►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A
A
A
A
If
you
are
interested
in
running
for
the
TAC,
there
is
a
self-domination
form
that
takes
more
than
30
seconds
to
fill
out,
but
that
would
be
the
second,
the
tech
candidate
form.
So
if
you're
interested
in
running
for
the
TAC
to
trying
to
help
steer
the
technical
direction
of
the
foundation,
throw
your
hat
in
the
ring
with
that
form,
and
then
there
is
another
category
the
scir.
So
there
is
a
security
Community
individual
representative.
So
this
is
someone
from
the
open
source
security
community
that
works
very
closely
with
board.
A
Roger
dodger
next
up
next
week
we
will
be
presenting
this
working
group
to
the
TAC
every
quarter.
We
are
responsible
for
providing
feedback
as
to
the
working
group's
activities
and
kind
of
status
of
any
projects,
initiatives
or
sigs.
So
I've
put
together
a
brief
Google
slide
that
I
am
waiting
on
Randall
and
Glenn
to
give
me
SKF
updates,
but
if
anyone
else
had
any
additional
feedback,
please
drop
me
a
comment
on
that
doc.
A
A
A
All
right
there
will
be
a
town
hall
for
the
open
ssf,
where
our
esteemed
members,
Christine
and
Jay
will
be
presenting
about
their
efforts
on
the
de
Andi
subcommittee.
So
this
is
a
town
hall,
that's
open
to
the
general
public,
but
we
generally
get
several
hundred
attendees.
It's
recorded
and
just
kind
of
giving
a
status
update
on
assorted
things.
So
we'll
be
talking
about
our
de
and
I
efforts
within
the
education,
Sig
they'll
be
giving
an
alpha
and
omega
update
and
I
believe
Mr
bressers
is
going
to
give
us
an
s-bombs
everywhere.
A
A
All
right,
let's
move
into
the
exciting
part,
if
you
have
any
additional
opens,
you
want
to
add
to
the
agenda.
Please
do
so
right
below
the
new
friends
section.
I
am
going
to
ask
our
folks
talking
about
the
C
and
C
plus
plus
best
practices
guy.
If
you
just
want
to
give
a
brief
update
on
where
things
are
with
that,
while
I
get
some
links.
A
As
you
may
know,
we
elected
to
start
up
a
new
project
around
refining
our
C
and
C,
plus
plus
compiler
options
got
document.
Our
friends
Ericsson
have
a
fairly
mature
document
that
they
will
be
contributing
to
us,
we're
going
to
use
as
a
Baseline
and
then
we'll
be
weaving
in
some
of
the
additional
materials
like
David
had
started
and
a
couple
others
I
was
had
poked
at
about
a
year
or
so
ago.
So
there
is
a
note
to
where
the
pull
request
is
for
that
information.
A
E
I
I
do
have
one
it's,
it's
really
a
procedural
question.
Frankly,
I've
been
in
so
many
meetings,
it's
hard
for
me.
It
I
sometimes
lose
a
track.
A
little
bit.
Do
we
need
to
procedurally
accept
I,
mean
accept
the
Erickson
one,
because
if
we
do
I
want
to
make
sure
the
answer
is
yes,
if
there's
a
process
thing
I
want
to
make
sure
we
have
agreed.
Let's
pull
it
in
I'm
excited
about
this
game
moving.
E
A
F
So
I
sure
don't
want
to
oppose
it.
I
have
no
issue
personally
with
this,
though,
they're
welcome
to
contribute
that
content,
but
I
I
know
that
normally
LF
does
some
kind
of
at
least
for
software
right.
There
is
some
process
for
like
IP
clearance
and
whatnot.
Does
that
matter
here,
I
think
Dave
has
David,
has
a
point,
I
mean
procedurally
the
working
group.
Should
you
know,
make
a
decision
that,
yes,
we
are
welcoming
this
content,
we're
going
to
take
over
control
over
that
content,
which
you
know
the
working
group
could
say.
F
E
E
E
There
needs
to
be
a
copyright
license
and
in
the
end,
if
there's
a
trademark
that
you
know
that
specific
for
that
particular
work,
then
we
need
to
deal
with
that
and
if
there's
a
domain
in
this
particular
case,
there's
no
domain
I
believe
I
mean
please
correct
me.
If
I'm
wrong,
I
thought
it
was
CC
buy,
but
I
I
may
be
mistaken,
but
I
think
it
was.
We
can
see
from
the
proposal
right
did.
A
E
A
E
E
A
E
E
This
basically
came
up
because
you
know
it
says
it's
a
guide
for
evaluating
open
source
software
and
I.
Think
when
we
wrote
this,
we
were
thinking
hey
for
software
developers
bringing
in
libraries,
but
it
turns
out
that
there's
end
user
software
as
well,
and
people
aren't
always
as
sophisticated
and
although
we
could
rewrite
it
more
generally,
most
of
it
reads
well
enough
for
that
case,
except
that
there's
an
implication
that
the
person
who
brings
in
the
software
will
directly
evaluate
the
software,
but
that's
actually
not
always
true.
E
Even
for
developers
oftentimes,
you
ask
somebody
else.
You
may
even
pay
somebody
else
to
do
the
evaluation,
so
I'd
like
to
tweak
it
a
little
bit
so
that
hey
you
can
do
your
own
evaluation
or
you
can
ask
someone
else
to
do
it,
for
you
I
think,
that's
a
reasonable
alternative!
You
can
see
the
specifics
there.
Any
objections
to
this
change.
E
I
have
a
I
have
a
superpower,
it's
being
able
to
push
the
button
that
says,
merge,
pull
request,
I
have
pushed
it
look
at
this.
We've
already
progressed,
although
you
know
what
the
date's
wrong
at
the
top.
Do
we
actually
want
to
keep
that
date?
No,
all
right!
I'm
gonna
make
a
quick
motion.
Let's
just
remove
the
date
on
the
top
I
mean
second.
A
E
E
A
Well
and
ideally,
I'd
like
us
to
get
to
the
point
where
we're
doing
a
lot
of
this
bookkeeping
through
issues
and
PR's,
and
we
can
curate
the
list
all
right
through
our
agenda.
If
there's
anything
that
needs
a
broader
group
discussion
and
then
just
have
people
chime
in
via
GitHub
on
their
opinions
on
stuff.
Like
you
know,
smaller
stuff,
like
this.
A
A
So,
while
David
refreshes
his
memory,
you
will
remember
that
we
had
agreed
another
project.
We're
going
to
work
on
is
a
source
code
management,
best
practices
guide.
A
group
of
us
are
meeting
every
other
week
and
those
calls
are
la
la
la
those
are
every
other
Thursday
at
10
A.M.
The
next
call
will
be
on
the
in
the
future
and.
A
So
Noam
has
had
some
good
content
that
we
were
starting
to
use
as
a
Baseline,
and
then
Dan
has
put
this
into
a
delightful
little
app
called
Crypt
pad,
where
we
can
simultaneously
edit
and
preview,
how
it
might
look
so
Dan
has
staged
a
kind
of
a
just
a
draft
right
now
of
we
are
starting
to
ingest
the
content
and
starting
to
think
about
how
we
want
to
organize
it.
So
would
anyone
else
like
to
talk
about
this
exciting
topic.
D
I,
don't
think,
there's
much
to
say
other
than
what
you
said:
I
I,
the
the
last
the
last
meeting
we
we
talked
there
was
another
gnome
also
circulated
a
spreadsheet
which
also
broke
down.
In
fact
the
or
the
some
suggested
organizational
points.
The
idea
is
to
take
the
document,
which
is
here's
the
pad
link
which
careful
with
that
link.
It's
an
edit
that
link
allows
to
edit
rides
so
don't
spread
it
around,
but
the
you
can
see
from
that
document.
D
H
Oh
hi,
everybody.
It
looks
first
of
all
this
out.
It's
the
first
time,
I've
seen
this.
So
thank
you
for
sharing
I'm
I'm
in
awe
and
I'm
going
to
look
into
this
I
was
just
it
looks
first
glance
in
the
last
five
minutes.
It
looks
great.
My
initial
question
was
how
the
severities
were
being
rated.
I
read
the
link
back
to
cwe
or
cbss
scoring
are
how
did
he
come
up
with
those
anybody?
That'd
be
great.
Thank
you.
I
I
I
D
Especially
was
great,
I
was
looking
at
the
spreadsheet.
I
was
like
yes,
yes,
this
is
this.
Is
this
is
great,
so
yeah
really
yeah
and
by
the
way
on
pad
the
link
that
I
circulated.
That
is
a
self-hosted,
so
out
is
an
open
source
project
that
particular
link
is
self-hosted
at
w3ctag.org,
because
that's
the
that's
a
self-hosted
one
that
we
use
in
one
of
the
other
groups
that
I'm
in
in
the
tag
group
in
w3c.
H
A
A
A
We
have
a
couple
of
Our
member
projects
that
typed
in
some
updates,
so
please
take
a
moment
and
just
take
a
peek
at
that
I
will
showcase.
Our
friends
over
in
scorecard
are
going
like
wildfire
right
now.
They've
had
a
lot
of
pretty
substantial
updates,
including
that
their
API
just
went
GA.
So
please
take
a
look
at
that
and
you
know
feel
free,
I
think
I
have
there
no
I,
think
azim
and
crew
got
their
meeting
agenda
and
notes
put
at
the
stage
at
the
top
of
our
document.
A
E
There
is
an
interesting
discussion
his
and
this
is
a
highly
technical,
but
one
of
those
which
I've
been
struggling
for
information
so
historically
in
HTML,
if
you
add
a
Target
value
in
an
a
tag,
it
refers
to
anything
other
than
well
underscore
self.
It
can
lead
to
a
vulnerability
if
this
sounds
highly
specific
and
Technical.
You
ain't
kidding
that
said.
Historically,
there
have
been
some
potential
security
problems,
so
the
the
pull
request
is
108.
E
It's
in
the
link
there
right
now
is
a
discussion
of
browsers
have
made
some
changes
in
an
attempt
to
counter
this
problem.
If
this
is
this,
now
a
historical
problem-
and
it
turns
out
that
it's
very
very
hard
to
be
there's
endless
discussions
about
well,
there's
a
problem:
here's
a
counter
measure,
it's
not
clear
if
we've
solved
it
or
not,
is
this
historical?
Is
this
still
a
problem?
What
is
the
problem?
So
if
anybody
has
any.
E
C
J
You
can
do
nice,
phishing
attacks
stuff
like
that
right,
yeah,
I'm,
I,
made
myself
look
like
a
clown
in
the
last
trainings
I
did
because
I
have
a
nice
lap
about
it
and
I
tried
it
in
every
browser
that
I
got
on
my
operating
system,
and
indeed
it
is
not
it's
an
issue
from
the
past
now
there
is
something
to
say,
of
course,
you
know
if
we
still
want
to
teach
it
or
add
the
fitness
to
it,
because
yeah
reality
is
not.
Everybody
updates
and
uses
the
latest
version
of
router
right.
J
So
that's
a
bit
where
the
the
yeah,
where
I
also
have
the
issue
like
yeah
theoretical.
If
you
use
one
of
the
latest
versions
of
browsers,
it
is
not
an
issue
anymore,
but
again
if
you're
yeah,
not
so
security
aware
and
you
use
an
old
browser
yeah,
you
have
that
issue,
but
probably
you
have
bigger
issues
than
that.
There.
E
We
go
I
I.
Don't
think
that
we,
you
know
if
the.
If
the
moral
of
the
story
is
that,
if
you
use
an
old
browser,
old
security
vulnerabilities
will
happen,
this
is
not
news
and
it's
just
not
worth
I.
You
know
if,
if
it's
an
old
and
no
longer
relevant,
I'd,
rather
just
cut
the
material,
it's
a
life
is
hard
enough
to
teach
stuff
without
teaching
stuff.
That's
no
longer
relevant.
I
mean
it
would
be
fine
to
have
a
very
short
statement.
That
said,
hey
this
used
to
be
a
problem.
K
E
L
D
B
E
E
A
E
K
E
Seriously
seriously
there
there
is,
there
is
no
point
in
trying
to
explain
the
the
The
Impossible
now
I
do
think
it's
appropriate
to
briefly
mention
this
used
to
be
a
problem.
If
that's
the
case,
if
it's
still
a
problem,
then
we
need
to
say
so
and
where
it
is
and
what
to
deal
with
it,
but
I
I
don't
want
to
explain
how
to
avoid
a
problem
that
isn't
a
problem
anymore.
A
E
Yep
and
I
would
be
delighted
to
get
rid
of
it
or
some
something
short
like
this
is
a
problem
and
then
it
was
solved
and
here's
how
that
that
would
actually
be
my
deal
would
be.
This
was
a
problem,
here's
how
it
was
solved
and
we
move
on
because
you
know
there's
no
point
in
expecting
a
lot
of
Cycles
trying
to
explain
a
problem.
That
is
historical.
E
Right,
we
actually
do
talk
about
that
and
in
fact
we
specif
that
one's
actually
all
readdressed,
where
we
it's
actually
countered
in
multiple
ways,
the
same
site
cookie
does
counter
it.
For
the
general
case,
pretty
much
all
Frameworks
use
the
hidden
tokens
also
and
frankly,
having
both.
But
but
it's
it's
much
easier
to
explain.
We
don't
really
have
to
go
far.
We
just
tell
them
hey,
use
a
framework
that
does
this
and
you
know,
use
the
same
site
cookies,
which
are
the
default,
and
we
move
on.
J
E
L
E
J
E
E
E
Enough
but
but
you
know
same
problem,
if
you,
but
for
for
virtualization
container,
it's
not
someone
who
is
creating
a
container,
it's
someone
who's,
creating
the
runtime.
That
runs
the
container
where
this
really
hits
you,
but
most
people
aren't
doing
that.
So,
while
it's
important,
let's
see
here,
I,
don't
know
that
we
do.
D
There's
a
lot
of
stuff,
that's
coming
so
in
my
other
life,
I
I'm
in
tag
we
review.
This
is
a
weird.
This
is
a
very
strange
I,
don't
know
convergence
here,
because
in
in
my
in
tag
group
that
I
mentioned
we,
we
spend
a
lot
of
time
reviewing
other
people's
web
specifications
and
there
are
a
lot
of
new
things
that
are
coming
specifically
out
of
the
chromium
security
team
that
are
all
trying
to
address
these
issues
around
processor
origin.
D
E
Okay,
fair
enough
yeah
I
mean
so
so
the
the
course
does
talk
briefly
about
side,
Channel
attacks.
It
doesn't
really
primarily
in
within
the
scope
of
crypto
libraries,
so
it
talks
about
timing,
attacks
and
cash
attacks
and
so
on.
We
don't
talk
about
Spectrum
meltdown
specifically,
but
but
basically
it
notes
the
the
existence
of
that,
and
but
really
what
we're
suggesting
is
hey
these
kinds
of
counter.
These
kinds
of
attacks
exist
when
you're
selecting
crypto
systems,
they
often
are
targets
of
these
kinds.
E
So
you
need
to
make
sure
that
any
crypto
you
use
is
implemented
to
counter
those.
You
know-
and
this
is
the
challenge
here-
the
the
audience
is
a
general
app
developer.
I
am
painfully
aware
of
Specter
meltdown
I,
actually
LED,
the
a
group.
Yes
yeah,
you
can
cover
your
escrow
I,
actually
led
a
team
that
dealt
with
guidance
and
response
to
Specter
and
meltdown
within
a
certain
large
government
agency
where
that
really
matters
but
the,
but
you
know
the
expected
audience
for
this
is
different.
E
E
Yeah,
please,
you
think,
there's
something
missing:
missing's,
always
the
hardest
thing
to
determine
in
any
document
you
know.
So,
for
example,
we
I
did
walk
against
the
owas
top
duck.
Well,
the
owas
top
10,
both
of
the
previous
and
current
version,
the
cwe
top
25,
which
is
actually
a
top
40,
both
the
previous
and
current
versions.
So
we
cover
all
those
we
cover
all
those
All
Souls
in
Schroeder,
Mr
Crowe.
Your.
A
E
Yeah
I
love
the
idea
of
of
making
that
kind
of
of
thing.
A
separate
dock
I
mean
I
have
a
double
e
degree,
so
I
can
be
dangerous
in
electronics
as
well,
but
I
I,
think
there's
so
many
software
developers
who
there
are
a
number
of
folks
who
are
doing
code
development,
they'll,
develop
the
hardware
and
the
software
simultaneously.
It
makes
sense
to
have
some
overlap,
but
I
think
a
lot
of
people
never
touch
the
hardware.
You
know
they
wouldn't
know
a
resistor
if
it
smacked
him
in
the
face.
E
E
G
A
B
Like
yeah,
hey
Glenn,
do
you
wanna,
basically
we're
talking
about
a
meeting
to
like
discuss,
SKF
things,
things?
How
like
additions?
That'll
go
into
SKF
improvements,
we're
talking
to
Jay
and
a
bunch
of
different
people
about
different
things
that
we
want
to
do,
and
we
just
think
it
would
be
good
to
involve
and
keep
open
ssf
in
the
loop,
and
we
also
think
it
would
be
good
to
bring
some
of
our
Linux
Foundation
friends
to
a
gathering
point
there
as
well.
A
No
I
think
that'll
be
very
useful.
I
would
strongly
encourage
anyone
interested
in
SKF,
which
has
been
a
member
project
since
almost
the
beginning,
a
great
Tool
kind
of
the
linchpin
of
a
lot
of
our
ideas
around
the
education,
Sig,
so
I
think
more
participation
and
collaboration.
There
would
be
very
useful
for
everybody.
M
M
M
If
you
have
a
vulnerability
in
a
vendor
dependency,
you
should
be
issuing
a
advisory
with
the
same
existing
cve
number
stating
which
version
of
your
product
fixes
that
vulnerability
and
so
I
am
working
with
somebody
at
Red.
Hat
I
have
somebody
on
there
on
the
calendar,
I've
heard
of
them
yeah
to
try
to
discuss,
discuss
that
topic
and
come
up
with
a
short
guide
for
that
topic.
So
there's
a
thread
in
the
best
practices
working
group
as
far
as
I
know,
if
anybody's
interested
in
that
topic.
B
B
B
So
yeah,
so
certain
system
integrators
that
work
in
Linux,
I,
don't
know
whatever
you
want
to
say,
because
let
me
finish
what
I
was
going
to
say
so:
canonicals
decided
to
endorse
snaps,
where
there
was
a
movement
late
last
year
to
endorse
flat
pack
and
there's
a
lot
of
security
jargon,
that's
being
thrown
around
and
a
lot
of
investment.
That's
being
done
around
these
security
improvements
and
I,
don't
know
if
they're
all
necessarily
security
improvements,
but
we've
never
really
talked
about
these
groups
and
I.
B
Don't
know
if
that's
something
we
want
to
talk
about
eventually,
because
there
is
a
lot
of
investment
going
into
both
of
these
next-gen
packaging
ecosystems
and
there's
a
lot
of
talk
about
how
they
operate.
Why
they
operate
the
way
they
that
they
do
and
whatnot
and
I
feel
like
to
a
certain
degree
they're
operating
with
no
oversight,
so
they
can
kind
of
say
whatever
they
want
to
say
and
I.
Think
that
that's
going
to
end
up
being
a
problem.
E
A
E
Not
yet
okay,
yeah,
all
right
so
I
would
suggest
Jonathan
that,
first
of
all,
I'm
actually
fine
with
the
idea
of
if
you
vendor
it.
The
CV
applies
to
you
too,
but
but
if
that's
the
rule,
that
would
apply
not
just
to
open
source
but
to
all
closed
Source
vendors,
who
you
know
typically
release
products
with
a
lot
of
components
inside
them
and
they're
vendoring
them.
Basically,
in
many
many
cases,
you're.
E
M
This
is,
if
you
look
at
any
current
cve,
you
will
see
that
as
the
cve
life
cycle
continues,
vendors
do
disclose.
Vulnerabilities
are
just
they
like
look
at
any
old,
TV
and
you'll
see
that
Oracle.
You
know
Apache
soccer
Foundation,
all
of
those
other
links
get
added
to
that
cve
stating
this
project
that
project
this
other
project
all
fixed,
the
cve
at
this
point
in
our
history-
and
so
this
this
is
a
this.
Is
me
not
like
interpreting
CV
this
way.
This
is
a
well-established
process
that
you
can
see
on
any
existing
cve
number.
M
E
All
right,
I
I
that
wasn't
as
clear,
okay,
fair
enough
yeah,
it's
just
it's
I
think
it
will
be
wise
to
coordinate
with
the
cve
folks.
Even
though
this
is
past
process
practice.
You
know
it's
past
practice
for
the
closed
source,
but
I'm
not
sure
it's
always
as
consistent
as
it
should
be,
and
if
we're
going
to
do
this
for
the
open
source
as
well,
frankly,
I
think
it
makes
sense.
We
just
I.
Think
we
want
to
talk
to.
This
is
the
thing
we're
going
to
suggest.
A
M
M
E
M
Also
I'm
also
talking
to
GitHub
and
Madison
Oliver
about
hey,
Can
Vendor,
or
can
maintainers,
publish,
CDE
or
publish
GitHub
security
advisories
with
existing
cves,
and
can
you
go
and
update
the
Upstream
cve
for
them?
So
that's
like
a
thing
that
automatically
happens
and
Madison,
and
so
they
don't
do
that
now,
but
that's
something
that
they
could
do
in
the
future.
For
us
to
just
make
the
maintain
our
life
easier
for
who
are
using
GitHub.
A
L
Yeah
hi
everyone
I'm
new
here,
let
me
chairman
on
the
on
that
subject
of
next-gen
packaging,
because
it
actually
calls
back
to
the
subject
of
transitive
dependencies
and
Series
in
them,
because
flat
packs,
snaps,
container
images
for
that
matter.
They
all
include
a
bunch
of
things
in
a
kind
of
a
in
a
flat,
packed
way
pun
intended
where
there
is
no
particular
regard
to
to
to
a
dependency
on
some
other
baggage.
L
Rather
it's
it's
just
included,
as
as
it
is,
and
when
it
comes
to,
for
example,
addressing
particular
CD,
a
flat
pack,
almost
always
has
to
be
reissued.
If
something
inside
of
this
has
like
contains
a
vulnerability
now,
so
that's
I,
I
think
I
I
have
to
agree
with
David
that
it's
just
something
that
CD
people
might
not
realize,
but
it's
already
happening
in
a
very,
very
widespread
manner,
both
in
open
source
and
in
closed
Source
community
and
by
the
way
David
I.