Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A: Happy March 28th, everybody. We'll get started in just a few minutes. I've got a link to the agenda in the chat. Please mark your attendance and, if you have anything you want to chat about today, please add that. I ask any sub-project leads to put an update on their initiative if possible, and flag it if you'd like us to talk about it.

A: I need to get off of a couple of security mailing lists.

A: To be able to ask projects if they wanted tokens.

A: I have a folder in my mailbox that has like a couple thousand messages sitting unread. Got it. Okay, all right! Everybody, I put a link to the agenda in the Zoom chat. Please sign in on the March 28th edition of our call, because we're not talking about C and C++ compiler hardening options today unless we want to. But that is a future meeting.

A: Do we have anybody on the call today that is interested? Well, you could talk about it if you really wanted to, Randall. I'm not going to stop you; that's just not the sole topic of the call.

A: Do we have anyone that's interested in helping us take notes today?

E: Not really. It's the US moving time zones, and then we're left behind, and then we're moving, catching up, and everything's... You know, I don't know where I am anymore.

A: All right. If you have any items you'd like to discuss, please add those in the open section of our sub-projects, which I have listed all of them below. Do we have any of those leaders around that wanted to share an update on any of our sub-projects or SIGs?
F: Maybe a small update. So we actually are busy with the new stack, like I said in the previous meeting. So we have now the whole thing working; it can deploy the labs and all that good stuff, automation of cert management and all that cool stuff.

F: Myself and Randall also had a meeting with the CRE project, and they promised to come back and join a meeting as well. Probably this one slipped their agenda, but the idea was that they will join a meeting as well, and they will show up again.

F: We're also looking into how we can maybe collaborate and get also that data set and the theory into the Knowledge Graph that we use in skier.
A: Doesn't look like it, Dan. All right, so an update about the Education SIG: that effort is still being massaged to be presented to the governing board. We have a couple folks from the governing board TAC governance committee that are reviewing it, but I'm working with folks from LF legal on a pretty awesome little presentation, an executive kind of summary for the effort. So we anticipate we'll get some forward progress on that soon and hopefully get word on what people think about the awesome education plan.

A: Last little bit of administrivia before we move on to opens: the vote closed for the adoption of the Memory Safety SIG, and 11 eligible folks voted in favor of it. There were no dissenting opinions. So therefore we will be adopting the Memory Safety group under Nell, so welcome now, on the crew, to the family. They meet every other Thursday. If you would like to participate or learn more, Thursdays at 1 pm Eastern, every other Thursday, is their call. I recognize Dave Rousseau.
G: Hey CRob, is there a landing page that we can share as we try and drum up some support for people who might want to join that SIG?

A: Well, it's funny you mentioned that, Dave. I spent the morning monkeying around with our repository, and so the short answer is yes; the long answer is it's in flight. So if anyone is interested, I have compiled all of the sub-projects and SIGs into a table and provided relevant links to their git repos, their Slack channels, their mailing lists, so that everyone can kind of see who, what, where and how. And with them just being adopted,

A: I got the note from the operations team, I think yesterday, that they had completed it. So I will begin working with Nell and that group in getting their landing page set up and kind of bringing over any existing work, because they've been toiling away for a while now, almost a year, maybe about as long as some of the other groups, some of the other SIGs, so they might have some additional artifacts they want to add into that repo. Did I answer your question, sir?
B: Just real quick, while we're doing the updates on everything else, I thought I'd do quick updates on, for the Best Practices badge, we've been having this Rails 7 update for a while; we think we're getting close. And for the security fundamentals course,

B: we think we finally nailed down what the actual truth is and therefore what we can put in the course, which is it's mostly but not completely gone, and therefore it's more complicated to talk about. So if you've got any last-minute comments, I'd love to hear it, but we heard back from our friends in Mozilla, thank you, who kind of helped us get the details straightened out. So the plan is to merge this very, very soon, unless somebody says something soon.
H: So there are two standards for parsing URLs in the industry: there's the old RFC spec, and then there's the second spec, which is the current living specification that is under WHATWG, and it defines a newer standard for parsing URLs. And the news is that, if you're using a URL parser to allow-list or deny-list a certain set of subdomains to be resolved, and the thing that is doing the resolving of the URL is different from the thing that is doing the allow-listing, you can allow-list domains or deny-list domains that, given a specially crafted domain, can resolve to something else. And yeah, so, great times.

H: Great security vulnerabilities. Orange Tsai did a Black Hat talk about this, and it covered how he chained four vulnerabilities to achieve remote code execution on GitHub, because of GitHub's filtering, I think. And he did other research. He found that, for example, a lot of PHP libraries will use PHP's URL parser, but then make requests with curl, and the PHP parser's

H: URLs are different from the one that curl uses. And I spoke to Badger, or Daniel, who runs curl, and there was a discussion about, hey, your parser doesn't support the current living standard, and he's like, curl implements the old RFC spec and not the current spec. And so what you'll find is that, because of this, a lot of older languages, for example,

H: Java, you know, curl, some of the stuff will support the old RFC spec for URL parsing, and the newer, anything web-based, so JavaScript libraries, the browsers, all that stuff, implement the new standard for URL parsing. And so we have this ambiguity in the industry about certain URLs and whether or not they are a certain host or another, different host. And I was thinking, like, maybe somebody in the OpenSSF or somewhere, we should decide what the industry should be doing.

H: You know, one or two of these things, and I don't know what the right answer to that, one of these two things, is, but it does lead to vulnerabilities, and there are probably more than we have currently found, because it's kind of an obscure bit of knowledge, anyways.
C: Yeah, welcome to my life. No, the thing that I've got to say is this sounds like something that the W3C TAG might want to get involved with, which is a group that I happen to co-chair, and it's a group that often gets in between W3C, IETF and WHATWG things that have efforts. This is something that we've covered before: how there's this ambiguity between the living URL spec and the RFC URL spec, and I'd be happy to help.

C: Basically, even though I can't imagine that those words just came out of my mouth, I'd be happy to, for this, because there's some scars. Yes, exactly. But it is something that, you know,

C: it takes getting some people in the room together to facilitate having that discussion, and those people are people like Mark Nottingham, who co-chairs the HTTP working group in IETF, and maybe some folks like Anne van Kesteren, who's currently at Apple, who's very active in the WHATWG, and both those people used to be TAG members as well. So there's something that maybe I can help with, is what I'm saying. Maybe we can.

C: Maybe we can have an off-channel discussion, if you're saying that it's something that OpenSSF as well is bringing concern to the table on; then that could prompt a deeper discussion on this topic and maybe get some people talking to each other who haven't resolved this issue yet.
H: Thank you. So, let's chat more. Yeah, David.

B: Yeah, I would not assume there's only two, okay. I mean you've got the RFC, you've got the WHATWG, you've got the older W3C spec, it was kind of implied, and frankly the WHATWG feels free to change specs at any time. I wouldn't assume that the current spec is what has always been from them. So there's probably multiple versions, and they don't make versions very obvious.

H: I spoke to Dan, who writes curl, and he's like, yeah, so we implement the RFC spec, but also with some changes, because there are stupid decisions that were made, and like...

B: Right, and you keep saying URLs, but there's also URIs and IRIs and other glorious things, so I don't have a solution. I just want to observe that the problem is even worse. So I don't have a solution, but it does seem like there's a need for one, and probably step one is collect the different specs, trying to identify the differences and at least some of the ways that they've already been exploited or could be exploited.

C: I really suggest focusing the discussion around threats. Existing threats, like: this bad thing is happening out there, let's try to fix it. Because the problem with this is, as David pointed out, there are IRIs, there are URIs, there are URNs. There are all these different things, some of which are being used in various places in the world, like academic publications and this kind of thing, and there's a lot of... so putting the focus on concrete threats.

H: The best resource that I found so far is from Daniel; I think he put a blog post up that's like, something like, my URL isn't your URL, and it's like the list of, here are all the differences, and these are all the vulnerabilities that occur because of that.
A: I might suggest, if this group finds this topic of interest, we could continue the conversation in Slack or a GitHub discussion, and then we can kind of maybe collect some of the state of the art, as some of the links are being shared here, and then potentially see who's interested and maybe excited to try to help solve a problem.

H: I don't feel at all like I know enough to engage in this topic. I can just recognize there's a problem here and know that something should be done, even though I don't necessarily have the solutions.

B: I guess one real quick, which is, I don't think, you know, if it turns out the TAG is the better group to resolve this, that's awesome, I think. Basically, at least, though, trying to collect what the problems, threats, issues are is, no matter what, the first step. So if we...

B: We could, by the way, if there's inconsistencies... the long-term solution, which is rough, is convincing different projects and libraries.

B: I'll make a quick note: for the Best Practices badge, we're ridiculously picky about URLs for repos.

B: You know, forget the spec stack; most of that stuff's not allowed. So, oh, you want the URL? It's going to be HTTP or HTTPS. Yes, you could use FTP, but we're not going to allow that. Only these characters, only this, only that. And remarkably, I've only gotten one proposed change in the last year, I think, where, hey, at symbols are allowed and we actually use them. Okay, fine. But basically, we've started by being ridiculously picky and slowly expand.
C: Yes, just briefly: I had a discussion last week. Brian Russell and Laurent Simon from Google are talking to different people about Scorecards, and so I sat on a call with them and answered questions that they had about Scorecards, and one of the things that they're talking about is introducing more content into Scorecards itself, right, so where, instead of just giving you a number, it would say these things,

C: these specific things are misconfigured, and here is the remediation, right. And that's when my ear pricked up, because I was like, okay, well, now you're talking about content, which is very similar to content that's being developed or has been developed in the Best Practices working group, and gosh, maybe it'd be good to synchronize

C: that content. And I was thinking specifically because some of these issues are already being talked about, there's an overlap between these topics and the stuff that we're talking about in the SCM discussion that are coming out of Legitify in terms of SCM configuration options, and it'd be good if they're at least saying the same thing, maybe even synchronized, or maybe the Scorecard output should be linking to some material which is being curated by the Best Practices group anyway. There needs to be some coordination, so I just thought

C: I'd kind of raise it to your attention, CRob.

A: I was a participant in one of Laurent's conversations. Laurent and Azim actually are working group members. They haven't popped in in a while.

A: They meet every other Thursday at 4 pm Eastern, which would be 1800 UTC, which would be super late for our European friends, but yeah, I think it's a worthwhile effort. We have a great long-running relationship with that team. They are officially part of this group, so yeah. Is anyone interested in trying to help wrangle a meet and greet and kind of a sync between our groups?

A: So yeah, is anyone interested in trying to set up some time with Laurent and Azim and crew, and members of this group?

A: Thank you, sir, I appreciate it. I have all the relevant links to Scorecard. If anyone... they have their own Slack and they're also in our Slack and everything, so I'll just reach out to them; they're pretty speedy in response, so I think we should be able to get something set up in the next week or so, and we would like to try to make it probably around this time, maybe a half hour further, so it'd be early morning.

A: All right, and next up, Avishay wanted to talk about the C and C++ hardening guide.
I: Right, so this update is, as you said, relevant for the C and C++ hardening guide. Basically CRob reached out to let us know that the Microsoft C++ compiler is currently not represented in the guide that is being worked on. So we have a new team member who is joining the course now, Gabriel Dos Reis, and additionally we have the BinSkim tool, which is a compiler/linker checking tool that is open source by Michael Fanning's team at Microsoft.

I: They are also currently working on sanitizing their rules, which are built into BinSkim, into a format that can be worked on by the C and C++ hardening guide, that will complement what's already there, the GCC and the Clang. So we are expecting... it's still work in progress, so it's hard to commit on a time, but safely saying that in the next three, four weeks we should have that document sanitized and ready to be digested by the same group.

A: Awesome. Any questions or comments for Avishay about that? I'll note that I'm doing something similar with Diana as part of the Intel compiler, so that we can have a representation of all the major popular compilers for developers to lean into whatever path they pick. David.

B: Yeah, those who have been deeply involved in the compiler options stuff already know about this, but there's actually a rationale for this. The GCC, Clang and Intel compilers all take the same syntax for options, and if the options are the same, they generally are exactly the same. The names of the Microsoft C compiler are quite different. Options begin with slash. All the names are different. Everything else is different, and so it makes more sense to have them as separate documents.

B: It's more like two different programming languages more than anything else. So I welcome it; I think just for simplicity's sake it makes sense for them to be in two different documents, because there almost certainly are options in one that are not in the other. They don't always do the same thing. So, if you have this situation, go here. If you have that situation, go there. Thanks.

A: So you could either wait for me to get around to doing that, or if somebody was particularly motivated, they could reach out to Nathan. I can get you his contact information.

A: All right, I'm gonna sit down, hopefully in the next couple weeks, and do a backlog scrub. Dan, David and I maybe can sit down and just Slack something to kind of get some of these things dispositioned, so that we can have a clean set of issues to be working off of.

A: Thank you, everybody, for your time, attention and participation. We will see you all very soon. The DEI subcommittee will be having a call in just about 20 minutes or so, so if you're curious about the Education SIG and our DEI subcommittee, pop on that call. We'll talk to everybody later. Have a great day.