Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
C: Yeah, hey, I'm Namita. I've been joining the other working group since my first time here for the best practices. I work with Comcast, so yeah, nice to be here.
A: Appreciate that. A couple of businessy things to deal with. I don't know if the foundation sent it out broadly, but it went out to the TAC and other lists that I'm on: we have finalized the 2023 election process.
A: If you are interested in running for the TAC, there is a self-nomination form that takes more than 30 seconds to fill out, but that would be the second one, the TAC candidate form. So if you're interested in running for the TAC, to try to help steer the technical direction of the foundation, throw your hat in the ring with that form. And then there is another category, the SCIR. So there is a Security Community Individual Representative. This is someone from the open source security community that works very closely with the board.
A: So if you're not affiliated with a member org and you want to participate in, again, helping govern and steer the foundation, feel free, you can self-nominate yourself for the SCIR. And there are... oh, I cut out the details when I'm not talking. I'll grab the details, if there's a schedule with which this is going to happen, but basically the nomination and the voting will be done so that we'll have the TAC elected by the end of March.
A: Roger dodger. Next up: next week we will be presenting this working group to the TAC. Every quarter we are responsible for providing feedback as to the working group's activities and kind of the status of any projects, initiatives or SIGs. So I've put together a brief Google Slide that I am waiting on Randall and Glenn to give me SKF updates for, but if anyone else had any additional feedback, please drop me a comment on that doc.
A: There is a call for papers for OpenSSF Day at the OSS NA summit, which will be held in Vancouver, British Columbia, Canada in May. That's going to close off on May 17th.
A: So if this group is interested in presenting anything representing any of our projects, initiatives or SIGs, feel free to submit to that CFP, and I will track down a link for that again once I'm not yammering on. Any questions about that?
A: All right. There will be a town hall for the OpenSSF, where our esteemed members Christine and Jay will be presenting about their efforts on the DEI subcommittee. So this is a town hall that's open to the general public, but we generally get several hundred attendees. It's recorded and just kind of gives a status update on assorted things. So we'll be talking about our DEI efforts within the Education SIG, they'll be giving an Alpha-Omega update, and I believe Mr. Bressers is going to give us an SBOMs Everywhere update.
A: All right, let's move into the exciting part. If you have any additional opens you want to add to the agenda, please do so right below the new friends section. I am going to ask our folks talking about the C and C++ best practices guide, if you just want to give a brief update on where things are with that, while I get some links.
A: As you may know, we elected to start up a new project around refining our C and C++ compiler options guide document. Our friends at Ericsson have a fairly mature document that they will be contributing to us, which we're going to use as a baseline, and then we'll be weaving in some of the additional materials like David had started and a couple of others I had poked at about a year or so ago. So there is a note to where the pull request is for that information.
A: So if you're interested in keeping track of that or participating, don't hesitate to show up. Meetings are every other Wednesday, starting 23 hours from now. So tomorrow at 9:00 a.m. Eastern Standard Time we will have the C and C++ compiler guide chat.
E: I do have one; it's really a procedural question. Frankly, I've been in so many meetings, it's hard for me. I sometimes lose track a little bit. Do we need to procedurally accept, I mean, accept the Ericsson one? Because if we do, I want to make sure the answer is yes. If there's a process thing, I want to make sure we have agreed. Let's pull it in; I'm excited about this thing moving.
E: But if we're waiting for an agreement from this group, then I'd like to call it, you know, raise it, look around and say yay, which I suspect is the answer, and then move on. Are we yay at this point, right? Or has that kind of been assumed already?
F: So I sure don't want to oppose it. I have no issue personally with this, though. They're welcome to contribute that content, but I know that normally LF does some kind of, at least for software, right, there is some process for IP clearance and whatnot. Does that matter here? I think David has a point. I mean, procedurally the working group should, you know, make a decision that, yes, we are welcoming this content, we're going to take over control over that content, which, you know, the working group could say.
E: There needs to be a copyright license and, in the end, if there's a trademark that's specific for that particular work, then we need to deal with that, and if there's a domain... in this particular case there's no domain, I believe. I mean, please correct me if I'm wrong, I thought it was CC BY, but I may be mistaken, but I think it was. We can see from the proposal, right?
A: All right, we'll make that one of the first points of the call tomorrow, but if anyone has any strong objections or counter-proposals, please note that or show up in the call tomorrow and we'll get moving forward on that, ideally very shortly.
A: All right, David, would you like to talk about the concise guides?
E: This basically came up because, you know, it says it's a guide for evaluating open source software, and I think when we wrote this we were thinking, hey, for software developers bringing in libraries, but it turns out that there's end-user software as well, and people aren't always as sophisticated. And although we could rewrite it more generally, most of it reads well enough for that case, except that there's an implication that the person who brings in the software will directly evaluate the software, but that's actually not always true.
E: Even for developers, oftentimes you ask somebody else. You may even pay somebody else to do the evaluation. So I'd like to tweak it a little bit so that, hey, you can do your own evaluation or you can ask someone else to do it for you. I think that's a reasonable alternative. You can see the specifics there. Any objections to this change?
E: I have a superpower: it's being able to push the button that says "merge pull request." I have pushed it. Look at this, we've already progressed. Although, you know what, the date's wrong at the top. Do we actually want to keep that date? No? All right, I'm gonna make a quick motion: let's just remove the date on the top. I mean, second.
E: Fair enough, but so much voting. I think voting is the last desperate measure, if we absolutely must, but I'd rather work by broad consensus. But more specifically, I'd rather know if there is an objection.
A: Well, and ideally I'd like us to get to the point where we're doing a lot of this bookkeeping through issues and PRs, and we can curate the list right through our agenda if there's anything that needs a broader group discussion, and then just have people chime in via GitHub with their opinions on stuff. Like, you know, smaller stuff like this.
A: So, while David refreshes his memory, you will remember that we had agreed another project we're going to work on is a source code management best practices guide. A group of us are meeting every other week, and those calls are, la la la, those are every other Thursday at 10 a.m. The next call will be on the... in the future.
A: So Noam has had some good content that we were starting to use as a baseline, and then Dan has put this into a delightful little app called CryptPad, where we can simultaneously edit and preview how it might look. So Dan has staged kind of a draft right now; we are starting to ingest the content and starting to think about how we want to organize it. So would anyone else like to talk about this exciting topic?
D: I don't think there's much to say other than what you said. The last meeting we talked... there was another... Noam also circulated a spreadsheet which also broke down, in fact, some suggested organizational points. The idea is to take the document, which is... here's the pad link, which, careful with that link, it's an edit link; that link grants edit rights, so don't spread it around, but you can see from that document...
D: ...what we are talking about, and then have the thing to do in GitHub, the thing to do in GitLab, and then potentially the thing to do in other SCM projects as well. And so there's this organization of some suggested top-level orgs, and then Noam circulated another thing, which was in the form of a Google Sheet, that broke down the things into a different, but overlapping, set of organizational top-level...
D: ...organizational items, which I took the action to try and resolve, and I haven't done that yet. But I will do it before the next call. The SCM, right, yeah.
G: And in addition to that, we're also looking at figuring out who's going to be reading this best practices guide and organizing it in a way that would make sense for them, and so one of the other action items that's coming out of this is to think about the personas.
G: And so some of the personas could be folks who deal with a lot of repos, and the repo maintainer. And then the other thing that we are also looking at is reorganizing some of the content in terms of, like, operations, like how does somebody think about it, because with SCM, if they're doing something for the first time, like creating a repo or an organization.
A: Any questions for the group? I see Judy has one. You want to talk about that real quick, Judy?
H: Oh, hi, everybody. First of all, it's the first time I've seen this, so thank you for sharing. I'm in awe, and I'm going to look into this. At first glance, in the last five minutes, it looks great. My initial question was how the severities were being rated. Do they link back to CWE or CVSS scoring, or how did he come up with those? Anybody? That'd be great. Thank you.
D: Especially... that was great, I was looking at the spreadsheet. I was like, yes, yes, this is great, so yeah, really. And by the way, the CryptPad link that I circulated, that is a self-hosted one; CryptPad is an open source project. That particular link is self-hosted at w3ctag.org, because that's a self-hosted one that we use in one of the other groups that I'm in, the TAG group in W3C.
H: Thanks, Dan, yeah, I was wondering. Thank you, that's brilliant. Yeah, and thanks for the update on the severity. I'll watch this space on the decisions on how you've gone, because it is all about context. Successfuls.
E: I'm assuming that we're going to be editing this a little while and eventually pulling it into GitHub. It's going into GitHub, correct? Yeah.
G: Yeah, on the severity point, one of the things that came from the previous meeting: David suggested we look into Scorecards or kind of like matching up some of the information from there, so that probably will play into the decision of the severity as well.
A: Awesome. Any additional questions or feedback about either of the guides?
A: We have a couple of our member projects that typed in some updates, so please take a moment and just take a peek at that. I will showcase: our friends over in Scorecard are going like wildfire right now. They've had a lot of pretty substantial updates, including that their API just went GA. So please take a look at that and, you know, feel free... I think Azeem and crew got their meeting agenda and notes put at the top of our document.
A: So if you're curious, you can go look at their repo or their meeting notes. So at this point, do we have any opens we would like to discuss as part of our time together? Mr. Wheeler?
E: Yeah, one. I put it in the security fundamentals course, but yeah, there's...
E: There is an interesting discussion, and this is highly technical, but one of those which I've been struggling for information on. So historically in HTML, if you add a target value in an a tag that refers to anything other than, well, _self, it can lead to a vulnerability. If this sounds highly specific and technical, you ain't kidding. That said, historically there have been some potential security problems, so the pull request is 108.
E: It's in the link there. Right now there is a discussion of browsers having made some changes in an attempt to counter this problem. Is this now a historical problem? And it turns out that it's very, very hard to be... there's endless discussions about, well, there's a problem, here's a countermeasure, it's not clear if we've solved it or not. Is this historical? Is this still a problem? What is the problem? So if anybody has any...
J: You can do nice phishing attacks, stuff like that, right? Yeah, I made myself look like a clown in the last training I did, because I have a nice lab about it and I tried it in every browser that I've got on my operating system, and indeed it is not... it's an issue from the past. Now there is something to say, of course, you know, if we still want to teach it or add the fitness to it, because, yeah, reality is not everybody updates and uses the latest version of a browser, right?
J: So that's a bit where, yeah, where I also have the issue. Like, yeah, theoretically, if you use one of the latest versions of browsers, it is not an issue anymore, but again, if you're not so security aware and you use an old browser, yeah, you have that issue, but probably you have bigger issues than that.
E: There we go. I don't think that we... you know, if the moral of the story is that if you use an old browser, old security vulnerabilities will happen, this is not news and it's just not worth it. You know, if it's old and no longer relevant, I'd rather just cut the material. Life is hard enough to teach stuff without teaching stuff that's no longer relevant. I mean, it would be fine to have a very short statement that said, hey, this used to be a problem.
D: I mean, you know, browsers have been auto-updating for a while, so, right, yeah.
D: The problem is, it comes on exercise machines and refrigerators and stuff like that, where the browser... I'll be right back.
E: Seriously, there is no point in trying to explain the impossible. Now, I do think it's appropriate to briefly mention this used to be a problem, if that's the case. If it's still a problem, then we need to say so, and where it is, and what to do to deal with it, but I don't want to explain how to avoid a problem that isn't a problem anymore.
A: So, if I could get the group to put your feedback into PR 108, yes. And Dan mentioned that he would talk about it with the Chromium folks and see if it comes from his other contacts, so we can actually maybe get it straight from the horse's mouth, so to speak, the browser folks. That would be helpful.
E: Yep, and I would be delighted to get rid of it, or something short like: this was a problem, and then it was solved, and here's how. That would actually be my deal: this was a problem, here's how it was solved, and we move on, because, you know, there's no point in expending a lot of cycles trying to explain a problem that is historical.
E: Right, we actually do talk about that, and in fact that one's actually already addressed; it's actually countered in multiple ways. The SameSite cookie does counter it for the general case; pretty much all frameworks use the hidden tokens also, and frankly, having both... But it's much easier to explain. We don't really have to go far. We just tell them, hey, use a framework that does this and, you know, use the SameSite cookies, which are the default, and we move on.
J: The other things that are not the session cookie, that's okay, right? But yeah, for your session cookie you should indeed have that SameSite set to a very restrictive mode, and then you also have CSRF protection, but only if you use the latest browsers, right? So yeah.
E: It's been true for a couple of years now, so we've been telling people to do both. You know, because that's cheap, that's easy, and it deals with the problem of people who turn off the SameSite stuff, which they shouldn't. Yeah, people do. Yes, Dan.
D: Does your document already talk about things like Spectre and Meltdown and weird cross-process, right, you know, exploits and...
E: ...channels, yeah. I don't... it may briefly talk about it. The problem there is that Meltdown and Spectre are really important for kernel authors and for people who are writing crypto libraries. That's not the primary expected audience for this.
E: ...enough, but, you know, same problem, if you... but for virtualization, containers, it's not someone who is creating a container, it's someone who's creating the runtime that runs the container where this really hits you, but most people aren't doing that. So, while it's important, let's see here, I don't know that we do.
D: There's a lot of stuff that's coming. So in my other life, I'm in TAG; we review... This is a weird, this is a very strange, I don't know, convergence here, because in my TAG group that I mentioned, we spend a lot of time reviewing other people's web specifications, and there are a lot of new things that are coming specifically out of the Chromium security team that are all trying to address these issues around process origin.
D: This is a perfect topic for the workshop that we should be having in June, exactly, where we bring W3C and web security people and OpenSSF people together. So yeah.
E: Okay, fair enough. Yeah, I mean, so the course does talk briefly about side-channel attacks. It doesn't really... primarily within the scope of crypto libraries, so it talks about timing attacks and cache attacks and so on. We don't talk about Spectre or Meltdown specifically, but basically it notes the existence of that, and really what we're suggesting is, hey, these kinds of attacks exist; when you're selecting crypto systems, they often are targets of these kinds.
E: So you need to make sure that any crypto you use is implemented to counter those. You know, and this is the challenge here, the audience is a general app developer. I am painfully aware of Spectre and Meltdown; I actually led the... a group. Yes, yeah, you can cover your escrow... I actually led a team that dealt with guidance and response to Spectre and Meltdown within a certain large government agency where that really matters, but, you know, the expected audience for this is different.
E: Yeah, please, if you think there's something missing: missing is always the hardest thing to determine in any document, you know. So, for example, I did walk through the OWASP Top... well, the OWASP Top 10, both the previous and current version, the CWE Top 25, which is actually a top 40, both the previous and current versions. So we cover all those. We cover all those... All Souls in Schroeder, Mr. Crowe. Your...
A: ...ears are covered, and then your hands are up. I know, if we're interested, some of the training material my organization is donating to the Education SIG is around troubleshooting hardware vulnerabilities like side channels.
A: So if we're interested, and I also happen to know many of the researchers that discovered many of these vulnerabilities, if we feel that would be useful for the common body of knowledge, we could try to coordinate finding information, if it's useful for developers to have this stuff outside of, like, crypto. For crypto folks it's critical, but for a lot of other folks it's not quite as interesting.
E: Yeah, I love the idea of making that kind of thing a separate doc. I mean, I have a double-E degree, so I can be dangerous in electronics as well, but I think there are so many software developers who... there are a number of folks who are doing code development who'll develop the hardware and the software simultaneously; it makes sense to have some overlap, but I think a lot of people never touch the hardware. You know, they wouldn't know a resistor if it smacked them in the face.
E: Right, so Dan and Glenn, and, oh, everybody else, thank you so much for helping me track this down, because it's been one of those... you know, my Google fu is just not good enough. I find lots of people discussing, well...
E: You know, in spite of that, it really is amazing tech; it's going to change a whole lot of things, but the problem in this case is I don't need an answer. I need something, a justification and evidence, that's actually the correct answer. So.
A: All right, do we have any other opens we would like to discuss today? Good conversation so far.
B: Like, yeah, hey Glenn, do you wanna... basically we're talking about a meeting to, like, discuss SKF things, like additions that'll go into SKF improvements. We're talking to Jay and a bunch of different people about different things that we want to do, and we just think it would be good to involve and keep OpenSSF in the loop, and we also think it would be good to bring some of our Linux Foundation friends to a gathering point there as well.
A: No, I think that'll be very useful. I would strongly encourage anyone interested in SKF, which has been a member project since almost the beginning, a great tool, kind of the linchpin of a lot of our ideas around the Education SIG, so I think more participation and collaboration there would be very useful for everybody.
M: I'm just gonna give a brief update on the topic of the best practices for maintainers. There's a topic going on about CVE issuance for, or sorry, disclosing vulnerabilities in software that you vendor. Is that bringing a Velcro?
M: It's fair, anyways. So there's a discussion, pretty sure it's this group, the Best Practices Working Group, or the Vuln group, and well, it's a little bit of both. It's about how, if you are a maintainer of a piece of software and that piece of software vendors dependencies (for example, you take a dependency that is a JAR and then repackage that inside of your project), basically you take a dependency and you repackage it in such a way that it's not easy for your downstream consumers to update their dependencies, update transitive dependencies.
M: If you have a vulnerability in a vendored dependency, you should be issuing an advisory with the same existing CVE number stating which version of your product fixes that vulnerability. And so I am working with somebody at Red Hat; I have somebody on the calendar, I've heard of them, yeah, to try to discuss that topic and come up with a short guide for that topic. So there's a thread in the Best Practices Working Group, as far as I know, if anybody's interested in that topic.
A: Yeah, you opened an issue, issue 114. Yes.
M: 114. So if anybody's interested in that topic, feel free to ping me on Slack or respond to that issue in the thread in GitHub.
B: So yeah, so certain system integrators that work in Linux, I don't know whatever you want to say, because... let me finish what I was going to say. So Canonical decided to endorse snaps, where there was a movement late last year to endorse Flatpak, and there's a lot of security jargon that's being thrown around and a lot of investment that's being done around these security improvements, and I don't know if they're all necessarily security improvements, but we've never really talked about these groups, and I...
B: ...don't know if that's something we want to talk about eventually, because there is a lot of investment going into both of these next-gen packaging ecosystems and there's a lot of talk about how they operate, why they operate the way that they do and whatnot, and I feel like, to a certain degree, they're operating with no oversight, so they can kind of say whatever they want to say, and I think that's going to end up being a problem.
A: Then I can circle back to Randall's next-gen packaging.
E: Not yet, okay, yeah. All right, so I would suggest, Jonathan, that, first of all, I'm actually fine with the idea of: if you vendor it, the CVE applies to you too. But if that's the rule, that would apply not just to open source but to all closed-source vendors, who, you know, typically release products with a lot of components inside them, and they're vendoring them, basically. In many, many cases, you're...
M: This is... if you look at any current CVE, you will see that as the CVE life cycle continues, vendors do disclose vulnerabilities. They're just... like, look at any old CVE and you'll see that Oracle, you know, Apache Software Foundation, all of those other links get added to that CVE stating this project, that project, this other project all fixed the CVE at this point in our history. And so this is me not, like, interpreting CVE this way. This is a well-established process that you can see on any existing CVE number.
E: All right, that wasn't as clear, okay, fair enough, yeah. It's just... I think it will be wise to coordinate with the CVE folks, even though this is past process practice. You know, it's past practice for the closed source, but I'm not sure it's always as consistent as it should be, and if we're going to do this for the open source as well, frankly, I think it makes sense. We just, I think, want to talk to... this is the thing we're going to suggest.
A: Jonathan's verification through me, but I understand what he's going for, yeah.
M: I'm sure... CVE, the CVE board and the CVE teams are traditionally really hard to get in communication with, but sure.
A: Though, if you can write me a well-written email, I will take that and approach my friends within the CVE community, yeah.
M: I'm also talking to GitHub and Madison Oliver about, hey, can vendors, or can maintainers, publish CVEs or publish GitHub security advisories with existing CVEs, and can you go and update the upstream CVE for them? So that's like a thing that automatically happens. And Madison... so they don't do that now, but that's something that they could do in the future, for us, to just make the maintainers' lives easier for those who are using GitHub.
L: Yeah, hi everyone, I'm new here. Let me chime in on that subject of next-gen packaging, because it actually calls back to the subject of transitive dependencies and CVEs in them, because Flatpaks, snaps, container images for that matter, they all include a bunch of things in a kind of a flat-packed way, pun intended, where there is no particular regard to a dependency on some other baggage.
L: Rather, it's just included as it is, and when it comes to, for example, addressing a particular CVE, a Flatpak almost always has to be reissued if something inside of it contains a vulnerability now. So that's... I think I have to agree with David that it's just something that CVE people might not realize, but it's already happening in a very, very widespread manner, both in the open source and in the closed source community. And by the way, David, I...
A: So any additional feedback or comments for either Jonathan's vendoring PR or the kind of next-gen Flatpak conversation?
A: All right, any additional questions, comments, anything to discuss?
A: All right, we chatted about a lot of things today. Thank you all for your participation, and we will see you all very soon, and again, tomorrow is the C and C++ guide little group, so feel free to join us there to talk more about that. Enjoy the rest of your day, everybody.