►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A
Happy
March,
28th
everybody
we'll
get
started
in
just
a
few
minutes,
got
a
link
to
the
agenda
in
the
chat.
Please
mark
your
attendance
and,
if
you
have
anything
you
want
to
chat
about
today,
please
add
that
I
ask
any
sub
project
leads
to
put
an
update
on
their
initiative
if
possible
and
flag.
If
you'd
like
us
to
talk
about
it,.
B
A
I
have
a
folder
in
my
mailbox
that
has
like
a
couple
thousand
messages
sitting
on
red
got.
It
got
it.
Okay,
all
right!
Everybody
I,
put
a
link
to
the
agenda
in
the
zoom
chat,
please
sign
in
on
the
March
28th
edition
of
our
call,
because
we're
not
talking
about
C
and
C,
plus
plus
compiler,
hardening
options
today
unless
we
wanted
to.
But
that
is
a
future
meeting.
A
A
E
A
A
F
F
A
A
Doesn't
look
like
it
Dan
all
right,
so
an
update
about
the
education
Sig
that
effort
is
still
being
a
massage
to
be
to
present
to
the
governing
board.
We
have
a
couple
folks
from
the
governing
board
tax
governance
committee
that
are
reviewing
it,
but
I'm,
working
with
folks
from
LF
legal
on
a
pretty
awesome,
little
presentation,
an
executive
kind
of
summary
for
the
effort.
So
we
anticipate
we'll
get
some
forward
progress
on
that
soon
and
hopefully
get
word
on
what
people
think
about
the
awesome
education
plan.
C
F
A
Last
little
bit
of
a
ministerivia
before
we
move
on
to
opens
the
vote
closed
for
the
adoption
of
the
memory,
safety,
Sig
and
11
eligible
folks
voted
in
favor
of
it.
There
were
no
dissenting
opinions.
So
therefore
we
will
be
adopting
the
memory
safety
group
under
Nell,
so
welcome
now
on
the
crew
to
the
family.
They
meet
every
other
Thursday.
If
you
would
like
to
participate
or
learn
more
Thursdays
at
1
pm
Eastern
every
other
Thursday
is
their
calls.
I
recognize
Dave
Rousseau.
A
Well,
it's
funny.
You
mentioned
that
Dave
I
spent
the
morning
monkeying
around
with
our
Repository,
and
so
the
long
answer
is
short
answer
is
yes,
the
long
answer
is
it's
in
flight.
So
if
anyone
is
interested,
I
have
compiled
all
of
the
sub
projects
and
sigs
into
a
table
provided
relevant
links
to
their
git
repos,
their
slack
channels,
their
mailing
lists
so
that
everyone
can
kind
of
see
who
what
and
where
and
how
and
with
them
just
being
adopted.
A
I
got
the
note
from
the
operations
team
I
think
yesterday
that
they
had
completed
it.
So
I
will
begin
working
with
Nell
and
that
group
in
getting
their
landing
page,
set
up
and
kind
of
bringing
over
any
existing
work,
because
they've
been
toiling
away
for
a
while
now
almost
a
year,
maybe
about
about
as
long
as
some
of
the
other
groups,
some
of
the
other
cigs,
so
they
might
have
some
additional
artifacts.
They
want
to
add
into
that
repo
did
I
answer
your
question,
sir.
You.
A
B
B
We
think
we
finally
nailed
down
what
the
thing,
what
the
actual
truth
is
and
therefore
what
we
can
put
in
the
course
which
is
it's
mostly
but
not
completely
gone,
and
therefore
it's
more
complicated
to
talk
about.
So
if
you've
got
any
last
minute
comments
love
to
hear
it,
but
we
heard
back
from
Mozilla
folks
so
from
our
friends
in
Mozilla.
Thank
you
who
kind
of
helped
us
get
the
the
the
the
details
straightened
out
So.
The
plan
is
to
merge
this
very
very
soon,
unless
somebody
says
something
soon.
B
A
H
H
Great
security,
vulnerabilities,
orange
Psy
did
a
black
hat
talk
about
this
and
it
covered
like
how
he
changed.
Four
four
vulnerabilities:
to
achieve
remote
code
execution
on
GitHub
that
because
of
github's
filtering
yeah,
I,
think
and
like
he
did
other
research.
He
found
that
like,
for
example,
a
lot
of
PHP
libraries
will
use
php's,
URL
parser,
but
then
make
requests
with
curl
and
the
PHP
par
server.
H
Urls
are
different
from
the
one
that
is
different
from
the
one
that
curl
uses
and
I
spoke
to
Badger,
who
or
Daniel
who
run
who
runs
curl,
and
there
was
a
discussion
about
hey
this.
You
know,
doesn't
your
parser
doesn't
fan,
it
doesn't
support
the
current
working.
You
know
living
standard
and
he's
like
her
curl
implements
the
the
old
RFC
spec
and
not
the
current
spec,
and
so
what
you'll
find
is
that,
because
of
this,
a
lot
of
Old
Lang
like
older
languages,
for
example?
H
Java,
you
know
curl
some
of
the
stuff
will
support
the
old
RFC
spec
for
URL
parsing
and
the
newer,
like
you,
know
anything
web-based
so
JavaScript
libraries,
the
what
the
browsers
all
that
stuff
implement
the
new
standard
for
ulr
URL
parsing,
and
so
we
have
this
ambiguity
in
the
industry
about
certain
URLs
and
whether
or
not
they
are
a
certain
host
or
another.
A
different
host-
and
you
know
I,
was
thinking
like
maybe
somebody
in
the
open,
ssf
or
somewhere.
We
should
like
decide
that
that
the
industry
should
be
doing.
H
E
C
Yeah
welcome
to
my
life.
No,
the
the
thing
that
I've
got
to
say
is
this
sounds
like
something
that
the
w3c
tag
might
want
to
get
involved
with
with
which
is
a
group
that
I
happen
to
co-chair,
and
it's
a
group
that
often
gets
in
between
w3c
ITF
and
what
WG
things
that
have
efforts.
This
is
something
that
we've
covered
before:
how
there's
this
ambiguity
between
the
the
living
URLs
back
and
the
RFC
URL
spec
and
I'd
be
happy
to
help.
C
C
It
takes
getting
some
people
in
the
room
together
to
facilitate
having
that
discussion
and
those
people
are
people
like
Mark
Nottingham,
who,
like
co-chairs
the
HTTP
working
group
in
in
ITF,
and
maybe
some
folks
like
Anna
van
kestron
who's,
currently
at
Apple
who's,
very
active
in
the
in
the
lot
WG,
and
both
those
people
used
to
be
tag.
Members
as
well.
So
there's
something
that,
like
maybe
I
can
help
is
what
I'm
saying.
Maybe
we
can.
C
Maybe
we
can
have
an
off
Channel
discussion
if,
if
you're
saying
that
it's
something
that
open
ssf
as
well
is
is
like
bringing
concern
to
the
table
on
this,
then
that
is
that
it
that
could
prompt
a
deeper
discussion
on
this
topic
and
maybe
get
some
people
talking
to
each
other.
I
haven't
who
haven't
resolved
this
issue
yet.
B
Yeah
I
would
not
assume
there's
only
two
okay,
you
I
mean
you've
got
the
RFC
you've
got.
You
know
the
what
wig
you've
got
the
there's
the
older
w3c
spec,
it
was
kind
of
implied
and
frankly,
the
what
we
you
know
is
feels
free
to
change
specs
at
any
time.
I
wouldn't
assume
that
the
current
spec
has
oh,
is
what
has
always
been
from
them.
So
there's
probably
multiple
versions,
and
they
don't
make
versions
very
obvious.
B
C
H
E
B
Right
and
and
you
you
keep
saying
URLs
but
there's
also
uri's
and
Iris
and
other
glorious
things,
so
I
I
don't
have
a
solution.
I
just
want
to
observe
that
the
problem
is
even
worse,
so
I
don't
have
a
solution,
but
it
does
seem
like
there's
a
need
for
one
and
probably
Step.
One
is
collect
the
different
specs
I'm,
trying
to
identify
the
differences
and
at
least
some
of
the
ways
that
they've
already
been
exploited
or
could
be
exploited.
C
I
really
suggest
focusing
the
discussion
around
threats.
Existing
threats
like
this
bad
thing
is
happening
out
there.
Let's
try
to
fix
it,
because
the
problem
with
this
is,
as
David
pointed
out
there,
all
their
Iris.
There
are
Uris
their
urns.
There
are
all
these
different
things,
some
of
which
are
being
used
in
various
places
in
the
world.
You
know
like
academic
Publications
and
this
kind
of
thing
and
and
there's
there's
a
lot
of
so
putting
the
focus
on
concrete
threats.
H
B
H
B
F
B
E
B
B
C
B
B
You
know
forget
the
spec
hack
stack
most
of
that
stuff's
not
allowed.
So
you
know,
oh
you
want
to
you,
want
the
URL
it's
going
to
be
HTTP
or
https.
You
know.
Yes,
you
could
use
FTP,
but
we're
not
going
to
allow
that
only
these
characters.
Only
these
this.
Only
these
that
and
remarkably
I've
only
gotten
one
proposed
change
in
the
last
year.
I
think
where
hey
at
symbols
are
allowed
and
we
actually
use
them.
Okay,
fine,
but
basically,
we've
started
by
being
ridiculously
picky
and
slowly
expand.
A
H
C
Yes,
it's
just
briefly:
I
had
a
discussion.
Last
week,
Brian
Russell
and
Lauren
Simon
from
Google
are
talking
to
different
people
about
scorecards
and
so
I
sat
on
a
call
with
them
and
answered
questions
that
they
had
about
scorecards
and
one
of
the
things
that
they're
talking
about
is
introducing
more
content
into
scorecards
itself
right,
so
where
the
it
would,
instead
of
just
giving
you
a
number-
or
you
know,
would
say
these
things.
C
That
content
and
I
was
thinking
specifically
because
some
of
these
issues
are
are
already
being
talked,
are
already,
there's
an
overlap
between
these
topics
and
the
stuff
that
we're
talking
about
in
the
SCM
discussion
that
are
coming
out
of
legitify
in
terms
of
like
SCM
configuration
options
and
be
good
if
they're
at
least
saying
the
same
thing,
maybe
even
synchronized
or
maybe
the
scorecard
output
should
be
linking
to
some
material
which
is
being
curated
by
by
the
best
brand
anyway.
There
needs
to
be
some
coordination,
so
I
just
thought.
A
C
A
They
meet
every
other
Thursday
at
4
pm
Eastern,
which
would
be
1800
UTC,
which
would
be
super
late
for
our
European
friends,
but
yeah
I
think
it's
a
worthwhile
effort.
I've.
We
have
a
great
long-running
relationship
with
that
team.
They
are
officially
part
of
this
group,
so
yeah.
Let's
is
anyone
interested
in
trying
to
help
Wrangle
a
a
meet
and
greet
and
kind
of
a
sink
between
our
groups?
Efficient.
C
A
Thank
you,
sir
I
appreciate
it.
I
have
all
the
relevant
links
to
scorecard.
If
anyone,
if
and
they're
they
have
their
own
slack
and
they're,
also
in
our
slack
and
everything
so
I
just
reach
out
to
them,
they're
pretty
pretty
Speedy
in
response,
so
I
think
we
should
be
able
to
get
something
set
up
in
the
next
week
or
so,
and
we
would
like
to
try
to
make
it
probably
around
this
time.
Maybe
a
half
hour
further,
so
it'd
be
early
morning.
I
Right
so
this
update
is,
as
you
said,
the
relevant
for
the
CNC
plus
hardening
guide,
basically
robe
reached
out
to
to.
Let
us
know
that
the
Microsoft
C
plus
plus
compiler,
is
currently
not
represented
in
the
guide
that
is
being
worked
on.
So
we
have
a
new
team
member
who
is
joining
the
course
now,
where
Gabriel
dos
Royce
and
additionally,
we
have
the
Bim
scheme
Tool,
which
is
a
compiler,
slash,
Linker,
checking
tool
that
is
open
source
by
Michael
Fanning's
team
at
Microsoft.
I
They
are
also
currently
working
on
sanitizing
their
rules,
which
are
built
into
Bim
scheme
into
a
format
that
can
be
worked
on
and
by
the
CNC
plus
plus
a
hardening
guide
that
will
complement
what's
already
there,
the
GCC
and
the
C
line.
So
we
are
expecting
that
it's
still
work
in
progress.
So
it's
hard
to
commit
on
a
time
but
safely
saying
that
in
the
next
three
four
weeks
we
should
have
that
document,
sanitized
and
ready
to
be
digested
by
the
same
group.
A
B
Yeah
those
have
been
deeply
involved
in
the
compiler
options.
Stuff
already
know
about
this,
but
there's
actually
rationale
for
this.
The
GCC
sea,
Lang
and
Intel
compilers
all
take
the
same
Syntax
for
options,
and
if
the
options
are
the
same,
they
generally
are
exactly
the
same.
Names
of
a
Microsoft,
C
compiler
is
is
quite
different.
Options
begin
with
Slash.
All
the
names
are
different.
Everything
else
is
different,
and
so
it
makes
more
sense
to
have
them
as
separate
documents.
B
It's
more
like
two
different
programming
languages,
more
than
anything
else,
so
there's
there's!
No
just
you
know
so.
I
I
welcome
it
I
think
just
for
simplicity's
sake.
It
makes
sense
for
them
to
be
in
two
different
documents,
because
there
may
be
out
there
almost
certainly
options
than
one
that
are
not
the
other.
They
don't
always
do
the
same
thing.
So
you
know,
if
you
have
this
situation
go
here.
If
you
have
that
situation,
go
there
thanks
and.
A
A
A
A
Thank
you,
everybody
for
your
time,
attention
and
participation.
We
will
see
you
all
very
soon.
The
Deni
subcommittee
will
be
having
a
call
in
just
about
20
minutes
or
so
so,
if
you're
curious
about
the
education
Sig
and
our
Deni
subcommittee
pop
on
that
call,
we'll
talk
to
everybody
later
have
a
great
day.