From YouTube: OSS-SIRT (October 18, 2022)
C
Thank you, I appreciate it. It's very helpful, because we have a lot of folks that can't make this call, so they do actually read the notes. So it's very useful. It's a Brar, really appreciate it. All righty, if you have any opens, go ahead and put them into the open section; we'll talk about those after we review our sub team activities. We'll start off with section one, which is a very fine beginning. Randall, are you able to give me a quick summary of what section one has been up to?

D
Yeah, so we basically finished our plan. I will put the pull request in there, at least our initial scope of the plan. I did go back in there and noticed a couple of little thingamajiggers and, yeah, but like typos. But one thing I wanted to ask you, crop going. Let me open up my log, see, because I have a version in my log. Seek.

D
Yes, so I don't know if there was anything to add, because there was one little glitch with that. So other than that, everything is good.

C
At this time, we're not in a state to be able to talk about the lists, but that might be a future option for us to explore.

D
Okay, so just for the record, I will make an update today. I'm going to move that one back to TVA or TVD, because right now we have survey results that are firmer dispute, the top level offices and clarifies with details of these problems. Other than that, everything is good. Everything is basically final on my side.

C
And from you, essentially, your section's focused on working and getting data from upstream. He is a good person we could talk to outside of the anything with the lists. So if we wanted his opinion on open source CVD, that would be a great resource. Absolutely.
E
All right, hi, try a quick, quick second. Solar is a great resource just for case by case random things. Awesome, and in section two there's a bit of how would the SIRT, you know, produce its results or publish things; mailing lists generically is in there. So, whether or not that turns out through those mailing lists we'll see, but we have that as one of our outputs. Thanks. Over. Yeah.

E
There are some edits and changes to be made to that doc, and there is also, I need to do one more pass of Google Docs land for anything important that has gotten missed and did not get brought over to markdown land effectively, but the URL's there, it's in the place, all the rest of the things are, folks can go read it, I think! That's mostly it. You know, I'd say the, you know, the points, the least well understood points involve, right.

E
The staffing and resource estimates are trickier, assuming we're planning on handling actual real-world, externally driven incidents, right. How many, how large, how often over a period of time, and everyone doing emergency response has that class of staffing issue, and sort of related, you know, how long will, you know, ramp up take, which I think we have some good estimates on. I think section one does also, and are we, how aggressive a timeline would we have to try to offer?

E
You know, response to services, and I think that's an open question as well, but we got it, you know, got it addressed in there. Anything else? Crew of you were there, I'm not sure, I don't see Emily, but oh, Emily's here, yes. Whoever, Emily were there, so they may have anything to add. Please do. Yeah, okay.
B
Not much, I mean, short of the discussion around which tech stack we want to adopt. We now have between five and ten suggestions to explore, and a few of them are definitely better suited than others, but at the end of the day, we still need to choose, depending on the services that we're willing and wanting to offer. So this may be blocked for a final decision on, like, these kind of, this conclusion.

E
I'm sorry, I had a small go back. Your dependency blocking item, recall, make. Let me recall that staffing model was also an issue for at least Section Two, I think, for the whole thing, right. I think there's a vote going on and maybe Chrome knows the answer to the proper way to discuss this, or it's on the agenda, but that may also guide or dictate and influence some of our choices, right, for more volunteer or less volunteer or where that comes out. Over.

B
Correct. Randall, go ahead, and after that I'll complete my update.

D
I actually have a question for probe, if we ever finalized what engagement meant.

C
We certainly can define that. It has not been something we have toiled to make more definite yet.

A
Marva's statement, so we actually have an initial set of types of engagement defined within the SIRT skeleton doc that we said that we would revisit at a later date, and that was driven a little bit by a loose outline of potential service offerings.

A
So, while, and this kind of ties back to Francis's update, while we may not have the specific services fully detailed and fleshed out, we may have enough for an initial pass to move forward with the draft that's due by December 1st, and then, based off of the survey responses, we can put a milestone in to integrate those responses back into the service listing and refine that further.

C
And maybe we make that a conversation now that we will be officially deciding on our staffing model here within minutes after Francis wraps up? Maybe we move on to the skeleton, kind of more formalizing what we want to pull out of that and start fobbing about what services we might like to initially offer, but I will turn it back over to Francis.
B
Yeah, it's like, I mean, just to close out the update, two of the major suggestions that we have so far are either GitHub issues in either a dedicated organization, in order to contain the permissions correctly, and that still needs to be investigated, or an instance of events that would be managed by us, but that comes with a few caveats as well. So if you have ideas, there's a discussion that is linked in from the meeting notes. Do you have a purchase?

C
Okie doke, I dropped a link to Issue 11, which is our amazing vote we're going to take here. So many people expressed their opinion, and it looks as if we prefer to draft the plan with a staffing model that will be mostly volunteers staffed by Foundation members and will be supported by a handful of FTEs for administrative type tasks.

C
We had one, two, three, four votes for that. We had one vote for one, and then Brian gave a lengthy discussion that we can talk through if you have not read it yet. Francis.

B
Sorry to be very annoying about this with blocking the momentum, but don't we want to do a survey as well with the communities to see what they need?

C
We are, and that's part of section one, and that, but that's more like what services they want, not necessarily how we're going to staff it. Okay, and if we waited on that, you know this. I can't recall what estimates we put down yesterday, but Emily helped us kind of really at least get a pretty good swag out there. Emily?

A
I think that's an interesting question, though, and I would like to take it. The way that I interpreted it, whether or not maintainers or open source communities and foundations would respond better to services that are offered by volunteers driving that activity versus paid staff.
B
Voting issue, please, Wendell. Yeah, Emily hit the nail on the head on this one. Essentially, I'm curious, like, because we're all from, like, different corporations.

A
I think that's something that can be deliberated and discussed more openly when we do the education of the services, because there's a few different perceptions, and we've seen them come out, especially as of late with bobcos from, like, Ileana and several others about supply chain security and the additional security requirements on maintainers.

A
So ensuring that the language used in the expression of services to maintainers is such that, while some of us may be employed by large corporate entities which are part of larger organizations pushing for a lot of this change, realistically, the agreements that we have in place by being members of this SIRT mean that we're putting the vulnerability disclosure and reporting process first and not necessarily the means and ends of the employer.

A
All that being said, we still haven't talked about, like, the concept of embargo listing and, if we're in that situation, how does that, or the lack of those processes, work, particularly if it is an extra large, like T-shirt size, of an incident very similar to Log4Shell. So I think part of this is going to be how we communicate this information and then what kind of, like Francis said, a SIRT oath is necessary to kind of move forward. Well.

C
We need to work with the LF legal team and have some agreements written based on an ethical wall, that when you have this OSS-SIRT hat on, you are not necessarily representing the interests of your direct corporation. You're there representing the greater good; you're there representing open source, and you are obligated not to share internally unless there's specific allowances for me to know. So it will lead to be, I agree, and be very intentional and careful at how that gets worded and get that protection for not only the volunteers but also protection for the communities as well.

C
In our companies. Randall's hand was first, okay.

D
Kind of to add to that, the feedback that was shared with me was that, if we're going to be, like, a program that facilitates issues like security problems and whatnot, we should own the problem, and sometimes when you deal with, like, corporations, there's change in personnel for outside reasons and whatnot. So, and then it gets real messy because it goes through lots of hands, nothing gets done, communication gets broken. So I think the observation is, if you're more willing to take on the problem and, like, trying to solve the problem.

C
You're talking first before I flip over to Art. Emily, are you referring to the legalese, getting that worked out? Yeah.
C
Need to put that in section three, okay. Also would like to add the hiring of a program manager to oversee the execution of the plan and kind of eventually operations of the SIRT, kind of helping coordinate tools and contracts and whatever else.

E
Unmute, unmute, Art. I think I'm just agreeing here. Yes, a, you know, a change of hats to the SIRT team. Right, I took off my corporate hat, I put on my OSS-SIRT hat, we're gonna make, and we should have hats, and we should have whatever, someone said an oath, but, you know, a code of conduct, yeah, and, and here's, I was just gonna say I.

E
Would we certainly need that? No question there, absolutely. I venture to assume, not assume, but a lot of people who work in open source are already used to the hat-changing game, and it would be my hope that we would find some qualified folks who, this is not a surprise, that they are, right, sort of switching gears, we're able to wear two at the same time or, you know, 80 of one, twenty percent of one.

E
So, you know, if we can find reasonable experience with community people, which maybe we can, shouldn't be a huge problem. Definitely agree we need something written down and, you know, blood thumbprint on the big paper that says I promise to be good. Okay, that's it, thanks.

A
I would add on to that something that Randall said yesterday, which was around, not the breakdown of communication between foundations.

A
There's a really good example of the discussions that have been going on between OpenSSF and CNCF around, like, projects existing underneath of both foundations. One of the concerns that was raised is, because CNCF security professionals, like those folks in that community, are drawn to OpenSSF, we don't necessarily want to bleed the pool dry for both of them. We want to take advantage of those skills. The problem within open source, as Randall put it yesterday, is that we don't have clear lines of communication between different open source communities, different foundations.

C
Do we think we need a specific task for other Foundation engagement?

C
I don't know if that's a deep enough well to count as our bench, and we will need to think about and probably add a task to go intentionally recruit more Foundation volunteers, or protect the governing board to ask them, you need to pony up X or Y number of folks. Emily?
A
As far as the structure goes, have we discussed the idea of, there's the primary incident or sponsor responders, and then potentially there's advisors to the SIRT that may not necessarily be the active individuals responding to a particular incident, but could be leveraged either for a known specialty in a particular space or just as a, this person usually has a good idea about where things need to head and get done. Have we talked about that at all? We.

C
So now that we're starting to put some of these pieces together, I think that's an excellent conversation to have, and I think that's a very good proposal, that we're going to have a handful of people kind of on the bench that are the incident commanders, main facilitators, and then we would have kind of a cloud of other folks we would lean into for subject matter expertise. I think that's a good model!

D
Possibly also, in my community engagement, there has been interest expressed by different communities about possibly, like, contributing a team member or two from their security team to participate.

C
You know, if we bumped into a Kubernetes issue, that's absolutely going to get directed over to the Kubernetes security team; it would be probably more of a support role for them, and then some, if it's a small project that's not affiliated with anybody, we might have a more hands-on role, unless, that we wouldn't necessarily need to lean into, like, a commercial distro security team. But we'll see. It's up to us to write that up and staff that foreign bench, bench, for instance.

C
All right, do we have any more thoughts around the vote? You know, four votes in favor of it as the overwhelming majority. That is the voice of our community here. Any dissension or counter ideas?

C
All right, I will note that we will vote, we will be staffing towards a mostly volunteer model with a handful of Foundation staff, document that in the issue and the meeting notes, so that we understand that decision going forward. Yeah. Yes, we decided something, yeah.

C
Absolutely, yeah, and I think, well, we'll definitely need to probably put it into, when we recombine the documents, probably put that as a documented, you know, this is, we're following kind of agile iterative methodologies and we will be constantly reevaluating and we will have certain review points, so I think we'll have that as a general disclaimer in the doc. But I will specifically put that for this.
A
Emily, so my question is whether or not that one year mark is the expected due date for completion of this final plan, or whether or not that is when you're post-completion and development of the processes for this group.

C
Any other thoughts or discussion we desire to have today?

C
I think the sub teams are making good progress. I don't feel we have any major blockers to stop us from delivering the plan back to the foundation folks.

A
So last time, you and Francis took the monumental effort of breaking down the original plan into these individual sections. Is the same expectation that, upon completion of the sections, you both will then resume and merge them all together so they are a cohesive story, or is that something that you're looking for assistance with?

C
Oh, if someone wants to do that, I wouldn't stop them, but that is a task I was planning on doing myself, because we have to do things like normalizing the resource requests, so it's all stated kind of the same way and looks the same and we're using the same words.

C
We talked about it a little bit yesterday, about how, after each incident, we'll do a little bit of a post-mortem and figure out how we can refine the process, refine the training, to kind of avoid future incidents like that. I think we definitely need to have some type of tracking mechanism to. We definitely need to have metrics on success criteria, and then we need to find ways to capture, kind of, an improvement, general improvements log. I.

B
No worries, just mention it on Friday when we meet. I will, yes.

C
Can even, you know, put the PR in now or wait till everyone's there. Well.

C
Well, I want to thank everybody for this vote. We are ready to move forward. I suppose it feels like perhaps chewing on the skeleton proposal is something, probably a good next task for the full SIG to work on. Do we agree, or are there any other ideas?