►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A
A
B
B
A
A
C
D
E
New
today
my
name
is
David
alcantar
I
work
at
Microsoft
and
I
am
definitely
here
to
listen,
but
I
also
have
a
very
sudden
proposal
that
I
want
to
make
for
a
project
that
we
are
trying
to
head
up
over
here
at
Microsoft.
That's
something
we're
interested
in
donating
clinical,
donating,
really
collaborating
with
open
ssf
on
so
I
will
speak
to
you
guys
about
that
when
it's
my
turn,
go.
B
B
A
Well,
thank
you
yeah,
so
trying
to
keep
people
in
the
loop
of
what's
going
on.
First
of
all,
quick
welcome
to
a
new
maintainer,
Andrew,
fader
I.
Don't
think
he's
on
the
call
today,
but
you
know
I
I'm
doing
too
many
things
and
I'm
still
going
to
leave
this
project,
but
this
is
going
to
bring
some
very,
very
welcome.
A
Help
he's
going
to
be
focusing
on
doing
some
updates
like
moving
us
from
rails
to
six
to
seven
and
that
sort
of
stuff
one
kind
of
nitpicky
thing,
but
just
for
those
of
you
who
are
keeping
score
heroku's
removed
their
free
tier
we
historically,
we,
although
we
pay
for
the
production
site
we've
been
using.
We've
typically
had
two
other
tiers
called
Main
and
staging
we're
dropping
one
of
them,
because
now
we've
got
to
pay
for
each
of
those,
so
pull
requests
and
rationales.
And
such
there
questions.
A
A
That's
right,
that's
right!
So,
and
the
thing
is
the
rationale:
is
you
know
it's
it's
a
requirement
for
them
for
graduation
and
historically
they
had
a
lot
more
funding
and
you
know,
but
you
know
it
would
make
sense
to
move
over,
but
right
now
I,
don't
in
the
grand
sense
it
doesn't
matter,
because
I
want
to
try
to
minimize
the
cost
of
whoever
is
paying
the
check.
A
B
A
A
A
I've
actually
had
two
separate
meetings
with
the
SKF
leads.
We've
talked
a
lot
about
how
to
better
integrate
SKF
and
the
fundamentals
quarters
for
those
who
aren't
familiar
the
fundamentals
course
we
work
on
having
a
really
high
quality.
But
you
know
very
simple:
here:
are
the
fundamentals
on
how
to
develop
secure
software
and
we've
emphasized
minimizing
the
amount
of
time
for
developers,
because
a
lot
of
developers
don't
have
a
lot
of
time.
A
One
of
the
decisions
is,
you
know,
lots
of
little
quiz
questions
as
you
go
and
a
little
final
exam
to
see
whether
or
not
you
learn
anything
but
no
Labs
intentionally.
So
SKF
takes
a
different
approach.
Labs,
you
I
think
we
all
agree
that
labs
are
better
for
learning,
but
they
take
a
lot
more
time
and
a
lot
of
people
don't
have
the
time.
So
it
makes
sense
to
have
both,
but
the
SKF
folks
do
of
course
need
you
know
that
kind
of
linking
material.
A
So
it
makes
more
sense
for
them
to
integrate
the
fundamentals
course
in
so
that's
what
they
did,
but
what
they
did
is
they
hand
jammed.
They
took
the
course
and
hand
converted
it
into
SKF
and
that
had
some
I
mean
it
ran,
but
the
problem
is,
we
keep
making
updates
Glenn
and
our
updates
aren't
getting
reflected
as
Jeff
Glenn.
A
Fun
so
I
mean
it
actually
made
sense,
they're
trying
to
get
something
done
to
hurry,
and
and
so
they
got
something
done,
but
the
longer
term
plan
is
they're
going
to
create
a
converter.
I
said
it's
filed,
where's
the
script,
some
kind
of
script,
that's
going
to
read
the
markdown
and
convert
and
that'll.
Let
them
automatically
do
updates
enabling
enabling.
A
Automatic
updates
and
there
and
the
plan
now
they
need
some
information
in
the
markdown
to
point
off
to
say:
hey
right
here,
you
you
could
do
a
lab.
Well,
I,
don't
know
who's.
Putting
in
get
up
actions
that
wasn't
committed
to
I
mean
I
I.
Think
that's
the
obvious
way
to
do
it,
but
that's
up
to
the
SKF
folks
yeah
we're.
A
When
something
gets
updated,
you
know
everybody
can
just
quietly
take
the
update.
No
must
no
fuss
and
and
I
think
that
just
makes
sense.
Let
me
pause
at
that
point,
because
that's
an
integration
issue
between
projects
I
think
it's
just
the
obvious
way
to
do
it
and
I
I.
Think
it
just
kind
of
you
know
it.
It
makes
sense
to
everybody
so
we'll
work
out
the
details
as
we
go,
but
I
mean
as
always
or
HTML
comments.
A
It
won't
matter
for
markdown
and
as
long
as
SKF
can
read
it,
then
all
is
well
and
so
as
careful
decide
what
they
want
and
put
it
in
and
and
all
will
be
awesome.
Okay,
all
right,
I,
don't
see
any
issues
at
least
comments.
So
little
knit
we're
gonna
move
quizzes
from
heading
level.
Three
to
four:
there
are
over
seven
they're
about
75
quiz
sections
in
the
fundamentals
course,
and
that's
not
just
quizzes.
That's
sections.
A
Many
of
them
have
more
than
one
question,
but
the
idea
is
to
help
people
learn
as
you
go
it's
you
know,
instead
of
instead
of
labs,
they're
much
faster,
but
at
least
you
know,
it
keeps
them
off.
The
I
I
read
words,
but
nothing
entered
my
brain
and
there's
some
really
awesome,
really
old
books
that
did
this.
That
I
found
for
this
very
effective
in
so
I
think
it's
a
really
effective
technique.
A
But
this
makes
the
generated
table
of
contents
much
much
easier
to
understand
and
we're
also
going
to
tweak
the
name
so
that
every
section
name
is
unique.
That's
gonna
make
Mark
Donald
happy
well,
that'll,
allow
us
to
add
markdown
link,
check
and
more
importantly,
it'll
mean
that
every
section
will
have
an
obvious,
unique
HTML
anchor.
So
you
can
jump
to
anything
and
that's
that's
important
for
being
able
to
link
between
sections
and
making
sure
we
don't
screw
things
up
I'm
out
for
my
crazy
updates
anything
else.
G
Yeah
well
normally,
it
would
be
way
more
actually,
but
we're
pretty
swamped
with
the
whole
ad
plan,
actually
so,
actually,
no
real
updates
in
the
platform.
But
what
I
can
say
that
it's
actually
running
quite
smoothly
now
for
like
a
good
old
month,
since
we
did
the
SSO
implementation
and
some
other
fixes,
we
see
that
we
have
around
like
one
unique
new
registered
users
or
logins
through
SEO
like
a
GitHub
and
that
type
of
stuff.
So
that's
quite
nice
also
a
lot
of
people
from
the
universities.
Actually.
G
So
that's
also
good,
so
yeah
I
just
wanted
to
share
it's
running
it's
working
and
we
have
around
100
unique
users
who
use
the
security
requirements
or
starting
Labs,
actually
yeah
to
learn
yeah
and
the
other
thing
yeah
we're
really
busy
with
your
Adu
safe,
so
yeah,
not
a
lot
of
updates.
Unfortunately,
for
my
site
in
SKF
at
least.
B
A
E
B
F
Sure
so,
our
section
again
we're
focused
on
collecting
and
curating
the
content,
so
everyone
hopefully
knows
that
the
spreadsheet
we
put
together
to
gather
all
this
information
to
get
a
one
source
of
Truth
is
out
there.
It's
available
I
see
that
there's
been
more
information
added
to
that
spreadsheet.
So
please
asking
everyone
who
knows
of
any
of
these
materials
that
may
be
accessible
and
available.
Please
put
the
information
in
the
spreadsheet.
F
We
are
working
on
a
road
map
milestones
and
objectives,
primarily
for
2023
and
a
little
bit
into
2024,
trying
to
figure
out
what
the
needfuls
are,
what
budgetary
requirements
might
be
included
in
some
of
the
things
that
we
want
to
do
and
how
to
actually
prove
that
we're
being
successful
at
what
it
is
we're
trying
to
accomplish.
So
that
is
also
in
Flight
it's
in
the
the
git
repo.
F
G
G
G
The
the
section
two
plan
I
also
created
an
issue
because
there
was
actually
also
a
sort
of
overlap
between
the
section
of
us
and
section
one,
and
that
was
about
I,
think
the
translation
Parts
actually
because
I
saw
in
section
1.5,
there
was
a
hey
we're
going
to
hire
to
translate
actually
to
like
five
proper
spoken
languages,
and
we
also
had
in
section
two
something
and
I
think
we
already
discussed
that
as
well.
I,
don't
know
in
the
whole
group
only
in
our
section,
but
that
was
basic
like
hey.
G
B
B
A
As
far
as
different
human
languages,
correct
yeah
I
mean,
if
we
don't
mind
having
a
quick
conversation
right
now,
I
mean
I'm
all
for
translation
to
multiple
languages,
but
step
one
is
to
make
sure
that
the
content's
worth
worth
it
so
typically,
I
would
suggest,
try
to
get
things
a
little
more
firmed
up
first
before
because
it's
costly
to
do
translations
and
keep
them
up
to
date.
So.
B
A
A
H
H
A
A
B
They're
still
making
progress
in
section
three
went
through
and
I've
adjusted
the
style
of
the
plan
so
that
it's
a
little
more
consistent.
So
we
have
the
Milestones
are
more
clearly
documented
and
I'm,
also
providing
a
placeholder
for
future
issues
to
be
filed
and
linked,
and
that's
let's
talk
about
the
full
Sig.
B
Ideally,
the
plan
is
Target.
I
want
to
have
it
done
by
before
the
end
of
the
month
and
have
the
full
education
Sig
review
it.
Anyone
from
this
working
group
is
welcome
to
join
in
that,
if
they
desire
from
there
we'd
like
to
give
it
to
the
TAC
in
early
December
and
then
the
governing
board
before
the
end
of
the
year.
So
that's
kind
of
the
schedule
working
on
for
the
education
sake
to
get
funding
on
these
efforts.
B
B
I
E
A
Mr
Wheeler
yeah,
so
I'm
looking
over
the
2-0
plan
and
here's
the
blob
that
I'm
looking
at
now,
we
I
know
we
had
earlier
had
short
lists,
and
then
we
have
an
expansion
and
I'm
not
sure
what
happened
between
the
short
and
this
longer
list,
but
I'm,
okay
to
delay
a
little
bit
on
the
K-12
I
I.
Don't
really
see
that
but
I
I
think
we're
gonna
need
to
get
the
met.
You
know
some
sort
of
management.
A
You
know
training
for
managers,
not
manage
the
training,
which
is
what
2o
only
seems
to
discuss
if,
if
it's
there
and
I
missed
it,
please
point
it
out
to
me,
but
somehow
in
between
our
high
level
discussions
and
writing
this
down.
I
I'm,
not
seeing
it
don't
miss
it
and
admit
my
apologies
I'm
doing
too
many
things,
and
sometimes
things
get.
A
B
A
B
B
E
A
E
A
B
All
right
so
I
am
we
have
a
guest
today.
Awesome
has
stopped
by
to
give
us
a
short
presentation,
so
I'm
going
to
skip
and
do
that
and
then
we'll
Circle
back
and
hit
the
agenda
and
the
other
opens
so
know
them
if
you'd
like
to
take
away.
If
you
have
anything
to
share,
show
us-
or
if
this
is
just
verbal,
you
know
take
it
away.
C
C
A
C
C
Additionally,
in
open
source
projects,
a
there
is
even
a
it's
even
more
important,
because
the
internal
configuration
is
open
for
everyone.
So
if,
for
example,
I
I
go
to
an
or
a
popular
open,
open
source
project
and
I
save
a
GitHub
actions,
workflows
and
pipelines,
I
can
say
that
is
misconfigured
and
I
can
as
an
attacker
a
exploited
because
I
know
the
internals.
C
C
To
this
we
call
it
namespaces
database
organization,
organizations
and
organizations,
and
misconfigurations
such
as
MFA
is
not
enabled
SSO
is
not
used.
You
have
repository
misconfigurations,
which
is
like
peer
review,
is
not
a
mandatory
or
the
repository
allows
forking
or
it's
public.
You
have
members
style
members,
a
GitHub
actions
related
misconfigurations
code
spaces
and
Runners.
There
are
many
areas
in
the
GitHub
platform
that
devops
Engineers
need
to
know
and
understand,
and.
C
B
C
J
D
H
C
A
A
Shortening
his
name
I
see
that
okay
well
I'm
I,
already
started.
I'll
start
start
unresponding
to
Dave,
so
I'm
going
the
other
way
yeah.
So
I
I
do
think
that
there
is
a
need
for
guidance
for
using
some
of
these
major
forges
like
GitHub
I,
don't
know
if
it
makes
sense
to
have
a
single
doc
that
covers
multiple
or
a
single
dock
per
each
I
wouldn't
be
surprised
if
it
make
more
sense
to
like
one
for
GitHub
and
a
step.
One
forget
lab
because
their
user
I
mean
there
are.
A
There
are
overlaps
and
functionality,
but
the
user
interfaces
are
different
enough
that
it
would
probably
make
more
sense
to
have
separate
documents.
I
would
certainly
want,
if
at
all
possible
collaboration
with
the
respective
organizations,
so,
like
you
know,
recommended
configuration
for
for
GitHub
I
would
very
much
want.
You'd
have
to
be
involved.
A
Let
me
kind
of
ask
the
elephant
in
the
room
question,
because
somebody's
gonna
ask
it
sooner
or
later
so,
let's,
let's
confront
it
head
on
hey
that
sounds
like
github's
problem
like
GitHub.
Do
it
I
think
there's
some
answers
for
it,
but
before
we
take
on
work,
I'm
always
happy
to
let
other
people
do
work
instead
of
us.
We
have
limited
time
that
we
can
do
things
and
granted
scorecards
does
hit
a
little
bit
on
some
GitHub
recommended
configurations.
C
A
Okay,
all
right,
so
so
let
me
rephrase
what
you
just
said.
Tell
me
if
I
I,
because
sometimes
I
I
find
it
sometimes
useful,
to
paraphrase
something
to
see
if
I
got
it.
So
the
issue
is
that
github's
trying
to
provide
a
very
general
service
with
lots
of
General
functionality,
but
that
can
be
complicated
to
figure
out
how
to
use
something.
That's
more
opinionated
that
says:
hey,
there's
lots
of
ways
to
do
it,
but
here's
a
happy
path
with
some
specific
opinions
that
will
quickly
get
you
where
you
need
to
go.
H
C
Of
like
GitHub
create
the
platform,
but
companies
use
the
platform
in
many
ways
and
they
have
many
use
cases
and
it's
not
a
one-to-one
relation.
So
there
is
some
interaction:
interaction
between
the
misconfiguration
without
everyone,
everything
is
straightforward
and
there
is
a
lot
of
research
about
this
stuff
and
yeah.
B
J
Yeah
I'd
like
to
add
a
comment,
but
I'm
not
against
the
kind
of
document.
What
time?
What
I'm
really
really
missing
here
is
the
why
we
have
a
quite
many
list
of
the
things
developers
should
do,
but
what
I'm
facing
in
practice
is,
for
example,
for
the
two-factor
dedications
people
say,
but
why?
Why
should
I
use
it?
I
don't
want.
It
requires
me
to
have
a
phone
app
or
whatever
I,
don't
like
it.
C
Project
in
that
scorecard
is
focused
on
a
specific
Repository,
and
this
looks
holistically
on
the
wall.
Github
assets
organization,
members
get
directions
all
of
the
repositories
of
the
planners
and
give
you
a
detailed
list
of.
Where
are
the
problems,
and
if
you
don't
mind,
I'd
be
happy
to
present
it.
Here's
a
quick
demo
yeah.
C
C
C
H
H
J
C
Namespace,
you
can
see
that
you
have
different
name,
spaces
organization,
actions,
member
and
repository.
You
have
the
specific
policy
that
is
violated
and
how
many
of
your
assets
have
passed,
failed
or
skipped
skip
this
when
you
don't
provide
sufficient
permissions,
and
this
is
the
summarize
table
and
if
you
go
up,
you
have
a
data
description
for
each
violation.
So
let's
go
here.
For
example,
we
can
see
the
the
policy
default.
C
A
C
A
A
C
A
I
I
have
to
admit
I
I
wouldn't
be
surprised
if
you
made
a
per
document
for
these
different
forges,
but
then
immediately
try
to
unify
as
much
as
possible,
because
although
there
there
are
like
a
pull
request
in
GitHub
is
a
merge
request
in
get
lab.
However,
there's
a
whole
lot
of
commonality
between
some
of
the
things
that
some
of
the
things
that
you
most
want
to
enforce
are
things
that
are
commonly
supported,
though
not
always
by
the
same
name.
C
C
A
I'm
very
intrigued,
I
would
love
to
see
the
rule
set
of
this.
Now
you
you
made
a
statement
earlier,
so
I
I
just
want
to
come
forward
and
say
it.
This
is
totally
within
scope
of
this
group.
I
mean
scorecards.
Does
the
similar
kind
of
thing
at
a
project
level
you're,
including
both
you
are?
You
are
doing
things
in
org
level,
although
a
lot
of
these
frankly
look
at
a
repo
level,
and
that's
fine
too
so,
but
I
think
this
is
totally
within
scope
of
this
group.
A
B
E
H
A
Right
and,
for
example,
the
scorecards,
the
current
implementation
only
works
on
GitHub.
However,
I
worked
with
the
scorecards
folks
to
make
sure
that
all
the
criteria
are
neutral,
they're
not
specific
to
GitHub
at
all,
and
it's
only
the
current
implementation
and
there's
been
some
effort.
The
the
intent
is
to
move
Beyond.
B
A
A
A
A
B
A
E
B
H
A
H
Right,
sorry,
no
I
just
wanted
to
express
support,
I
mean
you
know.
As
long
as
we
keep
in
mind,
the
vendor
neutrality
aspect
and
everything
I've
seen
in
the
presentation
seems
to
support
that
ideal.
So
yeah
this
looks
really
good
and
I.
Don't
think
it
I
think
it
feels
to
me
like
it
would
be
a
good
compliment
for
scorecards.
B
Like
for
integration
options,
we
would
have
to
go
to
the
scorecard
project
and
talk
with
them
kind
of
like
how
we
had
you
know
best
practices
and
SKF
talking
kind
of
arranging
out
of
band
how
they
might
better
synchronize.
So
you
need
to
probably
have
you
go
talk
with
the
with
Laurent
and
azim
and
everyone
and
the
scorecards
group
to
kind
of
present
to
them
and
share
your
ideas,
specifically
with
any
kind
of
integration
there.
A
There
are
many
ways,
including
Federation
approaches,
I
mean
the
best
practices
badge
and
the
scorecards
scorecards
takes
the
totally
automated
best.
Practices
takes
the
mostly
form
filling
with
some
Automation,
and
the
integration
is
basically
the
scorecards
Yanks
in
the
back.
The
badge
info
were
available,
so
there
are
many
ways
to
skin
this
cat
step.
One
is
to
discuss.
A
Yeah,
no
more
I
I
got
the
GitHub
link
to
the
legitify
overall
page.
Is
there
one
that's
more
specific,
with
the
rules
that
you've
got
because
I
I
think
those
are
that's?
The
the
cool,
especially
cool
nugget,
is
all
the
things
you're
looking
for
yeah,
okay,
legitify.dev?
Okay,
that's
that's
the
thing
I
wanted
to
know.
Yeah.
C
C
B
So
if
there
is
something
specific
you
want
to
propose
for
the
group
like
if
we
want
to
collaborate
on
the
source
code,
best
practices
or
even
about
a
kind
of
yeah,
including
your
tool
as
part
of
our
working
group,
we'll
put
an
issue
we'll
need
to
put
an
issue
together
and
kind
of
talk
through
that
and
then
have
the
we'll.
Have
the
whole
group
vote
on
that.