From YouTube: OSS SIRT Best Practices (August 23, 2022)
A
All right, well, we waited long enough. If Mr. Scovetta pops in a little later, we will allow him, yield the floor to him, for his amazing presentation and request of the SIG. Hello everybody. This is the August 23rd edition of my favorite working group, my favorite SIG, the open source CERT SIG.
B
Hey there, sorry, I had camera problems there, but I'm Jill. I got invited by Madison here. I'm also at GitHub. I am the director of product security engineering response, which has our bug bounty and our PSIRT, so welcome.
B
A
Glad to have you here. Speaking of GitHub, my other favorite SIG, I encountered a boggle when one of our members was trying to submit a pull request.
A
So in order to correct that situation, I'm asking, if you're interested in working with us through submitting PRs and whatnot, if you could give me your IDs, so I can get the short-term problem fixed quickly for us and then ask the foundation folks to address the longer-term problem. So if you're interested in collabing through GitHub, which is where we're going to move the plan, hopefully this week, give me your ID and I'd be glad to get you added in.
A
All right, I see Mr. Scovetta still is not here, so let us, our, the next... We finished reviewing the initial draft of the plan, and we all agreed on the language we initially wanted to see. So what Francis and I did is we took that information and kind of reassembled it and tried to organize it a little bit. Our next task is going to be to kind of divide up the plan into smaller focus areas and then.
B
A
Some folks to potentially take leadership of that section and lead a small group discussion in fleshing out that plan more fully. So Francis and I got our wires crossed, so we started doing the same thing in two different documents.
A
So Francis's proposal is in the plan that we have been working on. I'll put a link here in the Google, in the Zoom meet. If you go down to "proposed short form final version", he also broke the plan up into three sections, and then in parallel I had started to flesh out the same thing, basically copying and pasting what we've already agreed upon into a new structure, and essentially we both came up with having three sections apiece.
A
So I'm wondering, I think, looking at these ideas, I'll put the three categories into the meeting notes here in a second. What does the group feel about chopping up the plan into logical chunks and then kind of dividing and conquering, so we can work in parallel on some of this?
A
A
And they're very similar, and I also want to show off an example of how we're doing this in another SIG, kind of show you how this might, how our next phase potentially will start to look. All right. So in the meeting agenda I have put the two kind of proposed wordings. I'm not emotionally connected to either one, but essentially what we're doing is we are trying to collect information, understand the problem space, and we've already talked about things we want to do there, and if I.
A
B
B
A
Defining what the core services and processes of the CERT would be, and then we'll be turning the thing on, assembling the team and the tools, and we kind of phrase it a little differently. Now, what does the group think about either of those choices? Do you have, hopefully, a better suggestion for phrasing, or maybe a way to split the work up?
B
B
Core services and processes kind of go hand in hand; that's relatively straightforward. Assembling the team and the tools: the assembling the team and tools portion of it doesn't sound necessarily operational to me, so, like, day-to-day processes, which, I don't know if that is the intent, that we're not capturing operational day-to-day work, or if we're really just talking about the criteria and the qualifications, because the group in the past had expressed concern about being too specific within the plan document itself and trying to migrate as much of that out as possible.
B
So sticking more functionally to the course scope, the goals and objectives, the guiding principles of the search, and then leaving those detailed implementations to a separate document would be ideal. So, for the purposes of this, definitely understanding the problem space, that's the scope; minimal core services, like, no matter what happens, these are the fundamental areas of focus that need to be accomplished; and then beyond that, I'm not sure, and you probably have more insight. What all did you have planned for assembling team and tools and operate?
A
So, my clumsy wording: if you want to go at the lowest link, which is the prototype document, if you want to go down to section three, what I did is I tried to logically organize the points we'd already discussed, so I put 4, 5, 8, 11 and 12 in there, and I clumsily named it "assembling the team and tools". But again, I'm not in love with any names.
A
We can call it whatever we want, but that's how I was thinking about those, appeared to be more operational and more team focused than talking to Linus about kernel security process, which.
A
He started to ad-lib a little more, so he was adding in some things. He was not working specifically off the plan, but he was working off of things like selecting tooling, creating playbooks and whatnot, so he had started to add in some potential details we may not have specifically laid out. If I could, what my intention would be, while I continue to drag out until Scovetta shows up, let's see where my chat go, what you have.
B
B
A
What I envision is, if I can have you look at this repository real quick, if we like the structure, and again, we always have the ability, once it's in git, we can start to file issues and PRs against it. So hopefully the process will be a little easier, more transparent, but what I propose is to load the plan up into a git repo.
A
We would have a landing page that I'm going to be borrowing material from the original plan for, kind of a problem statement, and that's framing the problem, but then for each of these sections, each of the groupings that we agree upon, so like, for example, we turn section three into execution, we would have an md file.
A
A
Part of the PR process will be fixing my terrible markdown skills. But what the intention would be is that we would elect a section leader for each one of the three sections. People will volunteer to be on a team, and everybody could be on every team if you want, but the idea is, we would split off into three small group meetings. We would focus on that topic and then report back to this larger group on our progress.
A
We would provide a layperson explanation of that goal, and then we're going to start documenting the key steps and milestones for each one of those goals, things we are going to do, we're going to commit to do, and then we're going to provide a time and resource estimate. So if you, the whole 1.1 is for my exemplar of how I would like to see the final proposal of the plan look, is that we have the goal, some context around it, some specific things we commit to doing, and then any people, tools or other resources.
A
A
Any other thoughts, any other different suggestions? Yeah, I'm open to other ways of doing this, too.
A
Yeah, that's a good point Emily, she made in a chat, and my dream is, we have some more, we have some verbose text as some of our goals. I would like to shorten those down into smaller statements and then keep that text as part of the explanation. So we're not going to throw out what we've done, but I'd like to kind of, again, have a short focused goal, a few words, and then have that longer text explanation.
A
Since we are missing some people, I'll send a note to the mailing list to ask the full group if anyone has any interest, but does anyone here, because I'll give you first... Oh, Rob. If no one volunteers I'll do it. I don't have... I can, yeah, I can do it, but is there a section you're interested in, Randall? Oh, I think I volunteered.
B
For all the sections, because I kind of have a lot of time, but I think section one is the one that interests me the most. Okay.
A
And that is cool, and I gotta mention everyone's free to participate in all the groups, and you'll have the ability, once we get this moved into GitHub, to be able to comment there. But there's only so much of me to go around and I can't lead every meeting. I'd like to give everyone the opportunity to try to lead and help shape this idea, help shape this, so we have, you know, a more diverse set of ideas and perspectives in putting this together. I'll put down middle has section lead.
A
Do we have anyone that is interested, who would like to participate in kind of understanding the problem space? Hey Art. We are talking about, we're dividing up the plan into chunks, and once we do that, once we get agreement upon those sections, I'm going to move it into GitHub so that we can start manipulating it there, and we're going to split off into small groups to focus in on these sections and try to fill out the details of the plan.
A
So, instead of, you know, if the goal is "do PSIRT", I'd like to have a little more definition, and, you know, our commitments on what we're going to be delivering when we do PSIRT, for example.
A
But do we have anyone who's interested in participating in section one? And again, I'm not... This won't be a full list right now, but if we could just start to get some idea.
B
I'll put myself down. Can you reiterate what exactly section one is? I'm sorry, I'm looking at, like, I've got four Google Docs open and I think.
A
Different proposals for wording, and we can do... Are we okay with section one generally being "understand the problem space"?
A
It's going to be starting to develop procedures on how we're going to outreach to communities, assisting maintainers through the, kind of talking them through the CERT's offerings, and I feel that this one's probably more external, maintainer, project focused, and then the next section, the core services, is going to be kind of the operating, like, how does the PSIRT work, for example. I think the initial proposal here, so the first section is more focused on upstreamy things and engaging developers and whatnot. So Jill, you have your hand up.
B
Yeah, I'm happy to join in on that first one. Sorry, I think I left.
A
And I'm back on our agenda. If you are interested in kind of being part of that team, and you're not excluded if you don't put your name down right now, go ahead and we can start to fill this out, just so we can have an idea, and what I, what the homework from this is going to be.
A
Is I'm going to ask the section lead to coordinate a time with those people interested to start to organize themselves on how they want to fill the section out. So for section two, which I mentioned is kind of identifying core services and processes, more of the building the mechanisms of the PSIRT?
A
Art, all right, Art would love to help facilitate that conversation and lead us there. Maybe, maybe like not love, but yes, I did raise my.
A
A
A
I just need help in project managing this large body of work, and so by delegating out to our enthused participants, that helps us go faster, but yeah, yeah. None of these are a blocker, and if we like these sections, what I'll do is I will, Francis and I will move the plan into GitHub. That way you can see how we've shuffled things around and how we'd like it structured, and then the section we can go ahead and schedule.
B
A
All right, Mr. Scovetta, have you shown up? Nope.
A
And then, so, what I will do is, after this call I'll move this to GitHub, I'll send a note out to the mailing list, so everyone has that information. You can take a look at it. I will get everyone that gave me their GitHub ID.
A
I will get you added with the ability to make changes, and we will take the next meeting to review the structure, making sure we think we got things in the right place, and then I would propose, after our next meeting, that we either move this call to bi-weekly for updates for the smaller groups, or we, you know, split this call into three sections and figure out a way, 20 minutes per small team, to talk about, to jam on their stuff.
A
Yeah, but the idea was, I don't want to overburden the team with meetings. I want to burden us with doing the work and moving this forward, so we can accelerate things, and if we, you know, by giving you back an hour here every other week, that might allow people more time to collaborate.
A
All right, so I apologize for being a little disorganized. I was hoping that our presentation would have soaked up 30 minutes or so. I will ask Mike to come back at a future call. He has an interesting proposal.
A
B
A
A
I am not able to tell you that, because it is not my proposal. I don't want to color anyone's opinion on whether that's a good thing or a bad thing. I have my own feels I'll reserve, but he would like, he feels that this would be a great place for that work to happen. I just want to give him his day in court, so to speak, to propose to us and kind of explain what he's interested in, what his ideas and the.
A
I know I won't be sitting watching a seam scraping the internet, but if someone's interested in doing that work, they think it aligns with this, awesome.
A
Do we have any other, I'm zooming, have any opens or any ideas or comments about how we're moving forward, any changes indicates. He made.
A
All right, we will adjourn for today. That will give me time to start my, brushing off my amazing markdown powers.
A
So thank you all for attending. You'll see a proposal for how things will be organized and get, and then you'll see a mail on the mailing list soliciting for more help and leadership of the section three execution.