►
Description
Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r
D
E
E
A
E
E
A
A
A
Okie
doke
it's
three
after
the
hour,
I
would
like
to
welcome
everybody
to
the
new
little
sub
project
here.
Around
source
code
management,
best
practices
we're
going
to
be
making
a
a
new
guideline
document
based
off
of
some
of
the
efforts
of
gnome
and
legit
security.
So
I
would
love
for
us
to
do
a
round
of
introductions,
so
we
can
all
just
get
to
know
each
other.
F
G
E
E
H
H
I
D
F
D
H
E
D
B
C
Thanks
Tom,
actually
he's
not
so
far
from
me,
so
yeah
I'm,
leading
the
research
here
at
the
legit's
theory
and
the
topic
of
SCM
best
practices
is
really
close
to
our
hearts
and
I
really
hope
we'll
be
able
to
do
provide
a
lot
of
from
a
lot
from
our
insights
on
this
topic
and
I'm
sure
we
will.
We
will
get
a
good
project
out
of
this
topic.
C
A
All
right
well,
next
up,
we
don't
have
any
opens
yet,
since
this
is
our
first
meeting
but
could
I
ask
someone
on
the
call
here
to
help
assist,
taking
notes
for
us
so
that
those
that
couldn't
attend?
Thank
you,
Dan,
oh,
and
we
have
one
more
new
friend
looking
to
join
us
Jonathan.
Would
you
like
to
introduce
yourself
to
the
group.
A
Excellent,
so
that
should
be
everyone
Welcome
Friends.
As
always,
these
meetings
will
be
recorded
so
that,
if
someone
missed
the
call
they'll
be
able
to
look
out
on
our
YouTube
channel
and
watch
a
meeting
happen
very
exciting
long
term.
As
we
move
forward
I'm
going
to
look
to
one
of
our
working
group
collaborators
to
potentially
try
to
co-lead
this
effort.
A
For
us,
our
collaborators
are
listed
on
our
GitHub
repo
page,
and
those
are
folks
that
have
been
long
term
with
the
working
group
have
demonstrated
their
enthusiasm
participation
and
we
just
like
to
have
those
folks
try
to
help
Shepherd
things
so
I
don't
have
to
end
up
running.
Every
single
thing
would
be
super
groovy,
so
think
about
that.
Anyone
that
is
a
collaborator.
Please
consider
that,
let's
talk
about.
G
Know
can
we
can
we
also
get?
Can
we
can
we
carve
and
copy
you?
So
we
can
get
two
of
you
so
that
you
can
like
run
like
the
meetings
that
are
dual
booked
on
the
same
hour
or
two
or
three?
Maybe
we
just
need
to
get
you
a
a
Harry
Potter
Time
Turner,
so
you
can
go
back
in
time
and
co-chair
the
meetings
that
are
that
are
now
overlapping
one.
Another
I.
A
B
B
Get
directions
collaborators
and
Etc,
and
we
also
also
have
the
database
over
here
that
lists
all
of
all
of
our
policies
to
date.
So,
whoever
some
nice
content
over
there,
it's
it's.
You
can
see
the
it's
it's
divided
by
the
namespace,
so
we
call
it
namespace
here.
So
there
are
actions
and
members
organizations
group,
and
we
also
have
this
for
a
gitlab.
B
G
E
B
F
Do
we
think
that
we
want
to
Drive
the
content
of
whatever
this
guide
is
from
Rules
from
a
database
or
and
or
sorry?
Or
do
we
think
that
it's
better
to
take
a
snapshot
of
what
these
rules
are
bring
them
over
into
a
like
a
markdown
and
then
work
on
it
from
there
and
iterate
on
the
markdown,
because
the
because
I
can
see
advantages
to
both
ways
of
working
one
of
them?
F
A
I
I
see
Merit
in
both
approaches,
Dan
pros
and
cons
on
both
sides
being
a
double
English.
Major
I
personally,
prefer
the
latter
education
person
I'd
like
to
see
a
beautiful
document
with
pictures
and
links,
but
there's
nothing
to
say
that
we
couldn't
go
with
the
former,
so
it'll,
just
kind
of
up
to
the
people
that
want
to
contribute
to
this
group.
What
you're
interested
in
collaborating
on
and
kind
of
what
we
want
to
deliver
as
a
team
going
forward,
Christine.
E
One
thing
that
was
useful
because,
when
I
was
consuming,
this
dock
is
again
just
having
to
kind
of
Click
on
each
one
of
those
to
try
to
figure
out
for
whatever
it
is.
That
I
was
interested
in
what
I
needed
to
turn
on
and
off
what
are
the
pros
and
cons
and
in
a
nice
readable
way,
and
also
what
would
be
useful
is
that
kind
of
keeping
in
mind
of
who
is
the
audience
for
this
talk,
let's
say
I'm
coming
at
it
from
I
am
an
open
source
maintainer.
E
What
should
I
be
paying
attention
to
or
I
am
somebody
who's
managing
our
admin
administrating,
the
GitHub,
all
what
should
I
be
paying
attention
to
so
for
the
different
audiences?
What
are
the
things
that
we
need
to
kind
of
have
on
and
on
and
also
for
the
policies?
How
can
we
customize
it
and
make
it
easy?
And
then,
after
that,
post
we've
set
it
up?
How
do
we
continuously
Monitor
and
manage
it?
So
those
are
some
of
the
things
that
I
found
would
be
useful.
I
I
I
know
that
there
are
some
other
tools
that
do
similar
functions
so
at
some
point
I
think
it
would
be
nice
to
do
or
compare
and
contrast
what
we
do
versus
what
they
do
kind
of
there's
some
other
tools
that
right
now
are
very
popular
but
I
think
well,
at
least
from
the
what
I've
received,
probably
because
of
what
I
received
I
received
a
lot
of
stuff
about,
like
finding
people
secrets
on
their
GitHub
but
I'm
pretty
sure.
That's
the
other
way
around.
G
C
C
So
the
way
it's
currently
maintained
in
with
legitify
is
with
Regal
files,
and
it's
maybe
Norm
can
can
share
how
it
looks
like,
but
this
is
something
that's
very
easy
to
maintain
if
we
feel
like
it's,
the
idea
behind
using
Rigo
files
was
so
that
it
would
be
easy
to
contribute
to
so
that
people
will
be.
People
could
easily
easily
add
new
policies
and-
and
it
includes
a
few-
a
few
parameters
for
each
policy
like
what's
the
threat
behind
each
policy
with
severity
and
Remediation
steps.
C
D
G
A
I
A
I
A
A
So
you
know
short
term
could
be
documenting
a
process
to
update
the
database
or
creating
a
consumer
consumable
document
that
describes
all
the
good
practices
for
a
source
code,
securing
a
source
code
management,
repo,
so
I
think.
As
a
group,
we
should
decide
on
kind
of
what
our
goals
and
objectives
can
be,
and
then
we
can
kind
of
prioritize
them
and
start
to
zero
in
on
what
we
want
to
work
on
first,
first
next
and
then
future.
F
F
F
Trying
this
is
stuff
that
we
haven't
talked
about
in
other
places
yet
and
and
to
me,
like
two-factor
authentication
is
the
thing
that
I
always
use
as
the
poster
child.
It's
obviously
not
the
only
thing
in
here
that
would
be
a
pretty
small
document,
but
like
to
me
that
that's
what
that's,
what
I
use
when
I,
when
I
tried
when
I
talk
to
other
people
like
within
my
company
about
why
we
should
get
it?
F
Why
why
this
is
gonna,
be
an
important
effort
and
so
I
think
we
should
try
and
put
the
focus
on
on
on
configuration,
and
that
would
so
I
think
the
the
statement
that
you
made
Pro
about.
We
will
focus
in
on
creating
consumable
document
that
describes
the
practices
for
securing
a
source
code
management
repo.
A
And
there's
nothing
to
say:
we
couldn't
expand
or
write
additional
things
in
the
future,
but
it's
I
think
it's
good
for
the
group
to
have
kind
of
one
to
two
goals
that
we
can
all
kind
of
get
behind
and
we're
more
likely
to
deliver
something
in
a
timely
manner,
as
opposed
to
trying
to
work
on
eight
things.
At
the
same
time,.
A
I
G
C
G
All
right,
the
the
reason
that
I'm
asking
is
Alpha
Omega
is
always
looking
for
additional
scanners
to
scan
repositories
to
like
find
common
misconfiguration
vulnerability.
So
if
it
was
something
that
anybody
could
use
for
us,
I
think
that
it's
less
useful
for
us,
because
we
can't
right
we're
not
going
to
become
admins
on
every
single
directed
across
the
internet.
Unfortunately
so
yeah.
But
thank
you.
Thank
you.
A
Well,
I
I
would
counter
that
Jonathan
isn't
Alpha
and
Omega,
typically
like
a
consultative
engagement
where
you're
working
with
the
maintainer
or
project.
So
potentially,
you
could
use
this
tool
in
concert
with
the
maintainer.
Maybe
the
maintainer
might
run
it
on
your
behalf
and
share
the
output
potentially
Alpha.
G
Not
omega
omega
is
a
wide
Alpha
eye
projects,
so
yes
for
Alpha
Omega,
because
we
are
building
a
working
with
yesnia,
we're
building
a
portal
for
researchers
like
myself
and
as
to
have
aggregate
results
from
a
bunch
of
different
scanning
tools,
including
code
ql,
and
you
know
a
bunch
of
other
tools
that
are
all
run
against
repositories.
We're
looking
for
tools
like
this
one
to
be
able
to
give
us
a
signal
of
this
is
a
common
security
vulnerability
that
we
can
fix
across
the
entire
organization
or
these
repositories.
F
Just
thinking
sorry
I,
because
we
had
a
bit
of
a
discussion
about
driving
it
by
the
driving
the
document
from
the
database
or
or
taking
a
cut
of
the
database
and
writing
a
document
and
I'm
just
trying
to
think.
If
there's
how
you
know,
I
think
the
first
option
only
makes
sense
if
the
database
is
an
openssf
database
right
versus
being
a
database,
that's
actually
owned
by
some
some
one
entity.
F
Do
you
see
what
I
mean
or
am
I
or
am
I
wrong?
I
mean
I
that
that
to
me,
I
and
again,
I
I'm,
coming
back
to
how
I
I'm
kind
of
thinking
about
this
and
how
I
think
it
would
be
most
useful
for
people
is
if
they
are
coming
to
a
document
that,
or
you
know,
there's
a
document
that
can
be
distributed
or
it's
at
an
end
of
a
URL
that
it's
it's
a
bit
like
the
the
concise
guides
or
the
other
best
practices
material.
F
That
then
contains
a
lot
of
links
off
to
here's.
Here
are
the
things
that
we
think
you
really
need
to
think
about.
Here.
Are
the
rules
right
or
and
here's
why
they're
important
and
then
here
are
the
tools
that
you
can
use?
You
know
that
are
provided
by
open.
You
know
open
ssf
members
which
help
you
help
you
keep
to
those
so
anyway
that
that
sorry,
that's
kind
of.
What's
behind
my
question,
I'm
just
trying
to
figure
out
right.
What's
the
best
way
forward,
go.
A
F
B
How
the
database
looks
like
inside
the
energy
file?
Basically,
we
have
the
policies
inside
LEGO
files
in
the
source
code
and
we
have
an
automatic
process
that
takes
them
and
creates
from
them
A
yaml
and
A
markdown
slides.
Now
there
are
two
options:
one
is
to
lesson
to
show
you.
It
looks
like
this.
This
is
the
the
regular
files
with
the
with
the
policies,
what
we
saw
in
the
GitHub
Pages
description,
titled,
threads
and
all
the
data
we
take
this
and
create
DML
and
then
generate
the
GitHub
Pages
for
markdown.
B
C
A
There
is
a
process
for
donating
intellectual
property
and
software
and
I
can,
if
we
want
to
go
that
route.
I
can
share
that
with
you,
gentlemen,
there's
you
know,
I
got
a
talk
with
LF,
legal
and
other
than
probably
your
legal
team
and
whatnot.
So
there
is
a
process
if
we
want
to
go
down
that
route,
I'm
not
suggesting
we
go
down
that
route,
but
that
is,
you
know,
potentially
an
option
if
you
guys
are
interested
in
doing
that
or
if
the
group
feels
that
very
strongly
they
want
that
done.
H
H
H
What
are
they
going
to
get
from
it,
whether
they're
not
going
to
get
from
it?
And
then,
ultimately,
you
know
what's
up?
What's
what's
our
intent
behind
the
guy
to
you
know
to
begin
with
right,
so
we
you
know
we're
producing.
This
is
we're
producing
this
guide
in
order
to
provide
the
the
reader
or
something
the
ability
to
do
X,
Y
and
Z,
so
that
they
can
avoid
this
right
so
that
everything
that
comes
after
that
you
know,
if
they're,
avoiding
whatever
we
tell
them,
they're
going
to
avoid
hey.
H
We
win
right
and,
of
course
that
allows
us
to
expand
and
contract
the
scope
of
the
document
right.
So
we
can
say
well
what
about
these
things,
and
then
we
can
put
that
stuff
in
the
attempt
of
them.
What
gets
created
from
that
is
the
ability
now
to
make
sure
we're
focused
throughout
the
technical
portion
of
the
document,
with
the
the
tools
and
the
services
that
are
provided
towards
making
sure
they
have
the
outstanding
source
code
management.
H
I
I
I
I,
and
so
please
somebody
ask
us
I,
said
a
lot
of
words
there.
So
ask
a
question:
if
that,
if
I,
if
I'm,
not
if
you
didn't
understand
what
I
would
or
if
there's,
if
it's
not
understood
what
I
just
said,
I'm
in
the
middle
of
a
working
set
here
saying
this
stuff,
so
I'm
rambling
at
this
point
trying
to
get
my
blood
to
my
brain,
so
I
can
verbalize
the
stuff
the
best
I.
Can
please
ask
questions
yeah.
F
If,
in
that
process,
we
feel
we
start
to
feel
like
you
know
what
we
could
strip
these
bits
in
to
this
document
automatically
through
a
yaml
process
or
or
however,
then
I
think
that
that
makes
sense.
If,
if,
through
that
process,
we
determine
you
know
what
actually
we
need
to
reorder
these
things,
there's
an
awful
lot
of
editorial
work
that
we
need
to
do.
Maybe
it
makes
sense
to
maintain
it
separately
from
the,
but,
but
but
but
sort
of
you
know,
triggered
by
changes
to
the
to
the
to
the
source
files.
F
With
the
document-
and
you
know
we'll-
try
and
put
the
focus
on
that,
then
then
we're
going
to
end
up
with
something
you
know
right
now.
We
there
there's
not
a
lot
to
to
focus
on
I
mean
there
there's
a
lot
there
there's
a
lot
of
great
stuff
there
I'm
not
downplaying
to
work
at
all
I'm,
just
I'm,
just
saying:
let's
try
and
come
at
it
from
a
perspective
of
we
want
to
produce
this
document,
let's
figure
out
what
should
be
in
it
and
what
what
the?
A
So
I
think
that
is
a
good
Next
Step
Dan.
So
what
I
might
ask
is
that
maybe
noem
can
get
us
an
output
of
the
yaml
file
into
our
repo
and
I
will
put
I
just
created
a
folder
for
us
wait
till
the
typing
is
done
now.
If
you
could
do
an
export
of
the
current
data
into
this
folder
that
will
be
super
groovy
and
then
we
all.
A
So
if
you
could
do
that
this
time-
and
maybe
we
can
start
to
talk
about
that
next
time-
I
also
put
a
suggestion
in
we
might
want
to
make
some
user
stories
to
kind
of
help
shape.
What
we're
looking
to
do,
I
think
there's.
Definitely
the
maintainer
perspective.
How
can
the
maintainers
take
actions
to
protect
themselves?
There's
the
potential
for
an
open
source
consumer,
maybe
as
an
open
source,
consumer
I,
need
to
understand
the
security
posture
of
how
software
projects
I
use
store
their
software.
A
That
sounds
great,
so
first
homework
is
no
one.
Please
get
us
that
export
into
the
folder
a
second
bit
of
homework
would
be
for
everybody,
think
about
what
personas
or
what
type
of
roles
we
want
to
address.
And
then,
if
you
have
any
user
stories
attached
to
those
personas,
that
would
be
useful
to
kind
of
help
steer
that
and
then
we
can
all
as
a
group
kind
of
chew
on
that
and
decide
what
we
want
to
address
immediately
and
What
needs
to
go
into
the
backlog.
So
to
speak.
A
A
A
A
I
E
A
The
personas
I
typically
use
are
from
the
vulnerability
disclosures
working
group
they've
been
published
for
several
years
now.
Yep.
We
can
definitely
alter
and
add
to
those,
but
they
they
tend
to
be
very
high
level.
So
they
they're
not
going
to
have
anything
like
a
repo
or
an
org
admin,
but
they
would
have
open
source,
maintainer
or
open
source
consumer.
So
we
may
need
to
either
add
on
to
those
if
we
want
to,
but
there
is
no
move
yet
for
an
organizational
wide
library
of
personas.