►
A
A
B
A
A
Typically,
as
I'm
gonna
fire
up
the
get
the
notes
up
going
shortly
here,
while
I
do
that
we'd
love
to
hear
from
anyone.
If
it's
your
first
time
or
if
it's
your
first
one
of
your
first
meetings,
we'd
love
to
hear
from
you
introduce
yourself
or
anything
you'd
like
to
tell
the
group,
so
I'll
open
up
the
floor
for
a
couple
minutes.
B
C
A
So
looks
like
we've
got
that
and
for
the
time
being,
we
don't
have
anything
specific
on
the
agenda.
I
would
definitely
like
to
continue
the
the
conversation
about
the
identifying
critical
projects
and
the
ingestion
form
and
all
that,
but
but
before
we
dive
into
that
is,
are
there
any
agenda
items
or
things
that
anyone
would
like
to
talk
about.
A
A
A
B
A
D
A
C
So
let
me
take
the
opportunity
yeah.
So
three
of
us
myself,
there's
Alex
Kim
from
IBM
and
ishel
from
jfrog.
We
have
volunteered
to
organize
a
virtual
Workshop.
It's
it's
called
a
conference,
but
I
think
it's
more
like
a
workshop
of
Open
Source
maintainers
and
to
hear
about
their
problems,
their
pain
points
and
hopefully
build
some
understanding.
So
it's
it's
a
dialogue
to
and
and
get
the
open
source
maintainers
of
the
top
critical
projects
at
the
at
one
place
and
hear
about
the
clean
points.
C
Get
some
understanding
then
probably
coordinate
with
the
other
working
groups
and
then
get
that
idea
disseminated
and
so
on.
So
that's
kind
of
the
main
main
plan.
Michael's
coveta
was
the
original
guy.
Who
was
the
like,
whose
brain
spawned
this
thing,
and
we
are
just
the
executor
at
this
particular
Point.
C
There
could
also
be
the
different
domains
like
the
fintech
industry
may
have
different
pain
points
than
the
then,
the
let's
say
the
healthcare
industry
and
so
on.
So
we
cannot
be
able
to
address
all
of
those
Concepts,
obviously
in
one
meeting.
So
if,
if
the
event
become
successful,
if
you
can
figure
out
a
format
and
so
on,
the
plan
is
to
make
it
repeatable,
let's
say
every
six
months,
every
three
months,
however,
whatever
is
the
is
the
timeline
that
we
can
agree
or
or
can
arrange
or
organize.
C
But
right
now
we
are
still
figuring
out
about
how
to
identify
the
the
scope.
So
I
would
appreciate,
maybe
like
open
this
up
and
get
feedback
from
other
people,
so
that
I
can
bring
it
to
our
small
group
of
discussion
and
and
finalize
on
that,
so
any
thoughts
on
like
whom
should
we
bring
in
or
how
should
we
determine
them
to
bring
in
and
so
on.
C
It's
a
different
one:
it's
it's
basically
an
actual
Workshop
where
we're
going
to
invite
people
right
now.
The
plan
is
to
make
it
virtual,
but
maybe
on
the
second
round
or
something
we
can
actually
even
have
an
in-person
event.
So
we
don't
want.
We
want
it
to
be
ex.
Like
a
small
group,
we
can't
have
like
500
people
showing
up
it
doesn't
make
sense
or
it
will
not
be
able
to.
You
know
it's
it's
unmanageable
at
that
point,
but
so
for
that
small
group,
very
selective
one.
How
do
we
select
yeah?
D
C
Zoom
we
were
thinking
of,
let's
say:
if
we
partitioned
in
Subway.
Let's
say
we
talk
about
Java,
C,
plus
plus
python,
JavaScript
developers
or
maintainers.
We
can
have
split
groups
that
are
running
in
parallel,
then
have
something
in
the
afternoon
where
we
can
like
together,
so
we'll
have
small
group
sessions.
Then
some
large
group
sessions,
maybe
one
at
the
at
up
front
and
one
at
the
end.
So
for
the
small
groups-
I,
don't
know
whatever
Zoom
allows
you
I
mean
allows
you
in
a
way
like
Zoom
would
allow
you
to
do
anything.
C
I
mean
we
don't
recently
have
to
do
it
in
real
time,
but
I
can
actually
drop.
My
email
address
I
would
appreciate
thoughts
on
on
this
and
thoughts
on
on
how
to
select
projects
also
thoughts
on
the
format.
What
what
can
be
an
effective
format?
I
mean
the
ideal
session
would
have
been
in
person,
but
I,
don't
know
whether
we
have
the
I
mean
it's
gonna,
be
judicious
to
to
do
that
at
least
for
probably
not
for
the
first
time.
A
A
How
can
they
help
you
better
because,
like
just
for
example,
today
I
happen
to
see
a
tweet
on
where
maintainers
were
essentially
complaining
about
getting
a
lot
of
automated
pull
requests
and
automated
notifications,
saying
like
I,
don't
I
mean
you
know
like
people
need
that
Personal,
Touch
and
I?
Think
that's
also
why,
with
our
security
audits,
we've
been
more
successful
is
because
we
do
build
that
relationship
with
the
project,
so
definitely
I
think
the
personal
touch
you
know
we'll
just
reach
out
to.
A
A
Maintainers
or
contributors
is
going
to
be
a
victory
in
its
own,
because
I
I
at
the
end
of
the
day,
you
know
open
source
is
run
by
people
right
and
developed
by
people,
and
we
need
to
have
that
kind
of
personal
touch
and
personal
aspect
with
what
we
do
and
I
think.
This
is
a
good
effort
for
that
and
again,
you
know
be
happy
to
help
with
Outreach
and
but
yeah.
A
It's
it's
definitely
but
and
I
like
the
idea
of
keeping
it
slightly
probably
I
mean
obviously
having
maybe
like
an
agenda
or
something
but
keeping
it
more
informal.
You
know,
and-
and
actually
I
was
just
talking
about
this
in
my
last
meeting-
about
like
incentives
and
whatnot.
So
even
if,
like
I,
don't
know,
you
can
give
them
a
25,
iTunes
gift
card.
I.
Think
open
ssf
could
could
probably
swing
something
like
that,
but
just
like
a
very
you
know,
a
very
small
thank
you.
A
Adjuster
I
do
think
will
go
a
long
way
in
terms
of
incentivizing
or
you
know
just
showing
thanks
for
their
time
and
what
have
you
so
I
kind
of
rambled
a
lot
sorry
about
that.
If
anyone
has
any
thoughts
or
feedback
on
on
what
I
just
said
or
or
or
or
to
minara's
question,
please,
let's
we'd
love
to
hear
it.
A
And
hen
brought
up
a
good
point
too.
Some
of
the
probably
the
bigger
projects
are
likely
going
to
be
probably
a
security
team
of
some
kind
rather
than
like
a
individual
or
group
maintainer,
but
this
I
think
would
be
a
good
way
also
to
to
almost
categorize
projects.
So
you
know
is:
is
Project
X
run
by
you,
know
volunteer-led
by
less
than
10
people,
or
is
it
led
by
you
know
a
corporate
backing
with
a
team?
A
E
Hi
there
guys
I
was
just
wondering
is
like
just
from
what
you
were
just
saying.
I'm
here,
right,
I
was
just
basically
wondering
it
sounds
very
arbitrary.
It's
like
there
is
no
real
defeat.
I
mean
it's
like
from
a
security
perspective.
You
know
it's
like
when
people
talk
to
security
to
open
source,
you
know
single
devs
who
are
just
making
projects.
You
know
as
more.
E
Let's
get
this
knowledge
to
them
to
make
it
benefit
for
them,
so
every
project
they're
after
becomes
secure
and
whereas,
if
we
just
go
start
targeting
projects,
Left
Right
Center
through
the
ecosystem,
it
basically
shows
that
you
know
there
is
a
form
of
favoritism.
What's
the
criteria,
what's
the
selection
process,
etc,
etc,
etc,
whereas
when
it
comes
to,
like
you
know
the
criticality
school
reports,
let's
not
keep
them
so
defined,
and
let's
keep
on
so
to
a
point
that
people
understand.
E
You
know
like
this
project
might
be
at
risk
to
my
project
in
these
certain
ways
and
here's
the
solutions
to
address
it.
That
is
all
my
concern
is
that
it
feels
a
very
loose
when
it
comes
to
a
football
machine
when
I
create
a
calculator
score
report
right,
but
yeah,
here's
a
school
report
good.
What
does
that
mean
is
like
I
did
a
bad
job
in
developing
my
code,
you
know
I
was
like
from
it
from
a
developer's
point
of
view.
It
is
like
it's
just
a
test
result.
E
A
A
Okay,
so
if
there
are
no
other
agenda
items,
we
can
continue
the
discussion
of
how
we're
going
to
set
up
kind
of
some
very
basic
infrastructure
and
processes,
for
you
know
coming
up
with
a
set
of
critical
projects,
essentially
providing
that
that
that
bit
of
analysis
but
I
I
think
the
best
way
to
put
it
is
probably
just
like
some
some
further
guidance.
You
know
these
are
things
that
we
have
identified.
A
B
A
B
So
it's
kind
of
interesting
because
in
a
way
that's
kind
of
what
we're
doing
so,
but
that's
kind
of
where
we're
talking
and
we're
kind
of
trying
to
figure
out
different
ways
that
we
could
put
a
proven
concept
together
right
now,
we're
exclusively
using
npm,
but
that's
just
because
of
ease
of
use
and
it's
easy
to
mess
around
in
JavaScript
but
yeah,
but
eventually
that
should
be
kind
of
universal.
So
right
now
we're
kind
of
in
that
phase
of
everything.
B
B
I
want
to
do
things,
but
yeah
I
think
that
there
might
have
to
be
a
meeting
where
we
have
the
criticality
support
team
and
us
trying
to
figure
out.
Where
are
we
align
and
what
we
don't
align,
because
I
think
they
do
want
to
make
it
work
for
us.
But
it
just
depends
on
kind
of
It
kind
of
seems
like
we're
operating
as
two
different
groups.
Even
though
we're
not
really
supposed
to
be.
D
B
No,
that's
basically
me
and
on
slack
just
kind
of
getting
my
questions
answered
and
on
GitHub,
also
kind
of
when
I
realized
that
I
actually
had
containerized
the
original
criticality
score
and
then
in
like
a
week
ago.
Actually,
when
I
was
doing
the
demo,
it
magically
stopped
working
and
that's
because
the
python
version
got
deprecated.
So
then
I
realized
that
I
had
to
talk
to
them.
Whatever.
B
Don't
know
how
they're
running
the
tool
I
don't
know
all
those
details,
but
I
know
that
the
tool
essentially
now
would
be
something
along
the
lines
that
we
would
have
a
set
of
packages
that
would
be
we'd,
be
tracking
criticality
support
for
and
the
tool
would
run
like
on
that
set
of
packages
now
like
in
the
future.
Could
it
could
it
like
run
back
to
where
the
way
it
was
originally
running,
with
just
a
CLI
tool?
D
D
Caleb
was
able
to
join
he's
based
in
Sydney,
so
it
was
a
time
that
he
could
join
and
did
a
presentation
on
the
work
he's
done
and
a
big
part
of
it
is
something
I've
run
into
which
is
GitHub
API
limits,
yeah
yeah,
but
I
think
that
presentation
is
worth
watching
to
get
get
context
on.
What's
been
done
and
I
think
the
biggest
limitation
right
now
in
terms
of
like
continuous
scanning
is
literally
that
you
know
you
get
a
tiny
dribble
of
5000
API
requests
per
hour.
D
B
B
A
A
You
know
if
a
project,
let's
say,
becomes
deprecated
or
is
no
longer
being
supported
or
an
emerging
project
kind
of
becomes
the
new
standard
I'd
like
us
to
have
a
process
and
I'd
like
our
process
to
be
nimble
enough
and
I'd
like
the
set
list
to
be
curated
enough,
where
it
would
reflect
kind
of
those
changes
over
time
so
I.
That's
definitely
something
I
think
we
would
need
to
think
about
in
terms
of
you
know
how
it
would
be.
How
can
we
make
it
as
close
to
a
living
kind
of
curated
thing?
That's
possible.
D
D
Good
all
right
and
one
of
the
things
was
the
scheduling
problem
right
like
in
what
order?
Should
the
experts
be
asked
to
examine
things
and
some
of
the
sort
of
heuristics
I
looked
at
one
is
to
more
frequently
examine
things
that
are
close
to
a
cutoff
threshold.
So
if
Alpha
Omega,
for
example,
is
typing
the
top
200,
then
anything
that's
sort
of
like
in
the
190
to
210
range
should
be
checked
more
frequently,
because
it's
got
more,
it
has
a
high
probability
of
dropping
dropping
out
of
the
list
or
joining
the
list.
D
The
other
one
is
when
you
have
input
metrics
that
you
know
turn
out
to
be
influential
over
time.
Chris.
Your
microphone
is
on
by
the
way.
Sorry
yep
no
worries.
If
you
have
metrics
that
turn
out
to
be
influential
Based
on
data
that's
collected,
then,
for
example,
you
might
prioritize
for
scheduling
those
things
that
have
big
shifts
in
those
metrics
to
be
re-examined
and
that
sort
of
thing
it
is
a.
D
F
D
F
G
A
G
A
a
project
that
sort
of
grows
in
stature
to
the
point
where
it
becomes.
You
know
like
a
my
sequel,
but
that's
in
the
context
of
a
SQL
database,
all
right.
So
it
would
seem
to
me
that
what
we're
really
looking
at
is
somebody
would
be
looking
around.
I
need
a
single
database
which
one
should
I
choose
and
then
I
want
to
evaluate
in
the
set
of
SQL
databases.
What
does
that?
Look
like
all,
right
or
and
and
I've
I've
mentioned
this
before
I
think
you
know
the
use
case.
G
That
I
would
think
that
certainly
I
would
have
would
be
I
have
a
set
of
things
that
I
use,
which
ones
are.
Those
do
I
need
to
worry
about
this
week
right,
because
all
of
a
sudden
they've
got
a
vulnerability
and
there's
nobody
around
to
fix
it
kind
of
a
thing,
and
so
I
think
we
want
to
do
a
little
bit
of
analysis
on
just
how
we
think
this
is
going
to
be
used
and
then
design
it
such
that
you
know
that
usage
model
fits
neatly
into
what
we're
trying
to
achieve.
Now.
G
You
know
talking
about
whether
or
not
we
need
something
with
a
weekly
degree
of
of
Precision
I
think
is
probably
not
the
case.
I
mean
possibly,
but
I
I
would
think
not.
I
would
think
that
most
of
these
things
most
of
these
attributes
that
we're
looking
at
are
things
that
change
very
slowly
over
time.
G
B
I
may
I
I'm
part
of
a
lot
of
different,
open,
ssf
things
and
I
kind
of
do
a
lot
of
things.
So
there
definitely
is
a
need
for
the
list.
Okay
and
I
think
that
across
open
ssf,
there's,
there's
varying
needs
of
what
type
of
list
is
needed,
but
as
far
as
lists
of
critical
infrastructure
projects,
I
do
think
that
there
is
a
need.
B
I
think
that
it
would
maybe
part
of
what
we
need
to
do
is
figure
out
how
we
can
align,
because
even
with
the
criticality
score,
they
also
have
been
talking
about
maintaining
a
set
of
packages
right
now,
if
I'm
not
mistaken,
it's
more
of
like
a
test
set
of
packages,
but
at
some
point
I
think.
The
intention
is
that
they
would
actually
have
a
set
of
packages
to
put
in
there.
B
Now,
from
my
understanding
in
my
conversations
with
Naveed
I
think
they
said
his
name
right
and
Kayla
they
they
do
want
to
make
criticalities
for
work
for
us,
but
I
think
that
if
we're
going
to
make
a
list,
I
think
to
kind
of
answer,
your
question
I
think
we
should
make
it
focused
on
what
the
needs
of
open,
ssfr
and
then
align
ourselves
with
that.
So
therefore,
there's
not
a
whole
lot
of
duplicate
work
going
on
in
open
SSL.
D
D
You
know
end
users,
so
companies,
governments,
academic
institutions
and
so
on
in
terms
of
cadence,
I
I
think
it
makes
sense
for
automated
scores
to
be
run
more
frequently
because
at
a
very
large
scale,
the
odds
that
something
shifts
dramatically
go
up
just
because
there's
so
many
things
being
sampled.
So
it's
useful
to
have
that
intelligence
quickly.
D
F
Yeah
I
think
it
does,
because
and
then
what
I
would
hear
reading
me
back
a
little
bit
is
that
I
would
trust
you
to
be
doing
clever
things
around
rolling
up
the
weekly
thing
into
the
quarterly
or
every
six
months
whatever,
but
that
it's
not
churn.
There
wouldn't
become
confusing
for
end
users
because
they
wouldn't
see
it,
which
I
think
would
be
a
concern.
But
that
seems
well
handled
by
the
the
Cadence
that
you
propose.
It's.
B
Like
it's
like
the
tail
coyote
index
for
programming
languages
of
the
world
right,
it's
like
you,
know
the
the
languages
go
up
and
down
and
they
may
change
positions
amongst
each
other,
and
that
may
be
interesting
to
like
make
inferences
about,
but
fundamentally
like
the
the
top
lit
on
the
list
is
mostly
going
to
stay.
The.
A
B
F
Okay,
so
hearing
nothing
I'll,
so
minor
question
but
Jacques.
You
know
I
I've
thought
a
lot
about
sort
of
public
consumption
of
these
sorts
of
information
sources
and
I'm
wondering
whether
because
I
haven't
Faithfully
read
all
of
the
notes
but
I,
don't
I
wonder
whether
this
has
been
discussed,
whether
when
the
list
is
published
did
not
actually
published
as
an
ordered
list,
or
at
least
maybe
not
for
the
whatever
top
100
that
are
safely
on
the
list,
so
that
people
don't
sort
of
obsess
about
like
oh
well.
A
Yes,
you
bring
up
a
great
point
and
we
did
and
that
actually
ties
into
Chris's
Point
as
well,
where
we
did
spend
some
time.
Thinking
about
you
know
what
is
what
is
the
reasoning
for
this
or
you
know
why
you
know
who
is
supposed
to
to
digest
this,
and
what
is
the
reasoning
for
this
set
I
do
think
we
came
to
a
pretty
good
conclusion
as
to
what
that
is,
but
I
think
the
more
that
we
talk
about
it.
A
I
do
think
it
makes
a
lot
of
sense
to
really
just
have
if
we
can
focused
sessions
really
dedicated
to
this,
because
I,
because
I
do
think
it's
it's
something
that
is
going
to
require
a
good
amount
of
discussion
and
we
are
going
to
need
to
start
getting
some
something.
You
know
that
we
could
show
or
that
we
could
show
that
the
results
of
our
work
for
so
I'd
like
to
I
know
the
next
I
know.
A
September
is
going
going
to
be
a
little
bit
tough
because
of
conferences
and
travel
folks,
traveling
and
whatnot,
but
I'd
like
to
propose.
Maybe
we
do
one
of
our
next
working
group
sessions,
if
not
the
next
one
in
the
very
near
future,
where
we
can
really
just
solely
try
and
focus
on
this
kind
of
some
of
the
meta
information
of
you
know.
What
is
why
are
we
doing
this?
A
What
is
the
reasoning
for
this
and
then
really
start
to
get
some
things
down
that
we
could,
you
know
again
demonstrate
or
even
put
into
action
and
start
using,
because
because
I,
because
again,
I
I
totally
agree
with
you
jono
that
a
lot
of
times
you
know
people
get
lost
in
the
details
or
and
and
and
that's
okay,
but
I
it's
just.
We
can
do
the
best
we
can
in
terms
of
saying
you
know.
This
is
why
we
did
this.
This
is
what
we
think
you
know.
A
The
use
case
for
this
is
this
is
our
reasoning.
These
are
our
methods,
I.
Think,
if
we're
pretty
clear
about
that,
then
it'll
reduce
the
likelihood
of
you
know
of
folks
kind
of
getting
really
lost
in
in
some
of
the
details,
and
and
questioning
that,
because
we'll
be
able
to
to
Really
demonstrate
everything
we've
been
talking
about.
Basically,
you
know
why:
what
is
our
mission?
What
are
we
trying
to
accomplish?
What
is
the
reasoning
for
this?
A
You
know
kind
of
writing
some
of
this
down
and
getting
some
of
it
down
on
paper
and
and
talking
about
it
there
and
I
think
the
more
we
do
that
the
more
we'll
be
able
to
stay
on
track,
because
it
is
a
very
daunting
thing
to
do
and
I
think
I
I.
Don't
want
perfect
to
be
the
enemy
of
good
here,
where
I'd
like
to
get
something
that
we
can
at
least
iterate
on
out
sooner
rather
than
later
so
is.
A
Is
the
group
okay,
with
kind
of
a
more
focused
intensive
session
on
this
kind
of
phase
one
one
and
the
process
for
identifying
critical
projects?
Okay,
awesome!
So
I
did
ramble
a
lot
there
again.
I'm
sorry.
Do
we
have
any
other
thoughts
or
discussions
either
around
this
or
the
ingestion
form
that
Google
form
or
really
anything
else
related
to
this
specific
topic
that
we
could
drive
home
over
the
next
10
minutes
or
so.
A
A
A
If
there
are
no
other
agenda
items,
we
could
always
conclude
a
little
bit
early
today.
That's
okay,
I
understand,
there's
conferences
next
week,
so
OSS
Summit
in
Dublin
I
believe
a
lot
of
folks
will
be
there.
It's
also
going
to
be
virtual,
so
feel
free
to
participate,
even
if
you
can't
make
it
to
Dublin
and
yeah.
A
Looking
forward
to
that,
looking
forward
to
seeing
a
lot
of
you
there,
I
will
be
there
as
well,
so
feel
free
to
find
me
and
I'd
love
to
see
y'all
in
person
and
then
yeah
I,
like
the
idea
of
like
a
more
intensive
session
on
on
this
ingestion
engine
and
kind
of
this
phase.
One
so
we'll
be
sure
to
do
that
real
soon
and.