Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / Securing Critical Projects WG / 15 Jun 2023
OpenSSF / Securing Critical Projects WG / 15 Jun 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Securing Critical Projects WG Bi-Weekly (June 15, 2023)

Description

Meeting notes: https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit#heading=h.ylcmpchqsywz

A

Hey hey I'm here how's. It.

B

Going not bad and you yeah pretty good.

C

All right, you can get caught up.

C

I'm gonna.

B

Clean this up a little bit.

B

Do you think, do you think that we should spend some time dedicated time to basically coming to a consensus on?

B

You know, I think the attack came up to about the you know. Who is the consumer of this that you know what is the purpose of the set so I just recopied and pasted my the what we came up with.

A

Yeah I mean I, think it's good for us to have like a somewhat of a definition of what we're trying to accomplish uh which what you wrote is good like, like you know, when we're making it we should say this is what it is. We should be able to describe what it is, but as far as like what it's for I, don't think we can just come up with that on our own. We need to go, go to the other groups and ask them okay, how's it going.

D

uh Things are going really well because, as you can see, it's a beautiful day in Virginia all.

C

Right.

D

So, uh very very soon it's going to be roasting. Hot and I will be back inside, but I'll take advantage of what I can get in the weather.

D

All right, 12 of I have four. After um are we expecting more.

A

um We've been getting more but, except for the one I think two weeks ago was like right. After um open source, Summit I didn't get as many people and our eight pack ones have been a little lower, but this time has been better so we'll see. Okay,.

D

All right, I am going looking through, oh and somebody already added my name. Thank you. Yes,.

E

Foreign.

A

Yeah.

C

Okay,.

A

um Yeah, let's discuss that in your I typed that as the first thing, what is the list for or who are the users? Yes.

B

Yeah so I've I I've been putting this. um Oh absolutely yeah, that's a good point. um David is thinking of specific, um like groups. I think that's great um I was also oh okay.

B

um I was also considering like when we were talking about like essentially having some language on. You know what this is and who it's for so, but this is. This is going to help us a lot because, um because that can help us walk backwards. Sorry.

D

You just lost uh what we were typing. Oh.

B

Okay,.

D

Never mind it's way up higher. Okay. Here you go yeah, sorry, it that's all right. It just moved down and it appeared on my screen. Like everything I've been doing, it was erased, and that was.

E

Just.

D

You know I was misinterpreting what my screen was showing fine fine, yeah, okay,.

B

So yeah I just put this um I, don't know if it's too circular, but you know the purpose of the set of critical projects curated by securing critical projects. Working group is to help guide the open source community in determining highly important open source projects that have been identified through research and discussion with the work group.

B

These include, but are not limited to open source projects that can benefit from additional resources, projects that are generally lacking in resources, projects that can especially benefit from third-party code reviews and Audits and projects that are widely used and adopted in modern technology and infrastructure systems.

D

Yeah, what's the uh what's the the tech, uh German Tech fund and there's another American one.

B

Yes, good point um sovereign.

D

Tech fun. Thank you. Open Tech,.

B

Fund.

D

Yeah, which one's the.

D

Yeah, that's on well: okay, I, guess, I'm, sorry, they're in Germany, but you're right. It's actually EU! That's fine! Oh.

C

It is okay, it's.

D

During government, okay is that's right: that one's I think is the German government I think there was another one that was EU but I'm, not sure. That's active.

C

Yes, yes,.

B

That's.

D

Not.

C

Active okay, all.

D

Right all right.

D

Actually, it uses the projects as candidates for both Alpha and Omega.

C

Okay, because.

D

You know, even if they can't fund it, it still can be on their list of projects. They look more closely at their their top. Ten thousand.

C

um Yeah absolutely.

D

Oh Austin, okay, I, guess I mean technically Asif, isn't a funding source as well. That's.

B

True yeah.

D

But it helps us like: oh okay, all right. Okay, I will put you in a different category, but um okay, because you're not funding the work, but you are.

B

I guess like implement implementation or.

D

I mean if somebody paid you to fix an open source project that only if you know hey, it's only used in nuclear facilities. I'm sure that you would say absolutely, even if it's not on the list. Yeah.

B

I, just I just wondered if like as basically like a data point so like you know, if we want to justify, if someone gives us money to say, hey go, make open source more secure. We can say you know: we've used this as a resource to help guide us. You know, identify those projects.

D

Thank you.

D

Okay- and this is a weirdness for me- I'm- going to put the U.S later and I'm going to do that um in simple, because we love our us friends but I want to I I. Think some people have have missed been misinformed. That were somehow only us. Yes,.

C

There's.

D

A lot of U.S folks there's nothing wrong with U.S folks, but um this is international, and you know, and so by putting a German government thing. First, I think that'll help clarify that the internet. This is something that's International uh issue that we're working on International solutions for um yeah or ostiff I mean what what I bet that there's you know, organizations who need I mean you're, basically trying to guide other organizations right.

B

I guess maybe maybe I.

B

To keep that distinction of you know we are the. We are the people that go and execute on the on that guidance. Maybe it would make sense to just not include include us, but I just am wondering like, for example like when we got some funding to to audit projects.

B

um Like the impact report, the Google and open SSS impact report. We used like the Harvard census, 2 study and, like the preliminary some of the preliminary, our preliminary recommendations, our meaning Hostess preliminary recommendations um which fed into the you know the the predecessor to this step um to determine which projects we would go ahead and audit. So um that's why I wonder I.

B

I wonder where we like how that would fit in, but if it's not as direct, then maybe it doesn't make sense to include it whatever you, whatever you all think, makes more sense.

D

You know what, um how they're, if we eliminate the how we're they're using it.

D

Because I I think I'm not sure that there's a difference here in all cases, they're trying to take some steps to improve up some critical open source software and the problem is that immediately gets you to the and which ones are important.

B

Okay, that makes sense, then I'm sure, there's, there's others I mean um sure and.

C

So now.

D

You know what how about sos.dev.

D

You know I'm gonna put that in as another, you know, I think um MFA distributions and other organizations or whoops what happened. That's what's weird.

D

I think I accidentally captured.

D

Oh now, that's just weird thanks, Google Docs.

D

All right.

E

Okay, um all.

D

Right.

D

So Alpha Omega and okay um SOS dot, Dev um You Know It. uh That funds um provides small funds for OSS projects, but uh would like to prioritize the more critical ones now splitting that up is probably a little weird, because that's also now part of open ssf. So.

D

Yeah but but I think there's a there's. um An organization, that's kind of popping up here. Alpha may get is an example of we're looking for the critical ones and to fund those. There are other organizations who do the same thing and then there's small funds where they do fund a number of different things, but they again you know they're not going out and looking but they'd like to prioritize when they get a request.

D

uh Future MFA distributions all right. Maybe we can probably argue about the order here, but you know you just you know, that's I think that's a that's a nice list.

E

Yeah.

D

Of uh of users and potential users, I mean Alpha, Omega, certainly I know for sure uses it is, is using it. The older version, the MFA one has already done. So you know.

B

All.

D

Right we actually have a couple tokens left, uh so it was a lot of work to get them out. So we haven't tried very hard, but.

D

Alrighty.

B

Awesome and then um so we talked about preparing it and Publishing um I'm. Looking at that.

A

Yeah so David you put that here um we have this process document. Is this up to date? Do you know Amir with what essentially, what we do? It's.

B

It could use updates.

D

Consensus based democracy.

B

This was I think just taken from the note.

D

Yeah, this is.

D

I, don't know what you call this um I mean some of this is aspirational and no no I I need a I. I, don't need some ideas of what the plan is. I here is the list. Here's how it was made.

C

Yeah.

D

And I think you can take what's here copy paste and make something short.

B

Okay, yeah we'd, probably just need to collaborate on something yeah, yeah.

D

And, and also um here's something that that document was really future looking we need to, we need to include you know, ready answer, for how did you make this list and acknowledge you know, weaknesses in current set I mean it's all over. You know varying size.

D

You know, there's some where you can argue the way.

D

Yeah I mean.

B

Oh then, I.

D

Think I would say it needs no work, yeah. Well, no, no comma! It needs work.

C

I.

D

I would go further and just say we need a different doc. A a different doc uh can uh can pull from it. From that and I mean it could be just a paragraph.

C

Just.

D

A paragraph, or maybe two, you know maybe like here's, how we did you know and acknowledged weaknesses, because there's always weaknesses but I mean I. Think that's now uh uh publication. All right, we need it. um Do we need something nice looking.

A

Yeah so preparing set for publishing, you know, I, don't know like yeah, maybe we're just cleaning up the spreadsheet we're taking. Are we copying it? Are we gonna, delete the old tabs and say that any ideas here.

D

There are many ideas yeah. The question is: what do you want.

A

So we make a PDF.

D

I mean we can make a PDF, uh we can make a Mark, we can make an HTML page um now. One thing that we could do is turn it into something that looks legit.

D

um Let me you I, don't think either of you have been involved in the uh fund on the publication of the best practices. Folks, have you yeah all righty? Okay? So let me share with you a link.

D

All right go; click on that.

D

Okay, what you will see is something that looks fairly decent and uh this was generated through a process that I am now I have now given in a name. It is called this, uh the SSP uh something the simplest uh possible, but spp simplest, possible process.

D

um Literally, all I'm do all I did is I enabled GitHub pages and for each repo I created a separate subdomain, so you'll notice that this is under best openssf.org, because the best practices working group has a domain.

D

Okay and creating subdomains is incredibly trivial um used to be. You didn't want to create a new domain for this stuff because of the fundamental problem. When you do that is now, you got to manage the TLs certs thanks. So let's encrypt, that is just not a concern, so um you know, and so right now there's a separate Tac issue about whether or not basically we were originally just pointing the GitHub Pages. It's ugly is awful. It's ugly, it's awful I mean it looks like it looks terrible.

D

um These look all right. Certainly they look better than the old system and we can Muck with the CSS and in fact this uses a special font that marketing folks would like to start using okay. So it's a it's a Google font I, don't care yeah.

E

Tell me what it is.

D

Yeah, uh it's a Sans serif font for the body text. I'm, actually I actually prefer serifs, but this is the most uh seraphy non-sera. This is the most surfy Sans serif font I've ever seen for body decks, so we can live with it.

D

um I, don't care about fonts nearly as much as readability. That's my concern. You know, there's people who are really excited about fonts that are cool looking as long as you don't need to read it boo, hiss to that so anyway. um So this is not an. This is not a statement that we have to do things this way. In fact, you know that something right now that's been raised. Attack is a hey. Is this? You know I think Brian, Brian ballengar from particular is I, don't know if we want all those different domains.

D

um That's fine! um If that's a problem, then let's do something else. In fact, this is part of the problem. There's so many different ways to do publication, workflows that we almost get um we get paralyzed by choice. There are too many ways to do this so.

E

We don't have to do it. This.

D

Way, um but uh what I would like to see, though, is a simple link where you click on it, and you see the document I'm not excited about PDFs, but I. Guess there is the advantage of that. They, uh you know, declare a sort of Complete product.

A

Is this concise guide is that in its own repo, it's.

D

In the best practices working groups repo, so um if you go yeah, give me uh let's see here. Is there an obvious?

D

Well, in fact, if you click on the improve this page at the bottom link, the bottom right hand link it'll jump, you immediately to uh you know an attempt to edit it. So let.

A

Me yeah, unless you're not logged into GitHub, well,.

D

Then yes, then, that won't work um yeah. So, let's see here which one.

E

Did.

D

I show you that's the concise guide.

D

Which guy did I show.

A

You the thing doctor, so you don't have to have. You- can have a subdirectory, be like the web.

D

Page, the top one right right, okay, um I I, actually think I mean different. You don't have to do it that way. That's a configuration setting by the way here is what it used to look like this is the link we've been telling everybody to go to before.

D

Yeah, okay and the problem with this, of course, is that you have just endless number of stuff at the top. We have no control over how it looks. If you look at its properties, you will see the law of the properties are wrong. We can't set, for example, the author or the title or stuff like that.

A

Okay, so we've got.

A

Markdown published through GitHub pages is.

D

An option.

A

This.

D

Is testing.

A

Google doc, it's not editable. We've got PDF any other ideas.

B

And I believe- um and it was mentioned that openssf would do a blog post.

D

Okay uh process, all right, so let's go back the process options; okay, they include, um you know, uh generated PDF.

D

Okay, uh you know well I, guess, link to Google Docs is the easiest possible Right link to Google Docs and and if we generate a PDF, there's actually two options to generate straight from Google doc.

D

But that's kind of ugly uh doesn't have intro and then there's the create a nicer dock, and you know what uh it's almost its own thing generous and then they create a nicer Dock and then there's- and you know- and at that point it's the intro plus the list right and then we intro plus list and then there's endless ways to do that which is PDF.

D

You know HTML Maybe generated from markdown per uh the.

D

I will have to get you a link to the tech discussions on that, but that's a different discussion. uh Yeah. Are there other options here? Well,.

A

I mean I think the well I think simplest processes, its own bullet yeah. Okay, um basically.

E

Like.

A

You know website based on GitHub.

D

In fact, HTML the challenges are, there are many ways to do.

A

um Yes, one word I have with the markdown is tables and markdown are like very hard to deal with I.

D

Mean you probably have to just do.

A

It once right we're not this, isn't a living list, we're keeping it in.

D

uh

A

Sheets yeah.

D

I, don't know that that's a big issue because um we're not trying to hand edit it I, don't think I think we're just taking the Google Doc and translating it.

D

Oh yes,.

C

um Yeah yeah I'll.

D

Be honest: the first thing I'll do is grab for pandok p-a-n-d-o-c. If you've not heard of pandok, uh please hear of pen doctor life will be better.

D

uh Pandok is a program that handles many many document formats and can translate many document formats to other document formats.

D

So awesome, yeah.

B

It's an awesome.

D

Tool it's some depending on what you're doing. If, if you want to deal with tech you to, if you want to generate Tech, then you also need to install a whole bunch of tech stuff, but in general it can do cool things, um and so, while I haven't tried tables from Google Docs, specifically with pandok, it would be unsurprising to me if that wasn't too bad.

D

There's a couple other generators, specifically from Google docs, to markdown uh that I've used also uh for the um uh for for the course, because we actually originally wrote the course in Google Docs and then translated it to markdown and the markdown is actually now the canonical version in that one and yeah translated tables and stuff. Like that, um I, don't know, I! Think our this one's pretty simple, so I, don't know, that's going to be a problem.

D

If we create markdown first, there are many ways to generate.

D

The markdown yeah but I I think fundamentally, if this is going to be a formal release, it should look like it's an actual legitimate thing: yeah uh I have not looked I mean I. I was involved in the process. I actually haven't seen the final doc or can you put uh uh I know it's in the.

B

The spreadsheet.

D

Yep.

B

Yeah should I put it up here.

D

By the Yeah, I may as well slip that in here huh all right right, it's probably in the top. Isn't it yeah.

B

It is yeah, I just threw it in there, though,.

B

I'm.

C

Right, where.

B

Your mouth is.

E

uh

D

Something nicer looking.

D

I don't see where you dropped, it I'm. Sorry, no.

B

Worries where, where, where should It Go what'd, you say.

D

Okay,.

E

Okay,.

D

Link to the existing Google doc is the process option.

C

And.

D

That I mean that is obviously from the point of view of Simplicity. From our point of view, that is obviously the simplest possible solution right now that doesn't mean it's the right solution for our case, because I think um you know the arguments for removal and stuff like that. I'm thinking that.

C

Get rid of it.

D

ah You know I, don't know we were we. We wrote down comments there, they're a little more informal, I, don't know. Maybe that's a good thing, though, because clearly people will complain about things, no matter what we do.

D

In fact, if anything, you could probably argue that uh everything should have some comment, but that's a lot more additional work.

C

um

D

All right, we got angular and ansible.

D

C python.

D

We don't have a Linux just showing here. Do we.

D

That was yeah, I mean we I mean the largest things we've got. Is the Linux kernel, rust, kubernetes yeah we've got several implementations of languages, but that's not and I've got we I. Guess a weirdness. We've got the repo of.

D

Yeah now electron.

D

Should that still be in.

D

You know given Adams disappearance, but I guess we can still make the cases widely used. I'm just looking through here for a quick sanity check.

D

Tour itself is a whole distro. It's kind of focused, though.

A

Okay,.

D

I guess we could say: that's really the specialty parts of of it as opposed to just everything in it: yeah, okay, yeah, okay, ruby, gems. All right I mean presumably that's the code to implement it, not every single Gem and.

A

Yeah um Okay, so we've got some ideas for getting the set ready to go. We need the intro the process, paragraph, um something that looks nice right.

D

um And we create a document and then kind of noodle over it, uh create a Google doc with the content of the intro sure, and then we can, uh you know I would just copy paste the existing one yeah, the the old text uh and then just kill it down to a short thing.

A

um So thinking about what we would do for an announcement plan, uh I think we we want to have a Blog, obviously on open, ssf, um I, don't know what else else we should do.

A

um I wrote a I just jotted some notes here right now for the points we want to make in the blog kind of the stuff that we're going over right now like what is it, how do we make it who's using it? So we just discussed that right um and then typically like a Blog would be like. How should you use- or you know, how might you this be useful to you and then how can you get involved.

D

um Right and really all and there's always an audience question I think we've got two different audiences here. One is just kind of the general hey if you're curious about open source and you're wondering if anybody cares about it. The answer is yes, and some people are working to identify a critical one, really important one so that we can go do some funding of it.

D

um Frankly, there's another audience it's way smaller and that's the folks we just listed earlier. You know who are saying: Hey I want to fund stuff.

D

um Now I will say that some of those a lot of those have very specific angles, like a good part of cisa they're, actually interested in improving the security of Open Source software. That's used by critical infrastructure, so they're thinking about dams, electrical power grids that kind of stuff- and that is not necessarily this list. In fact, I I think that there would be quite a different list so, but for some, like the German government, one I'm sure that they would be very interested and that for them, I think the goal is just hey.

D

Please look at our list now. We can just tell our friends: hey, go look on our list, but uh if we do a blog post, then that gives them cover for looking at the list. So oh wow look at that. They announced it and it's a big announcement. So we should look at that list. Mm-Hmm I suspect they would look at it anyway, but uh um you know I think that would be helpful to them.

D

At least I would hope, so you know, and they can make their own decisions on what not whether or not do anything with it.

A

Any other thoughts on like how you might use it.

A

um Are you curious, like you want to get involved in open source? You, oh you're, a company, and you you want to know if your stuff that you use is critical like I, don't if.

B

You like Google summer of code or like that you know, have these programs.

D

Programs.

B

And that's.

D

A great idea: yeah: are you looking for an area where you might contribute if you're, if you're looking to re, say review open source software and you want to you know, look up for you know, do security reviews of the most critical ones. These would be good ones to look at, not implying that you can't look at others, because that's ridiculous, but um if you're looking to evaluate something now, I think we do have to be careful, um not implying that these are the problem. Children.

D

These are critically disastrous, which is not what we're trying to say here.

B

Yeah look for projects to contribute to yeah.

C

Yeah.

D

But both contribute to in the sense of code. Well, actually, I, don't know some of the mayor. May you know most of them are open to, although you know some of the smaller ones, um especially the ones that think they're more or less feature complete um they're going to have a higher bar, but all of them will be very, very interested if you found a vulnerability and it was a real vulnerability. I would hope that every single one of these projects would say. Oh yeah,.

A

Okay, all right, they do something like something like that: um okay get involved in the working groups, I guess projects, um that's pretty much it. Okay, okay, do.

D

You want to try to create a Google doc with this content or or something for.

A

This blog.

D

Yeah yeah.

E

So I'll do this.

D

Yeah I can do I can create it. If you.

E

Want me, okay, sure.

D

uh Let's see here I, you know now to be honest. I should know see if I was smart, I would go, look for the tries for open ssf.

D

My drive, open I, should have a quick.

D

I should have something that just quickly jumps to the openness itself drives shared drives.

E

No.

D

Oh, that's just sad.

D

All right, uh open this and stuff has a drive um I'm having a little trouble. This is uh problem is between uh keyboard and chair here. All right, you know one. This is gonna, be a short Doc anyway, that not lasting long I suspect. So why don't we uh quickly draft up something and we will.

D

uh Let's see here so final, let's see what are we calling this uh critical critical OSS, a critical open source software projects, 2023.

E

Yeah.

D

All right, uh uh let me see here, I am going to.

D

All right, let's switch to make this to anybody in the link, can comment.

D

All right that means that now I can put here and now you can request. Let's see I mean you are an editor.

E

uh

D

Chef I have an email for you, I, don't know if it's the right, email I have a gmail.com account. Is that a good email for you would.

A

You prefer me to use a different.

D

One I'm sorry.

A

I'll use that.

D

One use that okay I will use that one.

D

All right so at least my theory is we write the text here. We might even just copy paste the tape, the portion, the pretty version of the table in here.

D

uh Sorry.

A

The whole thing.

D

Well, yeah, because this is eventually you're gonna, be the blog post right.

A

Yeah, the blog post can't contain the whole list.

D

Well, okay, all right, I! Guess: I! Wasn't writing the blog post! I was writing the actual introduction for the document.

A

Oh okay,.

D

Okay,.

A

Yeah.

D

So I think we need two things: you're right: okay, we need two things. So what I just did was create the actual uh yeah intro to list list yeah.

A

Yeah, okay, this.

E

Is what the lockdown is going to be, or something.

A

Or something.

D

Right: okay, we could just create a Google doc, but I, don't think that we should because I think that that's a problem all right. So let me create another. Now again, my amazing super powers, uh blog post.

D

Okay, let's see here.

D

uh All right, Vlog, post sorry about the mechanisms here, but uh I really want to make sure that we're we're not blocked by nonsense.

D

Yeah we're gonna editors.

D

And here's the link for that.

D

Now, if I'm really clever.

D

Alrighty I would suggest writing the the report. First.

A

Yeah, because we're essentially I'm saying we want to reuse the, uh what is it, how is it made uh in the blog post, so we.

D

That needs to be done first right and- and this is a report from the uh the open source security Foundation.

E

Thank you.

D

Critical projects working group, okay,.

D

And the intro to the list should be.

D

I will introduce you by the way to weird davidisms.

D

Put triple question marks everywhere and then what I'm gonna say and when I, when, when I start breaking it down, then I start each of those subsections get Triple marks and when I run out of triple question marks the document's done foreign. You don't have to do it that way. Just if you interact with me a lot on my documents, you'll start to see that nonsense.

D

I, don't know if it works for anybody else, because.

C

Otherwise, I'm sorry, it's as long as you've got a system sounds like a good one.

D

Well, it has the incredible advantage of it: it works in all kinds of formats and things. So um now. Yes, the securing critical projects working group- okay, yeah, so you already posted.

C

And that I wonder.

D

Yeah in our little notes, it seems to me that we've already got some of that text right.

A

We've got the: what is the list, but we need to do the. How did we make it right.

D

Okay, so let's, let's start with that, yes, um the the open, ssf and I guess I. Should it when, if it's since that's really the author thing, I probably should repeat that right, okay, the opener closer has been working to update its set of its set of critical, open source software projects.

D

Aka, you know, is it a set or is it a list? That's.

A

Set: it's not ordering.

D

These set of critical projects.

E

All right.

D

um Well,.

D

Wait: that's just past tense. We need to explain what that this is the document. Okay, yeah. This document.

D

Presents the.

D

um

D

uh By from the okay, what is this? This is what this is: okay, the purple.

D

That's now kind of a circular definition.

B

Yeah, that's what I was a little worried about. Yeah I thought it was a little.

C

Oh boy,.

D

These uh have been determined to be highly important, whoop.

D

Can you hear me.

A

Yeah.

D

Okay, uh my access to Google Docs suddenly disappeared.

D

And now we're back the the the risks of uh of this kind of of okay, the uh okay. This set identifies.

D

Our open source software OSS projects that.

D

And you know what now we can introduce this, this set identifies that have been that have been determined.

D

To be uh highly out to be highly important, I mean it's just important, I, don't know a highly important bye.

D

um Through the process described below right.

D

And that means we have to describe the process.

D

Weaknesses, caveats.

D

It any such set will have any.

E

Set.

D

Like this.

D

Limitations, something and and so on now don't we we've got the doc I would copy from that other doc. The process we just used.

D

I'm sorry Wichita.

A

And Markham.

D

uh Well, we've got multiple markdowns.

E

Here.

D

Somebody copied in the actual list.

B

Yeah I just gave it a little cleanup and posted.

D

It in yeah yeah, you know what actually I think that just having the selection reasoning, slash justification uh does help, especially presuming that we're going to explain what the heck those are.

D

A moment ago or earlier.

D

Okay,.

D

Yeah, so that this implies the um process uh uh need to note, need to explain. Selection reasoning, slash justification.

B

You.

D

Know what actually I'm going to kill this list comment. I think that's actually pretty darn good when we, when we only include well okay, now GitHub git lab, oh I, see or or Source repository. Yes, oh, hey, shame on you!

D

You should know better.

E

Oh.

D

In fact, is this really just Source Repository.

B

Yeah, that's more concerned.

D

Boom, in fact, I would argue that should be that way in the original hahaha I.

C

Mean.

D

Now that we're looking at with a clean eye, we're going oh wait. Yeah.

C

Let's Do It.

D

Done, okay, you, but you know what uh you know: what's great about Source repo I I've I've been telling several folks. This I understand the problem when you're talking about proprietary software, but when you're talking about for open source software, you know which X did you mean I mean this repo.

C

Mm-Hmm.

D

Complete with a URL completely eliminates the which one did you mean problem.

D

Okay,.

D

All right now, I think that we can slip in the text that we just talked about earlier today.

D

Okay, I'm gonna copy paste I. Well, we can clean this up, but.

C

Yes, this is actually a pretty good paragraph on the GitHub. Let me see if, if uh it.

D

Helps look at this. We didn't have a report and one is popping up magically.

A

Should we put the users in the report.

D

The potential user I I think yes, because.

A

Should that just be in the blog or be in maybe like our readme or something like that.

E

uh

D

I mean that's a strategic question more than anything else.

A

I kind of feel like it should just be what it is, how we made it. Here's the list, okay,.

D

And then the blog we talk about who we expect.

A

Who's using it, how we think you can use it, how you can get involved. Okay,.

D

And that's a nice distinguisher, okay, I'm gonna cop I'm gonna cut it from this one and it turns out and then suddenly.

C

This is where we put info on the selection criteria, which is going to be here.

C

Oh process, okay, might be too long, but.

D

Do we need to say set in the title.

B

I think so it.

D

Makes it awful long? Why don't we just say critical, open source software projects and then explain that this is a set in this document itself.

C

That's.

B

Fine.

C

Okay, I.

D

Mean okay thanks I'm waiting, because if you disagree, that I mean there's nothing evil wrong. It's just.

B

Yeah we've just gotten good within the work group to keep calling it a set now because uh to make that distinguish.

A

So many people are.

B

Hung up on the order.

A

Yeah.

B

Exactly and they still are calling it away.

D

Okay, this identifies um a set of okay, so, let's head in between the eyes, if that's a key problem, please note that this is not a list. It is a set.

D

uh There is no implied order in the list. uh Well, actually, no, there is an order right. It's alphabetic.

A

There's no.

B

Prioritized.

A

I guess: okay, the order is not it.

D

Does not imply significance right? Do we want to alphabetize this? Yes,.

A

Absolutely.

D

That would be one that would be one obvious solution. Yeah. Can we alphabetize with a table within or do I have to go back? Do we have to go back to uh uh Amir? Did you just copy paste it in or did you do something special to this thing? I.

B

Did a little bit of smithing um and I think it is? It was alphabetized until the very end we added a couple yeah.

D

But now it's not alphabet.

B

Sorry yeah, if we want.

D

To say it's alphabetized see tools.

D

uh Extension.

B

Should.

D

Be done. Oh sorry,.

B

Oh I I was able to do it within the table, but it also factored in me.

D

All right we can move, we can move the header, you know that is incredibly amusing. Would you mind moving the header yeah.

B

I got it all right and then I'll uh I'll, re-alphasize It.

D

Fabulous all right all right, very good, very good, um all right so.

C

There you go all.

D

Right this document presents the test at that. Please note that this is not a list, not a list. It is a set there's. um The um this set is listed in in alphabetical order by project name.

D

Okay, there is no implied ordering within the set.

A

I do need to run to another meeting in one minute: okay, oh.

C

Wow all.

D

Right, quick, well, I'll tell you what um we said we needed. We we've. We basically have agreed that we need to have something that looks good I will say from here on. We can either generate markdown and then generate HTML, or we can just turn this into a PDF. Either works um if you want to create a PDF. Of course, that's super easy and then um so so it sounds like the homework now.

D

Maybe we can post. The slack is uh working on this report and the blog post yeah, and you know if we none of us get to us, then this here's, what I would propose if we don't get to it between now and next being the next meaning is we finish this off yeah.

A

Absolutely yeah absolutely sounds great.

D

All right so I think we're making progress. Yeah.

C

Absolutely yeah a lot thanks.

B

So much yeah, of course, take care of yourself.