Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A: Yep, I actually have a relatively clear schedule, so I can attend some of these. Lately my company's been scheduling a lot of the meetings exactly at the same time as the meetings I want to go to, so I haven't been able to make it. But I know the feeling: you've got to do your actual job first, of course, yeah.
A: Yeah, maybe we can update the calendar invite to have the 2023 notes.
B: I will. When I talk with Khalil, hopefully later today, I will request that.
A: I mean, there's a link to get here on the old notes from last year, but maybe we should just update it to be the current one, yeah.
B: Agreed, that process should be starting soon. We've had a couple emails about the paper committees, so they should start reviewing all that stuff, and I think there's actually a schedule.
B: All right folks, let us get rolling for today. Welcome to the Valentine's Day edition of the best working group. As is tradition, do we have any new friends, or anyone visiting the group for the first time, that wanted to introduce themselves and say hello?
E: Hey there, I'm Tabitha. I'm with G Research's open source program office. This is my first time joining. I'm an open source DevRel and security advocate for our hospital, and that's about it about me.
F: Hi, I'm Gail McCommons. This is not my first time; my first time, I think no one was here, it was like an off week or something. I'm at Comcast, where I lead open source compliance in the open source program office, and I'm on the board for OpenChain, so I'm trying to find opportunities for cross collaboration. Nice.
G: I think I may have been here before, so I'm kind of new, but Joseppi from IBM, and I also do a lot of work in the OpenJS Foundation, you know, working on security-related stuff in the JavaScript space.
B: Okay, as we roll forward, can I please have someone volunteer to help us scribe notes today?
B: All right, if anyone has opens, please add them to the open section. Just a couple pieces of business to chat through. As Jonathan so observantly noted, we have a new, exciting effort kicking off tomorrow. We have talked about a C and C++ best practices guide, so the group decided tomorrow at 9:00 a.m. or 1400 UTC was the best time for meeting on that topic.
B: I will spam everyone on the Slack channel and the mailing list tomorrow morning. Ideally we have the calendar invite, but if we don't, I'll basically copy and paste this Zoom meeting, and we will meet on that topic tomorrow. You'll see our invite is getting a little more complex; there's a couple. We also have the source code management best practices guide that we were working on, so we're kind of interweaving the notes.
B: So, as you have questions or want updates on what's going on, take a look at the, if you could do a, what is that called, like a summary view? On the left-hand side of the page in Google, it'll show you, it'll bust out all the dates and everything, so you can kind of look at the individual meetings.
B: I sent a note and a Slack out, and I will do the same again. I hope to get it on the calendar; I requested it a couple days ago, so ideally that comes to fruition before the call. But if not, I will make a lot of noise and let everyone know that we're meeting then.
B: Other observant people may have noticed I have slightly changed the top of our agenda. Because we have so much going on, I wanted to give everybody one resource to go to to quickly get to the different efforts. So I started to provide links to the Education SIG, the DEI subcommittee; I will start to add any of our sub-projects that are part of this working group.

B: So if they have a regular cadence for meetings or notes, I'll get all that staged up at the top of the agenda, and eventually, in my spare time, I'll get that filtered back into our GitHub repo so that we can have all the information available to anyone that pops in and wants to learn about all the awesome stuff we're doing. Any questions about that?
B: All right, we did kick off the source code management best practices guide. Dan and Christine are going to help steer us through the creation of that guide. Do either of you want to share just a brief update of what's going on with that little group?
J: I can talk briefly, yeah. We did, so... Sorry, give me one second. Gnome shared with me a consolidated markdown view of all the best practices around source code and then source code configuration, including, you know, things like two-factor authentication configuration, repository and repository configuration, permissions, groups, all this kind of stuff, right. And so then I took that and I dumped that markdown file into quickpad, which is what I've just been using as a good way to edit markdown, so that I can look at the visual and also edit
J: you know, edit it at the same time. And I posted that link to the Slack. And basically, if you take a look at that, you can see that what I've been trying to do is, because right now the document is very much in the format of, like, GitHub Actions. It's very specific. It's very oriented around,
J: you know, organized around the artifacts that it's talking about, and then it has a GitHub section and a GitLab section. The GitHub section talks about actions and repositories; the GitLab section talks about members and groups and projects, right. And there's a lot of commonality between them. So what I'm trying to do is come up with a table of contents that makes sense, where those items could be kind of interleaved together. You go through it and you're like: two-factor authentication, here's how we can manage it, here's how it works in GitHub, here's how it works in GitLab; repo configuration, here are the things that you need to keep, here's the general topic, and then here's how you need to think about it in these different SCMs, and then you could plug in other SCMs as well
J: that way. So that's kind of where I'm going with that, and it's really just more of a proposal, so people have lots of comments. The document is editable at the URL that I sent out; it's the kind of thing where, if you have that URL, you can edit the document. So anybody, basically.
J: Going to have our next call, I think. Is it this week or is it next week? Next week.
H: Okay, so give me the next meeting date and time.
M: Unprepared, it should be 235 at 10.
B: All right, any additional thoughts or questions? If anyone's interested in participating in that or the C and C++ best practices guide, don't hesitate to hop on the call or monitor the notes. All right, my next item is there's going to be an OpenSSF Town Hall in the coming weeks and months. I believe Jennifer was targeting March, but I'll get a specific date. But basically she's doing a call, a cattle call, for presenters, so I'm curious.
H: If nothing else, I mean, the best practices badge and the security fundamentals course, we keep slowly adding more people. So there's not one "oh my gosh, you know, X number," but I think that those are good numbers to share.
B: Yeah, actually I'll need those once the TAC election is done, which will be starting; everyone, you'll receive an email in a week or so about the TAC elections. Once that's complete, I imagine that they will get back on a schedule of reviewing the working groups, so that would be incredibly useful information for the group update. David Jay.
N: Yeah, if I remember, last year during OpenSSF Day there was a brief talk about the DEI stuff.

N: We could bring up what we're actively doing here in this working group, in this SIG. I know we have the CFP for the birds of a feather for the Open Summit. But, you know, maybe a quick fix, because it's short anyway, right, on OpenSSF Day. So maybe a quick 15 minutes about the initiatives that we're working on, what we got going on here in this working group.
B: That's great. I will ping Jennifer about that; I think that's an excellent idea. Jonathan.
D: I brought up on the Slack channel a bit ago, as a best practice, the conversation that I had with Justin Hutchins at GitHub while we were in Washington. One of the often-missed best practices in open source, and, you know, industry in general, is: if you vendor a dependency and that dependency can't be updated by an end user,

D: then you, as a maintainer of that project, should be reissuing a disclosure of that vulnerability, mentioning the CVE, and then providing that information back to the CVE master list with a link to your disclosure, because it basically indicates that you had a vulnerability that you fixed, and you fixed it in this version, and that gives the rest of the industry the opportunity to update your package as well. And so I know this is not something that's more commonly done.

D: You'll see this with, like, Red Hat and all the big organizations; the Apache Software Foundation will have that process in place, but smaller open source projects don't do that. And so I think that putting that into the best practices guide somewhere, I don't know where, because I actually haven't read through it, would be appropriate.
B: What does the group think about doing this? Do we have an artifact we think that would be compatible with, or do we need a new artifact?
H: I don't know that we need a new artifact. I mean, we already have a guide on how to develop secure software, so maybe that's an entry in, or, how to evaluate. Let's say how to evaluate; this is an evaluation question, so after what happens. But maybe add it as a point to developing secure software, and then, if more detail needs to be explained, then create an artifact that that points to.

H: It is a GitHub markdown file. Okay, if you give me a second, if you go to the OpenSSF guides, it's in the list; in fact, it's the very, very first one. It's the Concise Guide for Developing Secure Software, and I'm going to put a link out to that into our notes doc. Concise.

H: So, but you'll notice that each item is intentionally quite short. If it needs a longer explanation, typically what we do is a short item and then link off to something with more detail. You can actually see that in a number of places.
J: You mentioned that there was a call for participation in the town hall. Can you point me to that? Because I haven't seen anything on the Slack and I haven't seen an email about it. So where is it?
B: I believe it went to the TAC mailing list, Jennifer; it might also be in the Outreach channel. But if you...
J: If there's something that can be posted to the OpenSSF Slack, then I can take that link and send it internally to the people that, in my organization, are engaging OpenSSF, and that helps me to generate interest in getting somebody lined up to participate. So that would be helpful.
K: Thanks. Just reiterating on Jonathan's thought: is this only a best practice, or should this also be included in the vulnerability disclosure guides that we have? It should, that's, yeah, and...
D: It should, but, why not both? Yeah, it's basically, I think this is also a best practice for maintainers as well that may not be directly related to vulnerability disclosure, because people may not be thinking about this as a vulnerability disclosure process. They might just think about this as a maintenance step of, like, revving dependency versions, yeah.
B: All right, any additional thoughts or feedback on Jonathan's idea, or the town hall, or a business update?
B: All right, scooting through our sub-projects, I don't see any major updates. Is anyone from our sub-projects here that wants to share anything that may not be written down yet?

B: Put a lot of slides, so yeah, do any of our sub-projects have any updates they wanted to share, any news that is not written down yet?
B: All right folks! Well, if there is no additional business, we will adjourn for today. Thank you for your time and attention, and we look forward to seeing you, maybe tomorrow, at the C and C++ compiler best practices guide meeting.
D: ...here work for an organization that regularly issues disclosures for dependencies, and/or has experience with the structure of how that's supposed to work? I just know it's a thing that you're supposed to do. I don't actually know how, like if there's a standard the vendors are supposed to follow here.
B: I used to; I don't now, all right. You could talk to our friends at Red Hat, all right, or Canonical or SUSE.
H: By the way, let me do a quick add here. You said vendoring, but frankly this also includes creating containers, because...
H: But I mean, so let me quickly, since we have just a moment, we've got some other folks here, we...
H: I'd like a quick clarification on what you're pursuing here, Jonathan. I think I know where you're going. I mean, fundamentally, either an end user can update a component, or they're depending on someone else to update the component, and repeat through all the cycles. So basically, as soon as you take in something and you are vendoring it to others, and I include basically anything where you are taking over the release of a vulnerable component...
H: Which, you know, I would include vendoring, I would include container creation, I include virtual machine image creation. I mean, really, any of those cases we're creating something that embeds it inside, and it's not easily maintained by the end user. And that turns out to be, there's a whole lot of terms for it, the problem, and yeah.
D: All right, CRob, do you have a, actually, CRob and David, do you guys have 30 minutes free?