►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A
B
A
Yep
I
actually
have
a
relatively
clear
schedule
that
I
can
attend
some
of
these
lately
my
company's
been
scheduling
a
lot
of
the
meetings,
that's
exactly
at
the
same
time
as
the
meetings
up
I
want
to
go
to
so
I
haven't
I
haven't
been
able
to
make
it,
but
I
know
the
feeling
foreign
got
to
do
your
actual
job.
First,
of
course,
yeah.
A
B
A
B
B
B
C
B
D
B
E
F
Hi
I'm
Gail
mccommons.
This
is
not
my
first
time,
my
first
time,
I
think
no
one
was
here.
It
was
like
an
off
week
or
something
I'm
at
Comcast,
where
I
lead
open
source
compliance
in
the
open
source
program
office
and
I'm
on
the
board
for
openchain,
so
I'm
trying
to
find
opportunities
for
across
collaboration,
nice.
G
B
All
right,
as
anyone
has
opens,
please
add
them
to
the
open
section,
just
a
couple
pieces
of
business
to
chat
through
as
Jonathan
so
observantly
noted.
We
have
a
new,
exciting
effort
kicking
off
tomorrow
we
have
talked
about
a
C
and
C
plus
plus
best
practices
guide,
so
the
group
decided
tomorrow
at
9
00
a.m
or
1400.
Utc
was
the
the
best
time
for
meeting
on
that
topic.
B
If
I
will
spam
everyone
on
the
slack
channel
the
mailing
list
tomorrow
morning,
ideally
we
have
the
calendar
invite,
but
if
we
don't
I'll,
basically
copy
and
paste
this
Zoom
meeting-
and
we
will
meet
on
that
topic
tomorrow
and
you'll
see
our
invite
is
getting
a
little
more
complex
there's
a
couple.
We
also
have
the
source
code
management,
best
practices
guide
that
we
were
working
on,
so
what
we
kind
of
interweaving,
the
notes.
B
B
I
B
Other
observant
people
may
have
noticed.
I
have
slightly
changed
the
top
of
our
agenda
because
we
have
so
much
going
on
I
wanted
to
give
everybody
one
resource
to
go
to
to
quickly
get
to
the
different
efforts.
So
I
started
to
provide
links
to
the
education
Sig.
The
Deni
subcommittee
I
will
start
to
add
any
of
our
sub
projects
that
are
part
of
this
working
group.
B
So
if
they
have
regular
Cadence
for
meetings
or
notes,
I'll
get
all
that
staged
up
at
the
top
of
the
agenda
and
eventually
I
will,
in
my
spare
time,
I'll
get
that
filtered
back
into
our
GitHub
repo,
so
that
we
can
have
all
the
information
available
to
anyone
that
pops
in
and
wants
to
learn
about
all
the
awesome
stuff.
We're
doing
any
questions
about
that.
B
J
You
know
edit
it
at
the
same
time
and
I
posted
that
link
to
the
black.
And
basically,
if
you
take
a
look
at
that,
you
can
see
that
what
I've
been
trying
to
do
is
because
right
now
the
document
is
very
much
in
in
the
format
of
like
GitHub
actions.
It's
very
it's
very
specific.
It's
very
like
it's!
It's
it's
very
oriented
around!
J
You
know
organized
around
the
artifacts
that
it's
talking
about
and
and
then
it
has
so
it
has
a
get
up
section
of
a
git
lab
section.
And
then
you
get
a
GitHub
sexting
text
about
actions
and
repositories
on
gitlab
Section
talks
about
members
and
groups
and
projects
right,
and
these
are
all
but
there's
a
lot
of
commonality
between
them.
So
what
I'm
trying
to
do
is
come
up
with
a
a
table.
J
That
way,
so
that's
kind
of
where
I'm
going
with
that,
and
it's
really
just
more
as
a
proposal.
So
people
have
lots
of
comments.
The
document
is
editable
at
the
URL
that
I
send
out,
but
it's
the
kind
of
thing
where,
if
you
have
that
URL
you
can
edit
the
documents,
but
there
you
can.
So
anybody
basically.
C
K
B
C
B
All
right
any
any
additional
thoughts
or
questions
if
anyone's
interested
in
participating
in
that
or
the
C
and
C
plus,
plus
best
practices
guide,
don't
hesitate
to
hop
on
the
call
or
monitor
the
notes
all
right.
My
next
item
is
there's
going
to
be
an
open,
ssf,
Town
Hall
in
the
coming
weeks
and
months,
I
believe
they
Jennifer
was
targeting
March,
but
I'll
get
a
specific
date,
but
basically
she's
doing
a
call,
a
cattle
call
for
presenters
so
I'm
curious.
H
B
Yeah
actually
I'll
need
those
once
the
TAC
election
is
done,
which
will
be
starting.
You
ever
want
you
to
receive
an
email
in
a
week
or
so
about
the
TAC
elections
once
that's
complete
I.
Imagine
that
they
will
get
back
on
a
schedule
of
reviewing
the
working
groups,
so
that
would
be
incredibly
useful
information
for
the
group
update,
David
Jay.
N
We
could
bring
up
what
we're
what
we're
actively
doing
here
in
in
this
working
group.
In
this
sick
I
know
we
have
the
cfp
for
for
the
birds
of
a
feather
for
the
for
the
open
Summit.
But
you
know
the
maybe
a
quick
fix,
because
it's
it's
short
anyway
right
on
openness
of
the
day.
So
maybe
a
quick
15
minutes
about
the
initiatives
that
we're
working
on
what
we
got
going
on
here
in
this
working
group.
B
D
Then
you,
as
a
maintainer
of
that
project,
should
be
reissuing
a
disclosure
of
that
vulnerability,
mentioning
the
cve
and
then
providing
that
information
back
to
the
cve
master
list
within
with
a
link
to
your
disclosure,
because
it
it
basically
indicates
that
you
had
a
vulnerability
you
you
have
a
vulnerability
that
you
fixed
and
you
fixed
it
in
this
version,
and
that
gives
the
rest
of
the
industry
the
opportunity
to
update
your
package
as
well,
and
so
I
know.
This
is
not
something.
That's
it's
more
more
commonly
done.
D
You'll
see
this
like
red
hat
and
all
the
big
organizations
Apache
soccer
foundation
will
will
have
that
process
in
place,
but
smaller
open
source
projects.
Don't
do
that
and
so
I
think
that
putting
that
into
the
best
practices
guide
somewhere,
I,
don't
know
where,
because
I
actually
haven't
read
through
it
would
be
appropriate.
B
B
H
I,
don't
know
that
we
need
a
new
artifact
I
mean
we
already
have
a
guide
on
how
to
develop
secure
software,
so
maybe
that's
an
entry
in
or
or
how
to
evaluate.
Let's
say
how
to
evaluate
this
is
an
evaluation
question.
So
after
what
happens,
but
maybe
add
it
as
a
point
to
developing
secure
software
and
then,
if
more
detail
needs
to
be
explained,
then
create
an
artifact
to
point
that
that
points
to.
H
H
H
B
J
B
O
J
B
K
D
Should
but
it's
it's
poor
candle,
Los,
Dos
yeah,
it's
it's
basically,
I
think
this
is
also
a
best
practice
for
maintainers
as
well.
That
may
not
be
directly
related
to
vulnerability
disclosure,
because
people
may
not
be
thinking
about
this
as
a
vulnerability
disclosure
process.
They
might
just
think
about
this.
It's
a
maintenance
step
of
like
revving
dependency
versions,
yeah.
B
B
D
C
B
B
H
B
D
Here,
work
for
an
organization
that
regularly
issues
disclosures
for
dependencies
and
or
has
experience
with
the
structure
of
how
that's
supposed
to
work
I
just
know
it's
a
thing
that
you're
supposed
to
do.
I,
don't
actually
know
how.
How
then
like
if
there's
like
a
standard,
the
vendors
are
supposed
to
follow
here.
B
C
L
H
C
H
H
I
I'd,
like
a
quick
clarification.
What
you're
pursuing
here,
Jonathan
I,
think
I
know
where
you're
going
I
mean
fundamentally
either
an
end
user.
You
know
either
an
end
user
can
update
a
component
or
they're
depending
on
someone
else,
to
update
the
component
and
repeat
repeat
through
all
the
Cycles.
So
basically
as
soon
as
you
take
in
something-
and
you
are
vendoring
it
to
others
and
I
include
basically
anything
where
you
are
taking
over
the
release
of
a
vulnerable
component.
H
C
H
Which
gate
you
know,
I
would
include.
Vendoring
I
would
include
container
creation,
I
include
virtual
machine
image.
Creation
I
mean
really
any
of
those
cases
we're
creating
something
that
embeds
it
inside
and
it's
not
easily
maintained
by
the
end
user,
and
that
turns
out
to
be
there's
a
whole
lot
of
terms,
for
it
is
the
problem
and
yeah.