►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
C
B
F
F
F
H
Okay,
I'll
chime
in
hi,
everyone,
Bradford
Bartlett,
here
I
work
at
Sonos,
The,
Speaker,
Company
and
I
work
in
I
see
somebody
clapping.
Hopefully,
a
happy
customer
I
work
on
product
security,
so
I've
been
interested
in
openssf
I'm,
getting
to
learn
more
about
that
and
salsa
and
some
of
the
other.
You
know
Frameworks
and
tools
out
there
that
might
help
us
in
our
journey
here
so
nice
nice
to
meet
everyone.
Excellent.
I
Sir
I'll
jump
in
hi
I'm,
Sheila,
saibi
and
I
am
located
in
Silver
Spring
Maryland
I
work
at
Comcast
in
the
open
source
program
office
and
I
am
here
to
lurk
a
little
bit
and
learn
how
to
get
involved
in
this
community,
so
that
I
can
help
our
technologists
also
get
involved
in
this
community.
Excellent.
I
J
K
L
L
F
F
F
So
if
you
are
interested
in
submitting
a
talk,
please
do
so
by
Sunday.
If
anyone
is
interested
in
assistance
in
helping
massage
their
abstract
or
they're.
Looking
for
co-presenters,
please
raise
your
hand.
Let
us
know
we're
glad
to
help
out.
Several
members
of
the
group
have
already
submitted
some
things,
so
we
were
always
welcome
to
see
some
strong
representation
from
the
open
ssf
at
this
Summit.
F
F
F
F
We
started
a
source
code
management,
best
practices
guide,
we
met
last
week
and
we
will
continue
meetings
every
other
week
continuing
next
week
if
anyone's
curious,
what
we
talked
about
and
what
we're
up
to
there's
Issue
102
in
our
repo.
We
have
a
created,
a
folder
for
the
doc
repository
and
we're
already
starting
to
check
in
some
materials,
so
that'll,
be
kind
of
our
next
group
project
will
be
a
source
code
management,
best
practices
guide
pretty
exciting.
F
C
Or
minor
thing-
and
maybe
this
is
just
me-
but
you
know,
source
code
management
is
a
really
broad
topic.
You
know
it
seems
to
me
you're
really
talking
about
configuration
guides
for
forges
like
GitHub
and
get
lab
right.
Yes,
yeah,
so
I'm
wondering
if
you
might
want
to
title
it
to
be
more
specific,
because
there
are
people
who
use
get
locally.
They'll
people
use
completely
different
kinds
of
tools
and
systems.
F
An
excellent
suggestion,
David
I,
would
welcome
that
comment
on
the
issue.
Initially,
it
was
titled
GitHub,
best
practices
right,
so
we're
kind
of
directionally
correcting
things
so
we're
not
endorsing
any
single
vendor,
but
yeah
I
think
that's
good
feedback.
So
why
don't
you
post
a
comment
and
we'll
get
the
group
to
potentially
course
correct
again.
F
K
K
K
B
K
F
B
C
B
B
E
B
B
B
B
Are
they
using
that
best
practice?
Now,
if
they're
not
using
it,
are
they
planning
to
use
it
later
in
2022,
because
we
did
the
survey
back
in
Q2
of
2022.,
so
it
is
getting
a
little
bit
long
on
the
tooth
when
I
have
to
take
responsibility
for
that.
But
nevertheless
we
asked.
Are
they
going
to
do
implement
this
best
practice
later
in
2022
or
sometime
in
2023?
B
I
didn't
have
enough
room
to
say
Beyond
2023,
but
then
I
skipped
then
to
do
or
do
you
have
no
plans
to
use
this
best
practice?
Does
it
not
apply
to
the
particular
way
in
which
you
are
doing
me?
Maintenance
or
do
you
not
know,
or
are
not
sure
about
either
how
to
answer
the
questions
or
kind
of
what
the
state
is
of
this
particular's
best
practice
as
it
applies
to
your
use,
so
those
were
the
let's
see
five
different
types
of
responses.
B
B
I've
got
two
pages
here:
they're
a
total
of
I,
think
nine
on
source
code
management
and
change
control,
and
you
can
you
can
see
that
in
general
there's
a
pattern
that
that
becomes
clear
very
quickly
as
to
you
know
how
many
you
know,
a
lot
of
a
lot
of
best
practice
use
is
happening
if
it's
not
happening.
There's
some
planned
and
the
not
applicable
is
pretty
small.
The
no
plans
to
use
varies
significantly
and
what
I
need
to
ultimately
do
is
follow
up
with
some
maintainers
to
try
to
find.
B
You
know.
Why
is
it
that
people
would
have
no
plans
to
use
some
of
these,
not
sure?
Maybe
it
has
to
do
with
the
ones
I
selected
from
soft,
secure
software
development
best
in
a
list
who
knows
so
this
one
there's
a
panel
here
on
software
builds
sorry
about
that
software
quality
testing
and
then
we
had
I've
got
several
on
security
from
slightly
different
Foci.
This
is
sort
of
overall
security
focused
best
practices.
This
is
specific
to
testing,
and
then
we
had
secure
software
development.
So
what
I'm?
B
So
here's
you
know
one
of
the
obvious
ways
from
a
reporting
standpoint
would
be
able
to
show
the
data.
Much
like
you
just
saw
it
talk
about
the
percentages
that
are
using
it
now
and
the
plans
for
for
future
use
and
what
the
growth
is
looking
like
perhaps
have
a
story
that
I
have
to
obviously
develop
on.
You
know
why
some
people
have
no
plans
to
use.
B
You
know
I'm
just
speculating
at
this
point
anyway,
but,
as
you
can
see,
there's
a
lot
to
think
about
and
talk
about
here
so
before
I
stop
and
sort
of
see
what
people
might
have
to
offer
and
what
people
think.
Let
me
just
talk
about
one
possible
way
to
leverage
this
information.
I
thought
was
potentially
useful,
so
you
know
we
do
have
72
maintainers
that
answered
every
single
one
of
these
questions.
B
B
B
From
the
standpoint
of
usage,
what
we're
seeing
out
there
in
the
industry,
and
so
the
model
can
continually
be
updating
based
on
people
that
essentially
take
the
take
the
survey
and
are
looking
for
results
back,
and
we
can
continue
to
update
you
know
and
then
become
better
informed
over
time.
As
we
try
to
report
back
results
to
people
so
I'm
going
to
stop
there
and
see
whether
or
not
you
know
there
are
anybody
out,
there
has
some
either
other
ideas
for
what
I
can
do
or
some
sort
of
assessment
on
the
you
know.
B
F
B
B
I
could
do
that
if
I,
if
I,
do,
share
the
slides,
the
one
request
I
would
make
was
you
know
you
put,
have
them
for
your
internal
use
only
you
know
I
need
to
be
reporting
on
this
and
put
a
report
together
on
this
subject
and
get
it
out.
For
you
know,
the
use
inside
of
you
know
posting
on
the
open
ssf.
So
you
know
I
don't
want
to.
B
B
B
So
let's
see
we're
getting
some
additional
resources
to
help
with
the
development
of
this,
which
is
really
cool,
I
would
think,
probably
about
three
to
four
months
from
now
it'll
surface
it
takes
about
a
month
in
production,
and
you
know-
and
it's
going
to
have
to
go
through
a
pretty
pretty
a
serious
review
process
where
we
build
a
storyboard.
You
know
we
get
that
reviewed.
We
build
a
draft
and
get
that
reviewed.
B
F
B
Of
the
things
I
can
say
well
well,
people
are
trying
to
unmute
is
there's
a
lot
of
commentary
here
on
SAS
desk
and
I
asked
you
know,
I
don't
have
any
dogs
in
this
hunt,
but
the
reality
is
is
that
all
of
all
of
these
are
really
really
useful
tools.
You
know
both
static
analysis
and
dynamic
analysis
and
the
integrated,
which
is
I,
think
really.
B
I
mean
all
this
research
is
free
it
there
is
I,
think
tools,
tools
for
you
know
either
number
one
or
number
two
way
in
which
significant
improvements
could
be
made
to
you
know
software
from
it
from
addressing
a
software
security
need
that
and
best
practices
both
show
shown
through
as
being
very
important
activities
that
developers
should
take.
So,
and
so
you
know
it's
the
typical
software
tools,
it's
the
fuzz
testing
and
you
know
it's
also.
B
Software
composition,
analysis
where
you
can
look
at
licensing
and
vulnerability
issues
and
it's
a
whole
rafter
tools,
and
you
know
the
the
platforms
for
creating
platforms.
There's
all
sorts
of
there's
tooling
there.
That's
really
fascinating
as
a
way
to
potentially
build
more
bulletproof.
You
know
platforms
essentially,
so
there's
a
lot
of
different
ways
to
do
this.
B
I'm
a
big
fan
of
tools,
but
I
will
have
to
look
closely
at
what
the
data
is
saying
here
in
terms
of
tool
update,
because
I
have
seen
in
other
questions,
approaches
where
maintainers
are
more
apt
to
say
look,
you
know,
I
do
a
lot
of
manual
inspection
of
the
code,
and
that
is,
you
know,
sort
of
the
best
way
in
which
I
know
to
go
through,
and
you
know
either
check
check,
work
or
be
able
to.
You
know
validate
that
the
work
has
been
done
well,
so.
M
M
A
B
M
Yeah,
okay,
so
I
think
my
I'm
just
gonna
be
direct.
If
that's
okay
and
let
me
turn
on
my
camera,
because
that's
probably
not
if
I'm
gonna
talk,
I
I,
think
that
before
when
you
do,
you
know
when
you
do
a
case
study
or
or
a
review
like
this
I
think
it's
important
to
confirm
what
the
criteria
is
ahead
of
time,
because
then
it's
less
fuzzy,
I
I,
think
we
don't
know
what
we're
talking
about.
M
I
would
like
to
see
industry
representation,
even
though
it's
small
I'd
also
like
to
see
a
larger
sample
size
I
think
72
is,
is
really
small
for
me
and
I
think
that
I
would
break
down
the
security
testing
into
agreed
upon
domains
like
I
saw.
You
left
I,
asked
out
and
sure
there's
overlap
between
Das
and
I
asked,
but
it
I
mean
people
are
still
trying
to
adopt
it
right
when
it'd
be
helpful
to
see
where
they
are
with
that
I
think
those
are
my
main
points
with
it.
B
A
M
B
B
B
M
Okay,
it's
a
study.
Studies
usually
help
people
I.
Maybe
you
can
get
the
certification
for
working
with
human
volunteers.
You
know,
have
you
heard
of
that
phrp
or
whatever
I?
Maybe
that
would
make
people
feel
better?
No,
but
I,
because
I,
don't
even
it's
not
even
clear
to
me,
like
one
of
the
things
that
additionally
isn't
clear
that
just
popped
in
my
head,
I,
don't
know
the
the
sizes
like
it's
not
broken
down
by
here's.
You
know
under
50.
You
know
50
to
500.
M
M
Okay,
okay,
so
just
I'm,
I'm
hoping
this
is
helpful
and
I'm
happy
to
talk
to
you
offline.
If
you
wanna,
if
it
helps
to
get
this
feedback,
I
mean
we
because
you
know
at
Google
we
we
do
the
Dora
stuff,
and
maybe
we
can
use
I'm,
not
saying
we
should
do
it
like
that
and
I'm
not
trying
to
boss
you
or
sass
you
but
I'm.
Just
saying
that.
There's
some
methodologies
that
maybe
might
be
useful,
I
just
thought,
I'd
throw
it
out
there.
M
To
make
no
I
I
would
agree
with
that
and
I
wonder
if
you
could
it's
possible
for
you
to
take
this
initial
exploration
and
call
it
that,
like
you,
could
call
it
we
did.
We
performed
an
initial
exploration
we'd
like
to
dive
into
this
further,
but
we
will
need
the
following
assistance
that
might
be
an
opportunity,
I
think
if
you
catch
it
that
way,
as
opposed
to
not
good
enough
or
something
like
that
right,
yeah.
Okay,
that's
good!
A
great
recommend.
C
B
F
So
I
have
a
couple
things
and
then
again,
if,
as
anyone
else
has
additional
thoughts,
please
raise
your
hand
to
queue
up.
I
think
this
is
very
interesting.
I
think
we
all
agree
that
the
sample
size
is
an
opportunity
for
future
Improvement,
but
I
think
the
data
is
interesting.
So
if
you
are
looking
for
additional,
you
know
more
collaborative
feedback,
don't
hesitate.
I
I
would
be
very
glad
to
work
with
you
know
you
and
David,
and
anyone
else
in
this
team.
F
That's
interested
in
kind
of
diving
a
little
bit
more
into
that
information
and
then.
Secondly,
we
also
lead.
We
have
a
Sig
around
education
and
I
think
just
spotting
a
couple
things.
Despite
the
small
sample
size.
We
know
that
multi-factor
authentication
is
a
point
of
contention
in
the
community,
so
that
potentially
could
be
something
interesting.
We
feed
over
to
the
education
Sig.
How
can
we
provide
more
information
to
explain
the
benefits
of
multi-factor
the
same
thing
with
tooling?
F
And
you
know,
as
we
do,
you
know
dive
more
deeply
into
what
you
already
have
and
as
we
get
more
participants,
maybe
there's
some
Trends
or
recommendations.
We
can
make
around
open
source
tooling.
That
might
help.
Maybe
developers
are
unaware
that
there
are
open
source
options
or
even
you
know,
low-cost
commercial
options
in
this
space,
so
I
again,
I'm
really
excited
I.
Think
there's
a
lot
of
opportunity
to
feed
this
into
some
of
our
other
initiatives.
So
please,
let's
set
something
up
to
continue
to
collaborate.
Yeah.
B
A
F
F
F
A
K
Let's
give
this
another
try,
so
there
you
go
I
hope
my
Firefox
window
is
visible
now
to
everyone.
Yes,
okay,
excellent!
Thank
you
very
much
for
the
opportunity
to
to
come
here
and
talk
about
this.
So
I'll
try
to
be
brief,
but
I'll,
maybe
sort
of
say
as
much
for
the
background
on
this
is
that
this
is
sort
of
this
is
sort
of
a
document
on
what
we
call
tool
chain
hardening
for
CMC
plus
plus,
that
started
out
as
a
kind
of
like
an
internal
initially
like
an
internal
PowerPoint.
K
We
would
present
to
our
product
development
units
and
later
it
got
turned
into
this
sort
of
a
part
of
our
internal
internal
security
recommendations
and
sort
of
the
motivation
for
this
work
was
that
we
had.
We
got
this
feedback
from
developers
that
you
know
they.
They
know
that
they
need
to
apply
this
mechanisms,
such
as
stack
protectors
and
things
of
that
nature,
to
C
and
C,
plus
plus
code,
but
actually
getting
to
the
situation
where
they
had
a
grasp
of
how
exactly
these
work
and
what
threats
they
protect
against.
K
They
were
sort
of
like
this
Gap
and-
and
one
of
the
reasons
for
this
was
that,
while
these
options
are
widely
available
in
compilers,
sometimes
the
documentation
was
not
necessarily
that
accessible
to
your
average
developer
right.
So
you
needed
to
have
someone
with
some
security
background
to
understand
what
was
going
on.
K
So
we
we
sort
of
try
to
address
this
Gap
by
by
starting
to
collecting
this
material
on
until
tool
chain.
Hardening
I
know
that
this
is
also
something
that
you
hear
a
lot
of
different
terms
for
this
right,
so
binary
hardening
runtime
protection.
We
we
sort
of
picked
this
name,
because
this
is
the
name
that
ovasp
uses
as
well
as
it
sort
of
goes
nicely
together
with
product
hardening,
which
is
you
know
internally
what
we
used
to
call
like
hardening
the
configuration.
K
So
this
sort
of
goes
nicely
hand
in
hand
right
and
and
and
this
is
sort
of
now,
a
version
of
the
document-
I've
been
turning
the
markdown
to
make
it
a
little
bit
online
friendly.
This
is
still
work
in
progress,
so
excuse
the
rough
edges,
but
but
sort
of
if
I
sort
of
go
up
briefly
through
like
the
content.
So
we
have
some
sort
of
motivating
text.
We
have
a
section
on
recommended
compiler
options
which
is
kind
of
like
the
meat
of
the
document
moment.
K
K
So
one
of
the
things
that
we
hope
to
do,
possibly
with
the
help
of
the
committee,
if
this
is
something
that
that
you
would
be
willing
to
to
sort
of
adopt,
would
be
to
also
extend
this
to
platform
specific
options
so
for
the
support
for
things
like
Intel,
CET
or
arm
pointer,
authentication,
So
So.
Currently
this
is
sort
of
limited
to
the
stuff
that
is
is,
is
sort
of
a
little
bit
more
easier
to
deploy
in
the
sense
of
that
it's
a
software
software
specific.
K
But
so
we
have
a
like
these
tables
and
then
for
each
of
these
options
we
have
a
sort
of
a
short
section
that
tries
to
provide
like
a
synopsis
of
what
is
happening.
That's
the
extent
for
the
warning
flags
and
then,
when
we
go
to
the
actual
runtime
protection,
we
provide
a
little
bit
more
information.
So
some
of
some
of
the
like
commonly
asked
questions
is
that
what
are
the
performance
implications
right?
K
This
is
what
developers
care
about
right,
always
what
what's
the
impact
on
performance,
and
so
we've
we've
taken
the
stance
that
that
you
know
we
try
to
explain
that
if
there
is
a
performance
impact,
where
does
the
performance
impact
come
from
because,
obviously
you
know
the
actual
effects
will
vary
depending
on
what
kind
of
software
you
apply
it
to,
but
but
we
have
sort
of
tried
to
do
our
best
to
somehow
characterize
that.
Are
there
like
any
Corner
cases
that
might
hurt
you
very
badly
in
performance?
K
You
should
be
aware
of
them,
and
and
just
this
notion
that
what
are
the
what
other
aspects
of
this
feature
that
will
actually
contribute
the
performance
overhead
and
then
we
have
a
sort
of
like
a
general
warning
section
like
when
not
to
use.
So
some
of
these
options
can
be,
you
know
problematic,
so
you
cannot
come
with
a
sort
of
General
recommendation.
Like
always
use
it,
so
we
try
to
cover
possible
Corner
cases
which
might
be
problematic
and
and
we've
sort
of
original
format
for
this.
K
So
so
this
this
sort
of
comes
from
like
a
Word
document,
where
each
of
these
should
sort
of
feature
on
a
single
page
to
be
like
accessible.
That
doesn't
necessarily
come
across
here
from
the
like
the
markdown
format,
but
but
sort
of
you.
You
see
that
we
have
sort
of
tried
to
be
fairly
brief
on
this,
so
that
it
would
be
easy
to
easy
to
sort
of
get
at
a
glance.
K
An
idea
of
what
this
feature
does
without
having
to
you
know,
spend
potentially
hours
going
through
compiler
documentation,
go
read
a
mailing
list
or
a
blog
post,
and
so
we've
kind
of
like
done
all
that
effort
and
and
try
to
condense
the
sort
of
this
into
something:
that's
that's
accessible
and
yeah.
So
so,
basically,
this
this
sort
of
mostly
follow
the
the
same
structure.
K
We
have
some
started
work
on
something:
that's
so
discourage
compiler
options,
so
options
that
can
have
a
security
impact
sometime
and
then
we
have
a
working
progress
section
on
sanitizers
as
well.
So
obviously
there
are
more
sanitizers
than
this,
but
again
these
are
the
ones
that
are
I,
think
the
common
ones
that
at
least
our
developers
usually
want
to
want
to
use,
and
then,
lastly,
there
is
a
section
on
handling
debug
information.
So
this
is
another
sort
of
pain
point
that
we
felt
was
sort
of
necessarily
to
necessary
to
address
that.
K
How
do
you,
actually,
you
know,
deploy
binaries
with
that
are
stripped,
but
then,
if
you've
run
into
issues,
you
still
need
to
be
able
to
to
debug
them
yeah.
So
so
this
is.
This
is
sort
of
what
what
we
have
and
as
part
of
this
process.
You
know
we
identified
this.
You
know
interest
to
to
open
source
these
and
we
thought
that
bringing
it
to
open
ssf
would
be
a
a
natural
option,
especially
now
that
Ericsson
has
formerly
formally
joined
and
I.
K
I
know
that
there
is
a
kind
of
like
a
partial
overlap,
with
the
with
the
excellent
work
that
Mr
Wheeler
has
been
has
been
doing,
but
but
sort
of
again
we
sort
of
tried
to
do
like
a
little
bit
of
a
deeper,
deeper
delving
on
partially
these
options,
and-
and
we
are
of
course
very
happy
to
continue
developing
this.
You
know,
and
our
hope
is
that
we
can
do
that
through
a
community
effort,
because
we
also
see
a
benefit
in
this.
C
K
That's
an
excellent
point,
so
that's
also
something
that's
been
brought
up
internally
and
not
just
the
windows
compiler
but
other,
let's
say
proprietary
compiler,
so
so
that
that's
something
that
we
are
currently
limited
ourselves
to
Jesus
young
and
see
Lang,
because,
as
you
can
imagine
like
actually
going
to
find
this
information
is
quite
time
consuming.
So
right,
yeah,
I.
C
C
I
mean
I
like
I,
don't
know
if
you've
looked
how
I
have
people
here
have
looked
at
the
draft,
but
I
mean
we've
got
just
like
two
pages.
It
has
some
discussion.
I.
Think
just
like
you.
Other
folks
have
noted
the
same
problem
of
just
saying:
hey
here's
an
option
is
enough
complete.
You
need
to
explain
why
women
would
care.
C
I
would
love
to
see
this
and
emerge
in
of
some
of
the
other
materials
that
we've
got
into
some
sort
of
you
know.
Basically
large
version
of
you
hear
the
flags
you
recommend
and
why
you've
got
a
lot
of
details.
So
I
would
what
I
would
suggest
is
be
brief
summer
at
the
top
and
then
hyperlink
down
to
all
the
details
so
that
people
can,
if
all
you
want
to
know,
is
what
do
I
do
there.
C
K
C
For
those
who
don't
know,
documents
in
general
are
CC
by
our
Creative
Commons
by
license,
which
means
that,
even
if
you
contribute
I
mean
you
can
obviously
keep
using
whatever
doing
whatever
you
do,
and
then
we
can
all
work
together
to
make
you
know
to
add,
maybe
missing
information
or
whatever,
as
you
go
along,
but
I
love.
This
idea,
others.
F
I
love,
love,
love
this.
This
is
something
we've
been
trying
to
get
going
for.
Quite
some
time
and
I
know
we
have
a
couple
members.
Marta
has
expressed
interest
in
participating,
I'm
trying
to
get
the
internal
Intel
team
and
the
clear
Linux
folks
to
get
their
documents
together
to
share
and
contribute
to
something
like
this,
so
I
think
there
at
least
initially
is
a
lot
of
energy
from
this
group
around
this
idea
and
I
love
the
the
the
details
and
how
you've
laid
this
out
Thomas.
K
So
my
my
own
own
background
into
this
that
I
I
I
I
did
my
PhD
at
Alto
University,
where
I
wrote
my
dissertation
on
using
Hardware,
assisted
Hardware,
assisted
mechanisms
for
runtime
protection.
So
this
is
sort
of
a
topic
close
to
my
heart,
which
is
you
know
so,
but
for
this
we
sort
of
Started
from
the
software
side,
but
I'm
I'm,
looking
forward
to
having
deep
or
extending
this
into
the
into
the
hardware
assisted
mechanisms
now
that
they
are
becoming
more
and
more
relevant
and
available.
C
K
Yeah
exactly
so,
as
I
said,
there
is
there's,
definitely
like
room
for
room
for
additions
here
right,
so
so
our
our
sort
of
motivation
for
why
we
have
big
thesis
that
sort
of
we
have
somehow
felt
that
these
are
the
sort
of
the
low
hanging
fruit
so
to
say,
and
most
most
relevant
for
for
our
product
development
units,
but
obviously
working
together.
We
can.
We
can
extend
this,
extend
this
further
to
to
try
to
be
as
comprehensive
as
as
possible.
K
F
C
D
F
What
I'll
do
is
I
will
get
a
doodle
set
up,
I'll
work
with
David
on
the
wording,
so
I,
don't
put
my
giant
foot
in
my
giant
mouth
and
we'll
get
that
sent
out
so
Thomas
make
sure
we
have
your
email.
I'll.
Add
you
to
that
doodle
and
we'll
shoot
it
out
through
the
mailing
list
and
the
slack
for
anyone.
That's
interested
participating.
So
we
can
pick
up
Marta
and
everyone
has.
F
D
J
D
D
F
C
Let
me
jump
in
real,
quick,
sorry
to
be
the
the
licensing
nerd
here,
but
you
know
Thomas
only
of
course,
you're
always
welcome
to
to
interact.
We
would
love
for
you
to
contribute
this.
You
know,
or
at
least
you
know,
contribute
just
release
this,
as
you
know,
CC
Buys,
so
we
can
use
as
a
starting
point,
but
that's
I'm,
obviously
up
to
you
and
your
organization
to
make
that
decision.
But
but
we
can,
we
can
beg.
K
We
we
already
have,
we
already
have
internal
clearance
for
the
CC
by
licensing,
so
so
we
are
still
so
so
we
are
waiting
for
like
the
final
red
tape
on
this
particular
version.
So
once
we
can
clear
that
internally,
I
would
be
happy
to
make
this
available
on
on
GitHub
in,
in
whatever
ways
is
kind
of
like
easiest
to
work
with
happy
to
get
feedback
on
that.
K
F
F
Work
really
appreciate
you
all
putting
this
together
very
excited
about
the
energy
around
this
particular
little
project.
Thank
you
also
to
Stephen
for
coming
to
share
your
research.
Hopefully,
I
look
forward
to
Future
collaboration
with
you
on
the
best
practices,
helping
get
maintainers
a
little
more
secure
or
focusing
on
areas
where
they
have
some
opportunities
for
improvement.