Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A: Hello fam, we will get started in a few moments. I posted a link to our agenda. If you have any new items or opens you'd like to add, please do so in the open section. If we have any of our sub-project leads who want to give an update on their initiatives, please key that in, and we'll get started a few minutes after the hour.

A: All right, team, it is three minutes after the hour. Welcome to the Pi Day gathering of the best working group in the OpenSSF.

A: First and foremost, do we have anyone that's interested in helping us take notes today? Please, please.

A: Thank you, Dan, really appreciate that. All right, with that out of the way, do we have any new friends who are here to introduce themselves and say hello today?

E: Hi, I'm Nell Shamrell-Harrington. I'm a principal engineer at Microsoft, and I am leading the hopefully-soon-to-be-official Memory Safety SIG, and we'll be presenting later today.

A: All right. As always, please add any opens in the open section, like Dan did about the workshop. First off, I wanted to let everybody know the governing board / Tech Governance Committee has agreed and are currently reviewing the two proposals for the mobilization plan rewrites at this very moment. So the Education SIG and the OSS Cert SIG are currently under review by the governance committee. So ideally we'll get some feedback on those proposals and see if we can get any direction on how we're going to move forward with those. Any questions about that?

A: Okie dokie. Do we have any other sub-project leads here that wanted to give an update on any of our SIGs or software projects?

F: Well, from the SKF team, we're actually very busy working on the new stack, making good progress there. We're actually now in the stage to deploy what we have to Azure as well and build a whole pipeline for it. So we have actually actions that we then can, you know, automate the whole stuff, so we don't have to do it manually. Yeah, so moving forward there. So that's good. Other than that, same old, same old. Awesome.

G: Oh, please go ahead, Jay. Yeah, we have our... we have the town hall this week.

G: We've got a great outline we'll be looking at today during the SIG meeting, and then we have our talk that got picked up at the Open Summit. I think we're going to submit as well for OpenSSF Day. Either way, we got a lot of stuff to prepare for. Also, at the same time, Nicole and our subcommittee put together this outstanding...

G: In addition to looking at who's supporting these efforts, so we can drill down even further: what kind of support we should be looking for, asking for, what should we stay away from, right? There's so much data here that we can use to pin down, to nail down, and have a pinpoint effort into what we're trying to do. It's amazing!

G: So a lot of the great stuff happening in the subcommittee. There's also a couple of proposals out for the even larger effort, but there's more to come on that. So yeah, exciting times over the next couple of months.

A: Excellent. If anyone is curious about what the DEI group is working on, they actually meet at the top of the next hour, so join us there. Any questions for Jay about the town hall, the talks, anything around our DEI and education efforts?

A: All right, thank you for sharing. Did Jordan join us? All right. So let's shuffle around; we'll talk about WrongSecrets in a little bit. We have our new friend Nell here, so we'll let Nell talk all about the proposal about potentially creating a new SIG. Ooh.

E: Yes, and can I have... oh wait. Nope, I already have permission to share. Score.

H: Right, cool. So let me just shuffle windows slightly, bring this thing up. You can do it, computer. There we go, and let me share the correct screen.

E: So we have met three or four times, I think it's three, as we've been putting this group together, and last meeting Jay White, who's also in this meeting, very helpfully helped us nail down a bit of what we wanted to do through defining a vision, a mission, scope and purpose, and some initial goals.

E: Our vision, our big overarching, you know, pie-in-the-sky thing, is to eliminate memory safety vulnerabilities in open source, secure our open source software. If we could achieve that, that would be amazing, but looking at our mission, which is a little more targeted and a little more pragmatic, our mission is to understand and reduce memory safety vulnerabilities in open source software. And our scope and purpose...

E: How we'd like to achieve that mission, and maybe someday ultimately that vision, is to develop pragmatic guidance, standards and software to reduce memory safety issues. I emphasize pragmatic, because it seems like any time we talk about memory... so if you're improving memory safety, some people on Twitter take that as "oh, we should rewrite the entire world in Rust," and that's not, well, it's not pragmatic. It's also not a responsible thing, I think, too. That would be lovely, but it's not based in reality.

E: So we want to develop that pragmatic guidance, standards and software. This will sometimes involve rewrites. This will sometimes involve, you know, if you are locked into a language like C++, using language features that improve memory safety even if they don't guarantee it, but also identifying where it is worth it to rewrite in a memory safe language.

E: There has been some research done on memory safety, and Microsoft, a few years ago, put out a study saying that, you know, of the issues that they assign CVEs to, 80 percent were memory safety related and likely could have been prevented by using a memory safe language. So we'd like to access more real-world data. I'm the editor of This Week in Rust; again, we're not advocating solely for Rust or solely for any one language.

E: But there's a lot of research out there about the data around memory safety and the risks of it. And our initial goals, and Rob alluded to a little bit of this earlier, is to update the language of Stream 4 of the Open Source Security Mobilization Plan. I was involved in the drafting of that, and that was drafted very, very, very fast, and I...

E: We would like to update that again, based on real-world data and risks and pragmatic guidance, and then identify and recommend specific initiatives for funding by the OpenSSF and its members. We might recommend something within the Rust Foundation to be funded. We might recommend, I know...

E: The C++ world is working on profiles, where the user could use a memory safe profile with their C++ code and do it in a more memory safe way. There's initiatives in Go, there's initiatives in plenty of other languages. We'd like to identify and recommend specific ones that we think would produce the most value for the open source ecosystem, again, based on that real-world data and risks. And that is it.

A: Please, so, group, what questions do we have for Nell, whether it's about the mobilization plan or this proposal?

E: The daylight savings time jet lag.

G: I believe there are a few of us that are already attending a lot of these meetings.

G: I know I'm one of them. I'm very interested, and more from a learning perspective, right, so I'll say that. So not only who's interested in collaborating, but who's interested in learning more and helping to push, as part of the mobilization plan and as part of, I mean, the basic efforts, just to solve for a lot of the vulnerabilities that are generated or exploited because of the lack of use of memory...

G: ...safe languages. That'll be interesting to understand as well. I'm involved because I want to learn.

E: Our meetings are on the community calendar. We normally meet every other Thursday at 10 a.m. Pacific. We are skipping this week's meeting, though, because it conflicts with the town hall.

C: Yeah, I was just wondering if you had any links to research about the overlap between memory safety and, like, where memory safety issues have been at the... or how, you know, have enabled, kind of like, the vulnerabilities that have been, you know, overlapping with that area of vulnerabilities. I mean, it's just not an area that I've looked at before. So I was just wondering if you have more information you could share.

E: Sure, I'll put some links in the chat. One is a report from Microsoft. That's just one I have off the top of my head. There's been a few other reports as well, which I'll definitely be researching and bringing in.

G: Yeah, one question: do you plan on presenting this to another working group as a proposal to be part of it? Basically, are there competing...?

G: Are you forcing competition between working groups for this particular SIG?

E: I am not, not right now. We had considered the Secure Code Working Group as potentially a fit, but I think this one would be a much better fit because of the emphasis on developer practices. Okay.

A: The more you know. Thomas.

L: Hi, hope you can hear me. Yes, sir. Thank you, yeah, thanks. Very interesting, very interesting proposal. So I was wondering, so there was... now, about a month ago, we also started this activity around the C and C++ compiler flag hardening guide, which also touches upon memory safety issues, but maybe from a little bit of a narrower scope. So I was wondering a little bit around, like, possible sort of synergy.

L: So it's like this sort of... so it a little bit sounded to me that your focus is more on, like, this memory safe languages, and I was sort of wondering how this sort of activities around compiler flags for C++ sort of fits into this. So is that something that possibly has synergies, or is it a little bit on the sort of, like, the side?

E: It absolutely has synergies. In fact, I was looking at that SIG, I almost said WG, because I was conflating working group and SIG. I was looking at that SIG yesterday, and there's definitely some overlap. They are focusing narrowly on C and C++ compiler flags, which is great, and I do think, maybe not overlap, but there definitely will be things that we can work on together around that. So, yes, there are synergistic synergies, certainly.

A: Thanks, awesome. And Thomas actually is helping lead that little project. Awesome.

A: Any additional comments or feedback, or desire to express your interest in participating?

M: All right, oh man, whenever he uses my title I know I'm getting my chain pulled. Yeah. So there is a project called Prossimo, which is kind of a meta project of various efforts. I, you know, I know you know about this now, but it's more for the other folks here, on implementing some very important tasks in memory safe... I think all the possible ones are Rust specifically, but, you know, the idea is to re-implement certain functionalities in a memory safe language.

A: Well, because I'm a glutton for punishment and the internet hates me, I will create an issue for all the working group members to formally vote on adopting this effort as a SIG that we want to collaborate on and contribute to. So I will get that put together, and the beatings will commence shortly after that.

A: So anyone that is listed in our working group governance section as a maintainer, collaborator or contributor is formally eligible to vote, and anyone else is interested to provide us feedback from the internet, which is always a good time. So look for that. I could do that this afternoon, so I will shoot an email to the mailing list and then ping on Slack, and I would encourage everyone to... If you could share that presentation now, and if you have any links to any existing notes or any other artifacts...

A: ...that later today and get that out. David, I'm sorry, no.

A: I personally think it's a great idea. I love supporting kind of the strategic vision of the foundation, and I think this is a definite opportunity to help improve the whole ecosystem by eliminating a whole class of issues. Wouldn't that be great, less work in the future.

A: All right, well, thank you, Nell. If you have any questions in the interim, feel free to continue the conversation in our Slack and look for that issue, and I look for members to express their opinions shortly.

A: All right, I don't see Jaren here, so, Dan, would you like to talk about the W3C joint workshop?

C: Sure, okay, let me see if I can bring up, share my screen. Yeah. Okay, great. So a few of us have been working on the idea of doing a kind of a workshop jointly run between these organizations here, so OpenSSF, W3C, OWASP and OpenJS in particular, and so we have, I've been working with people, Rob as one of them, Jory as well from the Linux Foundation, and some other folks, Arnold as well has been roped into this.

C: Thank you for your time. But the idea is to... W3C, I have a background working in W3C, and I co-chair there a group called the Technical Architecture Group, which is kind of one of the leadership groups in W3C, and every so often the W3C works on things that are like these workshops, which bring together communities.

C: Potentially people who haven't talked to each other before, to think about new work or just to come together and have a meeting of the minds. Very often workshops are used as a way to kick off new work, like new working groups, or it could be new interest groups.

C: Many of the efforts that I've been involved in in W3C have started with a workshop. We've also used workshops as a way to bring communities together. So in the work that I was involved in in the immersive web, for instance, we had a workshop where we brought in content and game and application developers to come and talk to the people who are building the specs and, you know, have a sharing of concerns there, and that can also be helpful. So in this, so the, so...

C: The purpose of, the idea behind this workshop, we've got, like, different strands of things. It's focusing on web developers, right, and the needs of web developers and how those are different, possibly, from the needs of developers in other areas, and so specifically thinking about the needs of web developers. And there's a kind of lack of communication, I think, going on in the web developer community about the good work that is happening here and in other places around software supply chain.

C: At the same time, there's a lot of exciting new specifications that are coming out of W3C that are intended to secure things more.

C: But there's a lack of understanding of how to use those. There's also a very kind of heterogeneous development environment on the web, which, you know, includes a lot of frameworks and libraries and this sort of thing, and so how web developers develop is very different depending on which framework they're using, or which library, or whether they're doing bare HTML.

C: So all of those issues kind of come together in a crisis, which is that the situation for security on the web is not that great, and it's also one of the platforms where you can, you know, you're very often subject to security issues, because you can just be phished and find yourself on a website that looks like your bank, and before you know it you've clicked on a link, and that may be enough user activation in order to enable some kind of advanced API.

C: That's going to start sucking your personal details away, getting at your location, or even as a vector for malware. So anyway, the point of this: we're going to try and run this workshop in London, June 7th and 8th. We've got people from all these different groups involved. We'll run it under W3C rules, but it will definitely be run as a kind of a joint workshop, and right now we're kind of working this week to finalize the CFP.

C: The CFP will, hopefully... it's not covered in here right now, because it's still in a PR, but I think what we're going to be looking at is opening up the CFP and then looking for papers by the end of April, basically, and then we'll have a review process, and then we'll run this workshop in the Reactor space in Microsoft. Actually, the Microsoft Reactor London has told us that they're happy to host it.

C: So anyway, that's the current state. We're still looking also for sponsors for food.

C: So, even though we have a spot, we have a sponsor in the form of Microsoft Reactor for the space, we are looking for sponsors for food. So that's the current state of things, and I hope to... it's not that, the CFP has not been launched yet. We hope that to happen by the end of this week or possibly early next week, so that we give people enough time to write input papers for this. So that's it.

C: The workshop, we are going to try to enable some kind of remote participation. It's something that I've asked. Certainly we have done hybrid workshops in the past in W3C. You know, there's this, even pre-pandemic, there's been the facility to join remotely.

C: Of course, it's more, because part of the workshop agenda will be unconference, it'll be more possible to participate in the kind of, like, presentation stuff and Q&A versus the unconference sessions, which are going to be a little bit more, necessarily, chaotic. But there will be some form of remote participation available. That's for sure.

C: Yeah, yeah, I know. I will share the URL, the final URL for the workshop CFP, when it's launched, in the Slack, and I'll share it on the mailing list as well, if I can figure out how to send email.

D: I do, so I spent some, I don't...

K: ...know if I sent this in over the email group, but there is a document, quite short; it's a proposal for a section to get added to the Best Practices Guide for open source about how to handle vendored dependencies with respect to CVEs. It's linked in the working group meeting notes. I will also post a link to it in the Zoom.

K: Okay, anyways, it's quite short. I could just read it and see if anybody has any comments or concerns before we try to turn it into a pull request. Yeah.

D: All right, let's just do that real fast. All right, no, I've lost the link. Great, okay.

K: A vendored dependency is any dependency that can't be directly updated by the end user. It is considered best practice, when updating a vendored dependency in order to fix a vulnerability, that the project issues their own disclosure for that vulnerability. The project should also assign the existing CVE ID of the affected package to their product. The impact should be assessed and communicated in the context of the project's use of that dependency. Finally, reach out to the CNA for the original vulnerability...

K: ...to add the project's advisory to the list of links. Short, sweet, to the point. Does that make sense in the context of open source maintenance and maintainership?

A: Bueller? I'll start. Personally, I think it's a good idea to have some guidance on... I'm not in love with the term "vendored," but I understand what you're going for. We might be able to find a better word, because, you know, the first time we use this, a maintainer is going to say, "I'm not a vendor."

A: So I had not heard it used in that context. I had, you know, it's a third-party component from my perspective. Again, I like the idea; I think the guidance would be useful. I'm just tripped up by the word, yeah.

A: I could say, when I worked at the Hat Company, I never once referred to that as this process, but again I'm open to it. If that is the parlance of the community, great; it just personally trips me up. What's...

K: So this document was written as a collaboration between myself and Rodrigo, who works at the Hat Company. Okay.

M: Yeah, I mean, if somebody can find another term, I have certainly no trouble with using a different term. Just, if we use a different term, then we should mention that some people call it this other thing, because, as I said, that's the only term I know of that's used for this situation. Yeah.

M: Yeah, although a lot of distributors prefer trying to do it that way, it's just become harder and harder to do. I mean, you know, Chrome's kind of notorious for this.

K: Well, the other reason that it's used, the term "vendored," right, is, at least in my experience with the Java ecosystem, when you're vendoring a dependency you're usually repackaging that dependency and then changing the base package coordinates to be something else.

K: So, for example, when I was working for Gradle, we had, when you were building the artifact, a rule that would go and rewrite all of the vendored dependencies to be in a different, like, they were now part of, like, org.gradle.internal.vendored or whatever, and, like, all the packages in the compiled source code would then point to that artifact, or to that class file, that was part of that vendored package name.

A: So, team, do we have any other opinions, or should Jonathan go ahead and submit the PR to update the guide, and then we can comment there? I think that sounds good to me. I just wanted to tell, the clarification: so if there is a vulnerability in one of the dependencies and you make the assessment that it doesn't actually impact your product, because, you know, you're not actually using that functionality, is one still supposed to do the disclosure and basically communicate the assessment that it doesn't concern your product?

K: See discussion about VEX. Yeah, I know, sorry, yeah. So yes, no...

K: ...no, so if you want to be completely, like, tran-, so if you want to reduce the likelihood of someone coming to you and saying, "Hey, does this vulnerability impact you?", you're best off stating a negative, or asserting a negative, to state that it does not impact you, because then you've already stated it and you don't need to do it again for every person that comes to you. But it also depends upon how likely that is, given how critical your project or how commonly used your project is, right? Like, when I worked for Gradle, we very regularly got emails from people saying, "Hey, this dependency that you've got in this jar is flagging this vulnerability for us."

G: Yes, so, well, I think Arnold went there with VEX: that can of worms can't be closed, can't close that can of worms fast enough, can't close it enough. You can't... oh God, anyway.

G: That might benefit from understanding this a little bit more in detail, and I'm actually, so to be perfectly, because I'm actually with Chrome, and I'll say this because, you know, having done third-party risk assessments over the last, I don't know, a decade and a half, the idea of third, what we used to call them, third-party binaries, right, third-party buyers, third-party components, all that kind of stuff, some with this, but that lends itself to this.

G: I think this is an actual, I think this is an evolved thought to that, even because, if I'm looking at what you're saying here, which I think is important, there's even a greater concern now, when you're doing an assessment of your package, to identify, "Hey, there's a component here that was given us by somebody else."

G: That now is at fault, and this could impact this project over here, but maybe it impacts a few others that are using the same, damn, I mean, you know. So I think that what could be developed here should also be communicated across the spectrum and not just living in a guide here. I think that's what I'm saying: what I'm saying is it shouldn't just live in the guide here. I think that's something that can actually be communicated outwards to a lot of the other efforts that we're doing as well.

K: Yeah, I mean, the guide, yes, starting with it in the guide and saying, "Hey, this is the best practice for open source," and then communicating it to other organizations or other subparts of the OpenSSF is totally reasonable, but, you know, it needs to live somewhere, and it wasn't totally clear if this should live in the Best Practices Guide or in the Vulnerability Disclosures Working Group, like, it kind of bridges both of those. I don't...

A: ...would be appropriate for this group. Within the Vulnerability Disclosure Working Group, we might want to update our Maintainer CVD Guide to also reflect this, if the group agrees, and so kind of hitting it in multiple places, so we're kind of using one voice, so to speak, across the different efforts.

A: Additional comments or feedback for Jonathan?

A: All right, I would strongly suggest opening up a PR against the guide with your proposed text in there, and give us a couple days to comment, if there's anyone that has any additional thoughts, and then I think we're good to proceed. Yeah, will do, absolutely. No, I have no objections to the intent and content.

A: All right, team, do we have, did Jaron ever pop in? Did not. So I will point you all to our Slack channel. We had a gentleman that is from OWASP that represents the WrongSecrets project, and it looks like that project is going through our awesome Best Practices badging process, and it looks like the team had a couple questions, so I would encourage us to reach out through the Slack channel and see what we can do to help answer those questions.

A: I thought so. It looks like they're going through, and they had done a substantial amount of work already, and they were mostly clean and green, a couple things here and there. So maybe they were just asking, maybe the project just had questions about the couple areas where they weren't able to hit the perfect score.

A: All right, do we have any additional topics or comments we want to discuss as a group today?

A: Okie dokie. Look for an awesome email and Slack communication about the proposal to create the new Memory Safety SIG, and also look for Jonathan's PR around vendoring. If anyone has any commentary or feedback, please put it in that issue, and we'll get that reviewed and potentially merged here in the next couple days. And I would also suggest we probably should think about, from the vuln group, how we might want to update our guide to reflect that as well.

A: Thank you, everybody, appreciate your time and attention. If anyone's excited about our Education SIG and DEI efforts, we'll be meeting in about 10 minutes. So cheers, enjoy the rest of your day. Look forward to talking to you, everybody, again soon.