►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A
Hello
fam,
we
will
get
started
in
a
few
moments
posted
a
link
to
our
agenda.
If
you
have
any
new
items
opens
you'd
like
to
add.
Please
do
so
in
the
open
section.
If
we
have
any
of
our
sub
project
leads
I
want
to
give
an
update
on
their
initiatives.
Please
key
that
in
and
we'll
get
started
a
few
minutes
after
the
hour.
C
A
A
All
right,
as
always,
please
add
any
opens
in
the
open
section
like
Dan-
did
about
the
workshop
first
off
I
wanted
to
let
everybody
know
the
governing
board.
Tech
governance
committee
has
agreed
and
are
currently
reviewing
the
two
proposals
for
the
mobilization
plan
rewrites
at
this
very
moment
so
education
Sig
and
the
OSS
cert
Sig
are
currently
under
review
by
the
governance
committee.
So,
ideally
we'll
get
some
feedback
on
those
proposals
and
see
if
we
can
get
any
Direction
on
how
we're
going
to
move
forward
with
those
any
questions
about
that.
F
Well
from
the
SKF
team,
we're
actually
very
hard
busy
in
working
on
the
the
new
stack
making
good
progress
there,
we're
actually
now
in
the
stage
to
deploy
what
we
have
to
Azure
as
well
and
build
a
whole
pipeline
for
it.
So
we
have
actually
actions
that
we
then
can
you
know,
automate
the
whole
stuff,
so
we
don't
have
to
do
it
manually,
yeah
so
moving
forward
there.
So
that's
good
other
than
that
same
old,
same
old,
awesome.
G
In
addition
to
looking
at
who's
supporting
these
efforts,
so
we
can
drill
down
even
further
what
kind
of
support
we
should
be
looking
for
asking
for
what
should
we
stay
away
from
right?
There's,
there's
so
much
data
here
that
we
can
use
to
pin
to
nail
down
and
have
a
pinpoint
effort
into
what
we're
trying
to
do
that.
It's
amazing!
A
A
E
E
E
So
we
have
met
three
three
or
four
times,
I.
Think
it's
three
as
we've
been
putting
this
group
together
and
last
meeting
Jay
White
who's.
Also
in
this
meeting
very
helpfully,
helped
us
nail
down
a
bit
of
what
we
wanted
to
do
through
defining
a
vision,
a
mission,
scope
and
purpose
and
some
initial
goals.
E
Our
Visions
is
our
big
overarching.
You
know
Pie
in
the
Sky
thing,
is
to
eliminate
memory
safety,
vulnerabilities
in
open
source,
secure
our
open
source
software.
If
we
could
achieve
that,
that
would
be
amazing,
but
looking
at
our
mission,
which
is
a
little
more
targeted
and
a
little
more
pragmatic,
our
mission
is
to
understand
and
reduce
memory
safety,
vulnerabilities
in
open
source
software
and
our
scope
purpose.
E
How
we'd
like
to
achieve
that
that
mission
and
maybe
someday
ultimately
that
vision
is
to
develop
pragmatic
guidance
standards
and
software
to
reduce
memory
safety
issues,
I
emphasize
pragmatic,
because
it
seems
like
any
time
we
talk
about
memory.
So,
if
you're
improving
memory
safety,
some
people
on
Twitter
take
that
as
oh,
we
should
rewrite
the
entire
world
in
Rust
and
that's
not
well,
it's
not
pragmatic.
It's
also
not
a
responsible
thing,
I
think
too,
but
that
would
be
lovely,
but
it's
not
it's
not
it's
not
based
in
reality.
E
So
we
want
to
develop
that
pragmatic
guidance
standards
and
software.
This
will
sometimes
involve
rewrites.
This
will
sometimes
involve
you
know
if
you
are
locked
into
a
language
like
C
plus
plus
using
language
features
that
improve
memory
safety,
even
if
they
don't
guarantee
it,
but
also
identifying
where
it
is
worth
it
to
rewrite.
In
a
memory
safe
language.
E
But
there's
a
lot
of
research
out
there
about
the
data
around
memory,
safety
and
the
risks
of
it
and
our
initial
goals
and
see
Rob
alluded
to
a
little
bit
of
this
earlier
is
to
update
the
language
of
stream
4
of
the
open
source
security
mobilization
plan.
I
was
involved
in
the
drafting
of
that,
and
that
was
drafted
very,
very,
very
fast
and
I.
E
We
would
like
to
update
that
again,
based
on
real
world
data
and
risks
and
pragmatic
guidance,
and
then
identify
and
recommend
specific
initiatives
for
funding
by
the
open,
ssf
and
its
members.
This
might
we
might
recommend
something
within
the
rust
Foundation
to
be
funded.
We
might
recommend
I
know.
I
A
G
G
E
J
E
A
C
Yeah
I
was
just
wondering
if
you
had
any
links
to
research
about
the
overlap
between
memory
safety
and
like
where
memory
safety
issues
have
been
at
the
or
how
you
know
have
enabled
kind
of
like
the
the
vulnerabilities
that
or
have
been
you
know.
Overlapping
with
that
area
of
vulnerabilities
I
mean
is,
is
it's
just
not
an
area
that
I've
that
I've
looked
at
before
so
I?
So
I
was
just
wondering
if
you
have
more
information,
you
could
share.
E
A
G
E
G
L
Hi
hope
you
can
hear
me.
Yes,
sir.
Thank
you
yeah
thanks,
very
interesting,
very
interesting
proposal.
So
I
was
wondering
so
there
was
a
now
for
about
a
month
ago,
so
we
also
started
this
activity
around
the
C
and
C
plus
plus
compiler
flag,
hardening
guide,
which
also
touches
upon
memory
safety
issues,
but
maybe
from
a
little
bit
of
like
a
narrower
scope.
So
I
was
wondering
a
little
bit
around
like
possible
sort
of
synergy.
L
So
it's
like
this
sort
of
so
it
a
little
bit
sounded
me
that
your
focus
is
more
on
like
this
memory.
Safe
languages
and
I
was
sort
of
wondering
how
this
sort
of
activities
around
compiler
flags
for
C,
plus
plus
sort
of
fits
into
this.
So
is
that
something
that
possibly
has
synergies,
or
is
it
a
little
bit
on
the
sort
of
like
the
side.
E
It
absolutely
has
synergies.
In
fact,
I
was
looking
at
that
Sig
I
I
almost
said
wig,
because
I
was
conflating
working
group
and
Sig
I
was
looking
at
that
Sig
yesterday
and
there's
definitely
some
overlap.
They
they
are
focusing
narrowly
on
Ce
and
C,
plus
compiler
Flags,
which
is
great
and
I,
do
think
the
maybe
not
overlap,
but
there
definitely
will
be
things
that
we
can
work
on
together
around
that.
So,
yes,
there
are.
There
are
synergistic
synergies,
certainly.
L
E
I
M
All
right,
oh
man,
whenever
he
uses
my
title
I
know
I'm
getting
my
chain
pull
yeah.
So
there
is
a
project
called
prossimo
which
is
kind
of
a
meta
project
of
various
efforts.
I
I,
you
know
I
know
you
know
about
this
now,
but
it's
more
of
the
other
folks
here
on
implementing
some
very
important
tasks
in
members
of
safe
I.
Think
all
the
possible
ones
are
rust
specifically,
but
you
know
the
idea
is
to
re-implement
certain
functionalities
in
a
member
safe
language.
M
A
So
anyone
that
is
listed
in
our
working
group,
governance,
section
as
a
maintainer,
collaborator
or
contributor,
is
able
to
formally
eligible
to
vote
and
anyone
else
is
interested
to
provide
us
feedback
from
the
internet,
which
is
always
great
a
good
time.
So,
look
for
that.
I
could
do
that
this
afternoon,
so
I
will
shoot
an
email
to
the
mailing
list
and
then
Ping,
On,
slack
and
I
would
encourage
everyone
to.
If
you
could
share
that
presentation
now
and
if
you
have
any
links
to
any
existing
notes
or
any
other
artifacts.
A
I
A
A
I
A
I
C
Sure,
okay,
let
me
see
if
I
can
bring
up
share
my
screen,
yeah.
Okay,
great
so
a
few
of
us
have
been
working
on
the
idea
of
doing
a
kind
of
a
workshop
jointly
run
between
these
organizations
here
so
open,
ssf,
w3c,
OAS
and
openjs
in
particular,
and
so
we
have
I've
been
working
with
people
probe
as
one
of
them
Jory
as
well
from
Linux
foundation,
and
some
other
folks
aren't
as
well
has
been
has
been
roped
into
this.
C
Many
of
the
efforts
that
I've
been
involved
in
w3c
have
started
with
a
workshop.
We've
also
used
workshops
as
a
way
to
bring
communities
together
so
in
in
the
work
that
I
was
involved
in
in
the
immersive
web.
For
instance,
we
had
a
workshop
where
we,
where
we
brought
in
content
and
game
and
application
developers
to
come
and
talk
to
the
people
who
are
building
the
specs
and
took-
and
you
know,
have
a
sharing
of
of
of
concerns
there,
and
that
can
also
be
helpful
so
in
this,
so
the
so.
C
The
purpose
of
the
idea
behind
this
Workshop
we've
got
like
different
strands
of
things.
It's
focusing
on
web
developers
right
and
and
the
needs
of
web
developers
and
how
those
are
different,
possibly
from
the
needs
of
developers
in
other
areas,
and
so
so
or
specifically
thinking
about
the
needs
of
web
developers.
And
there
are
there's
a
kind
of
lack
of
communication,
I
think
going
on
in
the
web
developer,
Community
about
the
good
work
that
is
happening
here
and
in
other
places
around
software
supply
chain.
C
So
all
of
those
issues
kind
of
come
together
in
a
crisis
which
is
that
the
situation
for
web
for
security
on
the
web
is
not
that
great,
and
it's
also
one
of
the
platforms
where
you
can.
You
know
you're
very
often
subject
to
security
issues,
because
you
can
just
be
fished
and
find
yourself
on
a
website
that
looks
like
your
bank
and
before
you
know
it
you've
clicked
on
a
link,
and
that
may
be
enough
user
activation
in
order
to
enable
some
kind
of
advanced
API.
C
That's
going
to
start
sucking
your
personal
details
away.
Getting
at
your
location
down,
even
as
a
vector
for
malware,
so
anyway,
the
point
of
this
we're
going
to
try
and
run
this
Workshop
in
London,
June,
7th
and
8th
we've
got
people
from
all
these
different
groups
involved,
we'll
run
it
under
w3c
rules,
but
it
will
definitely
be
run
as
a
as
a
kind
of
a
joint
workshop
and
right
now
we're
kind
of
working
this
week
to
finalize
the
cfp.
C
The
cfp
will-
hopefully
it's
not
covered
in
here
right
now,
because
it's
still
in
a
PR
but
I
think
we're
what
we're
going
to
be
looking
at
is
opening
up
the
cfp
and
then
looking
for
papers
by
the
end
of
April,
basically,
and
then
we'll
have
a
review
process
and
then
we'll
we'll
run
this.
This
Workshop
in
the
and
in
the
reactor
space
in
Microsoft,
actually
the
Microsoft
reactor
London
is
has
has
told
us
that
they're
happy
to
host
it.
C
C
So,
even
though
we
have
a
spot,
we
have
a
sponsor
in
in
the
form
of
Microsoft
reactor
for
the
space
we
are
looking
for
sponsors
for
food,
so
those
those
are
the
that's.
That's
the
current
state
of
things
and
I
hope
to
it's,
not
that
the
cfp
has
not
been
launched.
Yet.
We
hope
that
to
happen
by
the
end
of
this
week
or
possibly
early
next
week,
and
and
so
so
that
we
give
people
enough
time
to
to
write
input
papers
for
this,
so
that
that's
that's.
It.
C
C
Of
course,
it's
more
because
part
of
the
workshop
agenda
will
be
unconference
it'll
be
more
possible
to
participate
in
the
kind
of
like
presentation
stuff
in
Q,
a
versus
the
unconference
sessions,
which
are
going
to
be
a
little
bit
more
necessarily
chaotic,
so,
but
but
but
there
will
be
some
form
of
remote
participation
available.
That's
for
sure.
A
C
C
A
C
K
Know
if
I
sent
this
in
the
in
over
the
email
group,
but
there
is
a
document
quite
short,
it's
a
proposal
for
a
section
to
get
added
to
the
best
practices
guide
for
open
source
about
how
to
handle
vendor
dependencies
with
respect
to
cves.
It's
linked
in
the
meeting
group
meeting
notes.
I
will
also
post
a
link
to
it
in
the
Zoom.
A
K
K
A
vendor
dependency
is
any
dependency
that
can't
be
directly
updated
by
the
end
user.
It
is
considered
best
practice
when
updating
a
vendor
dependency
in
order
to
fix
a
vulnerability.
The
project
issues
their
own
disclosure
for
that
of
that
vulnerability.
The
project
should
also
assign
the
existing
cve
ID
of
the
affected
package
to
their
product.
The
impact
should
be
assessed
and
communicated
in
the
context
of
the
Project's
use
of
that
dependency.
Finally,
reach
out
to
the
CNA
for
the
original
vulnerability.
A
K
C
A
K
M
D
M
A
M
K
M
Yeah
I
mean
I
I.
If
somebody
can
find
another
term
and
I
I
have
certainly
no
trouble
with
using
a
different
term
I.
Just
if
we
use
a
different
term,
then
we
should
mention
that
some
people
call
it
this
other
thing
because,
as
I
said
I,
that's
the
only
term
I
know
of
that's
used
for
this
situation.
Yeah.
B
M
K
So,
for
example,
when
I
was
working
for
Gradle,
we
had
when
you
were
building
the
artifact,
a
a
rule
that
would
go
and
rewrite
all
of
the
vendor
dependencies
to
be
in
a
different
like
they
were
now
part
of,
like
org.gradle
dot,
internal
dot,
vendored
or
whatever,
and,
like
all
the
packages
in
the
compiled
source
code,
would
then
point
to
that
artifact
that
or
to
that
class
file.
That
was
part
of
that
vendored
package
name.
M
I
I
think
that
sounds
good
to
me.
I
just
wanted
to
tell
the
clarification,
so
if
there
is
a
vulnerability
in
one
of
the
dependencies
and
you
make
the
assessment
that
it
doesn't
actually
impact
your
product,
because
you
know
you're
not
actually
using
that
functionality
is
still
supposed
to
do
the
disclosure
and
basically
communicate
the
assessment
that
it
doesn't
concern
your
product.
A
G
G
G
That
now
is
that
fault-
and
this
could
impact
this
project
over
here,
but
maybe
it
impacts
a
few
others
they're
using
the
same
damn
I
mean
you
know
so
so
I
think
I
think
that
what
could
be
developed
here
should
also
be
communicated
across
of
the
spectrum
and
not
just
living
a
guide
here.
I
think
that's
what
I'm
saying
what
I'm
saying
is
it
shouldn't
just
living
live
in
the
guide
here?
I
think
that's
something
that's
that
can
actually
be
communicated
outwards
to
a
lot
of
the
other
efforts
that
we're
doing
as
well.
K
Yeah
I
mean
the
guy,
yes,
starting
with
it
in
the
guide
and
saying
hey.
This
is
the
best
practice
for
open
source
and
then
communicating
it
to
other
organ
or
other
subparts.
The
OSF
is
totally
reasonable,
but
I.
You
know
I
need
to
live
somewhere
and
it
wasn't
totally
clear
if
this
should
live
in
the
best
practices
guide
or
on
the
vulnerability
disclosures
working
group
like
it's.
It's
it
kind
of
bridges
both
of
those
I.
Don't.
K
A
A
All
right,
I
would
strongly
suggest
open
up
PR
against
the
guide.
What's
your
proposed
text
in
there
and
give
us
a
couple
days
to
comment,
if
there's
anyone
that
has
any
additional
thoughts
and
then
I
think
we're
good
to
proceed.
Yeah
we'll
do
absolutely
no
I
have
no
objections
to
the
intent
and
content.
A
All
right
team
do,
we
have
did
Jaron
ever
pop
in
did
not
so
I
will
point
you
all
to
our
slack
Channel.
We
had
a
gentleman
that
is
from
owasp
that
represents
the
wrong
Secrets
project
and
it
looks
like
that
project
is
going
through
our
awesome
best
practices,
badging
process
and
it
looks
like
the
team
had
a
couple
questions
so
I
would
encourage
us
to
reach
out
through
the
slack
Channel
and
see
what
we
can
do
to
help
answer
those
questions.
A
I
thought
so
it
looks
like
they're
going
through
and
they
had
done
a
substantial
amount
of
work
already
and
they
were
mostly
cleaning
green,
a
couple
things
here
and
there.
So
maybe
they
were
just
asking.
Maybe
they
just
the
project
had
questions
about
the
couple
areas
where
they
weren't
able
to
hit
the
perfect
score.
C
A
A
Okie
dokie
look
for
an
awesome,
email
and
slack
communication
about
the
proposal
to
create
the
new
memory
safety
Sig
and
also
look
for
Jonathan's
PR
around
vendoring.
If
anyone
has
any
commentary
or
feedback,
please
put
it
in
that
issue
and
we'll
get
that
reviewed
and
potentially
merged
here
in
the
next
couple
days
and
I
would
also
suggest.
We
probably
should
think
about
from
the
volume
group
how
we
might
want
to
update
our
guide
to
reflect
that
as
well.