►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A
A
A
Let
we
probably
are
going
to
have
a
guest
speaker
today
to
come
talk
about
GitHub,
best
practices,
project
that
they've
been
asking
me
to
come
talk
to
the
group
about.
So
if
Roy
and
noem
arrive,
we
will
pause
and
let
them
talk
to
us.
But
let
us
jump
into
our
inaugural
backlog,
review.
I
know
everyone's
been
chomping
at
the
bit
very
excited
to
talk
about
items
in
our
backlog.
C
A
A
C
Oh,
that
yeah,
that
this
would
make
a
great
blog
post.
It
was
about
the
the
concise
guides.
Well,
there
was
a
blog
post
in
the
concise
guides
to
that's
them
right
clearly,
but
there
are
a
couple
things
and
I
I
I
went
through
and
I
used
some
of
these
labels
I
marked
things
that
so
maybe
we
should
take
a
look
at
things
that
I
marked
as
next
meeting
first,
but
we
should
really
take
a
look,
maybe
at
a
couple
of
the
other
things
so
Issue
Number
Nine.
C
This
was
somebody
commented
that
they
thought
that
our
best
practices
should
include
a
guiding
people
to
use
memory.
Safe
languages
like
rust
and
I
couldn't
find
any
specific
mention
of
memory
safe
languages
in
our
best
practices,
but
maybe
I
wasn't
looking
hard
enough,
so
it
doesn't.
It
didn't.
Look
like
this
was
incorporated,
but
my
question
is:
is
it
appropriate
because
it's
kind
of
an
opinionated
like
art?
C
It
felt
like
to
me
that
the
guides
that
were
coming
that
were
that
we're
building
here
should
be
more
neutral
when
it
comes
to
language
use
and
so
I
thought
it
might
be
out
of
scope.
So
I,
just
rather
than
close
it
I
just
wanted
to
bring
it
to
the
group
and
and
see
if
it
was
out
of
scope.
I,
don't
know
if
I
don't
want
to
debate
it
here,
but
if
it,
if,
if
I
can
close
it
or
if
we
could,
if
we
can
agree
to
close
it,
then
let's
close
it.
C
A
I
think,
let's
give
the
group
until
Friday
to
post
comments
for
or
against
you
know,
working
on
this
or
citing
examples,
and
if
we
don't
get
any
anything,
you
know
driving
us
forward
to
do
taking
specific
actions
on
this.
Let's
close
it
and
I'll
take
a
note
Dave.
If
you
could
make
a
note
that
I
need
to
send
an
email
out
to
the
list
asking
them
to
review
and
comment
on
this
by
Friday.
Please.
A
A
Somebody
had
made
a
note
that
we
should
Advocate
or
create
materials,
or
you
know,
do
some
work
around
memory
safety
languages
like
rust,
like
rust,
and
we're
going
to
ask
the
group
I'll,
send
an
email
out
today
asking
everyone
to
comment
on
Issue
Number
Nine,
give
your
opinion
on.
Is
this
something
we
want
to
do
something
we
already
did
or
is
it
something
that
is
kind
of
out
of
scope,
because
Dan
mentioned
that
we
do
try
to
be
neutral
because
for
all
developers,
great
yeah.
F
I
guess
the
question
is
in
what
are
we
talking
about
like
for
the
concise
guy
for
the
badge,
for
the
the
course
actually
already
recommends
it
in
many
case
where
it
makes
sense?
The
challenge
is,
of
course,
that
there's
many
cases
where
it
doesn't
make
sense.
So
you
know
I'm
a
modern
memory,
pretty
much
all
languages,
except
for
C,
C,
plus
plus
fourth
assembly
I
mean
most
languages.
F
Is
a
lot
of
code
I
mean
I,
I
will
observe
yeah
I
mean
the
one
of
the
practice
should
be
I
mean
look
at
look
at
all
the
efforts.
The
Linux
kernel
is
about
to
add
support
for
rust.
It
has
been
a
lot
of
work
and
there
is
no
expectation
that
that's
going
to
be
used
for
a
large
proportion
of
of
the
kernel
they're
hoping
to
eventually
use
it
for
certain
drivers.
F
C
E
F
F
F
F
F
Okay,
so
you're
not
rushing
well
and
and
I
understand
I
mean
it's
fundamentally
an
owas
task
and
OAS.
You
know
you're
quite
unlikely
to
write
a
web
app
in
C
or
C
plus
plus
I
won't
tell
you,
it
can't
be
done,
I'm
sure
someone
has,
but
it's
it's
a
less
common
situation,
whereas
embedded
that's
the
world.
E
F
C
Into
the
issue,
point
of
order-
just
you
know
not
not
seeking
to
kind
of
like
just
just
a
suggestion,
I
think
in
the
context
of
issue
triage.
We
should
try
and
keep
discussion
short
and
move
the
debate
to
the
issue,
but
I'm.
What
I'm
trying
to
do
is
is
determine
if
there
are
a
couple
of
these
that
can
just
be
summarily
closed,
like,
for
instance,
issue
38
proposed
high
level
vulnerability
works,
for
there
was
a
a
PR
into
the
working
group.
Vulnerability.
C
C
C
C
C
C
Sorry
issue
number
51.:
it
has
to
do
with
adding
security
and
machine
Learning
Systems
to
thrive
on
guidelines.
So
there
was
some
discussion
on
this.
This
goes
back
to
March,
so
there
doesn't
seem
to
have
been
any
action
that
came
out
of
this
into
the
guidelines
that
I've
seen
and
I.
And
so
my
question
is:
is
this
something
that
is
kind
of
tapered
off?
Do
we
still
think
this
is
desirable?
A
F
There
there
is
already
a
foundation
on
AI
I
mean
that's
not
this
one,
but
now
they
ended
up
merging
it
with
Big
Data,
because
because
a
lot
of
the
machine
learning
stuff
today,
basically
you
have
massive
massive
data
sets
for
training.
So
give
me
a
second
I
will
get
its
actual
name
because
I
keep
getting
it
wrong.
Official.
E
A
D
F
I
guess
I
I
would
say
this
is
in
scope,
but
maybe
what
this
does
is
it
is.
This
ends
up
being
a
mod
to
some
existing
training
materials
and
maybe
the
concise
guide.
If
that
happens
enough
I
think
the
challenge
is
that
for
the
concise
guide
you
know,
most
people
are
building
software,
aren't
building
machine,
Learning
Systems
so
and
obviously
this
only
applies
there.
On
the
other
hand,
it's
it
is
a
significant
number
and
I'm
sure
that
number
will
increase.
F
F
Yeah
yeah
I
will
comment
and
you
can,
if
you
read
the
details
of
the
comments,
I
realize
it's
a
lot
of
text.
The
big
challenge
is
evasion,
basically,
there's
a
widespread
agreement
that
there's
a
problem
that
I
know
of
no
Solutions.
So
you
know
hey,
be
aware
of
a
problem,
but
there
are
no
Solutions
I.
Guess
that's
useful
in
the
sense
of
maybe
you
shouldn't
use
machine
learning
for
that
problem,
but.
A
F
You
know
what
how's
this
I
would
propose
both
of
those
basically,
let's
at
least
add
to
education
for
the
things
that
are
available
and
maybe
paying
off
to
the
Ella
Foundation
to
see.
If
there's
a
solution
for
evasion,
because
I
look
for
I
actually
did
I
I
mean
I
I
spent
weeks.
Looking
for
looking
at
all
the
research
on
The
Invasion
topic
and
basically
there's
an
incredible
number
of
papers
that
describe
us
to
an
idea
that
doesn't
work.
F
C
All
right
so
I
made
a
note
about
that
in
that
issue.
The
one
other
thing
that
I
that
I
put
into
the
agenda
was
issue
28,
which
is
kind
of
ql
on
SKF,
which
looks
like
there
had
been
some
recent
discussion
on
it.
So
I
just
wanted
to
kind
of
raise
that
to
the
agenda
to
see
if
there
was
anything
that
we
could
talk
about
here.
E
C
If
anybody
is
I
mean
again
I'm
just
kind
of
like
approach,
the
the
labeling
thing
in
a
way
that
was
consistent
with
our
discussion
in
the
in
the
discussion
Thread
about
this,
and
if
people
have
different
ideas
about
labels
or
I,
think
the
idea
is
to
be
quite
promiscuous
with
labels.
So
to
speak
right.
So
if
we
have,
if
people
want
to
add
a
label,
they
think
a
label
is
missing.
C
E
A
All
right
did
Roy
or
Noam
ever
join
us.
They
did
not
all
right.
Our
next
agenda
item
was
homework.
Everybody
had
from
last
time.
We
are
trying
to
think
about
the
next
projects.
We
would
like
to
work
on
together
as
a
group,
as
we
determine
these
things,
determine
kind
of
our
next
projects
or
even
to
start
to
even
generate
ideas.
A
I'd
like
to
get
these
things
documented
as
issues
so
that
we
can
again
publicly
work
them
and
talk
about
them,
and
then,
eventually,
you
know,
as
we
are
engaged
in
projects
have
them
as
links
inside
our
agenda
to
show
you
know
we're
talking
about
issue
blah
here's
the
progress
we
made
since
the
last
time
we
talked
about
it,
so
I'll
open
up
the
floor.
What
types
of
things
is
the
group
interested
in
we're
collaborating
on
together
around
the
topic
of
secure
development
practices.
C
C
The
initial
idea
is
that
this
might
turn
into
a
industry
Workshop
that
we
would
run
like
a
physical
Workshop,
where
we
would
run
it
and
sometime
in
the
early
New
Year,
where
we
would
focus
on
developer
materials
or
anything
that
really
helps
web
developers
develop
more
secure
web
applications,
kind
of
looking
at
it
through
the
web
developer
lens,
and
that
is
so
so
that's
one
a
one
particular
one
one
potential
item,
and
then
out
of
that
could
come
additional
deliverables,
either
joint
deliverables
or
or
deliverables.
For
this
working
group.
A
I
personally
think
it's
a
pretty
worthwhile
topic,
which
is
why
I'm
participating,
but
if
anyone
else
has
additional
thoughts
or
they
are
interested,
or
they
have
ideas
that
the
group
could
potentially
work
on,
please
feel
free
to
suggest
them
and
we'll
get
in
it.
We'll
actually
make
a
formal
issue
for
this
going
forward
again,
please
put
your
thoughts
and
comments
there
as
well.
In
addition
to
meeting
notes
chat,
however,
if
you
wish
to
express
yourself.
F
Maybe
this
is
more
education
Sig,
but
the
current
fundamentals
course
talks
a
whole
lot
about
developing
secure
software
and
evaluating
software.
You
know
before
you
bring
it
in
a
reusable
software
before
you
bring
it
in
it,
talks
less
about
the
whole
securing
of
the
build
and
distribution
and
so
on.
There
is
a
section
on
it.
F
I
have
definitely
thought
about
the
idea
of
expanding
that
section
based
on
salsa
and
SSC,
and
so
on,
not
really
to
be
its
own
course.
Just
you
know
expanding
on
that,
so
that
we
cover
that
more
thoroughly.
I,
don't
know
where
I
mean
underneath
this
group
somewhere-
and
this
is
an
idea
not
not
yet
put
into
practice,
but
that's
something
that
I
think
would
be
useful,
valuable,
going
forward.
A
A
I
think
there's
a
lot
of
interest
and
energy
around
this,
and
maybe
this
is
something
we
kind
of
kick
start
to
get
a
a
little
bit
of
ahead
of
the
curve,
because
I
think
this
is
probably
one
of
the
one
of
the
priority
areas
we're
going
to
identify
out
of
the
education
segment.
Whatever
we
have
kind
of
a
gap
in
current
materials,
yeah.
B
Thank
you,
I
no
I
agree.
This
is
a
good
idea.
This
is
a
topic.
I
think
needs
some
more
specific
attention
and
guidance.
So
I
definitely
agree.
I
also
wanted
to
interject
a
point
of
admin
here.
So
these
ideas
to
be
created
into
issues
so
I'm
going
to
assign
issue
creation
to
people
in
this
document
Dan.
Is
it
safe
to
put
you
down
for
the
web
developer
education
issue?
Thank
you.
David
can
I
put
you
down
for
the
idea
you
just
pitched.
F
B
E
E
A
E
F
C
These
communities
is
that
they
all
have
their
own
language
instead
of
speak,
not
programming
language,
but
the
way
that
they
talk
about
the
development
is
different
and
the
words
that
they
use
are
different
and
one
of
the
reasons
that
it
because
I'm
kind
of
coming
from
the
website.
So
one
of
the
reasons
that
I
was
focusing
on
web
is
because
I
see
there
being
a
huge
gap
when
it
comes
to
web
developers,
how
they
talk
and
think
about
security.
D
C
E
E
A
A
Marta
participates
with
this
group
and
she
has
a
lot
of
experience
with
embedded,
so
that's
potentially
an
in-road
that
we
can
get
some
materials
or
connections
with
like
the
embedded
space,
I
I
think
that's
an
excellent
idea,
kind
of
Target
thinking
about
other
constituents.
We
may
need
to
adjust
our
materials
for
or
create
whole
cloth
new
materials
for
potentially.
C
A
A
And
one
thing
will
need
to
be
cognizant
of
is,
as
we
identify
the
need,
we'll
need
to
also
try
to
identify.
Do
we
have
someone
that
has
subject
matter,
expertise
or
someone
that
has
the
ability
to
engage
with
those
particular
constituents,
it's
great
to
find
a
backlog
of
work,
but
if
we
can't
we
don't
have
the
capability
or
capacity
to
do
anything
about
it.
It
doesn't
super
helpful
I.
C
Think
having
a
partner
or
a
partner
organization,
or
something
like
that,
somebody
to
collaborate
with
as
well,
because
that
helps
to
enlarge,
because
if
it's
just
us
talking
about
embedded,
then
that's
one
thing.
But
if
we're
actually
like
working
with
some
embedded
systems
specific
community
together,
then
that
helps
to
amplify
the
voice
of
open
ssf
so
to
speak
and
raise
the
profile
and
therefore
help
to
achieve
our
goals.
A
Excellent
point,
Dan
and
I
would
show
you
an
example
where
we
had.
Several
members
of
this
group
were
very
passionate
about
creating
an
npm
series
of
best
practices,
so
Lawrence
and
several
others
went
off
and
worked
with
that
Community
to
create
that
guide
and
collaboration
with
them,
and
it's
been,
you
know
gotten
some
very
good
comments
and
remarks
so
far
and
that's
I
think
an
excellent
path
to
find
somebody
to
partner
with
and
kind
of
work
with
directly
with
those
communities.
E
A
I
guess
I
would
put
in
a
question
to
the
group.
We
have
a
couple
guides
we've
produced.
What
is
our
desire
to
keep
those
guides
maintained?
Do
we
want
to
put
an
item
that
we
annually
semi-annually
review
them
officially
or
do
we
want
other
suggestions
on
how
we
can
make
sure
that
those
artifacts
we
create
are
current
and
have
you
know,
continue
to
have
accurate
information.
F
I
I
have
a
druthers
and
this
group
can
decide
whether
or
not
that
makes
any
sense,
but
I
sure
would
hate
to
wait
for
an
annual
review
of
of
something.
When
you
know
hey
it's
a
relatively
minor
change,
it
can
just
be
like,
like
the
concise
guides
there
are
lists.
We
can
always
add
another
item
to
a
list
of
things
to
think
about.
So,
for
example,
we
just
had
a
discussion
about
memory
safety.
F
Let
me
use
that
as
an
example
I'm
not
trying
to
redo
that,
but
just
using
an
example
you
know
I
would
say:
hey
somebody
has
a
wants
to
make
a
change,
make
a
pull
request.
Maybe
we're
reviewing
this
group
if
it's
relatively,
if
it's
you
know
not
hey
rewrite
the
Universe
and
people
agree
to
it,
that's
great
and
then
periodically
review
on
and
hey.
F
Is
this
still
reasonably
good
or
has
this
kind
of
gotten
too
old
and
really
needs
a
refresh
or
redo,
but
I
I
hate
to
wait
a
whole
year
for
guidance
now
for
something
that
likes
us
a
standard
where
you
know,
there's
multiple
parties
and
maybe
contracts
involved,
I
think
that's
different,
but
I.
Don't
think
most
of
the
stuff
we're
doing
is
in
that
category.
A
So
I
I
would
highlight
that
everything
we
create
is
essentially
a
living
document
and
always
is
open
for
Improvement
and
contribution,
but
much
like
our
backlog.
If
someone
isn't
looking
at
it
and
remembering
to
try
to
follow
up
on
it,
it
might
get
stale.
So
I
just
want
to
make
sure
that
maybe
on
some
level
we
as
a
group
reflect
on
it
but
yeah,
always
if
there's,
we
always
encourage
things
to
be
actively
updated.
A
C
Related
question:
if
somebody
comes
across
our
or
when
somebody
comes
across
our
our
concise
guy,
I'd
say,
for
instance,
do
they
know,
oh
if
they
find,
if
they
have
a
suggestion,
do
they
know
that
they
should
they're
welcome
to
open
up
an
issue
in
our
repo?
Are
they
welcomed,
open
up
an
issue
in
our
repo,
because
that's
another
way
that
we
can
keep
those
documents
fresh
by
encouraging
external
contributors
or
external
commentaries
anyway
and
I'm,
not
sure?
If
that's
the
case
right
here.
F
E
I
can
I
can
help
you
just
to
add
a
second
voice.
That
was
exactly
what
I
was
curious
about
too.
So
any
repo
that
you're
accepting
PR's
on
you
should
have
a
contributing.md.
It's
actually
one
of
the
base
standards
for
sale,
monitor
that
you
are
just
specifying
what
it
looks
like
for
people
to
contribute.
It
should
have
all
that
information
in
there
I
thought
we.
E
A
F
E
F
C
D
So
I
think
I
think
a
contributing
MD
file
is
definitely
a
thing
to
do.
This
is
definitely
a
best
practice,
but
I
don't
know
that
this
means.
We
don't
also
want
to
add
a
note
to
the
documents
themselves
right
and
I.
Think
in
fact,
I
mean
I
the
we
probably
want
to
direct
people,
and
you
know
if
people
may
have
just
questions
or
raise
issues
right.
D
They
may
not
necessarily
come
up
with
a
proposal,
and
maybe
you
don't
want
them
to
just
start
submitting
a
pull
request
even
before
you
entertain
whether
this
is
a
good
idea.
We
want
to
welcome
or
not
you
know,
and
just
like
the
the
issue
we
talked
about
earlier
with
the
language
about
rust.
We
want
to
recommend
something
like
rest
and
stuff,
like
this
I
think
it's
better
to
have
an
issue
open
than
having
a
pull
request
that
just
modifies
the
text
saying
hey,
you
really
need
to
use
rust
all
the
time
as
much
as
possible.
D
F
I
could
push
back
a
little
bit.
I
do
think.
There's
cases
where
you
can
do
the
pull
request.
I
think
a
number
of
cases.
It's
okay,
it's
perfectly
reasonable
to
do
a
pull
request
directly
if
there's
a
problem,
but
you
have
no
idea
exactly
if
you
perceive
a
potential
problem,
but
it's
not
clear
exactly
what
the
problem
is
or
how
to
solve
it.