From YouTube: OSS-SIRT SIG - Part of BEST WG (November 29, 2022)
B
Know right, I'm not gonna lie, I was, I was here. Let's see if you can see me since, oh.
B
B
A
Back in days of yore, how you did upgrades was the law firm bought brand new servers for our headquarters in Cleveland and then our second headquarters in LA. Then we go fly out to LA, for California, for a month, and we would take those devices, install them in LA, and then take those servers and kind of cascade them down the coast, down to Irvine and San Diego and Woodland Hills, and so yeah.
B
Yeah, very nice. Yeah, I do a lot out here, because I do some stuff with Broadcom and UCI and stuff like that, and I.
B
A
Not bad. I was always shocked. We had the on-site administrator we had there, Alice. She would, like, whenever we got done with our upgrades early, she'd take us for a drive around the county, and Ohio has incredibly low cost of living, and we were driving around and she pointed out, she, see that house on the hill? Like, yeah, that used to be like Richard Nixon's house and that just sold for like three million dollars.
C
B
B
Cool, yeah. Well, I remember that, like, because, you know, in Irvine, like, everyone's a celebrity, so we had Mark McGuire used to come to our church, and the CEO of Verizon.
B
That's actually a funny story, because Verizon has terrible signal in Irvine and, as it turns out, the CEO of Verizon had to rent some space from, like, our church repair from our parish, because I grew up Catholic, so, but yeah, he had to rent some space to put up a fake tower to get cell phone reception at his house.
C
East Coast, nice, so just an hour and a half outside of DC, in Maryland, in the countryside.
A
But I work with the gal Katie, and she used to work in the government and her husband's in the FBI. So they were downtown DC and they finally just got fed up with it, because they were installing an Amazon warehouse or distribution center like right down the block from them, and they officially shut down that whole part of the city. So they got fed up and they just bought property on the side of a mountain in Virginia.
A
And it's like literally on the side of a hill and they're building an A-frame cabin, and she's, her two requirements were it had to have a secret door and.
D
A
C
B
A
A
D
My, my.
A
Wife has cousins and they're in, just east of downtown Denver.
D
A
C
D
But the average starter home, as you guys were talking about home prices, the average starter home in Colorado is pushing seven hundred thousand dollars or so.
A
A
All right, I posted the agenda. If you have anything you'd like to talk about, please add it. I just, the only topic I had was I would love to get the group's feedback on the total plan by Friday, because I'd like to get the proposal, that basically all the math done, and get that bundled up and wrapped up and formally given to the tech next week.
A
B
Talk about that, yeah. I put on there, I think it's 1.4 and 2.2 are kind of both related to the same thing. So I was going to ask permission, or what you guys thought, if I just integrated the two or I made 1.4 a sub-item of the engagement model. So after the engagement model is established, then basically the outreach happens.
A
I don't have a problem with that. What does everybody else think?
A
B
Right, and then the other thing I was going to add real quick was, in your diagram probe, you already kind of established some service areas, like communication, I think, was one that was established. So did we want to start, maybe, like, because I know that we talked about the FIRST structure, but I feel like maybe starting at least in service areas, and then services, would not be bad, and then we don't have to get into functions, sub-functions.
B
I know they get real crazy with it, but at least service areas, and like then we can add the services underneath that. Would that be good for.
A
2.1 to help, okay, yeah. That would be good, I'm perfectly fine with that. That was kind of the next logical evolution, was to, I mean, what I did, he's looking at SEC goal 2-1 of the plan, I put a diagram in where I lined us up to show the FIRST PSIRT Services Framework has seven service areas of things that a product security team should do, and I just basically kind of roughly lined us up to that.
A
Just to show we're not making this up, we have some foundation in a working model, and then it gives us the ability, you know, I have the stakeholder ecosystem management bucket. We can change the name for that, but that's basically kind of what we're doing with section one, is where we're talking with upstream and maintainers and researchers, trying to get opinions to formulate how we want to manage this, the CERT, so that a lot of that would eventually kind of fall into a service in that area, just as a for example.
A
A
And that's where kind of the siren service idea comes in. That would be a particular service underneath that, like a service area six kind of thing.
B
Another input that I had, this is last on my notes, is, and I kind of shared this with you, is that nowhere in the plan do we ever actually, like, say where we're going to identify stakeholders, and I know that stakeholders is on this diagram as well, stakeholder ecosystem management, so I just wanted to point that out, just because I feel like I.
B
Think that, like, the projects that we're going to be working with are kind of the more important stakeholders, but I think having, you know, how would that work? Would it be like they would have to elect a representative? Or some of them do have security teams, some of them do not, you know. I also noticed that in FIRST a big focus is helping people establish their own sort of PSIRT if they don't have one, which is, you know, so, I don't think we have that in the plan.
B
But I was maybe going to touch things up here and there, but I did send in my PR just so you guys know where I feel my section is more or less finalized. But yes, sorry.
C
I was gonna say, 1.2, survey the search intended audiences, the closest alignment we have with understanding who those stakeholders are, and that could very easily be modified to include that milestone. So, like, we've got developed questions and then gather this big feedback. You can, under analyze results, you can determine, identify stakeholders as part of that result, output and development of the report.
A
Thank you, and if you scroll up a little bit to 1-1, I did a very basic, highly inaccurate Venn diagram of kind of five stakeholder groups, with the CERT being one of those groups. You know, we want to make sure we're taking care of our people as well, but of those, kind of, those are some areas of, some types of stakeholders from what you want to account for.
A
Okay, yeah, I have no problem, and as we continue in our kind of review and tightening up the plan, if anyone has ideas of suggestions for diagrams, let me know. I've got my diagramming tool loaded up here. We can get some rough stick figure people in there to illustrate points, if someone feels something would benefit from an illustration.
B
A
B
Okay, so art, I'll be changing around engagement model. I really like what they had for developer outreach because they broke it down really well.
A
So any other, anything else we'd like to discuss today? Any other thoughts you might have for where we want to go next?
A
Yes, I would, I, don't spend any money, but anything that is like, I want to write a process or I want to draw a diagram, that type of the small things that are just volunteer hours, please feel free to start working on, that would be A-okay, but understand that we may need to pivot, so potentially don't invest a million hours in it and then be very angry when it gets knacked.
C
C
We would be required to develop what is the expected outcome of those discussions with those particular project maintainers. I would also say that in January, and I want to say it's the end of January, there is the virtual open source maintainer summit, that they're inviting a few different open source foundations to come, and open source project maintainers to come, and like share their experiences and understand more things about it.
C
So it might be interesting to get the results of that, or put in a request for, like, the survey results, because they are developing a survey to collect additional information about maintainer and foundation and interactions with OpenSSF, and kind of what are those expectations of services, all of that, so that might be beneficial. Same thing with the open source security teams, Kubernetes, Apache, those ones: if we've already defined what it is that we're looking to get out of it, those conversations could potentially start happening.
C
A
I agree. I don't think we have our survey yet, so I think that'd probably be a first step, is to write down what questions, what objectives we want, and then I agree, we absolutely should start talking to these folks, because that's the long poll, and a lot of this is getting that feedback and thinking about it. Do you know who's organizing the maintainer summit? Is that an LF.
A
Okay, so like, so then we, I did. We definitely have a contact to reach out to for.
E
Hi, who is writing and issuing the survey? Is that us, someone else?
A
We could start writing that anytime we'd like.
E
B
B
E
We could do both, yeah, we can, or one first and one second. I like the interview, because, right, just said it, I can get, so you can kind of get into things, what's not, with people that way. But then, if people are busy and they're willing to spend, you know, all of three minutes clicking some buttons, you can collect that as well. So I don't, I don't know, I'm not a survey expert. That's why I'm asking.
B
E
No, or at least not that succinctly, I guess. I mean, I guess it's possible, and then my, you know, my 20 years was also, we were this odd third-party, you know, CERT. We weren't, you know, ASF's team or OpenSSL's team, or, you know, part-time of two people, right. So, you know, I was always, I ended up at a pretty big picture of you. If there was a security person doing security stuff, or they called themselves whatever, a team, I was like Jack.
E
Yes, you have somebody, that's great, we'll interface with you at your level, and that was the way forward. So yeah, not, at least as cleanly as you described it, I've not really run into that. Well.
B
That's what I started with, packaging teams, because I'm heavily involved in packaging, yeah, and that's what, I got a lot of that, like, gently. But we have a security team. Yeah, but you're not really organized like a PSIRT or like a CERT at all. But why do you have to be? And then it gets into this, like, yeah, but we've had this for like 20 years and we've never had an issue. Well.
E
So, you know, a way I might go try to get through that is, yeah, here, here are the services, or the things we might offer, or the things we're asking if you want. Hey, here's six things, do you already do these? Do you want these? And they say no, no, no, no, no, no. All right, we're talking about different things. If they say we call it a foo and we do five of the six already, yeah, they have a PSIRT. They just don't call it a PSIRT, right.
E
B
C
Recommendation would be, you can always start with a basic survey with some initial questions and then, depending on how some of those individuals respond, you can request to follow up with an interview, and then you can actually have that as a question, if they are open to doing like a 30-minute or a 45-minute interview. Now.
A
If we, I agree with that approach, let's start off with the survey. Maybe we target the maintainer summit to have it ready. Maybe we get some time to be able to share it as part of that, to say, hey, we have this thing.
C
Like, I can read them to you, sure. So the first, so the intent of the survey, by the way, is to curate topics and questions and framing ideas for attendees once they're at the summit. So the first one is: how long have you been a maintainer or held a leadership position in a project? What is the most important security concern for your project in 2023? Are you familiar with the OpenSSF working groups or the mobilization plan? And then there's a follow-on question about that one, like, here's their mission to assist maintainers.
C
What is the most challenging area of the project maintenance OpenSSF can assist with from a security perspective? So I can see us getting some good data out of that, for sure. Another question is: what areas are you most interested in seeing deliverables for and how would you use them? What areas are you most concerned in seeing deliverables for, and what do you think should be focused on? If you were to partner with other project maintainers on solving a particular problem in open source security,
C
what would it be? And how do you expect to be engaged in open source maintainer when such efforts request your participation and influence? And then the last three are: if you could pick one thing for the betterment of all open source, what would it be? Have you been involved in any of those activities? If so, if one, which ones? And if there were three things OpenSSF and its groups needed to know in order to be successful, what is it? So it's really about soliciting that information back from them.
E
Who sees and might respond to that survey?
C
That survey is going to be sent out to 40 individuals, I think that's the last count. It's a close.
C
They've reached out to a few different foundations and I don't remember what the current status on all that is. There is a public Slack channel in OpenSSF, it's a virtual maintainer summit Slack channel. So if you drop a line in there and want to check things out, there has been some discussions going on. No.
E
I was asking the question, sounds, at a quick glance, like, sounds like a good first survey for us, almost straight up. So I was asking, you know, is it something we can reach everyone or a wider audience with, but you've already got a plan for it. I don't want to mess up the, yeah.
C
C
B
Randall just kind of going over what I found out, so like, if you were to ask all the packaging teams, pretty much they'll all give you an explanation of why they fix things for their group of users separately, and then, if you ask upstream, they'll tell you they shouldn't do that. So what I'm trying to say is that I feel like in certain groups, you'll kind of, like, boil it down to, like, a root problem, is what I'm trying to say.
B
B
E
A
Right, so Randall's gonna make the adjustment to the plan we talked about. Are there any other things we'd like to discuss today?
A
Maybe we probably should put maybe a milestone in to say around the members of the maintainer summit, to kind of review that survey material when it's available.
B
A
We can. I think a lot of, like, the governing board isn't going to understand the nuances of the framework. Oh yeah. We will be distributed because we're not, we don't operate underneath a central authority, we're not all paid the same. We don't have, you know, control. We don't have captive engineers, we don't, aren't beholden to product managers, so to speak.
B
Another quick question that I have, Chrome, final question, I promise: I noticed that in the section two plan you have it where basically, like, milestones and all the sections kind of make up a sub number, so you have like SEC, or let me pull it up. You have two and then you have like 2.1.1, which is explanation. I basically axed all that because, like, the markdown lint doesn't really like it.
A
A
Yeah, I would, I see the numbering now. I would knack the numbering, because again explanation is just describing what this topic area is, why we want this goal, and it's not necessarily something that we will be, there aren't any costs or any resources needed for the explanation. I need to start with the.
D
A
I don't, I understand why it did that, but I don't, I don't hate it, but I don't love it. Fair, if it's a big pain in the rear, get rid of it, or if it's a big fan of the weird don't bother, but if you can, that I would prefer to maybe get rid of that. Okay.
B
E
Real briefly, so the draft completed plan, I'm not sure who you said, the attack of higher levels of, yeah, higher levels would be looking at this, and then my feedback for us. We may have changes coming from that, but there's a, we have this late January, I think, milestone of some, maybe some data coming back. Any other, like, sort of time estimates for the plan getting, whatever its process is, approval at multiple layers, the check gets written, you know, yada yada yada?
A
We are the very first group to go through this, and we are the only ones that have this, in the education SIG, we're the only ones to actually re-work the written plan. Okay, everybody else is like, well, let's do this project that'll kind of help us, it's kind of piecemeal. So I don't know. We're going to give the governing, once we go to the governing board, I would ask, you know, for a two-week comment period, but we're kind of beholden to governing board dates. Yeah, yeah, I don't know what to expect.
A
A
Can, I would imagine that, since some of these funds have already been allocated by the members, that it may, some pieces may be able to on-ramp up quickly, if there's a cost involved, because, you know, big companies earmarked, I'm going to spend a million dollars towards this effort.