From YouTube: Securing Critical Projects WG Bi-Weekly (July 14, 2022)

A: Taking over the David's, I'm here, there's always an opportunity for you to change your name today.

A: I'm looking at the 56, the pull request.

A: Yeah, I'm gonna apologize in advance. I have a conflict at 12:30 that he just found out about yesterday.

C: Sorry, me, hi, I accidentally threw off your attendance there.

A: Yeah, we characters, by the way, for those of you who don't know, basically we're trying to make sure that all working groups have representation for multiple different organizations and, like, people are showing up. So, and frankly I find it helpful to know, oh yeah, so we're at this meeting, and I don't remember exactly what that's all about, but I know that person was there. So I know that we're also recording, but it's awful handy just to have the list.

C: Jeff, would you like to do... would you like to facilitate today?

C: I must have caught him at a bad time, but yeah, I'm more than happy to. My voice is a little hoarse from seeing Rage Against the Machine earlier this week. So.

A: Oops, do we lose... yeah, I'm wondering if I saw Jeff a moment ago, but it looked like...

A: I know, hopefully Jeff can fix those problems up.

C: Excellent, yes, more than happy to. So hello and welcome everybody to the July 14th Securing Critical Projects Working Group meeting. Very happy to see you all. Thank you for joining today. As we normally do, we love to start with introductions, you know, anyone who might be new to the group.

C: Not to put you on the spot, but Mihai, would you like to do a quick intro?

F: Oh sure, I have been joining in the past several times, like, oh.

F: So I'm from Google. I joined a little bit before the summit in Austin and have been joining from time to time, but mostly keeping silent. So I joined the supply chain security group at Google now. Awesome.

F: Probably be working more on SBOM and sell society.

C: You a chance to introduce yourself, so wonderful. Again, welcome, I'm very excited to have you here. Looks like the first agenda item is the DCOs. David, is that... would you like to talk about that one?

A: Sure, this is actually pretty straightforward. This is more of a heads up. The TAC agreed at their meeting earlier this week they want to start enforcing DCOs. They're actually in the charter, but because we're not enforcing them, they don't always happen. How's... I'm trying to be gracious. So it turns out it's not that hard to turn on a requirement and whine at you.

A: If you do a pull request and forget to do a DCO... for those who don't know what a DCO is, that's the little "Signed-off-by" at the bottom of every git commit, and what it asserts is that you have the legal right to actually prepare that commit, either you wrote it or you're providing it from somewhere else and under an appropriate license.

A: So it's basically a super inexpensive way to provide some extra legal protections that a lot of projects use. So just want to give a heads up. The plan is to enforce. If there's a problem that we don't know of, you know, let us know. We're trying to give a little time, just in case there's a problem. What do you mean, basically? Okay.

A: Right, right, I mean, you know, the point of the DCO is to make it relatively easy. It's a reminder that before you commit, oh wait, do I have the legal right to do this? For most of this, this is not a problem. I mean, you know, hopefully most folks work with your employer and making sure that you're not doing something illegal or, you know, in violation of your employment or contractual...

A: No, no! No! This is purely a... we're going to turn on Probot, and there's a little flag on GitHub that checks for it and whines at such if you don't do it.

A: Right, that's right, right, and my experience has been, if you've never done it before, and say, oh wait, new step, and then after you do it a little bit, you start just doing it everywhere, because it's, I mean, it's a lowercase -s option if you use git commit. It's not hard, and please do read the DCO. It's what, a third of a page, and basically just says, before this commit, I'm asserting I have a legal right to do so. I mean, that's all it is.

A: For those of you who are history buffs, it's a side effect of the SCO attack on the Linux kernel, folks. Steamy more over drinks if you want to hear the long and starry tale. You're...

E: You're causing PTSD to IBMers on this call, David. I'd like you to be a little bit more sensitive to the ramifications of the words that you choose to use in public, sir.

A: Oh, my goodness, yes, indeed. You know what, I... at my house off to IBM, who really, my understanding is, not the first time IBM has been... well, I don't know how to say. Subject.

A: Go... anyway, this is a simple mechanism that provides legal protection without a lot of effort once you get used to it. So anyway, thank you. That took more time than expected, but hopefully it was useful. Excellent.

C: Yeah, what this makes me think of is, I do think it makes sense to maybe, at some point in the near future... I know we had talked about this, I think a couple months ago, about really kind of dotting our i's and crossing our t's in terms of, like, everything we need to do with governance, like with our charter, and kind of formalizing...

C: All of that. So, if it sounds good to Jeff and everyone else in the work group, I think it makes sense to maybe take one work group meeting in the near future to, once we have, I would say, good guidance of what we need to actually deliver, really just kind of all put our heads together and kind of get all of that taken care of with kind of our governance and some of our administrative tasks that we need to do.

C: Awesome, okay. Next on the agenda is OSS Europe, so that is going to be, if I'm not mistaken, in Dublin, Ireland, from September, I believe it's the 13th through the 15th. Should be a good event. I know OSS... what am I trying to say? North America, I almost said Native America, sorry. OSS North America was a fantastic event and I'm anticipating OSS Europe to be very similar, so do check it out. Looks like they're...

C: Okay, looks like they're trying to do an OpenSSF Day for that as well. Do we have any kind of up-to-date updates on that, David, about the event itself or OpenSSF Day at OSS Europe?

G: Oh sorry, what was that you said, Jeff? Yeah, I didn't see it open yet, but I remember the initial communication to the working groups was, you know, tell the working group that there will be a formal CFP and to prepare proposals for when it happens. It might be fast. It seems like it's coming up, yeah. I have a feeling it is, and that's...

C: Okay, that's correct. Okay, awesome! Thank you! Thank you, everyone, for the confirmation. Okay, yeah, so yeah, definitely check out the event if you can make it. I would recommend it. LF events are great and they're a good way to see people in person and catch up and learn about all the great initiatives going on.

C: Okay. Next on the agenda, we have "add leads and contributors to projects/SIGs", referring to pull request number 56 from the GitHub.

G: Had discussed this in a previous meeting, and the idea was just to get some names down before we get to the point of the whole... was it charter and things like that, of the more strict definition, but at least get something down so that we can kind of have more focus around each effort that this group is doing. So, and good comment there, David. Yeah, I should add Caleb.

G: I think he seemed to agree that he could do package feeds, so I'll change that set of question marks there for package feeds to be Caleb as well.

G: Any other concerns in the meeting on that PR, the idea of putting those names there?

C: No, no objections from me. Looks good.

C: And then the next thing... I threw something up on the agenda as a continuation of the conversation from two weeks ago about this process doc for identifying critical projects. I thought before we dive into that, if there were any other kind of open agenda items or topics that anyone would like to bring forward first before we kind of dive into that, I'd be happy to hear from the work group.

C: If you had any either agenda items or things you want to talk about before we kind of dive into this.

C: Yeah, I'll share it now, so just to be easier, and if you're in the Google Group for this working group, you should have full access to the document, but in case you're having issues with access, please let me know. And I'm aware we still need to kind of get that fully figured out, the Google Docs and the permissions and what have we. But if we have the document up, I could even, just for ease...

C: Let me see: oh, I can't share my screen. Okay, yeah. So the first thing that I added that I would love to have some discussion on and maybe come to consensus on is... we talked a little bit about, you know, what is really the purpose or the objective of this list, and so underneath objective, which I put, you know, a process for nominating, identifying and prioritizing critical projects, critical open source projects.

C: The reasoning for the list, I put: to provide a best-effort analysis of quantitative and qualitative research in the open source ecosystem and generate a curated, living list of projects deemed critical to organizations and individuals. Open the floor for discussion if that sounds kind of like what we're looking to accomplish here. More than happy to include thoughts and feedback to improve this.

A: That's okay. Is the... we probably ought to make it clear that this is our... an initial process. Except it may be a process, an initial process, because I really liked Jacques' presentation. I'm sorry that everybody didn't get to hear it. I'm hoping that video is going to be out soon. It was a great pitch on, I think, a better long-term process.

A: I think there's acknowledgement that it's going to take time to get there, so I have no trouble with using this process as the starter, and I think doc was proposing the same. So, you know, I didn't do that suggesting, but okay.

C: That's fine, we could do an initial... yeah, okay. Okay, and then does the reasoning kind of capture really kind of what our intention is for what this is supposed to look like?

C: Yeah, so under deliverables, I thought the first phase could be just kind of a list of projects deemed critical, not necessarily prioritized or chopped up in any given way, kind of like Vicky's example of, like, 100 greatest hits, to use kind of a music reference. So I think, at least to my understanding, that is the kind of phase one or step one, is to just get a list of projects that we kind of ran through some...

C: You know, some analysis, some feedback, and came up with this list for people to ingest and use how they see fit, because I think it's important that we don't be too prescriptive and say, like, this is something for you to consume. But again, that's kind of what we're discussing here to figure out and make sure we are in agreement. So, David, you have your hand up.

A: Yeah, first of all, I do want to support a, you know, a co... not ordering within, mainly because I think we're going to struggle trying to come up with that order. We're not... Jacques' more sophisticated approach, I think, would be better if we were trying to have a more differentiated ordering, but given that we're right now just trying to come up with that rough order, I think undifferentiated is better just because we're not going to have that sophistication.

C: Yes, so does the... and I guess, conceptually, yeah, so the goal is to just kind of come up with 100 greatest hits, you know, of all time, more or less, as kind of like a phase one, and the reasoning for that is, again, we want to have something that people can use, you know, as a data point and, you know, for their own use.

C: I guess, and would you all say that that captures really what the intention of this list is supposed to be, or this set is supposed to be?

C: Okay, and again, and thank you, David. I actually like... if you want to either do suggested mode to include suggestions, they are more than welcome. So let me look at the notes. So I'm actually going to put this in the notes for people to comment. And then, yes, and then we started talking about kind of the first step of that, at least how I kind of visualize it, is what I'm calling an ingestion engine, like something that we take...

C: You know, data in to. This is, I guess, goes to your question, Jacques, of if we have any thoughts of kind of what tools or what to use to actually capture this information. If anyone has any feedback on that, be more than happy to discuss that now.

D: I mean, for a first pass. Looking, let me look at the dates. We're talking about August 15th, so four weeks, roughly.

C: Yeah, I like to set very aggressive targets, just so that, you know, I understand that there is a time, there's an end.

D: You like to see the light at the end of the tunnel instead of more tunnel. I know that feeling, yeah. So I think that's fine. That would, to me, militate in favor of a very simple solution, something like Google Forms, plus, you know, backing into a spreadsheet, a Google Sheet, yeah, just something really...

C: Simple. Okay, yeah! That's... that is what I was leaning towards too. I don't want to be too myopic and just think about what we did in our first iteration, but when I think of what can be done relatively quickly and easily, I even have that here too: a Google Form, and that feeds into, like, a sheet of identified projects, being kind of like the first phase.

C: So do we have any thoughts on that? I think GitHub could potentially work in some ways, because there's strong kind of change controls and you can kind of see what other people are doing and contributions they're making. But again, we're walking the fine line of, you know, actually having something, a deliverable, to show people, but wanting to do it in a way that's effective and can be built on. So do we have any thoughts on that?

A: I mean, I think something where we can work together, and it is going to be necessary... I mean, frankly, a Goo...

A: A simple table like we did last time is perfectly reasonable. I do think, and I'm gonna have to run before I go, we need to capture rationale.

A: Okay, I'm going to propose that into... cool. Yes, Google Form is the right thing.

C: Yeah, yeah, that was... yeah, and that was exactly my intention too. I like the idea of, you know, a small project maintainer being able to make their case and say, you know, have the opportunity to be like, hey, I think my project, for example, could be considered critical due to this reasoning, and just really give folks the opportunity to do that. David, David, you have your hand up.

B: Yeah, I mean, one... all through that, sort of related to this, is actually talking with a colleague of mine July 4th, former colleague, who works on a couple small projects, and what I actually suggested to him is: why don't you go over to the LF, the... was the Critical Infrastructure Initiative or whatever this dispatches, and fill it out and fail.

B: Just to say another alternative to how to end this. It's like, you know, it's already publicized. Sorry, we've been saying, okay, you know, we've got whatever this LF, the... whatever the badge is called now, whatever's inside, go to the business, like this entire form. You fill out, okay, I've got this characteristic and I've got, you know, this committee. And I said: go to the form, add your project and fail.

B: So that was, you know, it's like easy. You know, the LF is already, even for years, I mean the previous Core Infrastructure Initiative, project equipment, sort of critical infrastruc... whatever the heck that acronym stands for. You know, let's just, you know, publicizing this, so, you know, people at least there's some awareness with those two, you know, studies and reports of, you know, here is a funnel.

D: Just, you know, without counter case, I'm gonna enter a counter case, oneness, which we're sort of roughly focusing on like impact or magnitude.

B: But I'm just thinking we're looking for other... I mean, I thought part of this was how to get other, you know, other data points. I mean, how to get, you know, other places for things that are missing off. I mean, sort of this Alpha-Omega. I mean, like, what we've got, you know, what the big, high, you know, publicity, you know, top of the line projects are, but how to be aware of these other, you know, in addition to, you know, all the great work that you're doing.

B: Okay, take a thought, take it just in the segment. This is just another place to potentially acquire additional data points, additional input for this: projects that are important that are, you know, falling beneath the observability horizon.

H: Yeah, I think, a rich jock. I think primarily we want to make sure we encourage things that are less subjective or more... you know, it feels like gaming. You know, we don't want... you know, we want to invite people to say, I have a project and I'm sincere, I'm not trying to game the system.

H: Please pay attention to me. But we need to give them tools, and, you know, we might have tools to determine a blast radius or, you know, severity, you know, even for a small blast radius, or some things like that that fit into our criteria. But we've acknowledged we still want to make it flexible, so we can give them, you know, give teams proof to say: pay attention to my project.

H: We used the same tools you did and I can prove from my ecosystem or from my language or whatever it is, but I have a similar blast radius within this domain or this ecosystem. So, you know, I don't want to encourage building a game system by saying fail something to get on the radar. You know, this team, this group has proven through our conversations that we want to be considerate of a larger community, and that we acknowledge that we can never get a perfect set of tools or readouts.

C: It would just be... so there's a Google Form where you can basically nominate projects, and then that feeds to this sheet of identified projects that we're calling... does it make sense to just kind of have it singular, meaning the only way to basically get a project nominated onto this sheet of identified projects is through the Google Form as a process? Or are there better ways to potentially do that, or offer multiple ways to get projects basically nominated or onto this kind of identified list? Thank you, Jeff, take care.

H: Well, again, it comes, you know, if... as long as they have a way to, you know, if they show up to the work group meeting, you know, I think the former is the best approach: having a single, you know, point of entry, a single path for everybody. You know, they can come to this meeting and plead their case and bring other evidence or whatever, but in the end they can attach it to a form.

C: Okay, yeah, that certainly makes sense too, kind of making the process, like you said, like a single pipeline, where there's only really one way to do it, and we do it in a way that, you know, is accommodating to all sorts of projects and folks.

C: And I feel like maybe we shouldn't constrict ourselves to where you can only nominate, like, one project per form, correct? Like, if you are familiar with a large list of projects that you think are critical, being able to nominate all of them via one form might be easier than, you know, if you have to go one by one and nominate, you know, only one project at a time.

C: Does that make sense? Sorry if that was confusing, yeah.

G: I mean, we may want to judge projects as groups too, so I don't know if we'll end up wanting to have multiple lines for, like, a set of repos that kind of represent a single project.

C: So that's a good point too, because, like, a project like Argo, you know, that's just one word, but you go onto their GitHub and you see that it's actually, like, multiple projects, multiple GitHubs. So that's a great point: how we think to capture that.

G: Yeah, so I don't know if we'll have, like, just a generic name that represents multiple, like a group, and that's okay for people to submit. I mean, I think that if that's how people think of it, that's the right way for us to think of it as well.

C: Okay, and so, okay, so basically a space to put the name of the project, probably a GitHub link, just because that's something we'll probably pull up ourselves anyway, so that can make it a little bit easier, as well as rationale or selection criteria.

C: Maybe having, like, being able to choose from, like, a menu of selection criteria, or, like, an "other" for, you know, if you would like to put in your own, basically, rationale.

G: Yeah, what about the categories? Or, you know, are we going to have people, like, say, is this, like, which package manager ecosystem it belongs to?

G: Like language, or the other one that you like pointing out: frameworks, languages, libraries, databases, yeah. If people can fill it out, they'll save us some work, right?

C: It certainly would, yeah. Actually, after looking into Julia's presentation and her PowerPoint about, yeah, just like you said, the frameworks, languages, libraries, databases... I mean, if that is already a pretty well established kind of structure for categorizing open source infrastructure, then maybe we could just use that and call it a day, and, you know...

G: I mean, all these boxes can be optional on the form, and the more columns we have that we're looking at, I think the better, like... I don't know that we should... that's...

H: Yeah, so I mean, so it got me thinking. You were talking about granularity of project relative to number of repos, but I think it's also relative to packages. So, well, we have a way to say: give us an SBOM for Argo, for Tekton or something, you know, things that we even reference here in OpenSSF, saying here's my SBOM and you can use the composite components for that software to help weight, you know, lower level building blocks, their severity.

C: Yeah, deps.dev comes to mind as a tool that could potentially be used. Jacques, do you have any thoughts on that or on Matt's point?

D: Yeah, I was just gonna say, probably a good source for that would be the Harvard census rankings, because they've already sort of done that heavy lifting, defined dependencies of dependencies of dependencies, that sort of thing. And the really nice thing about the Harvard data is that it's based on basically telemetry from software composition analysis on sort of private code bases. So basically what...

H: Yeah, yeah, I agree. The Harvard comes to mind heavily every time we meet, in the back of my mind, but it goes back to additive weighting. So, you know, we acknowledge that, you know, there has to be willingness, and, you know, by submission of form, you're willing to participate, you're asking for help, you know, those type of things. So, in addition to any base weightings we have, that kind of indirectly adds to a weighting to the set of these dependencies.

H: You know, an indicator that there also is a willing set of, you know, contributors, either knowingly at a top level saying, I know this package is important, I submit that package again, or I'm spending Tekton, and indirectly we can say, oh, we see that Tekton is highly dependent on the signing library and that adds to the weight again, type of thing. So.

D: Sure, that would be a lot.

C: Okay, okay! Wonderful! So, are there any other thoughts on how this, basically, this ingestion engine, this form, would look like or ask for, or any thoughts on, basically, how that would feed into the sheet of identified projects?

D: I think one thing is that we'll want to link to the sheet, so people can look to see if what they're about to suggest is already there, since it'll be a Google Form, it won't be able to do something smart, like, say, you know, do a type-ahead search to show you that you're about to nominate GCC for the 15th time.

D: Which, you know, very, very deserving of being nominated 15 times, of course, but know how to rank 15 versions of GCC.

D: Yeah, npm has that, I believe PyPI and RubyGems. You can download a dump of the database that contains download counts, because I've done some stuff with that, and...

G: I mean, I think there'll be a step, so I think on the form, we're not going to ask people to type that in, but I think there's going to be a step between A and B here, the ingestion engine and the identified projects, where there are columns that we need to fill out based on data like the Harvard ranking and things like that. So the list there under B, pull count data, Harvard census data, et cetera, should probably include that as well, and hopefully there's a way we can automate that through the...

C: Yeah, yeah, so, and kind of like our test run of this that we did a couple months, or a while ago now it seems, we certainly used that as what we called selection criteria or justification.

C: So if it's come up pretty consistently, let's say on the Harvard research, then that is a valid selection criteria, and I think we also had pull count data as another selection criteria too, because we had folks nominate projects that basically, they just generated a list of the top Docker pulls or the top Docker downloads.

C: What projects, and recommended some of those, and a lot of those cross-referenced with stuff on, you know, the Harvard study, criticality score, for example. So we definitely do want to capture selection criteria, or, you know, why, basically, and lots of times, I think, probably an easy way that we could at least do some automated analysis of this is seeing what projects come up on multiple selection criteria. So something comes up in the Harvard study as well as the criticality score as well...

C: As, you know, pull count data, then, you know, that ideally would raise its ranking, or...

C: Yeah, exactly, so that's why I definitely think we should be capturing, yeah, the why, or the selection criteria, and have, like, maybe have a menu of some really common ones.

C: So, you know, like the Harvard Census II or criticality score, pull count data, and then, but also have that room for other justification in case, as David E was mentioning earlier, you know, we want to also try and maybe find ways to capture some of those projects that fly under the radar, and this could be a good way to capture that.

C: So yeah, yeah, does that give you some insight on that, what you were saying earlier, Randall?

J: Yes, it does. I was also going to add something that I forgot.

D: Yeah, I'm glad you got to me because I'm basically a sentient jar of jello at the moment, having flown from the other side of the world earlier this week. I was so keen on making that joke the dark camera.

D: What I was trying to say... oh yes, I'm concerned, I'm a little concerned that, like, what we're talking about is all great, but it's going to be a lot of manual work. So filling out the columns for the Harvard census ranking, filling out columns for criticality score, and filling out stuff like download counts, like, somebody's got to go and pull those numbers or write software to do it, and that sort of starts to interfere with the goal of getting a quick and dirty number... less a quick and dirty set, rather, so to get the ball rolling.

C: Yep, that's a good point. I mean, we do want to make this as less manually intensive as possible, but I think if we're able to get help from, you know, the community, for example, people who are nominating projects, to do some of this stuff as they get involved to nominate a project, hopefully that'll ease some of that manually intensive work that needs to be done, yeah. And hopefully, as we iterate more, you know, maybe we'll find, you know, clever ways.

C: Thankfully, we're in the room with a lot of really, really clever people who can figure out ways to automate things, so maybe as well. I'm...

I: Yes, kinda, I was gonna say: couldn't we just make this a GitHub repo and make people do PRs against the GitHub people, and automate everything else, like criticality scores and everything?

C: That's a good point. I mentioned GitHub earlier in the meeting as a potential... basically, I can't think either, but yeah, using GitHub, but I don't know... I don't know GitHub very well, but it could be something we could migrate to or even do from, you know, as we start to do this. I do a lot.

C: Well, could I potentially ask you to do something, Randall? Absolutely. So I have an action item set to just have, like, a draft template of this form done for our next meeting, which is in two weeks, on the 28th.

C: But if you could, basically what you just said, so take a look at what we're trying to do and maybe get a very basic idea of what that would look like if we just did it all on GitHub, yeah.

C: Okay, so yeah, if you could maybe give us some basic insight on that by the next meeting. And then, if that...

C: Maybe we can... well, we can work with you on formalizing that a little bit and actually implementing it as part of this process, if that's something...

C: Awesome. Jeff, you had your hand up for a minute. What's going on?

G: I was gonna say, to Jacques' point, you know, if we get a lot, if our list is really long, and we want to maybe, like, take a pass first of whittling it down, and then, when we did this the last time, it wasn't that hard to, like, kind of look up some of these stats in real time going through. But if the list isn't that long... so we might have to do a staged approach or something like that, but yeah.

C: Awesome, awesome, yeah, and I would agree, Jeff. I think, even though it was pretty rough the first time that we kind of went through this, I mean, it wasn't perfect, but I think it was good. I mean, we...

C: Well, it comes up in every conversation about criticality that we've had, so being able to justify it a little bit better, but yeah, and like what we're attempting to do now in terms of just formalizing it a little bit more, having a little bit more of a process, I think will definitely go a long way. So, for action items.

C: For two weeks from now, I will have a draft template done for, what, for the first part of the ingestion engine, and then we're also gonna, hopefully, hear from Randall and discuss maybe just migrating everything and doing it all on GitHub.

C: Thank you, Randall. Okay, so we've got about five minutes left. I like to keep the end of meetings open for just general discussion. If there was something that maybe someone didn't get to or didn't get a chance to voice their opinion, we'd love to hear from you, as well as, I guess, any general project updates that either are directly or indirectly related to the work group. We'd love to hear from you. So the floor is open to anyone who would like to bring up a topic.

G: Do we want to set any agenda for next time ahead of time, like continuing this same topic?

C: Yes, absolutely. Send my email in the chat, yes, yeah, and I'll forward it to Jori, who has been helping us with a lot of that. I know she's on vacation until, I think, the very beginning of August. So, but there's other people that I think can help with this. So, but yeah, we'll get you on that working group list.

C: Actually, I'm not sure, maybe Matt, you know this: is there a way that you can auto-join?

C: I don't blame you, but yeah. I believe joining the mailing list is the way to get into the Google Group, which will make a lot of the things a lot easier, but yeah. Thank you, Chris, for that. Do we have any other thoughts or topics or ideas?

C: Okay, I have a very quick one. Just, shh, let me just grab that link real quick.

C: We just, I think it was Monday, Monday or Tuesday, OSTIF, Open Source Technology Improvement Fund, we released another audit report. This one was of the CNCF project KubeEdge, and I thought it went really well. We found some issues, fixed some of them, actually most of them, and then incorporated some new fuzzers and wrote some new fuzzers for the project so that they can, you know, continue to monitor and find vulnerabilities in their project.

C: One last thing I thought of is, I believe there's a town hall on Monday. Is that right, an OpenSSF town hall? Oh, I'm behind on my email. I don't blame you, me too. Let me double check my email here.

D: I don't see it on my calendar, so quite a shackle. That means it doesn't exist.

C: Okay, well, I guess if we don't have any insight on that, maybe we'll just look out for an announcement or something like that. Awesome. Do we have anything else before we adjourn for today?