
and
and
try
to
agree
on
that.
B
A
A
A
C
A
C
A
B
C
A
C
C
A
I
think
you
want
a
broader
call,
I,
don't
know
what
the
right
way
to
do.
That
broader
call
is,
but
yeah
I
guess
I
mean
do
we
want
to
send
it
out?
Let's
see
who
I
mean
we
could
try
to
send
it
out
to
everybody
who's
working
on
openssf?
That
seems
a
little
extreme,
which
working
groups
would
be
most
related.
A
B
C
B
The
two
that
I
think
are
somewhat
closely
related:
are
the
the
vulnerabilities
group
working
group
yep
and
actually
maybe
that's
the
only
one
so
even
end
users
identifying
I,
don't
find
security.
No,
it's
identifying
security
threats
is
one
end.
Users
is
probably
possibly
another.
One
I
was
feeling
like
securing
software.
Repos
is
possibly,
but
then
you.
A
A
A
B
A
C
C
A
A
A
I,
don't
know
if
we
have
a
decision,
but
let's
see
here
so,
let's
see
here
I'm
going
to
go
back
to
the
RFC,
which
working
groups
are
related,
okay
and
should
be
and
and
should
be
and
should
be
emailed
right.
Yeah,
that's
what
you
want
to
know
everybody's
related!
Oh
wait:
I
gotta,
send
an
email
all
right,
I
heard
securing
software
repositories
pick
a
list
because
we
argued
about
it.
Okay,
yeah,
let's
see
here
and
I,
think
the
vulnerability
disclosures
because
they
know
where
the
vulnerabilities
keep
you
getting
reported.
A
A
C
C
C
So
yeah
I
want
to
do
some
project
updates,
so
for
All-Star,
I'm
I
was
looking
at
the
tax
documentation.
It
looks
like
they
have
a
lot
more
documentation.
They
used
to
have,
which
is
great
on
processes
and-
and
things
like
that,
so
it
looks
like
for
if
you
click
the
link
there
to
the
tech
working
group
abilities
under
technical
infrastructure.
C
It
says
working
groups
are
free
to
use
whatever
resources
they
can
find
or
solicit
help
from
Member
organizations
or
to
request
funding
from
the
openssf
governing
board
through
the
TAC
for
All-Star.
I
would
like
to
request
funding
for
technical
infrastructure
and
so
All-Stars
part
of
this
working
group.
So
this
working
group
would
be
requesting
that
would
be
positioning
the
tack
on
behalf
of
of
the
the
project.
Okay,.
A
Formerly
just
so
you
know
in
my
tell
me
if
you
already
know
this
because
I
don't
know,
if
you
do
formally,
only
the
governing
board
can
approve
funding,
but
the
reality.
Is
the
government
board
immediately
when
somebody
says
Hey
money,
they
immediately
turn
around
and
say:
okay,
great
but
pack.
What
do
you
think
yeah.
C
C
C
C
C
C
I
gave
some
kind
of
background
of
the
project
and
then
it's
been
working
on
and
that
people
are
using
it
and
that
essentially,
that
we
were
just
requesting
some
funding
there.
So
the
background
here
is
that
All-Star
has
some
infrastructure
currently,
but
it's
not
there's
some
stipulations
attached
to
it,
which
make
it
not
very
neutral
so
I'd
like
to
have
infrastructure
without
those
stipulations.
A
C
A
A
C
A
If
you
can
make
it
clear
why
it's
needed,
they're,
probably
going
to
say
great
and
tackwell
governing
board,
will
in
fact
the
governing
board
actually
has
approved
some
funding
ahead
of
time
for
some
infrastructure,
so
that
fits
within
within
a
pre-approved
amount.
It
might
even
be
really
easy
to
do
this.
However,
the
tax
is
going
to
immediately
ask
the
questions
that
I'm
asking
iterations.
A
So
you
know
your
DNS
provider
will
mandate
certain
kinds
of
content
not
be
allowed
whether
or
not
they
should
that's
another
question,
but
they
do
so
it's
just.
You
need
to
make
it
clear
why
or
which
stipulations
are
you're
uncomfortable
with,
and
why
and
I
bet
once
you
do
that
you're,
basically
making
basically
making
an
argue
for
money
for
money
when
things
are
getting
paid
for
right.
C
A
C
C
A
C
C
C
C
C
A
C
C
I
mean
I
know
the
skeptic
is
like
yeah,
okay
people.
You
know
if
you're
running
on
a
cloud
they
have
access,
but
that's
I'm,
not
talking
about
that
I'm
talking,
I'm,
saying
I'm,
taking
at
face
value.
You
know,
there's
running
it
on
a
private
on
a
project
that
is
you're
the
only
one
on
the
list
of
of
access
to
it
and
and
not.
A
C
C
A
A
C
C
So,
for
in
in
a
in
every
project,
you
know
you
want
to
have
a
contributor
ladder
that
shows
how
you
know.
Community
members
are
what
the
the
expectations
are
for
who's
going
to
be
a
maintainer
who's,
going
to
be
a
leader
that
kind
of
stuff,
so
I
think
it's
always
good
to
have
that
transparent
and
written
down
for
these
code-based
projects,
where,
where
people
contribute
to.
B
B
A
A
C
A
A
B
C
Mine
is
basically
from
a
proposal
that
I
made
months
ago
when
we
had
some
Community
discussion
on
so
I
would
say
it's
pretty.
You
know
it's
given
a
once
over
by
a
couple
at
least
two
different
communities
projects
in
the
open
ssf,
so
it's
had
some
some
eyes
on
it.
I
mostly
wanted
Cara
to
kind
of
work,
Smith
that
or
you
know,
I'm
adding
her
as
a
maintainer.
So
I
want
to
try
to
acknowledge
that
as
well
on
the
on
the
review
before
I
merge
it
here,
so
I'm
ready
to
merge
mine.
A
C
Would
there
be
a
repo
that
we
would
check
this
in
is
like
here's,
a
here's,
a
template
I
mean
not
maybe
not
the
template
repo,
because
people
always
copy
that
to
start
a
like
a
working
group
or
something
but
I
don't
know
if
it
would
be
the
tack,
because
maybe
they
don't
have
anything
to
have
an
interest
in
this.
The.
C
A
It
wouldn't
be
insane
for
them
to
also
declare
here's
how
we
expect
contribution
guidelines
to
run
I
mean
I.
Would
you
know
I
would
say
hey
start
with
this
and
say
hey
tack.
This
is
what
we're
doing
for
now.
We
might
want
to
later
on
propose
this
up
as
guidelines
across
the
open
SSM,
and
you
know
you
can
just
email
them
that
and
then
give
them
a
heads
up,
and
then
you
could
say:
hey
we
tried
it
out.
We
think
it
works
and
we
raise
it
up.
Sounds.
C
C
B
B
A
Yeah,
in
fact
I
would
I
would
go,
merge
it
in
tell
the
tech.
This
is
what
we're
doing
and
later
on.
You
know
and
presuming
that
it
works
for
us,
we'll
tweak
it
a
little
bit
and
then
we
may
propose
it
up.
You
know
for
a
broader
consent
and
that
way,
they've
you've,
you
stuck
the
idea
in
their
ear
and.
B
C
A
Yeah
I,
don't
think
anybody
in
the
tech
would
be
surprised
if
you
have
a
ladder,
be
it
formal
or
informal,
but
but
yeah
I
I
think
I
love
the
idea
of
trying
something
out
in
a
particular
project.
It
works,
you
tweak
it
and
then
you
raise
it
up
higher
and
higher
I
think
that's
how
a
lot
of
good
work
gets
done.
B
A
C
B
B
It
also
means
that
people
can
build
tooling
around
it
and
and
repos
can
consume
it
and
all
those
sorts
of
things.
So
that's
another
aspect
to
this
work
that
we're
talking
to
them
about.
Hopefully
we
will
see
some
results
from
that
within
the
next
quarter
or
so
so,
and
I
probably
will
have
to
come
back
and
talk
to
the
open
ssf
about
how
we
make
a
repo
like
well
considering
using
osv
to
do
that
and
how
and
putting
that
in
a
repo.