►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
A
Put
a
link
to
our
agenda
in
the
chat.
So
if
you
could,
please
Mark
your
attendance.
D
E
E
A
E
A
Lazy
I
don't
make
another
Google
Document,
so
I'm
using
the
best
practices.
Oh.
E
A
A
A
Okie
doke
it's
three
after
the
hour,
I
would
like
to
welcome
everybody
to
the
new
little
sub
project
here.
Around
source
code
management,
best
practices
we're
going
to
be
making
a
a
new
guideline
document
based
off
of
some
of
the
efforts
of
gnome
and
legit
security.
So
I
would
love
for
us
to
do
a
round
of
introductions,
so
we
can
all
just
get
to
know
each
other.
F
Time
down
apple
quest,
I
work
at
sneak
I'm
director
of
Open
Source,
it's
an
Open,
Standards
stuff
there
and
I'm
very
supportive
of
this
work
and
I'm
looking
to
see
how
I
can
support
and
add,
add
value
to
this
document,
and
let's
get
this
done.
F
G
E
E
Christine,
Abernathy
and
I
am
with
F5
and
the
open
source
program
office
and
just
kind
of
like
it's
an
interesting
topic
to
me,
especially
around
GitHub
management,
specifically
because
that's
what
we've
used,
but
definitely
here
to
learn.
So
I
am
gonna
pick
Sergio
foreign.
H
Best
practice
for
open
source
project
since
I
contribute
to
some
like
other
open
source
projects
and
I
pick
Jay.
H
You
guys
are
killing
me
softly
now.
You
get
me
right
in
the
middle
of
a
set
trying
to
come
I'm
on
my
phone
any
case
this
is.
This
is
Jay
Jay
white,
with
Microsoft
I'm,
all
over
the
place
in
in
the
open
ssf.
H
A
lot
of
working
groups
do
a
lot
of
things,
but
one
thing:
a
couple
of
things
that
are
near
and
dear
to
my
heart
was
a
source
code
management
I,
had
the
pleasure
of
doing
a
lot
of
audits
and
and
a
lot
of
a
lot
of
odds
and
a
lot
of
advisory
projects
around
source
code
management,
and
you
know
not
surprising
to
the
people
on
this
call,
but
you,
but
to
those
who
who
would
be
surprised
at
a
lot
of
the
a
lot
of
the
crazy,
a
lot
of
the
craze
that
goes
on
organizations
around
around
maintaining
their
source
code
and
et
cetera,
so
I'm
here
for
it
and
I'm
ready
to
rock.
H
I
All
right,
I
can
do
it.
I'm
Randall
I
come
from
Gen
2
I'm,
also
involved
in
SKF
and
now
involved
in
LF
and
I,
like
Jay.
Do
a
bunch
of
stuff
around
open,
ssf,
I'm,
pretty
much
everywhere
and
yeah
pretty
much.
That's
me
and
the
go
next
avishays.
D
Thanks
Rhonda,
so
yeah
I'm
also
in
the
car.
Are
you
in
the.
D
D
I'm
gonna
be
shy
with
with
Microsoft
I'm
involved,
with
with
the
best
practices
and
the
education
working
groups,
software
Engineers.
So
much
of
my
work
is
a.
H
E
D
B
C
Thanks
Tom,
actually
he's
not
so
far
from
me,
so
yeah
I'm,
leading
the
research
here
at
the
legit's
theory
and
the
topic
of
SCM
best
practices
is
really
close
to
our
hearts
and
I
really
hope
we'll
be
able
to
do
provide
a
lot
of
from
a
lot
from
our
insights
on
this
topic
and
I'm
sure
we
will.
We
will
get
a
good
project
out
of
this
topic.
C
A
All
right
well,
next
up,
we
don't
have
any
opens
yet,
since
this
is
our
first
meeting
but
could
I
ask
someone
on
the
call
here
to
help
assist,
taking
notes
for
us
so
that
those
that
couldn't
attend?
Thank
you,
Dan,
oh,
and
we
have
one
more
new
friend
looking
to
join
us
Jonathan.
Would
you
like
to
introduce
yourself
to
the
group.
G
Interesting
hi,
my
name
is
Jonathan
lichu
I
am
and
open
source
security
researcher,
currently
working
for
the
Linux
Foundation
under
the
open
source
security
Foundation
no
other
way
around,
but
anyways
yes
and
I'm
part
of
project
alpha
omega
as
the
security
researcher
role
so
yay
fellow.
A
Excellent,
so
that
should
be
everyone
Welcome
Friends.
As
always,
these
meetings
will
be
recorded
so
that,
if
someone
missed
the
call
they'll
be
able
to
look
out
on
our
YouTube
channel
and
watch
a
meeting
happen
very
exciting
long
term.
As
we
move
forward
I'm
going
to
look
to
one
of
our
working
group
collaborators
to
potentially
try
to
co-lead
this
effort.
A
For
us,
our
collaborators
are
listed
on
our
GitHub
repo
page,
and
those
are
folks
that
have
been
long
term
with
the
working
group
have
demonstrated
their
enthusiasm
participation
and
we
just
like
to
have
those
folks
try
to
help
Shepherd
things
so
I
don't
have
to
end
up
running.
Every
single
thing
would
be
super
groovy,
so
think
about
that.
Anyone
that
is
a
collaborator.
Please
consider
that,
let's
talk
about.
G
Know
can
we
can
we
also
get?
Can
we
can
we
carve
and
copy
you?
So
we
can
get
two
of
you
so
that
you
can
like
run
like
the
meetings
that
are
dual
booked
on
the
same
hour
or
two
or
three?
Maybe
we
just
need
to
get
you
a
a
Harry
Potter
Time
Turner,
so
you
can
go
back
in
time
and
co-chair
the
meetings
that
are
that
are
now
overlapping
one.
Another
I.
A
Don't
know
I
think
one
of
you
is
more
than
enough,
but
thank
you
for
the
praise.
Let's
talk
about
the
existing
guide
Noam.
Do
you
want
to
talk
about
the
project
that
you
started
and
that
we're
looking
to
contribute
and
will
be
the
basis
for
this
best
practices
guide
going
forward.
B
So
thanks
so
can
I
share
my
scan.
You
can
just
show
the
guitar
and
the.
B
Sick
and
so
basically,
we've
developed
and
open
source
tool
that
scans
currently
it
supports
GitHub
and
gitlab
and
find
a
many
misconfigurations
and
security
issues
from
our
knowledge
and
legit,
and
so
we
have
this
tool
and
also
we
created
this
database
of
policies.
So
this
is
the
repository.
B
Get
directions
collaborators
and
Etc,
and
we
also
also
have
the
database
over
here
that
lists
all
of
all
of
our
policies
to
date.
So,
whoever
some
nice
content
over
there,
it's
it's.
You
can
see
the
it's
it's
divided
by
the
namespace,
so
we
call
it
namespace
here.
So
there
are
actions
and
members
organizations
group,
and
we
also
have
this
for
a
gitlab.
B
A
All
right,
if
you
could
drop
a
link
to
this
repo
in
the
agenda.
G
A
Be
great
sorry,
so
what
questions
do
we
have
right
now
about
the
tool
and
about
where
we
want
to
get
started?.
E
B
F
Do
we
think
that
we
want
to
Drive
the
content
of
whatever
this
guide
is
from
Rules
from
a
database
or
and
or
sorry?
Or
do
we
think
that
it's
better
to
take
a
snapshot
of
what
these
rules
are
bring
them
over
into
a
like
a
markdown
and
then
work
on
it
from
there
and
iterate
on
the
markdown,
because
the
because
I
can
see
advantages
to
both
ways
of
working
one
of
them?
F
The
advantages
to
the
the
first
way
is
that
you
only
have
to
change
something
in
the
database
in
order
to
affect
the
change
in
the
document
right,
so
you
Auto
generate
stuff
based
on
on
that.
F
F
So
if
we
expect
people
to
like
join
us
join
our
journey
by
reading
a
document
which
is
like
educational
material,
then
we
want
it
to
be
kind
of
welcoming,
and
you
know,
with
a
lot
with
some
explanatory
material
attached
to
it
and
and
organized
in
a
way
that
kind
of
makes
sense
for
when
you,
when
you're,
when
you're
working
your
way
through
a
document
like
this
and
and
so
that,
that's
where
I
I
kind
of
want
to
get
to-
or
you
know
like
from
editorial
perspective,
I
think
that
would
make
sense
and
I'm
just
trying
to
think
about
people
coming
to
it
from
from
that
perspective,
rather
than
coming
to
it
through
the
tool.
F
So
I
guess
one
of
the
questions
that
I
have
is:
how
often
do
the
rules
change?
Do
we?
You
know
what
what
do
we
all
think
about
that
am
I
are?
Are
these
the
right
questions
to
be
asking.
A
I
I
see
Merit
in
both
approaches,
Dan
pros
and
cons
on
both
sides
being
a
double
English.
Major
I
personally,
prefer
the
latter
education
person
I'd
like
to
see
a
beautiful
document
with
pictures
and
links,
but
there's
nothing
to
say
that
we
couldn't
go
with
the
former,
so
it'll,
just
kind
of
up
to
the
people
that
want
to
contribute
to
this
group.
What
you're
interested
in
collaborating
on
and
kind
of
what
we
want
to
deliver
as
a
team
going
forward,
Christine.
E
One
thing
that
was
useful
because,
when
I
was
consuming,
this
dock
is
again
just
having
to
kind
of
Click
on
each
one
of
those
to
try
to
figure
out
for
whatever
it
is.
That
I
was
interested
in
what
I
needed
to
turn
on
and
off
what
are
the
pros
and
cons
and
in
a
nice
readable
way,
and
also
what
would
be
useful
is
that
kind
of
keeping
in
mind
of
who
is
the
audience
for
this
talk,
let's
say
I'm
coming
at
it
from
I
am
an
open
source
maintainer.
E
What
should
I
be
paying
attention
to
or
I
am
somebody
who's
managing
our
admin
administrating,
the
GitHub,
all
what
should
I
be
paying
attention
to
so
for
the
different
audiences?
What
are
the
things
that
we
need
to
kind
of
have
on
and
on
and
also
for
the
policies?
How
can
we
customize
it
and
make
it
easy?
And
then,
after
that,
post
we've
set
it
up?
How
do
we
continuously
Monitor
and
manage
it?
So
those
are
some
of
the
things
that
I
found
would
be
useful.
I
I
I
know
that
there
are
some
other
tools
that
do
similar
functions
so
at
some
point
I
think
it
would
be
nice
to
do
or
compare
and
contrast
what
we
do
versus
what
they
do
kind
of
there's
some
other
tools
that
right
now
are
very
popular
but
I
think
well,
at
least
from
the
what
I've
received,
probably
because
of
what
I
received
I
received
a
lot
of
stuff
about,
like
finding
people
secrets
on
their
GitHub
but
I'm
pretty
sure.
That's
the
other
way
around.
G
C
Sorry
just
wanted
to
add
that,
first
of
all,
if,
if.
C
It's
another
thing
that
we
can
definitely
add
to
the
to
the
best
practices
guide.
We
were
more
focused
on
the
configuration
aspect
and
settings
like
various
settings
that
sem's
provide
you
with
and
with
regards
to
the
database.
C
So
the
way
it's
currently
maintained
in
with
legitify
is
with
Regal
files,
and
it's
maybe
Norm
can
can
share
how
it
looks
like,
but
this
is
something
that's
very
easy
to
maintain
if
we
feel
like
it's,
the
idea
behind
using
Rigo
files
was
so
that
it
would
be
easy
to
contribute
to
so
that
people
will
be.
People
could
easily
easily
add
new
policies
and-
and
it
includes
a
few-
a
few
parameters
for
each
policy
like
what's
the
threat
behind
each
policy
with
severity
and
Remediation
steps.
C
So
all
this
data
is
a
historian
in
in
those
textual
Rigo
files.
So
I
don't
know
if
it's
something
to
consider,
but
just
so
you
know.
A
Thank
you
for
that.
Have
a
share.
D
G
A
I
A
I
I
I
kind
of
like
what
abishay
was
saying.
I
was
also
going
to
add.
Maybe
first
it
would
be
good
to
determine
like
what
the
scope
of
the
tool
would
be,
because
you
know
there's
a
lot
of
other
stuff
out
there
and
if
we
don't
need
to
necessarily
take
care
of
it
than
we
shouldn't.
A
I
think
it'll
be
important
for
us
to
set
some
long
and
short-term,
very
clear
goals.
What
we
want
to
do,
I,
there's
a
lot
of
things
we
can
do
and
potentially
could
do,
but
I
think
we'll
be
more
successful
in
achieving
something
if
we
State
and
we
will
focus
in
on
a
thing
in
the
short
term.
A
So
you
know
short
term
could
be
documenting
a
process
to
update
the
database
or
creating
a
consumer
consumable
document
that
describes
all
the
good
practices
for
a
source
code,
securing
a
source
code
management,
repo,
so
I
think.
As
a
group,
we
should
decide
on
kind
of
what
our
goals
and
objectives
can
be,
and
then
we
can
kind
of
prioritize
them
and
start
to
zero
in
on
what
we
want
to
work
on
first,
first
next
and
then
future.
F
Maybe
we
could
focus
in
on
this
goals
thing
and
that
that
could
help
to
to
get
us
moving.
F
I
I
think
that
this
is
about
configuration
primarily
so
I
actually
think
like
Secrets,
which
was
mentioned
earlier.
I,
think
that
might
be
out
of
scope
for
what
for
what
we're
trying
to
do
here
and
the.
F
F
Trying
this
is
stuff
that
we
haven't
talked
about
in
other
places
yet
and
and
to
me,
like
two-factor
authentication
is
the
thing
that
I
always
use
as
the
poster
child.
It's
obviously
not
the
only
thing
in
here
that
would
be
a
pretty
small
document,
but
like
to
me
that
that's
what
that's,
what
I
use
when
I,
when
I
tried
when
I
talk
to
other
people
like
within
my
company
about
why
we
should
get
it?
F
Why
why
this
is
gonna,
be
an
important
effort
and
so
I
think
we
should
try
and
put
the
focus
on
on
on
configuration,
and
that
would
so
I
think
the
the
statement
that
you
made
Pro
about.
We
will
focus
in
on
creating
consumable
document
that
describes
the
practices
for
securing
a
source
code
management
repo.
F
A
And
there's
nothing
to
say:
we
couldn't
expand
or
write
additional
things
in
the
future,
but
it's
I
think
it's
good
for
the
group
to
have
kind
of
one
to
two
goals
that
we
can
all
kind
of
get
behind
and
we're
more
likely
to
deliver
something
in
a
timely
manner,
as
opposed
to
trying
to
work
on
eight
things.
At
the
same
time,.
A
So
does
everyone
agree,
or
do
you
disagree
with
what
Dan
said
about
maybe
starting
off
with
a
document
focusing
in
on
those
configuration
items
as
kind
of
the
the
theme
of
what
we
want
to
deliver?
First.
I
A
Any
other
thoughts
or
suggestions
counter
or
in
support.
G
I
have
a
quick
question
Roy
for
you,
this
scanner
that
you
currently
have
as
it
is,
can
only
be
run
with
permit
with
elevator
permissions
on
the
repository.
This
is
not
something
that
anybody
externally
can
run
this
scanner
against
a
project.
They
have
to
be
an
admin
correct.
C
G
All
right,
the
the
reason
that
I'm
asking
is
Alpha
Omega
is
always
looking
for
additional
scanners
to
scan
repositories
to
like
find
common
misconfiguration
vulnerability.
So
if
it
was
something
that
anybody
could
use
for
us,
I
think
that
it's
less
useful
for
us,
because
we
can't
right
we're
not
going
to
become
admins
on
every
single
directed
across
the
internet.
Unfortunately
so
yeah.
But
thank
you.
Thank
you.
A
Well,
I
I
would
counter
that
Jonathan
isn't
Alpha
and
Omega,
typically
like
a
consultative
engagement
where
you're
working
with
the
maintainer
or
project.
So
potentially,
you
could
use
this
tool
in
concert
with
the
maintainer.
Maybe
the
maintainer
might
run
it
on
your
behalf
and
share
the
output
potentially
Alpha.
G
Not
omega
omega
is
a
wide
Alpha
eye
projects,
so
yes
for
Alpha
Omega,
because
we
are
building
a
working
with
yesnia,
we're
building
a
portal
for
researchers
like
myself
and
as
to
have
aggregate
results
from
a
bunch
of
different
scanning
tools,
including
code
ql,
and
you
know
a
bunch
of
other
tools
that
are
all
run
against
repositories.
We're
looking
for
tools
like
this
one
to
be
able
to
give
us
a
signal
of
this
is
a
common
security
vulnerability
that
we
can
fix
across
the
entire
organization
or
these
repositories.
F
What's
the
status
of
the
legitify,
because
I
know
that
has
legitified
or
how
has
have
you
all
worked,
sorry
contributed
or
suggested
to
contribute
that
work
or
that
database
into
openssf
as
itself
or
or
is
that
I
I'm
I'm
just
a
little
unclear
on
what
the
current
status
is.
F
Just
thinking
sorry
I,
because
we
had
a
bit
of
a
discussion
about
driving
it
by
the
driving
the
document
from
the
database
or
or
taking
a
cut
of
the
database
and
writing
a
document
and
I'm
just
trying
to
think.
If
there's
how
you
know,
I
think
the
first
option
only
makes
sense
if
the
database
is
an
openssf
database
right
versus
being
a
database,
that's
actually
owned
by
some
some
one
entity.
F
Do
you
see
what
I
mean
or
am
I
or
am
I
wrong?
I
mean
I
that
that
to
me,
I
and
again,
I
I'm,
coming
back
to
how
I
I'm
kind
of
thinking
about
this
and
how
I
think
it
would
be
most
useful
for
people
is
if
they
are
coming
to
a
document
that,
or
you
know,
there's
a
document
that
can
be
distributed
or
it's
at
an
end
of
a
URL
that
it's
it's
a
bit
like
the
the
concise
guides
or
the
other
best
practices
material.
F
That
then
contains
a
lot
of
links
off
to
here's.
Here
are
the
things
that
we
think
you
really
need
to
think
about.
Here.
Are
the
rules
right
or
and
here's
why
they're
important
and
then
here
are
the
tools
that
you
can
use?
You
know
that
are
provided
by
open.
You
know
open
ssf
members
which
help
you
help
you
keep
to
those
so
anyway
that
that
sorry,
that's
kind
of.
What's
behind
my
question,
I'm
just
trying
to
figure
out
right.
What's
the
best
way
forward,
go.
A
F
B
How
the
database
looks
like
inside
the
energy
file?
Basically,
we
have
the
policies
inside
LEGO
files
in
the
source
code
and
we
have
an
automatic
process
that
takes
them
and
creates
from
them
A
yaml
and
A
markdown
slides.
Now
there
are
two
options:
one
is
to
lesson
to
show
you.
It
looks
like
this.
This
is
the
the
regular
files
with
the
with
the
policies,
what
we
saw
in
the
GitHub
Pages
description,
titled,
threads
and
all
the
data
we
take
this
and
create
DML
and
then
generate
the
GitHub
Pages
for
markdown.
B
So
we
can
either
take
this
data
and
move
it
inside
and
ossf
Repository,
and
we
can
do
it
like
whenever
we
create
new
policies
and
then
to
compile
something
that
is
more
easily
consumed,
because
I
I
don't
think
for
now
that
you
want
us
to
move
the
entire
tool
into
ossf
and
coordinate
if
I'm
wrong.
B
So
I
think
the
process
is
to
generate
that
these
policies
move
them
to
an
also
Fair
repository
and
then
compile
them
to
something
that
is
more
consumable
and
what
we
want
to
generate.
The
eventually.
C
Can
I
ask
just
out
of
curiosity
what
would
be
required
say
say
we
want
to.
We
eventually
decided
we
want
to
use
the
GFI,
as
is
in
the
open
sfab.
What
would
it
require
like
which
modification
would
be
required
to
use
it
as
an
official
open,
sff
two.
A
There
is
a
process
for
donating
intellectual
property
and
software
and
I
can,
if
we
want
to
go
that
route.
I
can
share
that
with
you,
gentlemen,
there's
you
know,
I
got
a
talk
with
LF,
legal
and
other
than
probably
your
legal
team
and
whatnot.
So
there
is
a
process
if
we
want
to
go
down
that
route,
I'm
not
suggesting
we
go
down
that
route,
but
that
is,
you
know,
potentially
an
option
if
you
guys
are
interested
in
doing
that
or
if
the
group
feels
that
very
strongly
they
want
that
done.
H
Yeah,
so
so,
what
that
will
all
that?
Well
before
we
jump
into
the
real
technical
parts
of
this
I
might
I
my
suggestion.
I
guess
in
this
regards
to
take
a
step
back
and
make
sure
we
ironed
out
our
our.
Why?
H
What's
the
what?
What
is
our,
what
is
our
intent
in
producing
this
guide
right?
What
what,
when
the
person
picks
up
the
guide,
what
are
they
going
to
get
from
it?
What
are
they
not
going
to
get
from
it
and
and
and
then.
H
What
are
they
going
to
get
from
it,
whether
they're
not
going
to
get
from
it?
And
then,
ultimately,
you
know
what's
up?
What's
what's
our
intent
behind
the
guy
to
you
know
to
begin
with
right,
so
we
you
know
we're
producing.
This
is
we're
producing
this
guide
in
order
to
provide
the
the
reader
or
something
the
ability
to
do
X,
Y
and
Z,
so
that
they
can
avoid
this
right
so
that
everything
that
comes
after
that
you
know,
if
they're,
avoiding
whatever
we
tell
them,
they're
going
to
avoid
hey.
H
We
win
right
and,
of
course
that
allows
us
to
expand
and
contract
the
scope
of
the
document
right.
So
we
can
say
well
what
about
these
things,
and
then
we
can
put
that
stuff
in
the
attempt
of
them.
What
gets
created
from
that
is
the
ability
now
to
make
sure
we're
focused
throughout
the
technical
portion
of
the
document,
with
the
the
tools
and
the
services
that
are
provided
towards
making
sure
they
have
the
outstanding
source
code
management.
H
I
I
I
I,
and
so
please
somebody
ask
us
I,
said
a
lot
of
words
there.
So
ask
a
question:
if
that,
if
I,
if
I'm,
not
if
you
didn't
understand
what
I
would
or
if
there's,
if
it's
not
understood
what
I
just
said,
I'm
in
the
middle
of
a
working
set
here
saying
this
stuff,
so
I'm
rambling
at
this
point
trying
to
get
my
blood
to
my
brain,
so
I
can
verbalize
the
stuff
the
best
I.
Can
please
ask
questions
yeah.
F
I
I
think
what
we
need
to
do
is
start
with
a
with
a
markdown
and
start
like
like
mocking
up
what
we
think
that
we
want
this
document
to
look
like
and
how
we
want
it
to
read
and
I'm
totally
willing
to
contribute
to
that
effort.
F
If,
in
that
process,
we
feel
we
start
to
feel
like
you
know
what
we
could
strip
these
bits
in
to
this
document
automatically
through
a
yaml
process
or
or
however,
then
I
think
that
that
makes
sense.
If,
if,
through
that
process,
we
determine
you
know
what
actually
we
need
to
reorder
these
things,
there's
an
awful
lot
of
editorial
work
that
we
need
to
do.
Maybe
it
makes
sense
to
maintain
it
separately
from
the,
but,
but
but
but
sort
of
you
know,
triggered
by
changes
to
the
to
the
to
the
source
files.
F
Then,
then,
then,
so
be
it,
but
to
to
to
Jay's
point
I
think
if
we
start.
F
With
the
document-
and
you
know
we'll-
try
and
put
the
focus
on
that,
then
then
we're
going
to
end
up
with
something
you
know
right
now.
We
there
there's
not
a
lot
to
to
focus
on
I
mean
there
there's
a
lot
there
there's
a
lot
of
great
stuff
there
I'm
not
downplaying
to
work
at
all
I'm,
just
I'm,
just
saying:
let's
try
and
come
at
it
from
a
perspective
of
we
want
to
produce
this
document,
let's
figure
out
what
should
be
in
it
and
what
what
the?
F
Point
about
who,
who
Who's
Who
are
the
different
people
that
are
picking
this
up
and
what
what
do
we
want
them
to
get
out
of
it.
A
So
I
think
that
is
a
good
Next
Step
Dan.
So
what
I
might
ask
is
that
maybe
noem
can
get
us
an
output
of
the
yaml
file
into
our
repo
and
I
will
put
I
just
created
a
folder
for
us
wait
till
the
typing
is
done
now.
If
you
could
do
an
export
of
the
current
data
into
this
folder
that
will
be
super
groovy
and
then
we
all.
A
So
if
you
could
do
that
this
time-
and
maybe
we
can
start
to
talk
about
that
next
time-
I
also
put
a
suggestion
in
we
might
want
to
make
some
user
stories
to
kind
of
help
shape.
What
we're
looking
to
do,
I
think
there's.
Definitely
the
maintainer
perspective.
How
can
the
maintainers
take
actions
to
protect
themselves?
There's
the
potential
for
an
open
source
consumer,
maybe
as
an
open
source,
consumer
I,
need
to
understand
the
security
posture
of
how
software
projects
I
use
store
their
software.
F
I
I
see
from
the
from
the
perspective
of
who
this
is
aimed
at
I,
see
this
I
see
us
bows
as
being
one
of
the
key
kind
of
like
constituencies
for
this
right
or
organizations
that
are
trying
that
are
yeah
that
are
trying
to
get
with.
F
A
That
sounds
great,
so
first
homework
is
no
one.
Please
get
us
that
export
into
the
folder
a
second
bit
of
homework
would
be
for
everybody,
think
about
what
personas
or
what
type
of
roles
we
want
to
address.
And
then,
if
you
have
any
user
stories
attached
to
those
personas,
that
would
be
useful
to
kind
of
help
steer
that
and
then
we
can
all
as
a
group
kind
of
chew
on
that
and
decide
what
we
want
to
address
immediately
and
What
needs
to
go
into
the
backlog.
So
to
speak.
A
A
As
you
have
ideas
and
then
we
can
and
we
can
either
use
the
the
readme
as
the
source
of
Truth
or
if
it's
particularly
Dynamic,
we
can
use
this
or
another
Google
document
as
we're
iterating
over
what
the
final
scope
and
personas
are
and
then
ultimately
how's
it
in
the
markdown
file.
A
As
you
can
see,
there
are
some
opportunities
co-editing,
it's
occupied.
At
the
same
time,.
A
Any
other
thoughts,
questions
desired
outcomes
for
our
next
call.
A
All
right
and
then
a
third
piece
of
homework
is
going
to
be
we'll
be
looking
for
someone
to
help
co-lead
this
effort.
I
will
put
a
cattle
call
out
to
this
group
and
the
whole
BP
community
and
I
need
to
update
the
best
practices
repo
with
some
new
updated
attendance
information.
A
But
so
we
will
take
a
look
at
the
exported,
yaml,
markdown
file,
think
about
personas
and
user
stories
and
then
consider
who
we,
who
is
interested
and
has
the
time
to
be
able
to
help
herd
us
along
this
path.
A
If
you
really
want
to
do
it
now
great,
if
you
want
to
take
some
time
and
Ponder
feel
free,
we'll
talk,
we
make
that
the
first
agenda
item
next
time,
if
anyone
so
ideally,
we
have
a
couple
people
that
are
willing
to
help
Wrangle
the
efforts.
So
that
way,
no
one
person's
overly
burdened.
A
I
Real
quick
I
know
that
we
have
a
lot
of
different
personas
floating
around
in
different
user
groups.
At
some
point,
are
we
gonna
like
archive
those
so
that,
if
like
no
or
anyone
wanted
to
reference
them
because
I
know.
E
A
The
personas
I
typically
use
are
from
the
vulnerability
disclosures
working
group
they've
been
published
for
several
years
now.
Yep.
We
can
definitely
alter
and
add
to
those,
but
they
they
tend
to
be
very
high
level.
So
they
they're
not
going
to
have
anything
like
a
repo
or
an
org
admin,
but
they
would
have
open
source,
maintainer
or
open
source
consumer.
So
we
may
need
to
either
add
on
to
those
if
we
want
to,
but
there
is
no
move
yet
for
an
organizational
wide
library
of
personas.
A
I
A
If
you're
in
one
of
my
working
groups,
I
always
Source
the
vulnerability
group
but
I'm
open
to
being
persuaded
to
use
different
sets
and
then
again,
we
can
always
augment
and
add
on
specific
use
cases
and
specific
views.
If
we
need
to.