►
From YouTube: OpenSSF TAC (March 7, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
C
B
D
D
We
continue
to
see
progress
on
the
education,
Sig
mobilization
plan
and
we
have
newly
created
a
Deni
subcommittee
to
focus
in
on
the
educational
needs
of
historically
underserved
communities
and
some
awesome
news.
We've
got
a
great
set
of
updates
from
our
scorecards
team.
The
API
is
now
GA.
The
scorecards
badge
is
being
displayed
in
over
500
open
source
projects,
including
such
critical
projects
as
tensorflow
and
Apache
Commons.
D
So
that's
the
high
level
notes.
As
you
may
know,
we
are
a
group
that
is
focused
on
providing
open
source
developers
with
best
practice,
recommendations
and
easy
ways
to
learn
and
apply
them.
We
focus
in
on
three
main
areas
of
focus,
identifying
good
practices,
providing
ways
to
learn
about
those
good
practices
and
then
ways
to
adopt
those
good
practices.
D
We
meet
every
two
weeks,
there's
about
18
or
so
of
us
that
regularly
meet
plus
a
Galaxy
of
about
20
other
folks
that
pop
in
from
time
to
time,
I
mentioned
the
concise
guides,
which
is
what
we
are
currently
working
on
for
Service,
Pro,
Management
and
C
and
C,
plus
plus
we
are
having.
We
need
to
find
some
more
information
about
one
of
our
member
sub
projects,
cre
the
common
requirements,
the
enumeration.
D
They
are
technically
an
OAS
project
that
we
collaborate
with
quite
a
bit
and
owasp
is
going
through
some
changes
right
now,
so
I
just
want
to
make
sure
I
need
to
reach
out
to
the
maintainers
of
the
project
and
kind
of
get
an
update
if
they're
still
interested
in
collaborating
with
us
or
if
they
are
the
part,
the
stage
where
they
want
to
retire
education
Sig.
The
plan
has
been
reviewed
by
the
attack
and
is
on
its
way
to
be
reviewed
by
a
sorted
governing
board
potential.
Donators
there's
still
time.
D
D
D
D
B
B
Let's
do
it
now,
all
right,
so
I
guess
I
read
the
first
one
of
explore
the
idea
that
a
project
is
required
to
use
scorecards,
so
I
guess
maybe
looking
at
virtually
at
Dr
Wheeler.
We
do
have
a
it's
part
of
the
pr
112
work
that
we
did
last
year
we
did
put
in
requirements
that
were
commensurate
with
the
badging
levels,
from
Silver,
LeBron,
silver
and
gold
versus
sandbox
incubated
and
graduated.
So
I
guess.
The
question
is,
you
know,
is
use
of
scorecard
mandated
at
a
particular
badge
level.
E
F
A
B
B
F
B
Agreed
but
I
think
we
had
if
I
remember
correctly,
which
I
could
be
wrong,
but
I
believe
we
had
said
it
for
a
project
to
reach
the
state
of
incubated.
For
example,
part
of
the
requirements
would
be
to
get
a
get
and
demonstrate
compliance
with
a
badge
at
from
the
best
practices
or
the
the
infrastructure
level
of
silver,
for
example,
or
gold.
The
chain
that
level
you
had
to
do
that
as
a
prerequisite.
F
B
Okay,
that
sounds
good
I,
guess
to
the
point
of
the
the
there's
raising
this
bullet.
If
we
believe
that
scoring
card
has
value-
and
we
think
that
we
would
want
to
align
that
in
a
similar
way,
I
guess
the
question
I
I
would
go
to
is.
Is
that
something
we
could
naturally
just
tuck
into
the
leveling
of
the
gold
silver
bronze?
Or
simply
do
we
need
to
call
out
scorecard
as
a
one-off,
a
requirement
that
would
be
a
proposal
to
be
discussed.
D
E
Yeah,
there's
nothing
that
prevents
a
project
from
doing
both
so
I
think
it
would
be
entirely
reasonable
to
say:
hey,
open,
ssf
projects
run
scorecards.
Now
you
may
get
answers
and
say,
disagree
or
decide
that
the
results
aren't
useful
for
your
particular
circumstance.
But
that
said,
I
think
it's.
It
I
think
there's
value
in
adding
scorecards.
E
F
Course
there
is
a
minimum
bar
set
that
you
are,
and
you
are
correct
to
recall
that
it's
not
the
scorecard,
which
is
a
zero
to
ten.
It
is
a
badge
and
when
they
are
distinct,
so
the
graduated
tier
does
include
the
wording
at
the
link
here
that
a
project
must
follow
security.
Best
practices,
including
having
achieved
a
gold
badge.
B
In
my
opinion,
and
by
expecting
that
projects
are
consumers
of
the
projects
that
we
have
and
we,
when
somebody
goes
to
Something
in
the
open,
ssf
namespace,
they
should
see
that
as
a
shining
example
of
what
good
looks
like
when
it
comes
to
the
comprehensive
things
that
we
analyze
with
scorecards
and
badges
and
though
to
be
clear,
like
I,
think
there
are,
it
is
a
per
project
by
purp.
You
know
project
decision
around,
what's
appropriate
versus,
what's
not
but
I.
Think
leading
by
example
is
one
point
here.
H
Yes
concert
looked
at
both
projects
for
a
while
and
I.
Think
like
having
school
cards
in
use
would
be
great.
One
thing
that
Tac
would
have
to
consider
are
like
there's
different
types
of
things,
so
you
might
want
to
qualify
which
specific
ones
should
people
should
run
through
so
I
know
not
all
projects
kind
of
apply.
H
E
If
I
may
respond
because
I
lead
the
best
practices,
badge
and
I
also
participate
on
the
scorecards
working
group.
We've
actually
talked
about
that,
and,
in
particular,
scorecards
includes
as
one
of
its
criteria
the
best
practices
badge,
but
there's
a
fundamental
problem
with
trying
to
merge
them
and
set.
They
have
completely
diametrically
different
approaches.
E
You
run
it
you're
done,
there's
nothing
else.
You
need
to
do.
You
do
not
have
to
be
part
of
the
project.
You
don't
have
to
be
involved
in
any
way.
The
great
advantage
of
that
is
that
you
can
use
it
on
any
project.
The
big
downside
is
that
many
of
the
results
are
wrong.
It
often
doesn't
detect.
You
know.
One
of
the
requirements
is
static.
Analysis
tools.
It
doesn't
detect
most
static
analysis
tools,
it
only
works
on
GitHub.
We
are
working
on
these
things.
E
It
often
can't
detect
cicd
pipelines,
and
this
is
not
a
beat
on
scorecards,
okay,
I'm,
actually
going
to
want
to
make
okay
scorecards
is
trying
to
do
in
an
automated
way,
something
that
is
very
challenging
to
do.
Historically,
always
tools
have
false
positives
and
false
negatives.
It's
kind
of
the
nature
of
the
Beast.
The
best
practices
badge
does
have
some
automation,
but
a
lot,
but
when
it
was
designed
originally
the
focus
was
what
is
important,
not
what
is
automatable.
E
E
E
The
problem
is
one
of
resources
at
that
point,
but
the
reality
is
fundamentally
the
best
practices
badge
criteria
are
focused
on
what
was
important,
not
what's
automatable
and
a
lot
of
things
are
very
challenging
to
automate
and
whereas
scorecards
the
primary
goal
is
automation.
How
far
can
you
go
with
pure
Automation
and
right
now,
people
have
found
it
valuable
to
be
able
to
express
that.
You
know
what
this
does
this,
that
does
that,
and
because
there
are
different
kinds
of
data
sources,
it's
helpful
to
separate
them.
So
that's
how
this
is.
H
D
D
Then
we
have
SKF,
which
is
our
Hands-On
lab
platform,
lots
of
activity
going
on
and
we
would
love
assistance
from
the
attack
and
getting
word
out
as
we
are
releasing
a
new
platform.
We
just
need
help.
Evangelizing
the
SKF
is
a
thing:
it's
pretty
cool
and
can
help
developers
learn
secure
development
techniques.
D
B
B
I
think,
to
the
last
point
that
you
said
around
the
the
SKF
framework:
I
guess
we
have
Jennifer
and
Brian
on
the
call.
So
if,
in
the
sense
of
awareness
to
hey
we,
we
need
some
potential
marketing
support
for
this
I
guess
any
questions
or
comments.
We
can
take
some
of
that
offline,
but
I,
guess
anything.
Quick!
No.
F
Thank
you
very
much
for
the
update
I
would
make
one
sort
of
process
suggestion
for
all
of
us
in
the
attack
and
working
group
leads
going
forward,
because
your
presentation
had
some
specific
asks
in
it,
which
were
great
and
super
helpful.
I
would
love
to
see
that
deck
circulated
a
couple
days
ahead
of
time,
along
with
an
email
saying
to
the
fact:
hey,
here's
a
couple
questions
we're
going
to
ask:
let's
make
sure
that
everyone's
prepped
and
has
time
to
discuss
them
in
case.
D
A
B
I
I
Shh,
so
what
I'm
going
to
do
is
do
a
sort
of
a
verbal
report.
Basically,
because
I'm
doing
this,
ad
hoc
lay
out
some
of
the
things
we've
been
working
on
some
of
the
issues
that
we're
concerned
about
and
I
like
the
tag
to
think
about
and
I
apologize
over,
that
we
didn't
sign
all
this
in
advance
and
also
give
you
some
some
sort
of
like
working
group
news.
Now
previously,
we've
reported
to
you
about
the
taxonomy
of
supply
chain
attacks.
I
That
has
been
an
ongoing
effort
that
is
based
on
a
paper
which
I
can
link
to
in
the
chat
after
I
finish
talking,
which
essentially
laid
out
a
preliminary
taxonomy
of
supply
chain
attacks,
different
sorts
of
things.
Attackers
can
do
now.
We've
been
working
on
that
to
expand
or
generalize
it
make
it
more
robust,
seek
more
feedback.
We've
also
been
looking
at
Outreach
to
other
organizations
who
are
interested
in
security
matters
and
supply
chain
matters
to
make
sure
that
we
have
a
wide
set
of
eyes
on
it.
I
We've
also
been
testing
it
against
existing
data
sets.
Jonathan
Meadows
has
gone
through
the
inqutel
attacks
data
set
and
essentially
fed
it
through
that
taxonomy.
To
see
that
it's
successfully,
you
know
mutually
exclusive
and
completely
exhaustive
is
the
sort
of
the
goal
for
taxonomy
we're.
Also
looking
at
the
cncf
data
set,
I
believe
is
the
next
one.
So
that's
an
ongoing
effort
happening
in
a
quasi-sec,
basically
an
informal
side
group
that
has
been
dipping
in
out
of
different
folks.
I
The
second
big
sort
of
project
that
we've
been
pursuing
is
developing
reference
architectures
with
guidance
on
what
you
need
to
go
and
look
at
from
the
ever-growing
menu
of
offerings
from
the
open
ssf.
So
one
of
the
difficulties
that
end
users
faces
they
show
up
there's
about
50
different
websites,
there's
about
500
standards.
Many
working
groups,
many
projects
now
I-
want
to
give
a
shout
out
here
to
the
Fantastic
work
being
done
by
the
diagram
of
society.
Crow
attends
the
end.
I
Users
group
keeps
us
up
to
date
with
what
diagram
is
doing
and
we
see
the
diagrams
as
essential
and
in
that
Spirit
the
architecture
guide
is
essentially
to
say
here
is
a
reference
architecture
that
will
probably
resemble
at
least
Loosely.
What
you
have
internally
here
are
some
guidance
on
where
to
go.
What
to
do
who
to
talk
to
what
documents
you
can
consume?
What
tools
are
available
to
get
you
started,
so
that's
been
been
going
along
with
as
well.
There
was
an
effort
that
arose
spontaneously
in
several
groups.
I
I
think
we've
talked
about
it
here
in
the
past,
which
is
collecting
data
on
a
number
of
factors
around
software
repositories,
particularly
looking
for
malware
samples
looking
for
metadata,
so
that
researchers
can
essentially
do
cross
ecosystem
studies
at
the
moment.
Every
time
a
researcher
comes
in
to
do
a
Supply,
Chain
study
on
language,
ecosystem
or
package
ecosystem,
they
have
to
basically
start
from
scratch
and
build
all
the
apparatus
themselves
to
these
kinds
of
studies.
I
We
know
from
previous
studies
that
results
in
one
ecosystem
do
not
always
generalize
to
other
ecosystems,
so
to
ensure
that
we
don't
basically
sort
of
like
leave
people
behind
or
create
misleading
impressions
of
what
actions
should
be
taken.
It's
important
to
have
inside
a
data
data
store.
It
would
also
later
on,
allow
us
to
even
potentially
have
you
know,
guidance
or
assistance
or
Warnings
to
package
maintainers
about
campaigns
appearing
in
one
place
that
will
eventually
spread
to
others.
I
Now
that
came
out
of
the
end
users
group,
but
it
also
spontaneously
Rose
in
the
securing
software
repos
group
and
I,
believe
it
was
identifying
security.
That's
had
a
similar
idea
called
assimilation
at
the
moment.
We've
sort
of
centralized
those
efforts
in
securing
software
repos,
but
I
wanted
to
note
that
end
users
had
sort
of
made
that
transfer
of
Interest
in
terms
of
the
things
we're
thinking
about
at
the
moment,
I
would
say
the
big
one
that
sort
of
came
last
week
was
the
national
cyber
security
policy.
I
I
know
it's
on
everybody's
agenda.
It's
a
big
deal.
There
might
be
a
while
before
legislation
shows
up.
Obviously,
given
the
current,
shall
we
say
configuration
of
the
US
government
in
its
various
branches,
but
it's
it's
it's
out
there
now
like
the
word
is
out
there.
So
definitely
we
want
to
make
sure
that
an
attack
is
thinking
about
it
and
would
be
interested
in
what
tax
thinking
will
be,
and
we
understand
that
it
will
necessarily
evolve.
I
The
other
thing
that
came
up
recently
was
an
open
source.
Consumption
Manifesto,
which
has
been
worked
on
by
Brian
Fox,
its
owner
type
I,
will
again
put
a
link
in
the
chat
after
I
finish
talking
looking
for
comments
and
feedback,
but
bearing
in
mind
that
a
Manifesto
tries
to
be
short
and
punchy,
it's
essentially
to
motivate
people
to
think
aggressively
about
their
supply
chain
posture.
Now
it's
not
meant
to
be
a
replacement
or
a
substitute
or
anything
like
that
for
S2,
c2f
or
salsa.
I
For
that
matter,
it's
meant
to
be
a
motivational
document.
More
than
anything,
let
me
see
what
have
I
got
up
to
okay,
so
the
last
thing
I'll
talk
about
is
sort
of
a
Changing
of
the
Guard
Andrew
eichen
is
stepping
down
as
Vice
chair
of
the
group.
He
is
going
to
be
focusing
on
recruitment,
that's
where
he
feels
he
can
have
the
greatest
value
and
impact
for
the
ngos's
working
group,
which
makes
a
lot
of
sense.
I
He's
he's
got
a
lot
of
contacts,
a
lot
of
Industries
and
sectors,
I've
put
out
my
hand
and
been
made
Vice,
chair
or
accepted
advice,
chair,
I,
guess
is
a
better
way
to
put
it
so
I'll
be
doing
that
for
the
foreseeable
future,
and
that
is
pretty
much
it
I
know
it
didn't,
come
in
a
very
convenient
slides
bomb
out
again
I
apologize
this.
This
Came
Upon
me
suddenly,
but
I
am
happy
to
answer
any
questions
that
you
might
have.
I
I
How
the
open
ssf
is
going
to
position
itself
in
view
of
the
national
cyber
security
policy
and
for
those
who
are
wondering,
particularly
that
the
interesting
part
is
that
there
is
a
discussion
in
that
policy
of
changing
liability,
so
that
companies
cannot
disclaim
all
liability
for
software.
They
are
on
the
hook
for
security
work
and
unless
they
do
take
sort
of
meaningful
security
practices
into
account,
they
can't
get
into
a
safe
harbor.
I
Now
that
will
require
legislation
to
bring
it
out,
but
the
fact
that
it's
it's
even
been
broached
when
you
consider
the
Decades
of
precedent
for
disclaiming
all
liability
for
software
products,
and
you
know
the
economic
structure
that
has
formed
around
that.
It's
it's
an
earthquake
which
will
last
for
several
years.
I
saw
a
hand,
go
up,
but
I
don't
see
it
anymore.
It's.
J
Me
and-
and
this
is
much
longer
conversation
and
something
that
lots
of
us
are
having
and
folks
on
the
public
policy
committee
are,
you
know,
have
been
who
have
drafted
comments
to
the
European
Union
CRA
and
and
are
going
to
be
working
up
a
at
the
very
least,
a
blog
post.
Definitely
for
for
us
on
the
the
cyber
security
strategy.
J
The
topic
of
liability
is
is
an
important
one.
It
is
a
little
outside
of
the
security
issues
only
in
that
it
is,
it
is
fundamental
change
to
licensing
and
and
and
I
think,
is
a
threat
more
generally
speaking
to
open
source
software
and
that
kind
of
a
social
contract
between
producer
and
consumer
of
it.
J
J
Portion
of
the
adoption
of
you
know
the
phases
of
adoption
of
security
Technologies,
but
you
know
I
I
think
if
there's
an
opportunity
here,
if
we're
able
to
show
here's,
here's
the
the
minimum
viable
kind
of
way
to
go
and
be
conformant
with
the
right
combination
of
Technologies
from
us
from
other
parts
of
the
open
source
ecosystem.
Then
we
might
move
faster
against
all
of
the
security
objectives.
We
all
have.
I
I
didn't
disagree
with
any
of
that.
I
do
put
asterisk,
though,
and
end
users
are
mostly
interested
in
this
from
an
end
user's
perspective,
which
is
that
we
would
like
very
much
to
be
able
to
hold
our
suppliers
to
account
for
lack
security
practices.
I
wear
both
hats
as
an
end
user
and
as
a
person
who
works
in
the
Upstream,
so
I
am
definitely
Keen
that
they
also
don't
kill
the
Golden
Goose,
but
I
also
don't
want
to
derail
the
rest
of
text
discussions
today,
I.
F
This
question,
both
in
the
CRA
and
the
NCS,
is
very
Broad
and,
as
Brian
said,
affects
all
of
Open
Source,
so
I
would
expect
in
the
openssf
we're
looking
at
it
from
the
perspective
of
security
and
security
tooling,
and
implications
thereon,
not
so
much
on
the
impact
on
open
source,
but
that
we
would
participate,
as
Brian
said,
working
with
other
open
source
foundations
to
to
build
responses,
whether
it's
blog
posts
or
otherwise.
On
those
issues.
F
C
B
D
Yeah
I'm
working
with
Sam,
thank
you
to
the
TAC
for
your
initial
review
and
expression
of
support,
so
we
will
be
creating
some
new
artifacts
to
actually
go
in
front
of
the
potential
funders
shortly
and
my
request
to
the
tack
would
be.
We
have
two
awesome
plans
out
there.
There's
links
to
the
issues
if
you
have
any
feedback,
if
anything
is
unclear
about
the
plans
or
if
you'd
like
to
see,
if
you
identify
any
gaps
or
have
additional
suggestions,
please
express
those
on
those
issues.
D
D
So
we
assembled
a
group
of
folks
we
get
together
and
talk
about
how
we
might
be
able
to
solve
that
problem
and
provide
simple
examples
of
how
the
organization
is
laid
out.
Talk
about
what
the
challenges,
the
different
working
groups
and
sigs
are
trying
to
solve
and
how
those
components
relate
to
each
other.
D
Many
everybody's
welcome.
You
can
hang
out
and
drop
pictures
and
have
fun
and
what
we
realized
early
on
is.
There
is
not
going
to
be
any
one
picture
that
accurately
describes
all
the
complexities
and
nuances
of
the
work
going
on
in
the
foundation,
so
we
will
have
to
produce
multiple
artifacts
and
we
have
just
a
blast
through
a
series
of
quick,
Doodles
and
kind
of
talk
about
where
we
are
and
feedback
is
always
welcome.
Please
all
these
diagrams
are
available
in
our
repo.
This
dot
PowerPoint
is
available
in
our
repo.
D
D
So
this
is
very
useful
to
certain
personas
and
certain
viewers
and,
for
example,
a
lot
of
the
folks
in
the
governing
board
found
a
lot
of
value
out
of
this
style
diagram
and,
theoretically,
you
could
take
any
of
these
work
products
work
with
a
professional
graphic
designer
and
embellish
them.
So,
for
example,
if
we
had
this
diagram
on
our
web
page
and
you
hovered
over
the
best
practices
working
group,
it
might
link
directly
to
that
GitHub
repository
or
if
we
had
a
website
or
show
our
top
projects
next
view
is
we
call
Bubbles?
D
Basically,
we
can
take
a
all
the
work
within
the
working
groups,
all
of
the
sigs
and
projects
and
align
them
up.
You
could
color
code
things
to
show
a
maturity
level.
You
also
can
physically
move
the
bubbles
next
to
each
other,
to
show
that
the
vulnerability
disclosures
working
group
works
a
lot
with
the
end
users
working
group
because
end
users
care
about
vulnerabilities.
For
example.
D
Another
view
is
a
traditional
sdlc
model.
You
could
take
any
kind
of
process
and
lay
the
foundation
over
top
of
it
and
the
cool
thing
about
something
like
this
is:
if
you
had
again
a
professional
artist
as
you
hovered
over
any
of
those
bubbles,
you
could
blow
out
and
show
specific
details
and
then
hyperlink
over
to
those
assorted
groups.
Output.
D
We
have
a
mind
map
layout,
which
this
was
a
very
intense
Deep
dive,
looking
at
all
of
the
assorted
artifacts
within
the
foundation,
and
we
discovered
a
lot
of
duplication
across
the
working
groups
and
a
lot
of
missing
things
like
Charters
or
read
me
MDS.
So
this
style
diagram
is
helpful.
If
you
want
to
March
Group
by
group
and
kind
of
see
how
consistent
we
are
kind
of
fun,
we
have
the
ability
to
do
things
by
Persona,
so
as
an
open
source
developer.
D
G
D
Group
or
maybe
listen
to
what's
going
on
with
the
open
source
searching
as
a
for
example,
we
could
line
things
up
based
off
of
the
vision.
You
know
we
had
talked
late
last
year
about
revising
our
tax
Vision,
so
we
could
very
easily
take
those
four
statements
and
line
the
working
groups
up
and
show
which
working
groups
are
directly
supporting
which
parts
of
that
vision.
D
We
have
the
stickers
view
back
to
my
Lightning
McQueen
example.
This.
You
also
see
this
with
the
CNC
F
landscape
and
the
continuous
delivery
foundation's
landscape.
So,
basically,
you
can
take
like
a
plan,
build
run
category
and
show
all
the
different
working
groups
and
throw
a
little
badge
up
and
be
able
to
drill
down
to
see
what
how
each
of
those
apply
to
those
particular
areas
and
how
to
get
information
on
more
then.
D
What
was
very
popular
with
both
the
TAC
GB
governance
committee
and
the
governing
board
is
laying
the
foundation
over
top
of
a
CI
CD
model.
So
you
can
see
moving
from
developer
to
Consumer,
seeing
the
little
Loop
you
can
plug
in
where
the
different
working
groups,
projects
and
sigs
impact
different
areas.
So
if
you
are
concerned
about
solving
packaging
security
concerns,
you,
for
example,
could
use
something
like
Fresca
as
a
for
example,.
D
And
finally,
the
trail
map
which
you've
seen
the
cncf
trail
map-
you
could
take
a
picture,
a
metaphor
like
a
map
and
showcase
your
most
important
things
that
you
want
to
draw
your
participants
and
Outsiders
too,
haven't
had
time
to
get
to
this.
If
we
want
to
do
this,
we
need
to
spend
a
little
more
time
and
have
a
metaphor.
D
D
B
B
There's
a
subcommittee
of
the
governing
board
that
had
reviewed
this
a
couple
weeks
back
and
I
think
there
was
alignment
around
that
that
software
development
life
cycle
View
and
trying
to
think
about
how
would
it
is
a
fundamentally
complex
problem
both
from
the
end
user
perspective,
as
well
as
the
software
produced
producer's
perspective,
as
well
as
from
an
you
know,
a
member
point
of
view
how
to
net
this
out.
I
think
it
is
a
multi-dimensional
challenge.
B
B
Society
meetings
are
definitely
a
fun
time,
so
encourage
you
all
to
join
all
right
with
that.
We
have
one
other
topic
on
the
agenda,
which
is
a
new
Sandbox
level
request.
It
was
PR
137
I
did
email
this
out
last
week
to
take
a
look
at
it.
I
know
there
has
been
some
discussion
on
the
pr
already,
but
maybe
just
for
helping
the
reset
context
for,
for
others.
B
I
believe
Joshua
may
be
on
the
on
the
line
with
us
now
as
well,
but
Cairo
and
Zach
I
think
are
also
here
with
context
on
the
pr.
So
maybe
just
a
couple
minute
overview
of
the
ask
and
the
project
what
we
cannot
open
open
it
up
for
questions
and
take
it
from
there.
So
Joshua
I,
don't
I'm
assuming
that's
you
on
the
plus
four
four
number,
but
if.
K
Sure,
yeah,
okay,
so
repository
so
tough.
It's
something
that
Cairo
started
basically
based
on
observations
of
how
invasive
it
was
trying
to
implement
pep
458,
which
is
a
repository
signing
implementation
using
tough
for
the
pipi
python
packaging
deck,
and
we
kind
of
or
Cairo,
took
a
step
back
and
saw
that
we
were
making
fairly
deep
code
changes
with
fairly
like
expert
level,
required
understanding
of
tough
to
follow
the
logic
and
reason
about
the
changes
and
he
took
the
the.
K
He
came
up
with
this
idea
for
this
project,
which
is
basically
to
encapsulate
all
of
that
behind
a
much
high
level
rest
API,
to
enable
anything
that
is
doing
something
kind
of
either.
In
the
first
instance
repository
signing
kind
of
operations.
I
eventually
would
like
to
extend
it
to
include
developer,
signing
and
potentially
other
features,
and
the
idea
is
really
just
to
provide
a
service
that's
easier
to
integrate
so
that
all
kinds
of
artifact
delivery
workflows
can
offer
this
sort
of
signing
functionality
that
provides
in
the
initial
efforts.
K
Our
current
focuses
aren't
tough,
so
we're
providing
kind
of
integrity
and
freshness
guarantees
and
consistency
guarantees
so
you're
always
getting
a
consistent
view
of
the
Repository
yeah
that
may
be
I.
Don't
know
that
tldr,
maybe
too
too
long
still
so
I'm
going
to
pause
them
and
see
if
anyone
has
any
questions,
but
that's
kind
of
the
brief
history
and
context.
C
G
A
C
C
C
K
It's
code
code
on
some
comprehensive
documentation,
but
yeah
it's
Eric
can
speak
to
this
better,
but
it's
a
set
of
microservices
effectively
with
a
rest
API,
and
so
you,
the
documentation,
kind
of
describes,
the
rest
API
and
how
to
operate
service.
And
then
you
can
make
rest
API
calls
to
integrate
this
into
your
artifact
delivery
flight.
L
C
F
L
G
L
L
Python
tough
I
would
say,
because
python
type
is
the
main
dependence
from
for
managing
the
test.
Repository
I
mean
the
managing
the
data
metadata,
but
on
top
of
this,
we
use
a
different
resources
together
with
the
containers,
for
example,
database.
Everything
because
the
other
they
are
the
choice
to
have
as
container
image
is
to
achieve
the
possibility
to
scale
it.
L
When
we
think
of
a
repository
with
high
activity,
for
example,
Pipi
the
number
of
packets
that
are
added
daily,
we
need
to
be
able
to
scale
it,
so
that
was
the
decision
made.
Oh,
let's
first
provide
us
containers.
Let's
say
that
we
choose
Pi,
Pi
and
pep458
as
the
first
real
case,
but
it
also
we
we
notice
that
it
can
be
used
for
small
deployments
as
well.
L
B
B
B
F
Yeah
I
think
I
I
have
more
questions
for
the
maintainers
in
particular.
What
path
do
they
see
within
the
open,
SS
app,
how
they
foresee
engagement
across
the
two
foundations
that
we've
had
a
brief
discussion
today?
I'd
love
to
have
more
engagement,
maybe
sort
of
an
office
hours
with
the
maintainers
of
the
project
where
we
can
spend
a
dedicated
amount
of
time
chatting
about
that
or
discussion
in
the
slack
where
we
can
take
a
little
more
time
to
explore
joining
a
foundation
is
a
big,
a
big
step.
F
I
want
everyone
to
go
in
with
with
good
intentions,
open
eyes
on
the
same
page
and
know
how
we,
as
the
tank,
can
also
support
the
project
long
term.
What
are
they
expecting
from
us
right?
There's
a
questionnaire
that
Anne
bertuccio
and
I
developed
a
couple
years
ago,
I'd
love
to
see
the
kind
of
information
that
that
questionnaire
asks
of
projects
be
explored.
We
did
this
when
Persia
applied,
we
spent
quite
a
while
exploring
it
with
them.
I'd
love
to
see
the
same
kind
of
dialogue.
F
A
B
I
J
B
J
Right,
no
I
in
either
another
path.
We
would,
you
know,
confirm
copyright,
you
know,
do
those
those
processes
and
just
just
in
in
the
interest
of
process
and
structure,
was
trying
to
figure
out,
because
we
we
have,
in
the
past,
allowed
working
groups
to
accept
new
projects
and
and
sigs
within
those
working
groups
without
requiring
a
voted
attack.
And
so
just
wanting
to
to
understand
the
intent
here
that.
K
Oh
yeah
I
count
right
times
because
I'm
on
a
cell
phone
but
the
documentation
that
exists
for
contributing
projects
that
open
ssf
doesn't
talk
about
this
past,
at
least
being
different
paths
effectively
right.
So
we
we
want
to
contribute
the
project
to
the
openness.
We
don't
have
a
a
strong
feeling
on
whether
it
should
be
a
top
level
project
or
not
I
I
suspect
in
terms
of
scale
and
potential
user
base.
It
doesn't
necessarily
make
sense
for
it
to
be
a
top
level
project.
K
B
B
E
Yeah
so
I
mean
my
understanding
has
been
at
least
from
past
exercises.
Is
the
working
groups
can
accept
projects
as
long
as
it's
within
their
scope,
but
they
usually
report
up
to
the
attack
to
just
notify,
and
you
know
if
there's
some
issue,
I
have
to
admit
since
there's
a
vote
but
I
I
kind
of
assumed,
oh
top
level
project,
okay,
so
all
right
so
and
that's
fine,
you
know:
okay,
Miss
minor
misunderstanding,
not
serious,
I
I
think
there
was
some
questions
earlier
on.
E
Also
about
wait
a
minute,
there's
some
related
cncf
projects
we
want
to
yeah
and
so
I
think
there
is
some
extra
discussion
about
that
and
I
think
that
led
to
this
minor
confusion,
but
I
mean
there's
nothing
wrong
with
having
a
brief,
backpack
discussion
to
make
sure
there's
no
issues.
So
you
know,
tally
ho.