►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A
B
A
A
A
D
Hi
everyone
good
morning
my
name
is
Rosario
Carr
I
am
definitely
new
to
the
team.
I
work
at
indeed
I've,
taken
on
a
new
role,
and
indeed
in
the
open
source
program
office
working
as
a
conduit
between
the
office,
the
open
source,
Foundation
security
foundation
and
our
security
team.
So
I've
been
making
my
way
through
a
lot
of
these
working
groups,
trying
to
just
get
an
understanding
of
the
strategy
and
what
the
teams
are
working
on.
So
it's
nice
to
meet
everybody,
and
thank
you
for
having
me.
A
All
right
do
we
have
anyone
that
is
interested
in
helping
scribe
notes
for
us
today.
Oh
thank
you
Dan
appreciate
that,
sir,
all
right,
if
you
have
any
opens,
you
would
like
to
discuss
with
the
group,
please
add
those
in
the
open
section.
As
a
reminder,
this
will
be
our
last
call
for
the
year
we
will
start
back
up
bright
and
early
in
the
new
year
January
3rd.
There
will
be
a
new
Google
document
that
will
be
our
meeting
notes.
A
So
I
will
update
the
slack
Channel
sometime
in
the
next
week
or
two
to
reflect
that.
So
you
always
can
look
at
the
top
of
most
open
ssf
Slack
channels
pinned
to
the
top,
is
typically
meeting
agendas
and
get
repos
and
stuff.
So
I'll
update
that,
and
we
will
start
off
with
a
brand
new
set
of
meeting
notes
next
year,
because
if
we
have
too
many
edits
in
a
Google
doc,
it
goes
crazy.
B
Maybe
very
short
SKF
we
rolled
it
out
a
couple
of
months
ago.
We
still
see
that
we
have
around
110
unique
registrations
per
week,
so
that's
pretty
okay.
I
also
see
a
lot
of
universities
actually
enrolling
and
using
it
with
like
masses
like
a
whole
class,
so
they
bump
up
the
average
per
week,
yeah
and
other
than
that.
We're
already,
you
know,
like
we
said
we're,
building
and
preparing
for
the
next
steps
of
the
platform
and
the
releases
so
actually
yeah
excellent
yeah.
So
so
that.
E
B
Yeah
I
see
like
five
or
six
unique
universities
that
are
using
it.
They
seem
I,
say
it
oriented
to
more
the
technical
side
in
terms
of
universities,
but
yeah
I
think
we
should
probably
in
the
beginning
of
next
year,
in
January,
somewhere
just
reach
out
to
them
and
see
if
we
can
yeah
do
like
a
guest
lecturing
or
something
like
that.
I
mean
probably
sell
from
her
plan.
Also
has
some
ideas
for
that
as
well.
A
And
that's
actually
a
task.
I
would
like
us
to
work
on
aside
from
picking
up.
Potentially
some
a
new
project
to
collaborate
on
I
would
like
us
to
think
about
how
we
can
increase
the
utilization
of
our
existing
sub-projects,
how
we
can
increase
our
reach
of
the
best
practices
group
in
general.
So
maybe
we
can
brainstorm
on
that
a
little
bit
January
next
year
to
think
about
and
I
like
the
idea
of
reach
out
trying
to
reach
out
to
these
universities
and
see
if
they
would
like
some
additional
expert
time.
A
A
We
will
get
everything
complete
this
week,
send
out
to
the
working
group
and
the
education
Sig
for
a
two-week
comments
official
period
and
then
it
will
get
pushed
to
the
tack
and
that'll
probably
make
it
January.
I
would
assume
so
like
that
first
week
of
January
is
probably
when
we
would
push
the
plan
to
the
tack
and
then
eventually
the
governing
board.
B
A
So
please,
please,
please
best
practices
working
group.
Tell
your
friends!
Tell
your
neighbors!
Please
look
at
the
plan.
Give
us
your
thoughts
either
in
an
email
in
a
PR
in
an
issue
depending
on
kind
of
what
form
that
feedback
is
in.
So
we
can
get
that
acted
upon
before
we
kind
of
lock
it
down
this
week.
A
All
right
three
items
of
business
I
would
like
to
discuss
first
off
issue.
103
I
see
many
smiling
faces
here
on
the
call,
but
I
don't
see
a
lot
of
comments
on
my
issue
so
potentially
maybe
at
the
end
of
this
call
those
of
you
that
are
long
time,
attenders,
which
is
most
everyone
here.
Please
review
issue.
103
read
the
charter
Express.
A
A
A
F
A
E
A
E
Are
all
of
the
other
starters
as
like
my
point
that
I
tried
to
make
him
get
a
burnout
in
and
GitHub
in
a
slack,
you
know
it's
the
the
part
of
the
charter
that
actually
describes
what
the
working
group
does
is
fairly
small.
Is
that
intentional,
on
your
part,
like
I,
guess,
I'm
used
to
Charters
that
kind
of
prescriptively
list
out?
These
are
the
things
that
the
word
these
are
the
deliverables
the
working
group
will
will
provide.
A
Charter
is
a
copy,
a
clone
of
the
from
up
from
the
attack
repo,
where
it
was
provided
across
all
working
groups,
so
it
is
intentionally
generic.
The
working
group
has
the
ability,
if
they
desire
to
make
modifications,
but
my
job
is
not
prints
of
paperwork.
So
I
have
not
invested
a
lot
of
energy
into
that.
I've
tried
to
invest
more
energy
into
things
like
the
plan,
helping
promote
our
sub
tools
like
the
badges
and
SKF.
So
if
the
team
wants,
we
are
welcome
to
add
more
meat
in
there,
but
it
is
intentionally
generic
right
now.
E
I
I
guess
the
question
is:
is
there
some
kind
of
governance
reason
for
having
more
more
prescriptive,
Charter
I?
Guess
my
example
that
I
give
is
like
in
w3c
working
groups.
You
want
things
to
be
listed
in
the
charter
because
there's
an
IP
commitment
that
is
made
on
the
part
of
participating
parties
that
only
extends
to
the
things
that
are
actually
listed
in
the
charter
of
the
group.
E
A
Yeah,
we
don't
have
a
similar
restriction
and
this
Foundation
is
not
as
mature
as
other
foundations.
So
if
it
adds
value
for
us,
that's
something
again
like
I
mentioned
to
Randall:
let's
try
to
fix
it
everywhere,
instead
of
just
our
repo.
So
if
that's
a
suggestion
you
think
is
valid.
Let's
push
that
up
to
the
tack
and
state.
You
know
unless.
E
A
A
There
was
a
suggestion
that
we
add
essentially
a
statement
in
our
collateral.
Specifically
the
concise
guides
that
you
know
PRS
are
welcome.
We
love
patches,
we
love
contributions.
So
does
the
group
agree?
This
is
something
we
think
is
good,
and
is
anyone
interested
in
submitting
some
PRS
to
across
our
different
items
to
make
that
a
reality
I
think
it's
a
great
idea,
because
I
would
love
more
external
contributions.
C
A
A
This
was
submitted,
I
know
them,
but
one
of
our
previous
working
group
call
and
based
off
of
our
history,
where
we
do
concise,
guides
and
kind
of
best
practices
literature.
He
suggested
it
might
be
a
great
project
for
us
to
collaborate
on
together
around
GitHub
security,
best
practices
and
I
want
to
Echo
Daniel's
comment.
I
can't
recall
if
it
was
in
the
issue
or
if
it's
in
slack,
we
will
not
create
a
artifact
that
specifically
endorses
a
vendor
or
a
ecosystem.
A
So
we
would
probably
change
this
topic
to
source
code
repository
best
practices,
and
then
we
can
definitely
showcase
some
of
the
tools
that
are
available
in
GitHub
or
gitlab
as
exemplars,
but
we
don't
want
to
be
seen
as
in
completely
endorsing
a
particular
only
one
vendor.
We
want
to
try
to
remain
as
neutral
as
possible.
E
A
Exactly
Edison
I've
been
talking
to
her
about
the
shirt
too
awesome
Madison's
awesome,
yeah.
We
need
to
pull
her
into
here,
too.
Yeah
she's
been
trying
to
get
back
in,
but
she
says
that
she's
juggling
a
lot
day,
jobs
foreign,
so
that
would
be
another
tactic-
is
that
as
we
are
talking
about
at
more
of
a
principal
level,
you
know
you
should
do
these
specific
techniques.
A
E
E
Like
vote,
you
know,
for
instance,
we
have
this
I
and
I
referenced
it.
We
had
this
discussion
around
the
end
about
right.
So
if,
if
GitHub
or
whoever
has
a
particular
solution
that
they
have-
and
there
are
other
possibly
msf,
members
that
have
competing
Solutions,
then
we
need
to
be
very
careful
about
what
we
say,
because
on
the
on
the
one
hand,
we
don't
want
to
be
telling
people
to
do
something,
that's
overly
complex.
We
want
to
give
people
a
good,
simple
way
to
to
do
what
the
best
practice
is.
E
On
the
other
hand,
we
really
want
to
be
making
sure
that
people
are
aware
that
other
options
exist
and-
and
we
don't
want
to
unnecessarily
push
one
vendor-
has
one
particular
approach.
Other
people,
other
people
in
the
ecosystem
might
have
a
different
idea
about
how
their
you
know
about
how
to
do
things
best
in
their
in
you
know,
in
GitHub,
right
or
in
gitlab
or
whatever,
so
so
anyway,
that
that's
the
kind
of
nuance
of
the
vendor
neutrality
thing
that
I
wanted
to
bring
to
pair.
A
From
yeah,
and
so
for
an
example,
if,
if
we
all
agree
that
using
dependabot
is
the
best
practice,
we
would
want
to
rephrase
that
into
you
need
you
know:
thou
should
use
dependency
management
tools
that
check
the
for
known
vulnerabilities
and
whatever
else
the
dependabot
features
are
and
more
generify
it
and
then
at
the
end
you
could
say
an
example
of
this
Behavior
could
be
github's,
dependabot
or
git
lab
blah
or
commercial
tools
that
do
X
or
Y
yeah
and
I
do
agree.
We
came
when
we
did
the
concise
guide.
A
B
Yeah
I
think
I
said
this
before
I
I
would
indeed,
rather
you
know
reference
to
open
source
capabilities
that
do
the
same,
maybe
not
that
well,
but
the
same
and
the
same
concept
same
idea,
because
you
know
what
you
don't
want.
I
guess
is,
you
know,
create
a
whole
lot
of
words
and
and
documents
that
is
very
abstract
and
you
know
not
really
helping
them.
You
know
what
I
mean.
A
Yeah
I
I
anywhere
we
can
so
if,
if
our
best
practice
around
source
code
management
is
to
you
know,
turn
on
multi-factor
Authentication,
we
would
want
to
provide
links
to
the
actual
technical
documentation
on
how
to
do
that
across
the
the
main
implementations.
So
we're
not
going
to
rewrite
like
GitHub
or
gitlab
or
the
other
repos
documentation
for
them.
But
we
would
say
if
you
use
these
here's
how
to
quickly
get
in
and
configure
this
particular
principle.
B
B
Is
if
you
go
to
the
link,
of
course,
what
the
the
guys
already
did
in
terms
of
the
tool
and
the
documentation
they
wrote.
I
mean:
okay,
it's
already
gets
a
Centric,
but
I
think
like
a
lot
of
these
Concepts
should
actually
or
can
be
one-on-one
even
copied
for
all
the
other
code
repository.
So
how
are
we
going
to
deal
with
that?
Are
we
going
to
extend
their
documentation
or
content,
or
are
we
going
to
copy
theirs
and
we
make
our
own
sauce
of
it
or
I
mean.
A
That's
a
detail:
we'd
have
to
work
out.
I
would
prefer
you
know
if
they're
going
to
donate
this,
like
Google
did
with
the
vulnerability
disclosure
guide.
We
would
need
to
strip
out
all
of
the
corporate
links
from
you
know,
legit
security,
and
we
would
need
to
kind
of
rewrite
it
as
the
openssf
if
they're
going
to
donate
it.
If
it's
just
a
reference,
you
know
if
it's
just
a
reference
for
us,
we
definitely
can.
You
know,
make
our
own
statements
based
off
of
if
we
like
this
structure
and
the
pattern
they're
using.
B
F
A
B
A
E
A
C
A
A
A
So
it
sounds
like
the
group
agrees,
and
this
will
be
a
work
item.
We
pick
up
if
anyone
has
any
other
projects
that
they're
interested
in
kind
of
working
on
with
this
group
having
this
group
be
Steward
of
please
file
an
issue
send
the
mail
to
the
mailing
list
so
that
we
can
get
that
your
thoughts
talked
about
as
part
of
the
group
and
then
just
as
an
FYI
the.
G
A
question
there
was-
or
there
still
is,
the
C
plus
plus
hardening
guide
document
listed
in
the
repo
listed
as
incubating,
but
and
even
though
I
haven't
attended
like
every
meeting
here.
Unfortunately,
it
seems
to
be
dormant.
I
was
wondering
about
the
state
of
this,
because
I
do
have
some
conversations
with
folks
internally,
of
course,
like
every
larger
organization
has
C,
plus
plus
hardening
guides,
they
kind
of
were
interested
in
maybe
picking
this
up
and
I'm
not
picking
this
up.
A
We
had
a
meeting,
it's
been
a
couple
months
back
now
where
we
talked
about
this
and
the
group
agreed.
This
is
something
that
would
be
useful
and
we
had
several
people
that
were
interested
in
contributing
to,
but
I
I
think
our
our
blocker
right
now
is
Mr.
Wheeler's
time
he's
been
the
primary
Steward
of
this
and
he's
been
just
crazy
with
travel
and
whatnot.
So
this
is
definitely
something
the
group
wanted
to
do
and
we
absolutely
can
do
multiple
things
in
parallel.
A
As
you
can
see,
you
know
we
have
the
badges
and
the
training
and
SKF
and
scorecards
all
kind
of
operate
independently.
So
if
there
was
a
group
of
people
that
wanted
to
work,
contribute
on
this,
there's
nothing
stopping
you
and
overall,
the
group
thought
it
was
good.
It's
just
a
matter
of
kind
of
finding.
A
Thanks
a
lot
feel
free
to
write
a
comment
on
the
issue,
saying
hey
I'm
interested
in
collaborating
here
and
ideally
that'll
Inspire,
some
other
folks
to
also
kind
of
chime
in,
and
then
we
can
organize
asynchronous
meeting
or
just
slack
chat.
We
can
figure
out
some
way
to
organize
and
get
that
project
moved
forward
cool.
Thank
you.
You're
welcome,
sir
Dan.
E
All
right,
this
is
from
Left
Field.
The
you
mentioned.
Scorecards
you've
just
reminded
me
that
the
I
was
wondering
if
the
question
of
adding
a
test
to
see
if
there's
a
Code
of
Conduct
was
ever
discussed
in
the
context
of
the
scorecards,
because
I
recently
found
myself
doing
a
series
of
scorecard
tests,
or
you
know,
on
a
number
of
different
repos
and
kind
of
reporting
back
on
so
I
was
actually
using
the
tool
internally
to
evaluate
and
send
some
information
to.
E
Somebody
and
I
found
myself
doing
that
and
then
also
looking
to
see
if
it
was
a
critical
conduct
and
I
was
just
wondering
if
it
had
ever
been
discussed
or
if
it
was.
You
know
it
kind
of
is.
Is
there
an
opportunity
to
have
that
discussion
within
the
scorecards,
the
substrate,
where
that
can
be
fine,
yeah.
A
I
am
not
aware
of
what
the
inventory
of
all
the
current
checks
are,
but
that
group
is
very
open
to
suggestions
and
refinement
of
their
checks.
So
I
think
that
would
make
an
excellent
PR
forum
should
be
fairly
simple
check
to
add
in
do
you
have
a
code
of
conduct
file
in
your
repo,
or
is
there
any
kind
of
reference
to
that?
So
that
should
be
programmatically
fairly
simple
for
them
to
add
and
historically
Laurent
nazim.
E
A
Something
yeah
an
issue
probably
would
be
most
appropriate
and
then
again,
they're
very
respite.
I've
sent
them
an
email
and
within
a
half
hour,
I've
gotten
a
response
from
because
intel
was
very
interested
in
trying
to
see
how
we
could
the
corporation
work
with
the
scorecard
team.
So
we
I
made
a
love
connection
between
that
project
and
my
internal
folks,
so
very
responsive
guys.
The
gals.