►
From YouTube: OSS-SIRT SIG - Part of BEST WG (November 14, 2022)
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
Yeah,
so
what
did
you
want
me
to
do
about
because
I
know
that
you
had
podcasts
on
there?
Did
you
want
me
and
I
know
that
you
have
the
budget
for
the
podcasting
equipment
in
the
education
Sig?
The
do
those
two
go
together
should
I
link
those
or.
A
C
A
C
C
C
C
C
Let's
see
while
Randall
types
art,
if
you
want
to
type
in
any
small
updates
in
section
two
we'll
talk
about
that
in
a
second.
C
So
Randall
do
you
want
to
verbally
give
us
your
update
and
then
we
can.
A
Be
great
so
for
my
section
we're
I'm
finalizing
the
plan.
Pretty
much
have
everything
done,
but
1.4
I
also
made
an
issue
on
issue
one
or
a
comment
on
issue,
one
to
add
the
scope
as
1.3
to
my
document,
because
we've
discussed
it
before
and
I
think
it's
currently
in
stream.
Three,
but
I,
don't
and
I
think
it
originally
was
going
to
move
to
stream
two
but
I'm,
proposing
it
and
moving
it
to
stream.
A
One
since
we're
doing
the
discussions
in
the
surveying
of
people
there,
so
I
figure
that,
after
the
surveys
we
could
do
the
scope
or
finalize
the
scope,
but
I
also
kind
of
put
an
initial
scope
into
issue
one.
A
But
beyond
that,
I
would
say
check
the
pr
to
to
for
final
updates
and
maybe
anything
jumps
out
at
you.
You
know
please
make
a
comment.
B
B
A
D
So
I
think
that
there
is
a
fair
amount
of
overlap
between
the
engagement
with
the
community
and
section
one,
but
I
want
to
understand
and
I
can't
remember
off
the
top
of
my
head,
because
I
haven't
had
my
coffee.
Yet
whether
or
not
the
the
intent
behind
that
in
section
three
for
reaching
out
to
those
communities
was
different
than
what
we
had
intended
for
the
intent
in
section
one.
D
The
section
one
if
I
remember
correctly,
was
about
understanding
a
little
bit
more
of
the
problem
space,
doing
the
level
of
Engagement
with
the
community
to
hear
their
concerns
their
problems
and
challenges
and
ask
them
for
what
it
where
we
can
help
or
where
we
can
provide
the
most
value
and
benefit
to
them
potentially
offloading
some
of
that
burden.
Where
is
stream?
Three
is
more
of
an
awareness
and
an
engagement
if
I,
remember
correctly
and
I
want
to
make
sure
that
we
don't
lose
what
the
intent
behind
each
of
them
is.
C
A
A
In
section
two
and
another
thing,
Emily
I've
been
looking
over
a
lot
of
the
education
from
first
and
a
lot
of
crow
videos
and
different
education
General,
and
one
of
the
things
that
first
pointed
out
is
that
you
want
to
be
very
like
you
want
to
track
your
audience,
and
you
want
to
Define
exactly
who
you're
solving
problems
for,
and
that's
like
a
big
thing
for
them,
and
we
don't
really
have
that
anywhere
in
the
plan.
D
All
right,
so
with
that,
what
I'm
going
to
recommend
then
and
I
think
the
ink?
We
need
a
line
item
in
the
engagement
model
section
which
is
2-2
to
talk
about
how
we
engage
with
them
or,
alternatively,
into
two.
You
add
a
line
item
to
defer
to
the
engagement
model
in
one
for
the
open
source
communities
and
the
maintainers
as
part
of
that
research
activity
and
then
Define
more
specifically
about
the
appropriate
engagement
as
part
of
going
through
an
incident
or
doing
a
communication
and
collaboration
activity.
A
Fair,
do
you
think
that
we
should
also
do
a
one
or
put
or
I
was
going
to
put
in
or
switch
one
three
and
make
it
like
actually
record
the
scope?
I,
don't
know
we
have
to
go
as
far
as
developing
personas,
but
it's
heavily
recommended
by
first
that
if
you're
gonna
do
a
p
cert,
you
should
probably
put
personas
together.
D
So
this
is
this
is
now
what
I'm
also
trying
to
remember
so
I
apologize
for
being
out
for
a
while
conferences,
they're
a
pain
but
they're
fun,
so
I
think
in
the
education
Sig.
D
They
were
also
working
on
personas
and
I
think
it
would
be
beneficial
to
either
issue
requirements
to
the
education
Sig
of
the
kinds
of
personas
that
we're
looking
for,
because
I
believe
their
goal
with
those
personas
is
slightly
different,
but
they
would
get
value
in
defining
the
kind
of
incident
response
and
open
source
maintainership
personas
that
we
are
looking
for
within
the
cert,
because
I
had
somebody
asked
me
a
question
the
other
day.
A
I
agree
now
this
is
a
question
for
Crowe,
because
you
and
I
are
both
in
the
education
Stig,
so
the
personas
that
we
do
have
are
not
are
vastly
different
from
the
examples
that
first
gave.
Is
that
okay,
or
is
that
something
that
I
should
like
think
about
in
education?
Perfectly.
C
Fine
again,
the
education
has
not
received
a
payload
from
us,
yet
that
we
need
assistance
with
CBD
training,
dessert
training.
The
vulnerability
working
group
does
have
a
set
of
personas
that
we
potentially
can
tweak.
C
You
know
better
refine,
because
right
now
it's
a
maintainer
finder
supplier,
consumer
coordinator,
so
they're
very
high
level.
So
if
we
wanted
to,
we
could
dive
into
and
refine
like
the
maintainer
Persona
and
have
I
am
a
project
contributor
or
I
am
a
devops
engineer.
Whatever
we
wanted
to
focus
in
on
or
I'm
a
piece
of
person
right.
E
A
Could
I
so
are
we
in
agreement
that
I
can
make
that
1.3
and
I
could
also
make
it
a
line
item
to
record
the
scope?
Maybe
review
it
every
year,
because
right
now,
one
of
the
things
Emily
is
that
we
don't
really
have
a
scope,
so
we're
kind
of
going
or
what
krobe
and
I
have
talked
about
is
maybe,
starting
with
it's
always
come
up
about
facilitating
communication.
So
maybe
we
could
start
there.
A
So
that
way
we
could
start
presenting
something
to
the
tax,
because
that
seems
to
be
something
that
everybody
mentioned
in
my
initial
discussions
about
how
Auto
communicate
with
this
person,
because
they're,
hostile
or
Auto
communicate
with
this
person
because
they
never
respond,
or
you
know
like
stuff
like
that.
So
I
think
that
that
would
be
the
most
obvious
thing
that
we
could
solve
like
blow
level
I
would
say
and
then
from
there
I
think
every
year
we
could,
depending
on
how
that
goes,
we
can
expand
our
scope
or
maybe
even
modify
our
scope.
D
Yeah
I
think
1.3
will
be
fine
for
right
now.
Procedures
around
Outreach
to
deaf
communities
about
our
services,
I
think
that's
fine
and
then
just
make
sure
that
we
add
the
Milestone
to
refine
the
existing
just
personas
that
the
Vault
disclosures
group
already
has
set
up
as
part
of
that
process.
B
A
A
C
So
I
have
in
the
notes,
please
feel
free
to
edit
Delete
augment
Emily
notes.
We
want
to
add
refining
personas
as
section
one
to
hone
in
on
who
our
audiences
are.
This
is
going
to
help
us
craft
services
to
address
those
viewpoints.
As
a
group
we
want
to
craft,
we
need
to
fit
and
craft
a
mission
vision
statement
around
kind
of
what
we
are,
what
we're
doing.
D
C
C
Do
have
we
did
not
take
them
for
those
materials
you
and
Francis
worked
on.
We
didn't
transfer
that
over
yet
okay.
C
All
right
any
more
feedback
or
questions
for
Randall
on
stream,
one
foreign.
E
Yes,
yes,
I,
don't
have
the
update
is
that
I
observed
I?
Think
probably
last
week,
some
of
the
folks
on
this
call
worked
on
it.
I
saw
the
Milestones
I,
don't
know
if
I
put
the
milestones
in
I
didn't
look
carefully
at
the
at
the
commit
or
whatever
I
should
have
looked
at,
but
I
saw
that
stuff,
that's
close
to
the
close
to
all
of
it
that
I've
done
I've
been
out
for
at
least
two
weeks,
I
think
with
travel
and
such
or
day
job
things.
E
E
Although
just
earlier
today,
I
think
Emily
said
something
about
2.2
or
1
as
in
something
might
need
to
be
added
and
I
didn't
catch.
What
you
said:
Emily
otherwise
I
don't
have
anything
sort
of
substantial
other
than
you
know,
edit.
The
dock.
E
D
E
C
And
art
we
are,
the
clock
is
yes
past
due
rapidly
ticking,
so
I
would
suggest
that
we
put
together
a
minimum,
viable
cert
set
of
services
and
get
that
out
to
the
group
like
this
week
saying
the
cert
will
commit
to
do
these
three
things
as
our
first
year
offering
and
let
people
start
providing
feedback
on
that.
A
B
D
E
Sure,
let
me,
let's
see
so
almost
everything
I've,
that
as
input
is
in
here
now,
I,
don't
think
I
have
anything
sort
of
new
or
substantial
or
different
I
was
about
to
ask
Crowe
if,
if
that
minimum
minimum
year,
one
c-search
services
is
something
that
goes
in
this
stock
or
at
the
top
of
it
or
it's
a
different,
different
doc
entirely.
The
stock
is
longer
than
that.
C
C
To
add
in
like
hey
in
year,
two
blah
blah
blah
okay,
I
think
this
would
be
a
good
spot
to
do
it,
because
the
governing
board
is
going
to
look
at
it
and
they're
going
to
make
their
choice
for
funding
on
kind
of
what
we're
planning
on
doing
sure.
There
was
a
there
was
a
governing
board
Tac
meeting
last
Friday
and
there
was
a
strong
sentiment
from
the
room
that
boy
howdy.
C
The
governing
board
would
love
it
if
there
was
some
type
of
threat:
intelligence
capability
for
the
open
source,
so
that
is
something
we
could
consider
or
Knack
out
of
hand
depending
on
what
we
want
to
do.
But
basically
their
idea
was
there's
a
problem.
How
do
we
tell
people
about
this
problem
like
let's
say,
open,
SSL
V3,
how
Mark
sent
the
pre-notification,
which
was
awesome,
but
Downstream
consumers
were
confused
and
middle
middle
people
didn't
necessarily
do
what
they
were
supposed
to
do.
D
C
Busy
yeah
well
I
I
didn't
want
to,
but
I
got
voted
to
go,
show
up
there
ball
and
told
that's.
C
And
the
while
the
name
sounds
like
wow.
That
is
exactly
what
we
would
want
to
who
would
want
to
collaborate
with
I
believe
what
the
intention
is
is
to
get
members
to
tell
this
group
of
academics.
These
researchers
like
these
are
the
open
source
prop
packages
I'm
using
in
all
my
dependencies
and
allow
the
academics
to
kind
of
go
through
and
do
research
and
say:
hey
banking
really
uses
a
lot
of
openssl.
C
Exactly
now,
they
have
not
taken
any
steps
forward.
They
have
not
that
group,
that's
one
of
the
many
groups
from
the
plan
that
has
had
no
action.
So
if
we've
come
forth
with
a
proposal
to
say,
wouldn't
it
be
great
if
somebody
managed
kind
of
a
a
what
is
that
an
Isaac
style
knowledge
sharing
Network?
C
That
is
completely
in
the
realm
of
possibility,
but
they
they
are
they're
not
doing
anything
and
that
wasn't
precisely
what
they
had
stated
they
were.
They
would
would
have
liked
to
have
done.
C
C
E
And
that's
the
yeah.
E
C
E
No,
no,
no,
no
yeah,
sorry
I
anchored
on
the
word
threat
and
it
was
about
to
I,
was
gonna.
I
was
muttering
under
my
breath.
Knack
we
should
Knack
it,
but
then
you
described
to
me
sounds
like
what
a
Cirque
would
do,
which
would
be
hey,
there's
a
thing
coming
up:
notify
Downstream
under
embargo,
which
is
a
classic
kind
of
in,
and
that
should
be.
That
should
be
service
one
of
year.
One
in
my
opinion,
that's
like
the.
E
E
You
have
all
the
sharing
fun
that
comes
along
with
that,
and
you
have
openssl
who
went
off
and
made
their
own
policy
which
no
judgment
they
had
reasons
to
and
they
reap
what
they've
sown
and
that's
that's
their
choice.
E
But
that's
that's
the
whole
can
of
worms
of
getting
people
to
agree
to
be
in
the
open
source,
secret
sharing
club
or
not
be
in,
and
it
should
be
done,
though,
if
it's
just
painful
but
I,
think
it's
still
the
right
thing.
I.
C
Mean
yeah
to
wax
philosophical,
a
bit
I
like
the
idea
of
hey
middlemen.
You
have
some
work
coming
up
next
Tuesday,
you
better
be
ready,
because
all
the
people
in
the
know
like
all
of
them
already
are
doing
it
and
already,
but
this
was
for
the
downstream
that
actually
could
deliver
to
the
end.
Consumers.
That's
like
they
I
think
about
the
intention
of
that
notification
was
and
yeah
it.
It's
caused
people.
Some
feels
yeah.
E
A
Well,
I
was
adding
on
to
that,
because
one
thing
that
came
up
during
some
of
the
discussions
I
had
with
Upstream
projects
is
that
they,
because
they
know
I'm
a
lot
involved
with
a
lot
of
packaging-
is
that
we
need
to
stop
solving
things
in
isolation
because
they
do
cause
more
problems
than
not
so
I
wonder
if
the
threat
intelligence
is
a
way
of
maybe
helping
address
that
so
that,
because
yeah
it
gets,
it
gets
really
tricky.
No,
but
yeah
Upstream
really
wants
us
to
stop
solving
things.
You
know
they
say
us.
E
E
The
apt-17
is
coming
after
your
Jimmy's
with
a
ransomware
malware
thing
called
this,
like
that's,
that's
I,
believe
that's
the
a
poor
description
of
threat,
intelligence,
yeah,
vulnerability,
just
coordination,
coordination,
coordinate
disclosure,
vulnerability.
E
E
Meeting
is
now
about
branding
yeah,
okay,.
E
E
C
Everything
else
I
will
happily
cancel
right
now.
In
fact,
I'm
just
gonna
cancel
it
anyway.
B
E
A
C
C
But
do
we
want
to
do
like
morning,
like
okay,.
E
C
E
I
know
once
a
week
I
go
figure
out
why
I
am
not
in
the
anyway
I'll
figure
that
out
probably
asking
you
for
invitation
again.
E
A
C
Francis
and
Emily
put
together,
you
know:
I
can
pull
out
my
old
first
framework,
diagrams
and
Lop
off,
like
talking
to
legal
and
briefing
your
sales
team.
A
My
fear
of
the
P
skeleton
because
I
looked
at
it
yesterday,
is
that
it
we
have
to
define
a
lot
of
things
and
I
think
that
we
really
can't
Define
most
of
it
until
we
have
like
a
survey
or
we
have
like
intended
targets,
because
it
would
be
really
hard
to
like
Define
ingestion.
I
was
trying
to
see
if
I
could
maneuver
it,
but
it
would
be
really
hard.
No.
C
C
Well,
we'll
get
there,
we
need
some
type
of
yeah
triage
once
we
get
the
issue,
how
do
we
what's
our
bug
bar?
What's
in
scope?
What's
not
in
scope
and
then
we
need
some
type
of
output,
whether
that's
you
know
making
a
patch
that's
negotiating
with
a
researcher.
It's
writing.
B
E
Art
so
I
I,
don't
know
if
that
was
quote
unquote
exactly
three
services
or
not,
and
that's
that's
fine
to
me.
That
is
the
core
thing
that
that
pipeline
the
engine.
How
I
propose
we
say:
that's
it
for
year,
one
we're
gonna,
do
that
I
would
say
we
do
not
propose
anything
further
but
and
as
I've
personal
experience
and
I'm
sure
some
of
others.
But
you
do
that
and
you
pretty
quickly
from
your
experience,
figure
out
some
other
interesting
and
good
ideas
that
you
might
need,
and
those
are
your
year,
two
you're
in
things.
E
And
we've
we've
captured
a
lot
of
other
possible
things,
so
we
can
leave.
We
can
leave
all
that
stuff
and
say
you're
one.
This
is
the
core
Focus
fault,
we'll
learn
from
that
we'll
learn
from
our
feedback,
we'll
learn
from
the
things
we
thought.
We
might
also
do
already
written
down
here
see
later
in
the
doc.
E
C
A
I'm
I've
been
privy
to
some
conversations
about
GitHub
advisories,
so
there
might
be
a
chance
that
we
might
be
able
to
leverage
that
as
because
apparently
a
lot
of
people
will
use
it.
So
they
do
have
apis
and
a
bunch
of
stuff
that
they're
integrating
and
releasing
that
are
interesting
to.
If
you
were
to
want
to
kind
of
make
like
a
meta,
cert
and
another
thing,
I
wanted
to
point
out
someone.
We.
C
Also
have
Vince
that
potentially
could
plug
into
that
correct.
A
A
E
Pre-Notification,
almost
any
notification
post
notification
with
no
embargo
is
still
useful
because
cve
or
it
didn't
happen,
sorts
of
things
happen
right
so
and
I
did
this
firsthand
recently
and
it
was
crazy
to
see
that
someone
had
patched
something
and
not
called
it
a
security
issue.
Someone
else
had
not
noticed
the
patch
Downstream,
no
one
had
noticed
frog
or
Downstream,
because
there
was
no
advisory
cve
whatever
to
it.
So
post
notification
can
also
be
pretty
useful.
Absolutely
when
you
find
a
missing
a
missing
supply
chain
thing
that
didn't
happen
so
and.
C
And
that's
I
feel
a
real
pain
point
for
end
consumers.
Oh
yes,
they
don't
know
where
to
look
and
they
don't
have
the
the
staff
to
go,
find
all
of
their
Source
streams
and
if
we
can
help,
you
know,
make
those
connections
yep.
E
I
just
wanted
to
unlimit
our
plan
yeah
from
pre-only,
pre-notification
and
I.
Don't
expect
they're
going
to
be
long,
90-day
embargoes
in
this
world
and
no
one
likes
them
and
no
one
wants
them.
In
fact,
we
may
have
trouble
with
people
keeping
embargoes
and
that's
okay,
I'm,
not
even
not
even
a
judgment.
Just
I
would
expect
very
short
embargoes
if
any
on
on
sort
of
an
average
sort
of
basis.
Well,.
C
And
until
year,
five
I
don't
know
that
we're
going
to
have
an
issue
of
impact.
That
is
that,
like
I
think
initially
we'll
have.
You
know
some
small
to
medium
projects
that
need
some
help
and
we
can
make
some
connections
for
them
and
I
think
that's
how
we'll
probably
be
starting.
Well,
you
know
it's
not
going
to
be
a
heart
lead
right
out
of
the
gate
that
we
need
to
coordinate
thousands
of
companies.
E
E
This
gets
back
to
the
right.
The
10
incidence
a
year
sort
of
discussion.
Do
we
want
do
we
want
to
attempt
to
estimate
or
characterize
what
we
expect
to
happen,
or
do
we
want
to
just
I
mean
this?
It's
a
re.
It
comes
down
to
resources,
though
okay.
The
reason
I
ask
is
my
former
colleague
Alan
householder
has
some
work
that
he
based
on
cert
CC's
data,
which
is
only
certain
CC's
data,
but
probably
not
surprisingly,
it
follows
a
pretty
standard
power
loss,
sort
of
thing
and
you
keep
getting
these
like.
E
C
C
Get
our
our
minimum
viable
set
of
services
together,
and
then
we
can
kind
of
talk
through
kind
of
tabletop
what
we
think
utilization
would
be,
and
then
we
could
put
an
estimate
for
because
again
we're
going
to
be
all
volunteers
plus
a
couple
staff.
You
know
like
a
program
manager,
so
we
can
kind
of
game
out.
We
think
we'll
have,
and
if
we
have
data
that
says
statistically
that
every
year
you've
got
this
many
criticals
or
you
know
you
have
embargo
these
embargoes-
were
this
long.
A
I
think
that
it
would
be
difficult
to
approach
a
project
that
we
haven't
approached
before
and
not
to
mention
they
might
take
it
the
wrong
way.
So
I
almost
think
that
the
goal
that
we
should
have
is
maybe
say
something
like.
We
want
to
get
10
projects
and
then
see
what
type
of
influx
that
creates
and
then
build
off
of
that
to
see
how
many
people
we
can
service
it
might
be
a
way
of
measuring
stuff.
C
And
that's
potentially,
where
we
talk
with
the
Omega
folks,
which
is
you
know
the
bottom:
the
next
thousand
critical
projects
that
aren't
going
to
get
the
hand
the
white
glove
treatment.
It's.
Maybe
we
kind
of
reach
out
to
some
of
those
folks
and
say
you
know,
talk
about
their
problems,
but
I
think
we'll
be
getting
a
lot
we'll
be
collecting
a
lot
of
data
that
will
help
us
for
year.
Two
be
much
more
accurate.
B
E
Yeah
I
mean
oh
shoot,
never
mind,
we
do
have
sorry.
I
did
I'm
going
to
look
for
again.
Former
former
employer.
We
had
a
t-shirt,
101
sort
of
training
course
actually
and
it's
possible.
Those
materials
are
published
somewhere.
A
A
A
C
And
then
let
me
give
up
so
the
update
on
section
three
is
Francis
is
going
to
be
stepping
back
he's
got
some
reprioritization
at
work,
he's
some
new
tasks.
He
has
to
focus
on
the
section
three
we're
basically
kind
of
holding
for,
for
example,
picking
our
Tech
stack.
E
What
is
issue
one?
Oh
sorry,
I.
B
C
C
C
C
E
I'm
busy
typing
into
a
comment
into
issue,
one.
C
And
then
just
so,
you
all
know
for
the
vulnerability
disclosure
working
group,
which
is
our
Mothership
I,
have
a
request
in
to
set
up
some
APAC
meetings,
and
since
we
are
associated
with
that
group,
there
is
the
potential
we
might
be
able
to
recruit
some
additional
collaborators
from
the
APAC
time
zone.
So
as
that
develops
I'll,
let
everybody
know
how
that
progresses.
C
C
D
D
Yeah,
so
if
we're
ready,
I
filed
a
new
issue
on
the
repo.
B
C
The
mission
of
the
cert
is
to
empower
open
source
security
teams
like
open
source
projects
to
be
self-sufficient
and
to
apply
learnings
from
engagement
with
the
cert.
The
cert
will
be
responsible
for
open
source
projects,
requests
for
assistance,
guidance
and
support
and
handling,
processing,
Communications
and
general
management
of
suspected
and
confirmed
vulnerabilities
and
findings
reported
to
them
directly
or
by
proxy
in
a
manner
that
considers
the
community's
existing
response
processes.
C
B
A
A
C
I
really
enjoyed
it.
Everything
up
to
that
sentence,
I'd
like
to
propose
some
rewording
on
that,
but
I
I
liked
the
first
several
sentences,
I
agreed.
E
I
have
a
I
hate
to
Hate
to
be
not
really
a
complaint,
but
I
like
the
self-sufficient
opening,
but
I
I
should
read
more
carefully.
First
there's
a
my
gut.
My
gut
reaction
to
that
is.
We
have
a
bunch
of
independent,
self-sufficient
projects,
which
is,
which
is
a
valid
point
and
good
I.
Don't
think
that
is
well
anyway,
I
think
there's
more
of
a
community
like
we
have
to
work
together
piece,
and
it's
not
that
it's
not
that
a
project
doesn't
have
its
own.
E
You
know
it
can
make
its
own
decisions,
can't
be
its
own.
Adult
can't
can't
work
on
its
own
recognizance,
but
there's
sort
of
no
way
for
a
single
project.
Downstream
of
open
Foo,
that's
Library,
to
kind
of
go
on
their
own
and
I.
Think
that's
where
the
cert
can
glue
together
the
independent
self-sufficient
projects
when
needed
on
a
case-by-case
basis,
so
that
sorry,
the
basically
reacting
very
much
to
that
very
first
sentence,
but
I'll
I.
It's
a
very
quick
first
reaction,
so
just
wanted
to
throw
that
out.
There's
no.
C
D
I'm
hearing
is
a
request
to
include
more
collaboration
with
the
open
source
projects,
either
through
their
requests
for
assistance,
guidance
and
support,
or
maybe
General
questioning,
removal
of
the
significant
critical
concern,
because
that
is
a
execution
detail
that
doesn't
need
to
be
included
within
the
mission
statement.
What
about
the
last
part
in
the
course
of
serving
open
source
projects?
The
cert
will
consider
all
information
provided
seek
to
understand
any
outside
influences
or
additional
factors
to
consider
prior
to
engaging
in
rendering
decision
on
engagement
and
execution
accordingly,
so
that
one's
good.
D
The
intent
of
the
of
how
that
is
structured
is
such
that,
if,
let's
say
several
consumers
of
an
open
source
project
were
coming
to
the
cert
and
say
hey,
we
think
that
there's
a
real
vulnerability
with
this
project
and
the
project
is
not
doing
anything
about
it
that
we're
not
going
to
necessarily
go
knocking
on
their
door.
Unless
it's
like
it's.
C
C
Yeah
I
mean
the
answer
might
be
hey.
Have
you
looked
at
this
mailing
list
or
you
know
here's
the
git
repo,
where
you
we
can
file
an
issue
or.
E
C
Right
I
play.
B
E
E
E
E
E
Just
break
down
I
I
I'm
a
broken
record
here,
but
I
think
the
word
coordinates
or
coordination
would
address
my
yes,
we
can
all
be
self-sufficient
and
empowered
and
learn
from
our
experiences,
but
when
those
shared
issues
come
up,
they
are
indeed
shared,
and
if
the
cert
coordinates,
that's
I
mean
it's
a
word.
We
chose
many
years
ago
to
mean
no
we're
not
telling
you
what
to
do.
No
we're
not
being
completely
hands
off
for
those
who
want
to
play
we're
going
to
get
the
information
shared
and
create
the
facilitate
the
facilitate.
E
All
of
that
enable
it,
but
not
shove
it
down
your
throat.
I
propose
the
word.
Coordination
somewhere
would
would
address
that
my
thought
there
and,
if
you've
already
written
something,
then
don't
worry
about
it
and
we'll
just
look
at
it
in
a
minute.
D
D
The
cert
will
consider
all
information
provided
seek
to
understand
any
outside
influences
or
additional
factors
to
be
considered
prior
to
engaging
and
render
a
decision
on
engagement
and
execution.
Accordingly,
the
search
shall
balance
the
needs
and
constraints
of
the
Project's
requesting
support,
as
well
as
the
needs
of
the
consumers
of
those
projects
to
the
Practical
extent
possible
foreign.
C
B
C
Other
top,
thank
you
very
much
for
that
Emily.
That's
excellent!
Work
really
appreciate
that.
Is
there
any
other
topics
we
want
to.
C
All
right,
thank
you,
we'll
talk
tomorrow
at
10
art.
Do
you
want
to
send
out
a
meeting
or
shall
I.