From YouTube: Security Tooling Working Group (December 20, 2022)

B: It's just that time of year, it's hard to get anything done.

B: Yeah, I mean that's exactly what it's been like for the last two weeks for me. I've got so much work to do and none of it's getting done, because I think the problem is Christmas lands on the weekend, so all of the people are like, they've got that last bit, you know, they get the whole week, like, let's use it, and it's like, oh my goodness, no, stop.

C: Yeah, so the last week and then also the first week, a lot of folks that I talked to in Europe, for some reason. Europeans outside of the U.S. take that week off, because even they have folks in South America.

C: My son is coming from Arizona, he's arriving in the morning on Friday, and then sister-in-law arriving by train in the afternoon, so I don't know which one is going to get here first. Wow.

B: Like Minnesota, but the weather is... Right, their weather is even worse than my weather, because I live in Green Bay, where the lake kind of tempers the climate a bit, and I have some family that lives in Minneapolis and they just get feet and feet of snow and horrible cold. It's just terrible.

B: I know, I know, I've got a co-worker that's there and they just can't... what was it, like 40-some inches of snow? I don't even know what to do with that, I can't imagine that. I mean, I live in freaking Green Bay, I think we got 24 inches once and it nearly ended me, because it was just like, what do you even do with it at that point? It's awful, man.

B: All right, let's get this show on the road. I don't expect a lot of people, which is good, so I guess thank you, everyone who made it, you're the dedicated few. So let me share my screen. I'm very slow today, I apologize, it's been a week. All right, so I will paste this in the chat. Do me a favor, people who are here, introduce yourself in the chat. Do that quick.
B: I think most of you have been here in the past, so basically hammering this out, getting it in order, and then we can start using this group to kind of move the SBOM Everywhere project forward. The intent and purpose is we don't want the group to do anything, for anyone who doesn't remember.

B: That sounds silly, but one of the challenges the OpenSSF has is getting working groups to actually do work, and they don't because we're busy people, and so what we really want to do is use the purse of the OpenSSF to accomplish tasks, not try to acquire help from people who are too busy to do it. So anyway, let's just go through this and see what we're missing. All right, we've got the overview. I'm gonna ignore that for now, because I think this is easy enough.

B: So we have scope: secure the software. And also I want to add, if any of you... oh hi, Kate. If any of you have anything to say, just jump in and talk, don't worry about raising hands or anything like that. I'm not watching the chat, so if someone could speak up if anyone makes a comment that's relevant, otherwise we'll just kind of keep going. All right. So "secure software ecosystem requires production, distribution", that's one easy, "and consumption", so this part is...

B: We talk about consumption a lot in this group, and when we started the group there was going to be a focus on creation, and then the group basically said all we care about is consumption. And so I think this one is important and we need to do more with it, but I don't know what yet. So if anyone has thoughts or comments, I would value those, because just saying "consumption" I think is meaningless in many instances. But...

B: Yeah, that seems fair. Okay, now I guess here's where I think we need to be clear: is our intent to just explain what to do with them, or do we want to be involved in tooling that can ingest this stuff? That's where I think the line gets fuzzy, is like, how well...

F: We want to make sure that the blockers are removed so that people have solutions out there that they can use themselves to do so. Like, you know, there's some open source projects out there, there's some commercial offerings out there. Making that visible, that these options are there, I think is something that I thought we had agreed was in scope for this group already. Hence the landscape approach, yeah.

B: No, I agree, I think the landscape is the key, so...

F: ...they describe the type of SBOMs and the consumption of the SBOMs. What you do with it is different depending where you get the information, what's in those SBOMs, right. You know, we've got examples of open source projects out there that are consuming them.

F: Specifically, DaggerBoard is out there in open source, and it consumes it, and then it basically does a match-up to the vulnerabilities. It gives you a dashboard so you can track them for yourself. And so getting more of these things which are taking the SBOM and ingesting the SBOMs, and then transforming or communicating them. Like, I think the DBoM project will be ingesting them in the sense of bringing them in and encapsulating them and passing them on.

C: Policies, and that's what I was going to bring up. So the consumption, I think it needs to be agreed consumption rules, because something that also came up yesterday during the CISA call was, as an integrator I might consume an SBOM produced by the producer, and then what can I... consumption? Does it mean that now I can share it with my downstream customer, which the producer may not want me to share? So it's a little bit of a grayish area about this consumption and the rules around it.

C: And you may want to just make a note on it for now, that consumption is exactly what Kate said: the consumption could mean either, which needs to be touched on later. Yeah.
F: ...that we don't come up with all sorts of variants out there. We're lining up with what is being defined as a couple of reference SBOMs that have some degree of blessing associated with them at this point.

F: I shall defer that one to Justin, who's on the call, since I haven't been able to be on the calls for the last couple of weeks with my travel.

A: It's something that comes up pretty often, but there's no task right now that's working on specifically defining it. It's something that's reflected in our notes, whether the term would be, you know, like "completeness" is the term that's been thrown around.

D: But I do think that's important, because we are going to have a problem with really inaccurate SBOMs. A lot of folks are doing analysis, they're throwing bits in and flipping the digital coins to see what they can figure out, which, I mean, if that's what you've got to do, that's what you've got to do, but I fear that people are going to look at that and say, oh, that's all an SBOM could be. So I think we...

F: Like verifying at this point, I'd say "don't fall off the floor" is something that someone is a little imprecise about. I'd say it's, you know, some syntactic at least gate, yeah, make sure the syntax is correct and you're following the actual written-down syntax. Yep, okay, so I'd be explicit here that it's a syntactic check.

B: All right, I'll just bold that as the quality gate for the moment, and then I'm gonna rewrite all this. So don't worry, I'm just taking notes, basically, in the document. Okay, so I think the other piece, and I don't know how much we want to focus on this, but there's the angle of how do we get open source, or not even... how do we get... We know one of the goals is we want to see all of open source producing SBOMs for everything they do, right.

B: So what does that mean? Do we want to provide some level of guidance? I mean, the example is the Apache Foundation asked us for guidance and we haven't really given them any because we don't have any. Do we want to create that kind of guidance? Do we just want to tell open source projects, you should do this? Do we want to give them the tool? I don't know where to draw this line.

F: Everyone thinks they know everything in their own space, so I think figuring out what minimum... we already have a definition of what minimum is, and helping them figure out how they can achieve minimum in one of the recognized formats, as opposed to creating their own, because they're all seeming to want to create their own, is I think what we need to help do, and make it easy for them. So reference tooling, examples, and you know.

B: One challenge we're going to have is, I mentioned this on a call, it's been a couple months now I think, but Brian Fox was there from Sonatype, and the Java ecosystem kind of does it their own way, and there was...

F: Well, I think finding people who have connections into these communities who also understand this space. In effect, if you get a set of ambassadors who actually understand the format and who can talk to these people and help put pull requests in and discuss things in their own spaces, is probably what's going to be needed.

C: I'm going to go back to reference tooling. So isn't that like a live reference tooling, or something that can continuously be updated? Because otherwise it's a snapshot, and this whole area is growing so fast. Every morning you get up, there's a new tool, there's a new way to do this. Or should it be...

F: You know, that's what the open source project sphere looked like. They're not going... I think it'll be pretty rare that the open source projects will take and use some of the commercial tooling that's freely...

F: Clarity would be good, yeah. And quite frankly, as the specs change, the reference tooling needs to change, as do the reference examples. Definitely.

B: Now David, I'm gonna ask you on this one. I think Brian said at some point long ago that the OpenSSF is comfortable being a kingmaker when it comes to these tools, because obviously if we create a reference architecture, that's it, right. Those are the tools that win. Is that still true?

D: I think that is still true, I would say, with a caveat: kingmaker, but wise kingmaker. In other words, we shouldn't just roll the dice. I'm hoping that we... and you actually, Josh, you actually started down this road and I think you had the right road: sit down, what's close, and even if nothing is perfect today, what's a good basis.

D: Right, I mean there are advantages to doing 100 different things, but if we want to focus resources on one thing, it's helpful to know what the one thing is. By the way, I don't think we'll actually have one thing, I think there'll be a thing for a particular ecosystem and it might not be the same thing for every ecosystem.

F: And actually that's one question I've got for Justin since I've got him on the call: is that document now published? Is that document considered final now? Because, like I say, I was traveling still last week, so I don't know if Justin was on the tooling call.

A: Let me do some checking on that. I know that that was the goal, and so it's not final in the sense that it still has to go through a chain of approvals, but let me just double-check the notes, because I was in North Carolina and Idaho last week.

F: We've got, you know, I think the build one is the one that everyone's sort of focusing on in the industry right now, but certainly the deployed one is the one I think we'll be moving to next. Maybe we should sort of choose an order of what we think is most important from...

B: Exactly, 100%. And this is the other reason I want to start better documenting and tracking a lot of this, because it feels like there's so many projects and it's so fragmented and no one knows what anyone else is doing, and no one wins in an environment like that. We all just suffer.
B: 100%. All right, so I feel like there's enough notes in this scope that I can take this and spin the straw into gold and put together something passable, probably. Let's jump to the mission, because we're also running ourselves out of time. Mission of this work stream: encourage collaboration between SBOM producers, distributors, between all the SBOM people, identify barriers, usage of SBOM.

F: Yeah, well, let's say rather it falls to the... yes, but I think you want to put something in here about the software supply chain, and basically fostering SBOM usage through all points in the software supply chain, or something like that.

F: Basically, I think the mission of this work stream is to have high quality SBOM, or...

F: I would also say high quality. You know, I'm tempted to put the word "standardized" in front of SBOMs, but, like I said, how do we refer... so let's just leave it as SBOMs, never mind.

F: Maybe "shareable". What I'm trying to do is, you know, if someone's creating something, someone else has to be able to ingest it, which is why the software supply chain is... I'm going to be looking for that, right, and I guess we established that means it happens. Okay, fine, yeah, okay, I'm not gonna wordsmith any further there. Let other people wordsmith a bit better.

D: Yeah, the one thing that's worrying me a little bit, and maybe it doesn't belong here, but in the end we've got to have, you know, and this is an American thing, the kingmaker comment earlier from Josh: we need to get good, high quality SBOM generators for the various ecosystems. Ideally there'd be at least an obvious OSS, open source software, tool for it, and I would be more specific: for at least the build SBOMs for an ecosystem.

D: In some sense you can argue that that's hidden underneath "getting more open source software projects generating SBOMs", because they're not going to do it unless it's easy, right.

F: "Ecosystems" is what I'm... sure, I'm raising my voice a little in the sense that what defines "common", I think it's a rat hole we can go down. I'm just thinking to say "open source ecosystems".

D: Okay, all right, oh I see, I see, yes, all right, fair enough. For each ecosystem, there'd be at least one easy, obvious way to do it.

D: Nice. I also don't want to get too bogged down into the words, but it's just, in the end, what I want to make sure is that we are ensuring we have generator tools that are "you push the button, off it goes", super easy. I think we're all in agreement. We just got to put that down, because when people join I want them to come in and go, oh, that's what you're doing, and not have to re-explain it.

B: 100%. And even then, oh man, it's gonna be a treat, but that's right. Okay, so the requirements is old, so I don't want to put too much focus on that. But the approach is not, so to reiterate what I've said at the beginning: we don't want to do any work, right. We want to fund work and encourage others to maybe do work, and we could potentially create a special group or a project beneath this group to do the work.

D: Okay, I would call that oversight, management, something like that. So basically we're not going to write code in this meeting.

B: Man, don't get me started, I feel like that. So that's kind of covered in the scope, but the approach should be more clarified. I think this is where I guess we create, so...

B: Okay, do we have...

B: So one of the... oh, let me write this down first, and then I have something to ask you, Kate. So you talk about the gaps, and I think there's two important gaps, but we don't talk about them correctly. So there's the angle of there's just tooling missing, be it some sort of blind spot, like we can't generate SBOMs for COBOL or something, we'll say. But then there's also, I think, the angle of...

B: If we look at the Go Python library, that was a gap in maintainership, right. The tooling existed, but we didn't have anyone actually taking care of it. And I feel like a landscape can help identify gaps of a tool not existing or a feature not existing, but a landscape isn't going to tell us which projects have funding or, you know.

D: Although landscapes typically don't, if that's one of our primary concerns, there's no reason we can't... the landscape tool, we could add data about, you know, number of contributors, has it been contributed to or released in the last... We can grab the data straight from Scorecards and just extract that out. If we think that's a high enough risk for these kinds of projects, and I think that's plausible, we can do it.

F: One of the things might be, quite frankly, once we've identified the projects we know about, to actually take a look at using some of the other OpenSSF initiatives like Scorecards and do an assessment, yeah.

F: Then use that to put some structure around the gap discussions, other than, you know, to some extent it'll probably come down to tribal knowledge.

D: Yeah, so Josh, I know that you had already started down that path. I think that basically some acceleration and people to work alongside, you know, here's some sample code. I mean, there's a whole lot of open source projects we can use, you know, go grab some tools.

D: What can we learn? Where are the gaps? Which ones are most likely going to be plausible bases, and your recommendations, so...
B: That's another interesting problem, I think. So there is tooling, right. There's tooling that needs help, and I think again, like your comment, Scorecard's fine, but then there's also the, I guess, architecting, is that the right term, maybe, of like: all this tooling exists, there's a need to use it, and someone needs to glue it all together, and that is not really... So we say that we want this group to do that, right, up in the scope. We talk about tooling.

B: How do we do that? And I think that's part of the approach here. This is actually number three: start with tool sets that will be fastest to release, economically efficient to build. But who is going to do that, right? Like, we can't pay an upstream project to do this, necessarily, we can't pay... I don't know.

B: You didn't say we could do it, but we need some sort of structure to say, like, this person is going to architect this and then their work will live in this project. And also, the most important thing: I do not want to see us fund something, get it done, and then it rots because no one is responsible for it. Absolutely.

F: So they can't just sort of define it as a fight for themselves and continue, yeah, and you know, that was one of the conditions that we've tried to set up, and we're going to be continuing to work on it for the Python side, I think. But we're seeing people start to help us out with the Go libraries and things like that. So...

D: Yeah, and the good news is that, you know, certainly the US government is really interested in this. I think there's some other folks. Europe is also... the European Commission is floating requiring SBOMs in certain cases as well. So I think that there's a... even though this is a huge kind of radical change on the industry, there is some stomach in trying to make it happen, and therefore at least some folks willing to put some money in there if there's a plausible path for it. Well...

F: I was getting all excited when, you know, the SBOM initiatives were... and there was the small... was it Silicon Valley program? And, you know, but when you start going into the details of that program, there's no way that sort of an open source project could easily take advantage of that funding. You had to be a commercial entity, right.

D: Right, I think for some of these things we need to talk to some of the government folks, because I mean the question here is: is your goal to be a small business funding mechanism? And if that's your goal, then be honest about it.

D: If the goal is to produce results, then that's a different mechanism, but the US government and European governments both have funded quite a bit of open source software development and sustainment in the past. You're absolutely right, Kate, that it can be a struggle, and particular projects shoot themselves in the foot, but I think that there's a hope for at least some of these cases. The particular project you're talking about, they may be too far down the road; I think they're more interested in being a small business funding than solving the problem, but I could be wrong.

D: I would like to be wrong, in which case, let's talk about that.

D: I also think that there is a stage where I have, you know, it works sort of, but not quite enough for a large enough community to be willing to use it. And there is always the challenge of getting the software for enough use cases so that people will just grab it and use it. And then you pick up the rest as it gets better and better.

B: ...has some of that. So I want to jump to four here, it says incentivize and educate blah blah blah maintainers. It includes helping open source maintainers implement this, which I think is the obvious second step after the first step. So if we have the tool sets, if we have the guidance, if we have money to give people to implement this stuff, how do we actually start turning that crank, and is there something we can do to incentivize that?
F: So I think part of it is sponsoring meetups at some of the shoulder events, so maybe having a hackathon type of deal where all the tool vendors can come, people who are doing tooling can come and collaborate together, and so those who are, sort of, maybe using the open source events.

F: Linux people always have sort of the meetup and make progress on things, for any tool vendor to show up, open source or otherwise, and make explicit outreach to invite some of the ones where we know there's problems, possibly even help support funding getting some of the remote people in from their communities into some of this, too.

B: 100%. So like what else is there, though? Like, sponsor... I feel like sponsoring meetups is the boring default answer we might not have, when we maybe can't...

F: Okay, I'm calling that meetups for whatever reason, but you know, in-person get-togethers, whatever. However, what we might want to do is sponsor a seminar series of, you know, people have a tool and they can talk about how to use their tool in a lightweight fashion and have a Q&A session. So as projects have tools visible and available, they want to show people how to use them.

B: Let me... I do like that. That's a cool idea, I think we should definitely have some sort of forum. But actually I think the CNCF does stuff like this, where they have regular "show me" webinars and stuff, where people like to show off their cool stuff. I'm seeing even higher level than this. So let's say I'm gonna pick...

B: Just because I was running their tools this morning and I was getting grumpy about it, but so OpenOffice, right. Let's say OpenOffice needs an SBOM. How do we incentivize a project like that, that is already running thin, to dedicate resources or something into making and maintaining SBOM content?

D: I think we should identify a few and literally work hand in glove, what we call white glove work, with a few projects to help them over the starting line, because when nobody else does it, everybody's gonna say nobody else does it, and you keep repeating that. And Kate's going to point out that some projects already do, which is true, but I think there's some other kinds of products that are widely used.

D: That don't... LibreOffice might make a very good case, because there's a wide variety of folks who bring that in as a desktop application. I don't know what the right list is; doesn't matter, right. You pick a few, help them get going, once you've got a few as examples, now you can point to them and say: look, do X, they're doing it already, and you can do it too, following exactly what they did. And so...

D: Now I won't guarantee you that everybody will do that once that happens, okay, but I think we have to help things start, and then once things have started, more will come, or at least it's way more likely that more will come.

F: We basically... Alexios, Adolfo and myself are, you know, sponsors. We got so many submissions in, they took us from a half day up to a full day. Nice, okay. So we were scrambling to get everything agreed to right now, but yeah. So we have a full day's worth of content already.

F: You know, there are people wanting to talk about what they've got or explore or say what... like, you know, we had to turn about a third of the proposals away, okay, because of space. Wow. So like I say, sponsoring in-person get-togethers of some form and, quite frankly, collaboration forums where people can talk to each other and explore these things, I think is a way to advance this and get adoption in a lot of these other projects.

F: What we might also want to do is, in the notion of celebrate, you know, celebrate when people achieve things, as projects make things visible or have done things, should we have some sort of way of badging equivalent? I didn't want to use the term badging, but nonetheless, badging is kind of what I'm talking about, as in, hey, we speak SBOM.

F: ...that many badges have many ways of signaling it, but having an easy way for projects to basically let people know they can generate out SBOMs, I'd...

F: ...to dig into it too far a level, it...

E: Sorry, haven't been in one of these in a while, so it's got me thinking about something along the lines of the Black Hat Arsenal. So having something, you know, if you already have a conference around these issues, whether it's CISA or the Linux Foundation or whatever, and then simply opening up a track for tools for guys to be able to show, present, and people can ask questions, similar to what they do in the Black Hat Arsenal. I think that could be nice to raise awareness and get people talking and sharing knowledge.

B: So KubeCon had this when I was in Detroit, they had a whole community section where people were showing off their tools and stuff like this, which is really cool, yeah, but...

F: Yes, I love that, having a focus on... so there's I think a couple of events that the LF is already, you know, sponsoring, there's also... and I think OpenSSF is likely to have a role in some of them.

F: Yeah, I mean, like I say, this is why we've been working with the Yocto... so see the earlier point about the white glove treatment. We've been working with the Yocto, and that's a good inflection point. I'd say any build chain, like, you know, compiler toolchain with a linker step, has the information necessary here. Yeah.

F: Reach into those guys is all good, but getting it so that we've got ways in the embedded side, so maybe we should use this funding here to sponsor a track at these places. So like, you know, I think Angela's for the Embedded Open Source Summit, I think, is like, we can sponsor a track for 20K and then we basically go forward.

F: We say we want to have a track on tooling for SBOMs, and we say that our, whatever we want to call it here, SBOM Everywhere track, yeah, and we do that at EOSS and we can do it... maybe Angela, Matthew, for some of the other ones too. I know she'll do it for EOSS.

B: Yeah, I like that. That's a good idea. Okay, so we're out of time, but this has been a phenomenal hour. I want to thank you all for everything. I'm incredibly grateful.

B: So what I'm going to do now is take everything we have and turn this into a proper draft document that we can then nitpick words and wordsmith and do whatever we need to do, and kind of get this sorted out and get moving after that. I think we have all the pieces we need now. We just need to put it together and then get moving, so awesome.

F: Anyhow, if you've got some cycles this afternoon and want to talk further, yeah.

B: Yeah, I'll hit you up on Slack, Kate, because I want to get that proposal for the landscape kind of sorted out. So...

F: Yeah, we've also... like I said, there was a lot of SBOM interest in Japan and we had some other sort of stuff there that I can do a bit of a recap on.