Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / SIRT / 1 Nov 2022
OpenSSF / SIRT / 1 Nov 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: OSS-SIRT (November 1, 2022)

Description

About
The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD)

Github Repo: https://github.com/ossf/SIRT

A

We will get started in a few moments.

A

Anybody have anything exciting going on today.

B

We've got selection in Israel.

A

Also openssl patching day.

A

If you're on.

B

Version.

A

Three.

A

All right.

A

Emily had sent her regrets, we'll give folks another minute or so, since we all just met like 14 hours ago,.

A

I guess, uh while we are waiting for folks to join Let's.

A

I can have a little small group discussion.

A

How do we feel we want to use this meeting time in the very near future, we're very close to having the draft of the plan more or less short up to pass up upwards for approval, so once that happens, and we start to move into execution mode, how do we want to leverage the full Sig time any uh thoughts or suggestions, Beyond, just kind of a readout.

C

um I would say, if sure, things of that nature feedback for stuff that needs people like stakeholder approval, because I think that we act as a stakeholder at this league. So.

A

Make a little note.

C

Here, just a.

A

Thought any other thoughts.

B

Would it be still before the actual search will start working.

A

Well, I think will be a ways away from you know, being able to coordinate anything I think the first bunch of months is going to be uh finding and installing tooling writing process and training.

A

uh I I think we're several months away from being able to do anything around CBD.

C

I know that most of our focus is being volunteer based, so I know that uh I just feel like that. That would make a lot of sense if we had a time where we could all just kind of gather and make decisions, because I know there's a lot of things. That kind of require at least the sections to work together.

C

Which I know after we present the plan is no longer going to really be a thing. The sections right.

A

um We still could folk, we could uh transform those into, uh for example, someone that's interested in developing triage documentation and then some other group might be working on that one page slick to engage maintainers but another. Another component of us could be thinking up ideas and trying to figure out a program on how to encourage volunteers.

C

Right I would say: I would say that um yeah, the the the all the issues that need collaboration between sigs I, think that would be the best use of the time here and maybe also reporting those groups that we're going to do. Group based activities, maybe a time where that or this time can be used for those groups to come back and kind of share what they got somewhere like a show and tell mm-hmm.

A

uh Francis yeah.

B

I think I think Randall has a good idea here. I would convert this with the following features like No Agenda no meeting and the nature of this sink is now for decision making between the sections and or presentation of proposals.

B

Like if we do have eventually like proposals that I that are enticing for the whole sake for the whole, like a working group to work on or say, yeah, let's adopt and like change the format but I would move to something less like even less aggressive and bi-weekly. At this point because, like you, said it's kind of moved right now we're waiting on a lot of approvals to go through and.

A

And maybe we uh become a little more disciplined and before we can have a a stub agenda and as people have things they want to share, they would put that in there and if we didn't have any topics to discuss, we would not necessarily meet.

B

I, like meetings that are canceled yeah.

A

It's like a little gift in your day.

A

All right, I think any other suggestions or comments on the kind of uh show and tell proposal, transforming this column or something like that. Once we get the plan rolling.

A

Sounds good all right.

A

Do we have any? um We have Francis from section three and Randall from section one? We have any updates on anything or do you need help from anyone uh from this group here, foreign.

C

Did Francis I looked into Vince, but we need an AWS account because I can't run it on local stack because they actually have like real AWS features. They use not just like their local environment.

C

um I was telling probe also that I talked to or got in touch to some with some other cert teams that have some cert tooling. That I put in your issue.

A

There yeah.

C

That that one The Hive looks pretty interesting. Apparently it's pretty widely used.

B

um I.

C

Think it's.

B

Posted a hive in the past, it does get the job done, but it's mostly As like on the large Gathering Place. It's less of a coordination place right.

C

Right.

B

Right.

C

So.

B

Yeah maintenance needs.

C

Right so I was I did add all that there.

B

And then there was another one.

C

That I found that was pretty open source, which was interesting because it was pretty extensible and pretty easy to like extend so I did add that one there too, the Phipps one perfect.

A

Thank you.

A

um Go ahead that.

C

One is made I think by like a cert group in in Latin America Brazil, if I'm not mistaken, so it's it was interesting because it seemed very official if you know how to read Spanish so yeah yeah, but uh but yeah, but so I did add those two for your uh consideration and both of those seemed pretty open source or a pretty vendor agnostic. If you will that's the word, I was looking for.

A

Io Francis a pull request on adding the uh cert program manager to section three so I'll get details in there. So we have a stub to have somebody to help manage running the plan once it's in place and then to help with some of the facilitation for the Sig. Once it's up and going I'll do that today.

A

uh Any additional uh thoughts anybody need anything else from the group or any other topics you want to discuss.

A

All right, we will adjourn at 11 after the hour. Thank you, everyone for your time and attention, uh if you're working on please take time this week, to look at the three sections, provide any last uh thoughts or comments through PR's, so that we can get these uh wrapped up into the tack and then the GB in the coming weeks. So uh thanks everybody enjoy the rest of your day.

B

Oh thanks.