B
B
B
C
B
C
C
C
A
A
Because one hour later, there's a scorecards meeting and an hour earlier is a government sport thing. So was it the, is that governance or is that marketing, I, I forget. Okay, anyway, all right.
C
C
A
Makes any sense, so if, if for nothing else, if I may ask for a brief update of where we are on the, on the update, I'm happy to help or needed. I'm delighted if things are ongoing and you don't need, because I've got three thousand, I'm trying to be helpful in support of the folks. But if you don't need help, are there other foods to do so?
A
First, okay, so all right, so this is a, it's an update really on the list, right, update.
C
C
Yes, current status, the schedule updated is actually, I'll talk about it now. So let's talk about that now. No new faces, looks like, thank you. David and Caleb I'm gonna update the table. So if you're in the group, I don't think I'll present, but if you're in the doc there's a table further up on work group working session tracking table. So this was our proposed timeline for getting the updated list updated. I.
A
Guess, where's the, where, I, I see the document but I'm looking for the scroll.
C
So we're actually, I'm updating this right now. We're pushing back one meeting, so where's.
C
So after 323 is going to be.
C
We did our, we did two working sessions the last two meetings. Okay, we finished polishing our updated list, or updated list with proposals and everything, and our intention was to get an RFC out last meeting. However, we were unable to accomplish that.
C
In a last meeting, there was a little bit of polishing of the spreadsheet that I needed to do before the RFC, and then I wrote up the RFC text, and Amir and I met earlier this week just to make sure we were both on the same page. And so what we wanted to have was a four-week time period for people to respond to the RFC. So since I only got that out this week, we'll then push everything back.
C
A
Okay, so I have a link, Securing Critical Projects working group, list of projects identified as critical, Google doc ending in xtdm, all caps. Is that the current.
C
C
Yeah, so I sent out the RFC only to this working group on the mailing list and to Slack, that contains the link to the correct sheet.
A
C
So the first two tabs, or the RFC should contain the instructions. You know, the first two tabs show what we're asking people to do.
C
A
With the amp project and ends with log4j, I believe, yep.
C
That looks right. So question for you all is, I, I wanted to send this out more widely, any suggestions there? I asked operations if we could send this to the announce list, I don't know if that's appropriate.
C
But I mean, we do want everybody to feel included in the decision making process, even if they can't attend our meetings when we're doing the consensus discussion.
C
Ain't so I don't know what other channels we should try to use for that.
A
I mean, to be fair, it's not that just anybody can edit. Anyone can make a comment, but that's not the same as an actual edit. So yeah.
B
B
Yeah, that definitely makes, yeah, in that, if that's the case, I think, apart from creating work for whoever's going to have to read all the comments, more broadly sharing it is not a bad idea. Yeah.
A
C
C
C
No, we're not accepting projects, okay, consider it a new, new project consideration, so that'll be after we do one one, we'll make a call for, right, submissions for one two, and then we can repeat the process. Got.
A
C
Are things people suggested, so I'm not taking, we're not, we're not making any judgments now. When we made the last release, we got feedback through issues. We got feedback directly. We've got feedback in this, in these meetings, so we try to incorporate all that, all those suggestions in the candidates.
A
I see what you're doing, you're just saying, hey, these are things that people suggested, that doesn't mean that they'll be necessarily accepted. It's just, we want to get everybody's feedback on them. Okay, yeah, got it. Okay.
C
No, I mean, we don't have very many comments. I don't think we have any comments, so yeah, we want people to, again, you know, I don't know, like, I would much rather have people show up at the meeting, but if they can't, you know, I don't want anybody to feel excluded.
A
Yeah, what, okay? This is my apologies because of course, I've been gone wrong on vacation for a bit. We had talked about adding columns for particular reviewers, so they could quickly make comments asynchronously and then review that, whereas we, it looks like there's just a single column at this point, which.
B
A
C
A
All right, let me, all right. Let me, oh, oh, this is interesting. You have to click on it. It's just a little shade. There, got it. Okay.
A
B
B
A
C
A
Not so sure I'm excited, but you know what, I think it gets the job done and that's the, that's the important thing, yeah. Okay, very good.
A
Well, you know what, it was a lot of work to come up with this initial list, so I totally get.
A
I guess one of the challenges here is, you know, what's critical for some of these. For the most part, I would think the biggest concern would be subversion. Like, it's absolutely true that bash has been involved in a remote, remote code execution vulnerability. I'm not sure if you're, if you're aware of that, it's a funny story involving Shellshock.
A
Shellshock, basically, okay, bash has, supports shell functions, definitions, okay, which is not unusual. In fact, it's in the POSIX spec. What's not in the POSIX spec is what happens when a shell calls a shell, and Bash store actually passes on functions to other environments, which is cool, the way they did use environment variables. However, it basically trusted environment variables, and it turns that there are cases where, and when an attacker shows up on a website, they can control certain variables.
C
A
You know what, no, I, I'm gonna take that back though, it certainly can sometimes, so yeah, never mind. So I, I think, you know, I would certainly worry if bash is subverted, but I'd also worry just if it's, if, if there's a vulnerability and it's brought some data, so I'm talking myself into just normal inclusion, okay, but this.
B
C
Yeah, yeah, I mean, yeah, I think for the wider RFC, you know, we can, you know, people can make their arguments if it, for, for whatever reason they see fit, but I think with the working group consensus discussions, you know, we're going to have the, our kind of guidance, guidelines of, you know, things that, reasons that make something more critical or not, and, and try to agree on that.
A
All right, so I, I presume what we're going to do is we're going to encourage people to make comments on these two tabs and, let's see, version one one set on removal, version one one candidates, these are new ones, right, right, and so those two, basically those two, those two tabs, so yeah, okay, that's, and indeed what your, okay, fantastic.
B
I, I think that, like, I was just thinking about the way that I, like, I think that's very true. Most people have an opinion, maybe about a small subset of the entire list. So if you have a broader reach, perhaps you'll get an opinion about most things.
A
Yeah, yeah, so, you know, I guess my one comment would be if you're gonna send this out more broadly, Jeff. So you don't, you know, you don't have to comment on everything. In fact, just comment on the ones you have, you know, a strong view upon.
C
A
A
C
Okay, so this is what I sent out.
C
I sent this to our workout.
C
Group list, okay, here, yeah, and then I sent it to Slack as well.
C
A
C
A
Let's see here, yeah, I'm only seeing the right edge of it, I'm not sure what's going on here, I.
A
A
Not in the way I would like, yeah, there's something, I'm only getting half the window, Zoom.
B
A
C
A
All right, that is, I got it, all right, technology, sort of, alrighty. So let me switch to suggestion, I'm going to be put in suggesting mode.
A
Yeah, so I would say something like, please comment on projects in either tab you, where, where you have, where you have information to share, you know, justification one way or the other to, to add or remove. Well, I mean, make this a, please comment on projects in either tab, don't feel obligated.
C
C
C
On, of course, yeah, okay, and any ideas for if we should try to send this on another mailing list or.
A
I think you want a broader call, I don't know what the right way to do that broader call is, but yeah, I guess, I mean, do we want to send it out? Let's see, who, I mean, we could try to send it out to everybody who's working on OpenSSF. That seems a little extreme. Which working groups would be most related?
A
B
C
B
The two that I think are somewhat closely related are the, the vulnerabilities group, working group, yep, and actually maybe that's the only one, so even end users, identifying, I don't find security. No, it's, identifying security threats is one, end users is probably, possibly another one. I was feeling like securing software repos is possibly, but then you.
A
A
I mean, the, the software repos folks, they're, you're only going to get feedback from the folks who are in that group, and I think that it tends, at least last I checked, they tend to be dominated more by the language level and not the, not the system level and not the container level.
B
A
The only real problem will be that they'll probably complain that, wait a minute, why are we not adding some new ones here.
B
That's probably, that, that would be my expectation as well, and it will be like top end projects or, like, some personal opinion about some from that ecosystem that they're responsible for, so, but that's, that's okay, I mean, this is the best effort list, not a comprehensive list. So.
A
C
C
Yeah, people keep suggesting, then they, they, it just goes on forever. So we have to have iterations and rounds. Okay.
A
A
Yeah, I mean, I don't see any reason why you can't send that out to those other working groups, I mean, yeah. On the one hand, there's a risk of it looking like spam, but I, I think an OpenSSF project asking for help from an OpenSSF project is fair game. Yeah.
A
I don't know if we have a decision, but let's see here, so, let's see here, I'm going to go back to the RFC, which working groups are related, okay, and should be, and, and should be, and should be emailed, right. Yeah, that's what you want to know, everybody's related! Oh wait, I gotta send an email, all right. I heard securing software repositories, pick a list because we argued about it. Okay, yeah, let's see here, and I think the vulnerability disclosures, because they know where the vulnerabilities keep you getting reported.
A
Okay, which OpenSSF working groups, I really, should be emailed, vulnerability. Securing critical projects, oh, I'm sorry, security project, is this, I think we said end users, I mean, frankly, that's probably the best, one of the best ones.
A
Then at least there's a chance it might be smart and.
A
At least a chance of reducing it, yeah, best to send out simultaneously, so email, so to reduce this, so that duplicates might get removed.
A
I don't know if the, if the sending software removes, because this go, actually goes during our list of work. If it doesn't, then email clients that receive it might be smart enough to figure out the remove. Otherwise, oh well.
C
C
Sounds good. Should we move on, or you think these three are enough, I guess, yeah, okay, yeah. Current status, we did that earlier.
C
So yeah, I want to do some project updates. So for Allstar, I'm, I was looking at the TAC documentation. It looks like they have a lot more documentation they used to have, which is great, on processes and, and things like that, so it looks like for, if you click the link there to the tech working group abilities under technical infrastructure.
C
It says working groups are free to use whatever resources they can find or solicit help from member organizations or to request funding from the OpenSSF governing board through the TAC. For Allstar, I would like to request funding for technical infrastructure, and so Allstar's part of this working group. So this working group would be requesting, that would be positioning the TAC on behalf of, of the, the project. Okay.
A
Formally, just so you know, in my, tell me if you already know this, because I don't know if you do, formally, only the governing board can approve funding, but the reality is the governing board immediately, when somebody says, hey, money, they immediately turn around and say, okay, great, but TAC, what do you think, yeah.
C
C
Yeah, so, so, there's an example there that somebody else I think did, so we wouldn't want to do something similar to that, and I wanted to, I have some text I wrote up.
C
Is the event comes through, so essentially we'd basically say the Securing Critical Projects working group is requesting funding on behalf of Allstar. What, what that.
C
C
C
I gave some kind of background of the project and then it's been working on and that people are using it, and that essentially, that we were just requesting some funding there. So the background here is that Allstar has some infrastructure currently, but it's not, there's some stipulations attached to it, which make it not very neutral, so I'd like to have infrastructure without those stipulations.
A
Okay, tell me if you can't really talk about the stipulations now, but I mean, sometimes the stipulations are just like things like, please don't run malware on my, on my application and don't run and.
A
And do, you know, crypto coin mining.
C
C
Secrets for the app that, that allows it to talk to GitHub, the data, any, just basically full access to the infrastructure.
C
When I say, when I say instance run by OpenSSF, that should mean the maintainers of the project, not also the infrastructure providers.
A
A
C
A
If you can make it clear why it's needed, they're probably going to say great, and TAC, well, governing board will, in fact the governing board actually has approved some funding ahead of time for some infrastructure, so that fits within, within a pre-approved amount. It might even be really easy to do this. However, the TAC is going to immediately ask the questions that I'm asking, iterations.
A
I didn't want, what exactly are there stipulations, yeah, and why are they a problem, because every account, every cloud provider has stipulations, and in fact every service has stipulations.
A
So, you know, your DNS provider will mandate certain kinds of content not be allowed. Whether or not they should, that's another question, but they do. So it's just, you need to make it clear why, or which stipulations are, you're uncomfortable with, and why, and I bet once you do that, you're basically making, basically making an argue for money, for money when things are getting paid for, right.
C
A
A
problem: what's the problem, yeah, and I think you only need a sentence or two to resolve that. If you're not comfortable making that public, by the way, the details of it, feel free to make that in a private communication. We try not to do that. We'd much rather work in the open, but.
C
I think this is, I think this is public, yeah, okay.
C
C
A
C
C
C
Hey sass I'll start screening, La permissions and data access.
C
The credits or, or our money works that is granted by the, by the funding, yeah, on flexible here. Okay.
C
A
Although I can see Lenovo or something else, wouldn't they all have the same privileges, not.
C
A
Okay, so the, in, in a way that, so it's not just granted Allstar all elevated privileges in ways that aren't typically granted for running. Is that your point? No.
C
A
That is, they must have administrative access. Yes.
A
Okay, and we're concerned that, and we, and we want to their, and we want to limit.
A
Those who we don't want, I don't know, maybe, maybe that's obvious, yeah.
C
I mean, I know the skeptic is like, yeah, okay, people, you know, if you're running on a cloud they have access, but that's, I'm not talking about that. I'm talking, I'm saying, I'm taking at face value, you know, there's running it on a private, on a project that is, you're the only one on the list of, of access to it and, and not.
A
We, okay, we prefer to run in a situation where the provider promises to not access this sensitive data.
C
Okay, yeah, I mean, I can wordsmith this or, you know, to, yeah.
C
Like what the TAC is going to ask, and like, I would also show up to the TAC, TAC meeting, but in general, does this seem correct for the working group to go ahead and request funding?
A
C
A
Yes, okay, yes, sure, yeah, yes, I think that's entirely appropriate. Okay.
C
A
We also just want to make sure that we set good precedents, so, you know, before, before we spend money, we want to know why the money should be spent, yeah.
A
C
Yes, okay, so moving on, another Allstar update, contributor ladder PR is out, and I think you wanted to talk about that also, Caleb. If we could, I don't know if we have a, a general contributor ladder for the, a recommendation for the, for the foundation, maybe we can adopt this for that. We.
C
So, for, in, in a, in every project, you know, you want to have a contributor ladder that shows how, you know, community members are, what the, the expectations are for who's going to be a maintainer, who's going to be a leader, that kind of stuff, so I think it's always good to have that transparent and written down for these code-based projects where, where people contribute to.
B
B
So that's partly why I'm bringing that up here as well, like, I can wait until the Allstar one has been agreed upon and suggest that for the criticality score repo, or we may want to more, I may want to raise this more broadly across the OpenSSF, of having like a template or like a default contributor ladder available for pro, like that's for projects, so that we can give contributors who are working on the, the code and the repos some sort of sense around how they contributed contributions.
B
May affect their ability to be like a member of the project. I think it may encourage people who are unsure about how they're, their investment in time would be rewarded, I suppose, although being a maintainer is not necessarily reward in that sense, but yeah.
A
A
C
A
You did, okay, did, did this one have the OpenSSF URL, email address, yeah.
B
I went and changed a bunch of them and I, hopefully that landed in.
A
Oh yeah, I see it. Okay, oh, I see, okay, so it is, okay, it is from there. I thought this was just the, okay, all right, so maybe, or maybe just, maybe add a link, maybe add at the end a link to the OpenSSF CSD, yeah.
A
B
Yes, I should. In terms of how I should handle this for criticality score, is it worth waiting for Jeff's PR to be accepted or, well.
C
Mine is basically from a proposal that I made months ago when we had some community discussion on, so I would say it's pretty, you know, it's given a once over by a couple, at least two different communities, projects in the OpenSSF, so it's had some, some eyes on it. I mostly wanted Cara to kind of wordsmith that or, you know, I'm adding her as a maintainer, so I want to try to acknowledge that as well on the, on the review before I merge it here, so I'm ready to merge mine.
C
If you want to copy it and merge one, I think that's fine, and, and yeah, like, as David said, I think, you know, we, any, any kind of template or recommendation would be just that, a recommendation or a starting point, that any project should be able to tweak this for whatever, for the needs of their own project, but having something to copy would be nice, yeah.
A
C
Would there be a repo that we would check this in, is like, here's a, here's a template, I mean, not, maybe not the template repo, because people always copy that to start a, like a working group or something, but I don't know if it would be the TAC, because maybe they don't have anything, to have an interest in this. The.
A
TAC already has guidelines for how to label projects, yeah.
C
A
It wouldn't be insane for them to also declare, here's how we expect contribution guidelines to run. I mean, I would, you know, I would say, hey, start with this and say, hey, TAC, this is what we're doing for now. We might want to later on propose this up as guidelines across the OpenSSF, and, you know, you can just email them that and then give them a heads up, and then you could say, hey, we tried it out, we think it works, and we raise it up. Sounds.
C
B
Yeah, I think that's a good idea. Sorry, I just was distracted and missed that exactly, but.
C
B
B
A
Yeah, in fact I would, I would go merge it in, tell the TAC this is what we're doing, and later on, you know, and presuming that it works for us, we'll tweak it a little bit and then we may propose it up, you know, for a broader consent, and that way, they've, you've, you stuck the idea in their ear and.
B
For reference as well, the sigstore project has a ladder as well. So yeah, pointed me to that, Jeff, yeah.
C
A
Yeah, I don't think anybody in the TAC would be surprised if you have a ladder, be it formal or informal, but, but yeah, I, I think, I love the idea of trying something out in a particular project. It works, you tweak it, and then you raise it up higher and higher. I think that's how a lot of good work gets done.
B
A
C
B
Yeah, yeah, I only have a really short update on package analysis. It's just worth some context. Oh, it's worth providing that our team at Google have been talking to Checkmarx and that we're collaborating there.
B
B
Some analysis features, particularly around HTTPS unwrapping initially, and we're also collaborating, collaborating on how to share publicly detections on malicious packages, so that, that will, like, so part of the package analysis project, we'd like to be consuming that data and producing like public detections from it, that, sorry, that I say we as in Google, and would like to, like, and encourage other for-profit or the non-profit companies who are doing the same sort of work to be also publishing their work publicly, because that helps, I think, in open source world having open source data is kind of a nicer, a good idea.
B
It also means that people can build tooling around it and, and repos can consume it and all those sorts of things. So that's another aspect to this work that we're talking to them about. Hopefully we will see some results from that within the next quarter or so, so, and I probably will have to come back and talk to the OpenSSF about how we make a repo, like, well, considering using OSV to do that and how, and putting that in a repo.
B
A
C
Yeah, well, thank you all for joining again. We have another regular meeting next time and then we'll begin the consensus in four weeks.