►
From YouTube: Security Tooling Working Group (March 29, 2022)
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
B
Josh
are
you
at
home
that
you've
got
that
cool
old-timey
door
with
the
with
the
glass
in
it.
B
C
A
A
E
E
E
E
Yeah,
although
I
heard
that
they're
selling
the
team,
so
if
I
I
find
that
hard
to
believe.
A
But
I
have
heard
that
I
haven't
heard
that
I
mean
that
rumor
comes
around
every
now
and
now
and
then
they
actually
can't
sell,
which
is
the
only
reason
the
packers
are
still
here.
Their
founding
charter
basically
says
if
they
ever
sell.
The
team,
like
all
of
the
money,
goes
to
some
like
local
vfw
group,
or
something
like
that.
So
there's
there's
no
money
to
be
made.
Even
it's
just
it's
completely
weird.
A
All
right,
let's
get
this
show
on
the
road.
Thank
you,
everyone
for
showing
up.
I
am
the
new.
What
is
my?
What
do
we
call
them
group
leaders,
chair
chair?
Thank
you
sure
that
sounds
good
for
this
working
group
and
I
talked
to
brian
bellendorf
about
it
quite
a
bit
quite
a
while
ago,
and
the
group
was,
I
guess,
flopping
around
a
little
bit.
I
don't
know
what
to
call
it
where
it
was.
It
maybe
didn't
quite
have
as
much
direction
as
we
might
want.
A
If
this
was
just
some
sort
of
bizarre
dictatorship,
where
I
tell
everyone
what
to
do,
it's
obviously
not
going
to
be
that,
so
I
I
hope
to
spend
the
next
couple
of
probably
weeks,
just
refining
what
we
want
this
group
to
be
doing
and
how
it
can
contribute
to
the
just
well-being
of
the
open
source
universe,
and
so
this
is
considered
a
reboot,
I
guess
is,
is
what
we'll
call
it
and
under
goals
and
expectations.
I
would
be
interested
to
just
start
with
kind
of
what
everyone
is
looking
for
and
what
they
want.
A
I
sent
a
mail
to
the
mailing
list.
Oh
it's
been
a
month
or
more
now,
I
think
we're
basically
the
the
thing
I'm
really
looking
for
here
and
the
reason
I
wanted
to
share
this
group
is:
there
was
a
blog
post,
resilient
research
did
here.
Let
me
let
me
pull
it
up.
Where
did
it
go
there?
It
is
back
when
log4j
was
happening
and
I
realized
how
powerful
this
can
be.
I'll
put
it
in
the
chat.
F
Josh,
if
I
could
interrupt
you
for
a
minute,
please
is
there
a
shared
doc
that
we
can
all
add
our
names
to?
Are
we
doing
that?
Yes,
thank
you.
I
just
added.
A
Yep
awesome
yeah
there
we'll
take
notes
in
there.
That's
all
the
running
notes.
Historically,
I
put
it
or
I
didn't
put
it.
I
asked
jennifer
to
put
it
in
the
the
invite
in
the
calendar.
So
if
you
look
at
the
new
invite,
it
should
be
there,
I
actually
haven't
looked
it.
Is
there
cool
so
anyway?
The
the
thing
that
really
inspired
me
for
this
group
was,
if
you
look
at
the
resilient
research
blog
post,
the
only
thing
that
really
matters
are
the
two
pictures.
A
They
took
a
bunch
of
scanners,
they
looked
at
how
well
they
picked
up
log
for
jay
and
then
a
bunch
of
the
vendors
looked
at
that
and
were
like.
Well,
we
can
check
more
boxes
and
they
did
right,
and
so
they
have
two
graphs.
One
has
much
less
blue
check
mark
than
the
other,
and
so
it
kind
of
got
me
thinking
about
this
group
and
I
would
really
love
to
see.
Oh
there's,
yoda
yodam
is
yoda.
My
just
I'll
wait
for
he's
connecting
anyway.
A
Yoda
works
for
his
online
research
and
and
he's
one
of
the
authors
of
this
post.
But
anyway,
I
would
love
to
see
this
group
use
our
collective
abilities
to
kind
of
do
something
like
this,
but
for
open
source,
where
we
can
do
some
measuring
do
some
understanding
of
what
tools
do
and
don't
do
and
then
obviously
it
it
creates
an
opportunity
for
the
tool
makers
to
you
know,
check
more
boxes,
basically,
so
anyway,
that
that's
me
talking
a
lot.
I
don't
yoda
welcome.
A
I
just
was
talking
about
your
blog
post
and
how
I
would
love
to
see
this
group
do
similar
things
and
check
more
boxes.
All
right,
I
will
do
my
best
to
keep
an
eye
on
the
hands,
vicky
you're,
raising
your
hand.
I
appreciate
the
I
guess
sanity
that
brings
to
the
meeting.
So
thank
you.
B
Yeah
things
can
get
a
little
chaotic.
Otherwise
are
you
familiar
with
ort,
open
source
view
toolkit?
Let
me
find
it.
B
Yeah,
I
just
found
it
so.
The
open
source
review
toolkit
is
a
suite
of
tools
that
do
a
lot
of
the
stuff
that
the
vendors
do
and
it's
all
open,
sourcy,
and
where
did
my
chat?
Go?
Oh
there?
It
is.
I
hate
it
when
I
turn
these
things
off
it's
already
under
the
linux
foundation.
It
works
it's
with
the
open
chain
folks
over
there,
but
that
might
be
something
to
to
have
a
look
at.
B
B
A
E
Yeah,
this
is
eric
ties.
I
can't
find
the
raise
your
hand
icon
at
the
moment,
but
so,
from
my
perspective,
I
lead
a
center
of
excellence
of
people,
people
who,
in
our
ospo
within
wipro,
who
work
on
ideating
and
building
new
solutions,
and
a
lot
of
that
is
this
year
very
focused
on
software
supply
chain
security.
E
So
what
I
hope
really
we
can
get
on
top
of
looking
at
tools
like
ort
and
other
component
suites
is
also
talking
about
where
the
gaps
are
in
the
market
and
potentially
discussions
around
ideating
how
to
fill
those
gaps
and
maybe
potentially
creating
some
additional
projects
within
this
group
with
volunteers
and
others
who
may
want
to
collaborate
on
finding
ways
to
solve
that
problem
or
creating
an
integration
structure
for
bringing
together
multiple
tools
to
help
solve
some
of
the
problems
that
that
have
arisen
well
made
that
have
always
been
there
but
have
been
more
to
the
forefront
over
the
last
year.
E
A
E
And
I'm
not
asking
for
this
to
solve
all
the
problems
in
the
industry.
What
I'm
suggesting
is
that,
at
the
very
least,
you
know
as
we
examine
and
look
at
suites
and
other
tools
and
find
best
of
breed
ones
in
the
open
source
community.
You
know
what
gaps
are
essentially
existing
and
helping
to
document
and
potentially
find
use
cases
in
other
areas,
problems
that
people
are
having
to
address
them
as
part
of
this
yeah.
No.
A
H
Hello
thanks.
I
would
like
to
bring
the
topic
of
combining
different
free
software
tools
I
would
like,
if
nobody
opposes,
I
would
like
to
share
my
screen
for
a
second
sure.
G
H
We
find
a
number
of
issues
because
of
a
lack
of
uniformity
again
along
among
them,
not
only
that
not
all
of
them
provide
an
uniform
output
such
as
sarif,
but
also
there
is
a
problem
of
being
unable
to
y
list
the
the
findings,
so
there's
a
concrete
problem
when
someone
is
trying
to
combine
this
set
of
tools,
I'm
just
mentioning
here,
some
of
them.
This
is
the
tool,
the
list
of
tools
we
are
using.
G
I'm
a
little
confused
because
serif
already
exists.
I'm
not
saying
that
it's!
It
solves
all
problems,
but
if
your
goal
is
hey,
I
want
to
be
able
to
combine
static
analysis
tool
data
we
already
have
serif,
so
I'm
assuming
you're
implying
that
there's
some
surface
missing
something
that
is
important
to
you.
H
This
is
exactly
what
I
meant
it's
not
only
about
the
output,
the
output.
We
are
fine
with
zarif.
We
are
contributing
to
a
number
of
these
tools
in
order
for
to
output,
sorry
format,
but
I
am
talking
about
the
different
problem.
The
problem
when
you
need
to
y
list
one
line
in
order
to
hide
a
false,
positive,
there's,
no
standard
way
of
doing
that
no
standard
way
of
across
tools
across
languages.
H
So
if
there
is
a
for
example,
many
tools
require
that
their
own
format
for
while
listing
false
positives,
which
is
through
some
formatted
comments,
but
dot
clashes
with
other
tools.
So
if
we
could
come
up
with
a
standard
for
white
listing
lines,
we
could
implement
them
across
the
different
tools
it's
like
sarif,
but
instead
for
the
output
for
the
input.
D
G
I
G
Only
just
flaw
finder
comma,
ignore
as
a
comment,
but
it
also
accepts
rats
comma
of
ignore
because
there
are
other
tools,
but
there's
no
standard,
but
some
people
use
rats.
So,
yes,
that
would
be
a
way
to
include
to
a
standard
way
to
add
comments
to
ignore
false
positives
so
that
it's
easier
to
use
the
tools
is
probably
something
we
could
easily
do
and
might
actually
have
a
lot
of
quick
benefits.
H
Yeah
indeed,
the
problem:
it's
not
only
about
the
that
there
is
no
standard
way
of
doing
it,
but
there's
a
concrete
problem
that
when
you
run
multiple
tools,
you
need
the
the
line
above
of
the
line
containing
the
false
positive
okay,
to
put
the
comment.
But
if
you
run
several
tools,
you
cannot
come
combine
those
comments
or
those
while
listing
formats.
So
there's
a
problem.
A
D
Thank
you.
I
have
similar
expectations
that
those
that
were
mentioned,
so
I
would
just
go
shortly,
my
own
explication
of
those,
so
I'm
leading
security
for
for
a
distribution.
D
I
find
it's
pretty
hard
first
to
find
out
what
to
learn
exists
because
single
person
cannot
trace
all
of
the
languages
and
all
of
this
framework
to
have
a
reference
of
what
exists
which
data
formats
exist,
will
interchange
between
the
different
tools
and
different
types
of
tools
exist,
and
what
is
missing
here
so
that
we
can
mix
data
from
different
from
different,
applied
types
of
tools
and
different
tools
of
the
same
type,
finding
out
what
are
the
gaps
in
trolling
today,
tooling
and
services?
D
I'm
also
thinking
about
nvd
in
this
case,
it's
because
it's
part
of
2.2
and
sharing
the
knowledge
about
all
the
all
those
aspects
so
that
the
developers
do
not
have
to
figure
it
out
on
their
own.
A
G
Now
I
do
struggle
typing
and
talking
at
the
same
time,
so
I
mean
there's
so
many
different
things
that
we
could
talk
about.
I
I
do
want
to
do
a
quick
shout
out,
though,
because
I
think
some
people
aren't
aware
of
it
josh.
You
may
not
even
be
aware
of
it.
There's
a
subgroup
within
this
group
called
a
fuzzing
working
group.
It
actually
pre-existed
and
merged
in
they
only
meet
once
a
month,
but
they're
actually
pretty
active.
G
It's
a
bunch
of
it
has
a
lot
of
folks
from
google
and
mozilla,
and
some
others,
and
one
of
the
things
that
they've
been
developing
is
a
tool
that
it's
it's
actually
posted
on
the
working
group
homebase
where
which
helps
see
where
the
fuzzers
are
failing
to
find
it
to
go
in
and
that
actually
has
dual
uses.
I
think
they
originally
developed
it
really
more
for
the
fuzz
fuzzing
tool
developers.
G
G
Where
is
it
not
getting,
and
maybe
what
can
I
do
to
to
you
know?
Instead
of
improving
the
tools,
improving
the
use
of
the
tools
I
have
so
just
I
mean
so
I
I
think
I
I
I'm
not
saying
we
have
to
stay
with
with
just
that,
but
I
think
the
idea
of
how
can
we
improve
the
existing
tools
or
improve
the
use
of
the
tools
is
a
great
area
for
that.
For
this
group.
A
G
Mean
you
can
you
can
be
or
you
can
go,
let's.
Let's
talk
later
happy
to
make
introductions
yeah,
but
you
know
they're
they're,
doing
some
cool
stuff
and
I
appreciate
the
hands-on
aspect
of
what
they
what
they
do.
A
Yeah
yeah
and
again
like
if
we
don't
have
to
reinvent
the
wheel,
if
they
have
some
process
and
practice,
we
can
use
I'm
I'm
all
for
it.
There's
also
now
david.
This
group
also
has
speaking
of
subgroups
since
we're
on
the
topic.
There's
also
like
the
cve
benchmarking
suite
or
something
underneath
this
you
know
is
that
like
still
alive
or
is
that
kind
of
dead.
G
I
don't
want
to
speak
for
the
folks
who
contributed
it.
I
have
not
seen
any
recent
activity
which
you'll
notice
didn't
exactly
answer.
Your
question.
G
I
think
dead
is
probably
yeah.
Dead
is
probably
the
wrong
term,
because
I
think
really,
the
issue
is
having
a
test.
Suite
doesn't
help
you,
unless
you
actually
use
it
against
the
tools
and
do
something
about
what
you
learned,
but.
A
Yeah,
I
agree,
but.
G
G
Your
most
okay,
this
is
most
of
the
proprietary
tools,
have
contracts
that
stuff
in
their
contracts.
That
say
that
you
can't
publish
any
results.
A
G
Yeah,
it's
I
mean
it's
not
a
requirement,
it's
just.
If
they're
called
dewitt
clauses,
I
will.
I
will
post
my
standard
blog
post
wine
about
them,
but
it
does
make
you
know
whether
or
not
they
they're
legal.
What
it
does
mean
is
that
we
do
have
to
be
careful
about
publishing
results
about
proprietary
tools.
A
I
mean
so
I'm
kind
of
of
the
opinion
there
david,
where
we
I've
read
that
that's
a
good
blog
post.
Everyone
should
do
that,
but
I'm
of
the
opinion
like
they
come
to
us.
We
don't
run
their
stuff
and
I
think
if
we
create
a
suitable
environment
with
good
data,
they'll
have
no
choice
but
to
work
with
us
and
I
think
that's
a
better
way
to
do
it
than
they're.
Then
they're
playing
on
our
field,
we're
not
playing
on
theirs.
G
Yeah
now
it's
no
problem
for
doing
analyzing,
open
source
tools.
Do
it
all
day?
It's
it's!
It's
it's
the
proprietary
tools.
I
I
don't
think
that
these
contracts
and
laws
should
exist,
but
it
does
mean
that
either
you
need
to
be
willing
to
take
on.
You
know
talk
to
your
lawyer,
otherwise
you
know
you
know.
Beware
I
mean
I'm
trying.
A
To
keep
him
out
of
trouble,
let's,
let's
make
a
point
of
I
don't
I
don't
know
how
we
want
to.
We
have
to
get
good
through
the
charter
at
some
point
too,
I
don't
know
how
we
want
to
make
decisions,
but
I
think
we
should
make
a
point
of
at
some
point
when
we
have
a
decision-making
framework
in
place.
I
would
like
to
see
us
make
like
the
formal
decision
of
we
will
not
run
proprietary
tools
or
comment
on
them
if
they
want
that
they
have
to
come,
get
involved
and
do
it.
A
But
anyway,
we'll
get
there
all
right
all
right,
david
wheeler,
put
your
hand
up,
there's
no
other
hand
yeah
whatever
I
know
you
well,
I
don't
feel
bad.
I'm
commanding
you.
J
Hello,
so
I
just
wanted
to
check:
is
this
working
group
going
to
focus
on
these
kind
of
sassed
like
open
source
library,
ingestion
stuff,
or
will
it
also
cross
into
like
s-bomb
and
analyzing
s-bombs?
And
I,
I
guess,
build
tools
as
well
or
it's
like
anything
security.
A
Ago,
I
think
anything
security
I
mean
from
my
perspective.
My
biggest
interest
is
s-bomb
creation
and
ingestion
and
vulnerability
scanning,
like
those
are
the
two
topics
I
really
care
about,
and
I
think
we'll
all
have
our
topics
and
areas
of
interest,
and
if
we
do
it
right,
we
should
all
be
able
to
benefit
and
do
the
work.
A
I
Oh
there
we
go.
I
was
double
muted
yeah.
I
wanted
to
just
speak
up
a
little
bit
because
my
perspective
may
be
different
than
the
rest
of
the
group
so
yeah.
I
My
interests
are
kind
of
like
identifying
the
use
and
effectiveness
of
security
controls,
more
broadly,
which
may
be
implemented
using
a
specific
tool
or
a
number
of
tools
in
different
places
and
kind
of
identifying
good
ways
to
identify
gaps
in
the
implementation
of
tools,
maybe
discoverability
of
the
use
of
tools
general,
like
observability,
of
an
environment
where
tools
are
running.
I
You
know
projects
to
work
and
meet
the
expectations
of
a
of
a
company,
specifically
in
the
open
source
world.
I
I
am
also
working
on
the
outside
the
ossf
in
the
tag
security
group
on
some
initiatives
that
are
related
to
this
as
well,
and
so
my
interest
in
joining
today
and
a
few
times
in
the
past
is
just
to
kind
of
see.
If
there's
anything
between
these
groups,
that
would
maybe
make
sense,
like
collaboration,
wise
or.
A
I,
if
there's
a
way
we
can
work
together
and
if
there's
some
overlap.
I
think
that's
great.
I
mean
I'm
a
huge
fan
of
not
trying
to
build
a
little
fiefdom
here
and
and
not
working
with
anyone
else,
because
I
I
think
that's
something
you
see
sometimes
in
this
space
is
everyone
tries
to
stake
up
their
turf.
Then
they
yell
at
the
kids
who
walk
on
their
lawn,
which
is
dumb.
A
A
All
right
does
anyone
else
have
any
other
comments.
So
what
what
I
want
to
do,
I
think,
is
take
all
the
notes
that
that
david
has
gracefully
written
for
us
and
maybe
summarize
them
up
a
little
bit
and
use
that
as
the
basis
for
kind
of
defining
the
the
mission
and
vision
of
this
group
for
the
next
meeting,
and
then
we
can
kind
of
talk
about
that
more
more
detailed,
because
I
mean
this
is
obviously
a
really
broad
discussion.
G
G
Okay,
this.
That
is
one
of
those
annoying
little
things
that
it's
super
easy
to
do.
So
if
you
don't
mind,
I'm
gonna
propose
just
going
off
and
writing
like
a
one-page
proposed
spec,
bringing
it
back
to
the
group
and
then
we
can
start
yelling
at
and
that
way
we
have
something
specific
that
we're
working
on.
While
we
also
work
on
the
bigger
picture.
G
Okay,
basically,
what
was
one
of
the
things
that
was
discussed
earlier
about
the
kinds
of
things
we
could
do
is
a
a
standard
way
to
say:
hey
stat,
you
know,
hey
tool,
static
analysis
tool,
you're
about
to
report
on
something
it's
going
to
be
a
false
negative.
Don't
tell
me
about
it
that
turns
out
to
I
mean,
as
as
a
tool
writer
I
had
to
create
such
a
mechanism.
G
I
think
a
lot
of
people
created
such
a
mechanism
there,
and
I
remember
who
proposed
it,
but
I
think
that's
one
of
those
annoying
little
rocks
in
your
shoe.
That
hits
lots
of
folks.
So
I
I
want
to
just
create
a
little
a
little
draft.
Spec,
hey
everybody,
here's
the
standard
marker.
G
If
you
put
this
in
your
source
code,
the
next
comment
it
was
david
gutson
was
the
person
who
okay,
so
we
can
decide
whether
or
not
it's
worth
doing
or
going
any
further,
but
I
mean
sure,
okay,
but
in
my
mind
that
that's
you
know,
writing
a
spec
for
tools
doing
various
things
in
all
sorts
of
different
venues
to
improve
tooling,
I
think,
is
all
within
scope
of
this
group.
K
Yeah,
just
just
a
quick
comment,
something
to
be
mindful
while
you're
working
on
it
is
just
that
every
such
mechanism
is
always
something
that
you
need
to
keep
in
mind
to
look
at
from
an
attacker's
perspective
as
well,
just
to
make
sure
that
that
an
attacker
doesn't
use
this
mechanism
to
kind
of
tell
the
tool
to
ignore
a
specific
vulnerability
that
he
knows
he
wants
to
exploit.
This
is
something
that
is
done
there,
there's,
for
example,
in
checkoff
and
all
sorts
of
scanners.
K
They
have
this
mechanism
built
in
where
you
can
put
a
file
in
in
a
repository
in
the
file
system,
and
then,
if
it
sees
that
file,
it
simply
doesn't
scan
that
directory.
This
is
known
to
be
exploitable
or
possible
to
exploit,
so
just
just
be
mindful
of
that
aspect
as
well.
G
I
totally
agree.
I
will
note
that
you,
I'm
not
thinking,
ignore
this
director,
I'm
saying
it's
in
the
source
code
and
if
you're
looking
at
the
source
code,
you'll
notice
that
it
adds
it.
I
will
also
note
that
at
least
flaw
finder
has
an
option
called
ignore
the
ignore
directives,
which
has
been
one
of
the
most
impossible
to
explain.
A
Cool.
Thank
you.
That's
a
very
good
point
david's,
not
david
saster.
I
apologize
if
I
mispronounced
your
last
name.
There's
too
many
davids
now.
L
That's
the
right
pronunciation,
so
I'm
coming
from
a
slightly
different
background,
I'm
working
as
a
threat
modeler
and
my
interest
in
this
group
is
a
couple
of
things
that
have
been
mentioned
specifically
marta
mentioned
those
aspects
about
aggregating
information
and
I
think
the
one
of
the
key
aspects
of
of
of
the
results
that
all
these
tools
exist
in
our
future
may
provide
is
that
they
are
in
different
formats
again.
L
This
has
been
mentioned
and
I
think
that's
not
something
we
can
in
most
cases
influence
so
will
be
tools
that
generate
different
types,
standard
and
non-standard
outputs.
I
think
one
of
the
interesting
things
I
would
like
to
have
and
and
work
towards
implementing
would
be
some
some
form
of
knowledge.
Graph.
I've
been
doing
some
a
bit
of
research
on
different
capabilities
around
it.
There
is
previous
art.
L
Graphql
sounds
like
a
promising
instrument
to
do
such
a
thing,
but
again
my
my
interest
is
is
coming
from
threat,
modeling
background,
so
mostly
the
ability
to
kind
of
infer
risk
from
different
bits
of
information
that
may
be
available,
yeah,
provided
by
all
these
different
tools.
L
A
A
A
Thank
you
all
right.
Let's
move
on
great.
This
has
been
phenomenal.
Thank
you,
everyone
for
all
your
insights.
I
truly
appreciate
it
all
right.
So
the
next
thing
I
put
on
the
list
is
the
working
group
charter,
which
I'll
put
a
link
in
the
chat
to
that.
We
need
to
got
this
thing
because
ignoring
what
the
working
group
did
or
didn't
do
in
the
past.
This
charter
is
not
representative
of
how
any
of
the
working
groups
in
the
open
ssf
actually
function.
A
Like
section
two
talks
about
a
technical
steering
committee
which
doesn't
exist,
it
talks
about
this
technical
security,
the
technical
steering
committee
voting,
which
obviously
is
also
silly.
So
this
is
one
of
those
things
that
I
think
I
think
jory
was
jory.
Are
you
reviewing
these
for
the
other
working
groups?
Also,
or
I
don't
I
don't
remember
vicki,
do
you
know
your
hand
is
up.
B
Yeah
no
jori,
first
of
all,
she
had
to
step
away
briefly
each
of
the
working
groups.
At
the
top
level,
they've
asked
each
of
the
working
groups
to
review
and
revise
their
own
charters
to
make
sure
that
they
accurately
reflect
the
current
state
of
the
world
and
to
make
sure,
frankly
that
they
have
one
at
all,
because
a
lot
of
working
groups
did
not
have
one
and
it's
so.
This
timing
is
perfect.
A
D
B
Do
this
and
we
do
it
in
this
way,
sort
of
thing.
A
B
Maybe
just
replace
the
existing
charter
with
you
know.
We
are
rebooting
this
group,
this
charter,
as
a
work
in
progress.
Please
join
us
at
these
calls
to
help
us
that's
great
yeah.
Otherwise,
it
looks
like
we're
not
doing
anything
which
is
not
true
at
all.
A
B
You
shave
that
yak
later
and
just
replace
it
now
and
then
add
a
an
issue
to
the
working
group
repo
saying:
let's
come
up
with
a
plan
for
how
we
accept
these
things,
yeah.
B
G
I
G
A
A
A
So
all
right,
awesome
and
there's
one
other
thing
which
was
oh
the
readme
same
same
sort
of
deal.
We
just
need
this
one,
I
think,
will
be
heavily
based
on
what
we
just
talked
about.
A
F
He
thinks
so
you're
talking
about
using
github
as
being
our
primary
place
for
communication.
I
know
the
linux
foundation
is
trying
to
push
us
to
use
bevy.
Is
that
not
going
to
be
used.
G
I'm
trying
to
multitask
bevy.
F
C
F
C
F
C
Yeah
so
bevy
came
about
because
a
lot
of
our
project
communities
were
using
meetup
or
meetup
pro
really
heavily
to
set
up
sort
of
like
local
community
groups
or
virtual
events
and
webinars,
and
things
like
that
and
the
lf
legal
team-
and
you
know
the
and
and
product
were
not
satisfied
with
meetups
privacy
policies,
with
the
fee
structure
for
projects
and
so
on
and
so
forth
for
those
that
were
using
it
and
using
some
of
the
paid
features
of
meetup
and
so
bevy
is
really
meant
to
be
a
tool
for
fostering
those
like
online
communities
and
yeah
like
announcing
virtual
events
getting
folks
together.
C
You
know
for
meetups
and
stuff
like
that.
We
it's
something
we
can
totally
look
into
for
openssf.
If
you
all
would
like
to
to
explore
it.
But
it's
it's
not
meant
to
replace
all
of
our
communications
with
each
other.
Just
want
to
say
that
out
loud.
A
C
Yeah,
as
far
as
I'm
I'm
not
aware
of
any
working
group
that
has
moved
its
activities
a
hundred
percent
to
to
betty.
I
am
only
aware
of
communities
that
are
using
it
for
yeah
social
things
and
and
get
togethers,
and
that
kind
of
fun,
community,
building
stuff.
A
G
Escape
actually
a
quick
thing,
as
I
mentioned,
I'm
I'm
excited
about
that
standard,
false
positive,
because
it's
a
it's
a
bur
I've
had
to
deal
with.
So
I
will
post
in
the
link
a
a
document
link
on
google
docs
and
people
can
beat
me
up.
A
G
A
Right
right,
cool:
this
has
been
a
lot
of
fun.
I
I
have
some
pretty
high
expectations
and
I
think
this
is
going
to
be
great,
so
I
guess
obviously,
if
anyone
has
comments
or
suggestions,
we've
got
the
slack
and
the
the
mailing
list
like
like,
don't
feel
like
you
have
to
wait.
I
I
again
my
goal
is
not
to
make
this
meeting
the
the
once
every
other
week.
We
we
talk
about
something
I'd
really
like
this
meeting,
just
to
be
boring
and
and
a
readout.
So
let's
hope
we
get
there
all
right.
Well,
thank
you.