From YouTube: OpenSSF TAC (March 7, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
A
All right, so we'll go ahead and get started. Good to see everybody first.
B
On today's agenda, we have an update from the Best Practices Working Group from CRob. So, CRob, you've got some slides linked in the notes there; I will copy that link and put it in, in case folks want to see them. But with that, CRob, go ahead and take us away.
D
We continue to see progress on the Education SIG mobilization plan, and we have newly created a DEI subcommittee to focus in on the educational needs of historically underserved communities. And some awesome news: we've got a great set of updates from our Scorecards team. The API is now GA. The Scorecards badge is being displayed in over 500 open source projects, including such critical projects as TensorFlow and Apache Commons.
D
So that's the high-level notes. As you may know, we are a group that is focused on providing open source developers with best practice recommendations and easy ways to learn and apply them. We focus in on three main areas of focus: identifying good practices, providing ways to learn about those good practices, and then ways to adopt those good practices.
D
We meet every two weeks. There's about 18 or so of us that regularly meet, plus a galaxy of about 20 other folks that pop in from time to time. I mentioned the concise guides, which is what we are currently working on for Service, Pro, Management and C and C++. We are having, we need to find some more information about one of our member sub-projects, CRE, the Common Requirements Enumeration.
D
They are technically an OWASP project that we collaborate with quite a bit, and OWASP is going through some changes right now, so I just want to make sure, I need to reach out to the maintainers of the project and kind of get an update if they're still interested in collaborating with us or if they are at the part, the stage where they want to retire. Education SIG: the plan has been reviewed by the TAC and is on its way to be reviewed by assorted governing board potential donators. There's still time.
D
If you're curious to provide feedback to the plan, you could hop on TAC issue 134 and provide your feedback on it or questions; that would be super groovy. Best Practices Badge: Mr. Wheeler has had a ton of stuff going on, and really what he wanted to highlight to the TAC is: do we want to explore the idea of encouraging OpenSSF projects to go through the Best Practices Badge process and attain a badge? And we have a similar question for the Scorecards, which we'll get to in a slide or two.
D
The Secure Developer Fundamentals course right now, there is nothing needed. You can see some speeds and feeds of what folks, we've had over 14,000 people enroll.
D
We currently had, in the summer we announced, or this fall we announced, we did translations of the Japanese, and we actually have a member that will be translating the course content to both Hebrew and Arabic. I see Mr. Callaway has a question.
B
Let's do it now. All right, so I guess I read the first one of explore the idea that a project is required to use Scorecards, so I guess maybe looking at, virtually, at Dr. Wheeler. We do have a, it's part of the PR 112 work that we did last year; we did put in requirements that were commensurate with the badging levels, from bronze, silver and gold versus sandbox, incubated and graduated. So I guess the question is, you know, is use of Scorecard mandated at a particular badge level?
F
Yeah, and it was not part of the, at least initial drafting of PR 112, not tied to project maturity levels. I could easily imagine a sandbox project that already reaches a gold badge or a high score, right? I don't think these are necessarily gatekept in sync.
B
Agreed, but I think we had, if I remember correctly, which I could be wrong, but I believe we had said it for a project to reach the state of incubated, for example, part of the requirements would be to get a, get and demonstrate compliance with a badge at, from the Best Practices or the, the infrastructure level of silver, for example, or gold. To attain that level you had to do that as a prerequisite.
B
Okay, that sounds good. I guess to the point of the, there's raising this bullet: if we believe that Scorecard has value and we think that we would want to align that in a similar way, I guess the question I would go to is, is that something we could naturally just tuck into the leveling of the gold, silver, bronze? Or simply, do we need to call out Scorecard as a one-off, a requirement? That would be a proposal to be discussed.
E
Yeah, there's nothing that prevents a project from doing both, so I think it would be entirely reasonable to say: hey, OpenSSF projects, run Scorecards. Now you may get answers and say, disagree or decide that the results aren't useful for your particular circumstance. But that said, I think it's, it, I think there's value in adding Scorecards.
E
It is my, by the way, it is my recollection that various levels require various Best Practices Badge levels, but, on the other hand, I think Ava's right. If a sandbox can get a gold, if it wants to, I mean, that wasn't a requirement.
F
But you know, right, you, of course there is a minimum bar set that you are, and you are correct to recall that it's not the Scorecard, which is a zero to ten. It is a badge, and when they are distinct, so the graduated tier does include the wording at the link here that a project must follow security best practices, including having achieved a gold badge.
B
In my opinion, and by expecting that projects are consumers of the projects that we have and we, when somebody goes to something in the OpenSSF namespace, they should see that as a shining example of what good looks like when it comes to the comprehensive things that we analyze with Scorecards and badges. And though, to be clear, like I think there are, it is a per-project, by, you know, project decision around what's appropriate versus what's not. But I think leading by example is one point here.
F
I agree, and in turn, that we're applying it as projects apply to join.
H
Yes, so I've looked at both projects for a while and I think having Scorecards in use would be great. One thing that the TAC would have to consider are like there's different types of things, so you might want to qualify which specific ones people should run through, so I know not all projects kind of apply.
H
All the different things, like the Eclipse Foundation did an analysis and they turned off certain ones for reasons that didn't apply to their projects. And the other thing, I guess for the Best Practices Working Group, it feels like there is an overlap with Scorecards and the badges, and in the interest of driving for clarity across the community.
H
If there's ways the two could start to kind of merge together, you know, badges could start having results as code and anything that overlaps that can come from Scorecards gets redirected to Scorecards. I think long term it would be good to have them on a path to just making sense holistically.
E
If I may respond, because I lead the Best Practices Badge and I also participate on the Scorecards working group. We've actually talked about that, and, in particular, Scorecards includes as one of its criteria the Best Practices Badge, but there's a fundamental problem with trying to merge them, and that's: they have completely diametrically different approaches.
E
You run it, you're done, there's nothing else you need to do. You do not have to be part of the project. You don't have to be involved in any way. The great advantage of that is that you can use it on any project. The big downside is that many of the results are wrong. It often doesn't detect, you know, one of the requirements is static analysis tools. It doesn't detect most static analysis tools; it only works on GitHub. We are working on these things.
E
It often can't detect CI/CD pipelines, and this is not a beat on Scorecards, okay. I'm actually going to want to make, okay, Scorecards is trying to do in an automated way something that is very challenging to do. Historically, always, tools have false positives and false negatives. It's kind of the nature of the beast. The Best Practices Badge does have some automation, but a lot, but when it was designed originally the focus was what is important, not what is automatable.
E
Oh yeah, yeah, for the questions, for the issues where it has automation, you can go look at the, this was probably an offline discussion, but there is some automation where we could do it and we've tried to talk about, you know, maybe we could do a little more.
E
The problem is one of resources at that point, but the reality is, fundamentally, the Best Practices Badge criteria are focused on what was important, not what's automatable, and a lot of things are very challenging to automate, whereas with Scorecards the primary goal is automation: how far can you go with pure automation? And right now, people have found it valuable to be able to express that, you know, this does this, that does that, and because there are different kinds of data sources, it's helpful to separate them. So that's how this is.
D
Am I okay to proceed? Yep, all right. I was talking about the class again. We're translating, most recently, to Hebrew and Arabic.
D
Then we have SKF, which is our hands-on lab platform. Lots of activity going on, and we would love assistance from the TAC in getting the word out as we are releasing a new platform. We just need help evangelizing that the SKF is a thing: it's pretty cool and can help developers learn secure development techniques.
B
Thanks, CRob. To answer your specific question: I think this style of update is useful and impactful. I think specifically the call-outs to say, hey, this is what you want the TAC to adjudicate, I think is particularly beneficial.
B
I think, to the last point that you said around the SKF framework: I guess we have Jennifer and Brian on the call. So if, in the sense of awareness to, hey, we need some potential marketing support for this, I guess any questions or comments? We can take some of that offline, but I guess anything quick? No.
F
Thank you very much for the update. I would make one sort of process suggestion for all of us in the TAC and working group leads going forward, because your presentation had some specific asks in it, which were great and super helpful. I would love to see that deck circulated a couple days ahead of time, along with an email saying, to the effect: hey, here's a couple questions we're going to ask; let's make sure that everyone's prepped and has time to discuss them in case.
B
Right, there's no other questions on CRob's presentation. We have next on the agenda an update from the End User Working Group, so not sure who's the representative who's going to be speaking on that behalf. Hey, that'll...
I
Be me. I'd, rather short notice, I'm afraid. I was not aware that I would be on point for it. So this one's a little more informal. CRob, but I personally hate you for producing such a fantastic, enlightening, informative presentation. So what I'm going to do is do a sort of a verbal report, basically, because I'm doing this ad hoc: lay out some of the things we've been working on, some of the issues that we're concerned about and I'd like the TAC to think about, and I apologize that we didn't sign all this in advance, and also give you some sort of, like, working group news. Now previously, we've reported to you about the taxonomy of supply chain attacks.
I
That has been an ongoing effort that is based on a paper, which I can link to in the chat after I finish talking, which essentially laid out a preliminary taxonomy of supply chain attacks: different sorts of things attackers can do. Now we've been working on that to expand or generalize it, make it more robust, seek more feedback. We've also been looking at outreach to other organizations who are interested in security matters and supply chain matters to make sure that we have a wide set of eyes on it.
I
We've also been testing it against existing data sets. Jonathan Meadows has gone through the In-Q-Tel attacks data set and essentially fed it through that taxonomy, to see that it's successfully, you know, mutually exclusive and completely exhaustive, which is the sort of the goal for a taxonomy. We're also looking at the CNCF data set, I believe, is the next one. So that's an ongoing effort happening in a quasi-SIG, basically an informal side group that has been dipping in and out of different folks.
I
The second big sort of project that we've been pursuing is developing reference architectures with guidance on what you need to go and look at from the ever-growing menu of offerings from the OpenSSF. So one of the difficulties that end users face is they show up, there's about 50 different websites, there's about 500 standards, many working groups, many projects. Now I want to give a shout out here to the fantastic work being done by the diagram society. CRob attends the End Users group, keeps us up to date with what the diagram group is doing, and we see the diagrams as essential. And in that spirit the architecture guide is essentially to say: here is a reference architecture that will probably resemble, at least loosely, what you have internally; here is some guidance on where to go, what to do, who to talk to, what documents you can consume, what tools are available to get you started. So that's been going along as well.
There was an effort that arose spontaneously in several groups. I think we've talked about it here in the past, which is collecting data on a number of factors around software repositories, particularly looking for malware samples, looking for metadata, so that researchers can essentially do cross-ecosystem studies. At the moment, every time a researcher comes in to do a supply chain study on a language ecosystem or package ecosystem, they have to basically start from scratch and build all the apparatus themselves to do these kinds of studies.
I
We know from previous studies that results in one ecosystem do not always generalize to other ecosystems, so to ensure that we don't basically, sort of, like, leave people behind or create misleading impressions of what actions should be taken, it's important to have inside a data store. It would also later on allow us to even potentially have, you know, guidance or assistance or warnings to package maintainers about campaigns appearing in one place that will eventually spread to others.
I
Now that came out of the End Users group, but it also spontaneously arose in the Securing Software Repos group, and I believe it was Identifying Security Threats that had a similar idea called assimilation. At the moment, we've sort of centralized those efforts in Securing Software Repos, but I wanted to note that end users had sort of made that transfer of interest. In terms of the things we're thinking about at the moment, I would say the big one that sort of came last week was the national cybersecurity policy.
I
I know it's on everybody's agenda. It's a big deal. There might be a while before legislation shows up, obviously, given the current, shall we say, configuration of the US government in its various branches, but it's out there now, like, the word is out there. So definitely we want to make sure that the TAC is thinking about it, and we would be interested in what the TAC's thinking will be, and we understand that it will necessarily evolve.
I
The other thing that came up recently was an Open Source Consumption Manifesto, which has been worked on by Brian Fox, its owner type. I will again put a link in the chat after I finish talking, looking for comments and feedback, but bearing in mind that a manifesto tries to be short and punchy; it's essentially to motivate people to think aggressively about their supply chain posture. Now it's not meant to be a replacement or a substitute or anything like that for S2C2F or SLSA.
I
For that matter, it's meant to be a motivational document more than anything. Let me see what I have got up to, okay, so the last thing I'll talk about is sort of a changing of the guard. Andrew Eichen is stepping down as vice chair of the group. He is going to be focusing on recruitment; that's where he feels he can have the greatest value and impact for the End Users working group, which makes a lot of sense.
I
He's got a lot of contacts, a lot of industries and sectors. I've put out my hand and been made vice chair, or accepted vice chair, I guess, is a better way to put it, so I'll be doing that for the foreseeable future, and that is pretty much it. I know it didn't come in a very convenient slides form. Again, I apologize; this came upon me suddenly, but I am happy to answer any questions that you might have.
A
Thanks for the update, especially.
B
On short notice. Questions?
I
I think the main thing in the short term I'd ask for is eyes on the OSS Consumption Manifesto. As I said, I'll post the link in a minute, and while not immediate, definitely in the long term, this might even be a governing board matter.
I
How the OpenSSF is going to position itself in view of the national cybersecurity policy, and for those who are wondering, particularly, the interesting part is that there is a discussion in that policy of changing liability, so that companies cannot disclaim all liability for software. They are on the hook for security work, and unless they do take sort of meaningful security practices into account, they can't get into a safe harbor.
I
Now that will require legislation to bring it out, but the fact that it's even been broached, when you consider the decades of precedent for disclaiming all liability for software products, and, you know, the economic structure that has formed around that, it's an earthquake which will last for several years. I saw a hand go up, but I don't see it anymore. It's...
J
Me, and this is a much longer conversation and something that lots of us are having, and folks on the public policy committee are, you know, have been, who have drafted comments to the European Union CRA and are going to be working up, at the very least, a blog post, definitely for us on the cybersecurity strategy.
J
The topic of liability is an important one. It is a little outside of the security issues only in that it is a fundamental change to licensing and, I think, is a threat, more generally speaking, to open source software and that kind of a social contract between producer and consumer of it.
J
Yet it's a little bit something beyond what we alone can carry, so I'm trying to figure out the right way to position that with the other open source projects out there, and it is important, I think. And actually Mike Milinkovich at Eclipse has written quite a bit about this. I think, coming back to the OpenSSF, of what it, you know, in addition to trying to, both with the CRA and with this, look for ways to push for fine-tuning and what those requirements are, the one silver lining to some of this might be that creating demand for the kinds of things that we've been advocating for isn't a bad thing if we are ready to say here are the tools here.
J
Portion of the adoption of, you know, the phases of adoption of security technologies, but, you know, I think if there's an opportunity here, if we're able to show here's the minimum viable kind of way to go and be conformant with the right combination of technologies from us, from other parts of the open source ecosystem, then we might move faster against all of the security objectives we all have.
I
I didn't disagree with any of that. I do put an asterisk, though, and end users are mostly interested in this from an end user's perspective, which is that we would like very much to be able to hold our suppliers to account for lax security practices. I wear both hats as an end user and as a person who works in the upstream, so I am definitely keen that they also don't kill the golden goose, but I also don't want to derail the rest of the TAC's discussions today.
F
This question, both in the CRA and the NCS, is very broad and, as Brian said, affects all of open source, so I would expect in the OpenSSF we're looking at it from the perspective of security and security tooling, and implications thereon, not so much on the impact on open source, but that we would participate, as Brian said, working with other open source foundations to build responses, whether it's blog posts or otherwise, on those issues.
B
All right, I'll thank you again, Jacques, for the update. Appreciate the dialogue. All right, next on the agenda: CRob, mobilization plan proposals.
D
Yeah, I'm working with Sam. Thank you to the TAC for your initial review and expression of support, so we will be creating some new artifacts to actually go in front of the potential funders shortly, and my request to the TAC would be: we have two awesome plans out there. There's links to the issues; if you have any feedback, if anything is unclear about the plans, or if you'd like to see, if you identify any gaps or have additional suggestions, please express those on those issues.
D
So I'm gonna go fast, like Lightning McQueen, ka-chow, all right. There is a group of us that get together and doodle on Barn Atkins, and we are here to show some of our work.
D
So we assembled a group of folks; we get together and talk about how we might be able to solve that problem and provide simple examples of how the organization is laid out, talk about what the challenges the different working groups and SIGs are trying to solve and how those components relate to each other.
D
Many, everybody's welcome. You can hang out and drop pictures and have fun, and what we realized early on is there is not going to be any one picture that accurately describes all the complexities and nuances of the work going on in the foundation, so we will have to produce multiple artifacts. And we have just a blast through a series of quick doodles and kind of talk about where we are, and feedback is always welcome. Please, all these diagrams are available in our repo. This PowerPoint is available in our repo.
D
So this is very useful to certain personas and certain viewers and, for example, a lot of the folks in the governing board found a lot of value out of this style of diagram, and, theoretically, you could take any of these work products, work with a professional graphic designer and embellish them. So, for example, if we had this diagram on our web page and you hovered over the Best Practices Working Group, it might link directly to that GitHub repository, or if we had a website, or show our top projects. The next view is what we call bubbles.
D
Basically, we can take all the work within the working groups, all of the SIGs and projects, and line them up. You could color code things to show a maturity level. You also can physically move the bubbles next to each other, to show that the Vulnerability Disclosures Working Group works a lot with the End Users Working Group because end users care about vulnerabilities, for example.
D
Another view is a traditional SDLC model. You could take any kind of process and lay the foundation over top of it, and the cool thing about something like this is, if you had, again, a professional artist, as you hovered over any of those bubbles you could blow out and show specific details and then hyperlink over to those assorted groups' output.
D
So you could take a DevSecOps infinity loop diagram, showing the kind of seven agreed-upon stages of DevSecOps-ing, and then you can racetrack over top the different working groups to show that, for example, Developer Best Practices touches on all seven kind of phases of a DevSecOps life cycle, but the Vulnerability Disclosures Working Group may only touch upon release, configure and monitor, as a for example, and none of the placements of the example diagrams are finalized.
D
We have a mind map layout, which this was a very intense deep dive, looking at all of the assorted artifacts within the foundation, and we discovered a lot of duplication across the working groups and a lot of missing things like charters or README.mds. So this style of diagram is helpful if you want to march group by group and kind of see how consistent we are. Kind of fun, we have the ability to do things by persona, so as an open source developer...
D
...group, or maybe listen to what's going on with the open source searching, as a for example. We could line things up based off of the vision. You know we had talked late last year about revising our TAC vision, so we could very easily take those four statements and line the working groups up and show which working groups are directly supporting which parts of that vision.
D
We have the stickers view, back to my Lightning McQueen example. You also see this with the CNCF landscape and the Continuous Delivery Foundation's landscape. So, basically, you can take like a plan, build, run category and show all the different working groups and throw a little badge up and be able to drill down to see how each of those apply to those particular areas and how to get information on more then.
D
What was very popular with both the TAC, GB governance committee and the governing board is laying the foundation over top of a CI/CD model. So you can see moving from developer to consumer, seeing the little loop, you can plug in where the different working groups, projects and SIGs impact different areas. So if you are concerned about solving packaging security concerns, you, for example, could use something like FRSCA, as a for example.
D
And finally, the trail map, which you've seen the CNCF trail map: you could take a picture, a metaphor like a map, and showcase your most important things that you want to draw your participants and outsiders to. Haven't had time to get to this. If we want to do this, we need to spend a little more time and have a metaphor.
D
We want to try to engage Jennifer and maybe get a professional graphic designer, as opposed to some joker with a crayon, and then we want to make sure that everything's vetted through the lens of accessibility and usability so that we're making sure that the things aren't, you know, excluding people with color blindness, for example.
B
I knew you were going to work a goose reference in there somewhere, CRob. So thanks for walking us through. I think, again, just to quickly echo with some of the feedback that CRob mentioned.
B
There's a subcommittee of the governing board that had reviewed this a couple weeks back and I think there was alignment around that software development life cycle view and trying to think about how, it is a fundamentally complex problem, both from the end user perspective, as well as the software producer's perspective, as well as from, you know, a member point of view, how to net this out. I think it is a multi-dimensional challenge.
B
The countdown from, you know, double digit to single digit, but even then one picture is probably not going to rule them all. So if you have thoughts, I would encourage you. The...
B
Society meetings are definitely a fun time, so I encourage you all to join. All right, with that, we have one other topic on the agenda, which is a new sandbox level request. It was PR 137. I did email this out last week to take a look at it. I know there has been some discussion on the PR already, but maybe just for helping to reset context for others.
B
I believe Joshua may be on the line with us now as well, but Kairo and Zach, I think, are also here with context on the PR. So maybe just a couple-minute overview of the ask and the project, and then we can open it up for questions and take it from there. So, Joshua, I'm assuming that's you on the plus four four number, but if...
K
Sure, yeah, okay, so Repository Service for TUF. It's something that Kairo started, basically based on observations of how invasive it was trying to implement PEP 458, which is a repository signing implementation using TUF for the PyPI Python package index, and we kind of, or Kairo, took a step back and saw that we were making fairly deep code changes with fairly, like, expert-level required understanding of TUF to follow the logic and reason about the changes, and he took the, the...
K
He came up with this idea for this project, which is basically to encapsulate all of that behind a much higher-level REST API, to enable anything that is doing something, kind of, either, in the first instance, repository signing kind of operations. I eventually would like to extend it to include developer signing and potentially other features, and the idea is really just to provide a service that's easier to integrate so that all kinds of artifact delivery workflows can offer this sort of signing functionality that it provides. In the initial efforts...
K
Our current focuses are on TUF, so we're providing kind of integrity and freshness guarantees and consistency guarantees, so you're always getting a consistent view of the repository. Yeah, that may be, I don't know that TL;DR, maybe too long still, so I'm going to pause there and see if anyone has any questions, but that's kind of the brief history and context.
C
So I would be supportive of this going ahead.
C
And this isn't in any way any sort of hurdle for us to get over, but I'm still trying to work out why the OpenSSF is better than, maybe better's not the right word to use, but I'm just trying to think, is there advantages to everything being in the same location, GitHub org-wise? And I'm assuming maybe OpenSSF because we perhaps have good wide outreach channels. I'm sure there's a good reason; I'm not sort of questioning that, I'm just trying to sort of get up to speed and understand myself.
K
Yeah, so I think the two main reasons for, or two of the main reasons for OpenSSF are: the people we care about advocating to, in the first instance, are already here, gathered under the Securing Software Repositories Working Group, and the other factor is to not make this seem like it's only a cloud native technology, because there's nothing about TUF or the Repository Service for TUF which should restrict it to that audience. And sure, you know.
C
That's a very good point. It's a very good point, yeah, and just again, just for my own curiosity: so would this be code or specs or both of the above, or...?
K
It's code, code and some comprehensive documentation, but yeah, Eric can speak to this better, but it's a set of microservices effectively with a REST API, and so the documentation kind of describes the REST API and how to operate the service, and then you can make REST API calls to integrate this into your artifact delivery flow.
L
Yeah, we provide the container images and also a CLI command, but the CLI is just an interface for the API, so people can also build other things on top of that.
L
It's also possible, because now we provide the containers to make easy deployment, but from these containers we are able to also provide, for example, a Python application that you could just deploy on a bare metal machine, not running on top of containers, or something like that.
L
For now, our documentation is just explicit about how to run the containers, but it's possible also to run it as a standalone application, because we just build the containers on top using our source code. We just add it inside the container. So basically you can deploy it directly.
L
python-tuf, I would say, because python-tuf is the main dependency for managing the TUF repository, I mean managing the metadata, but on top of this we use different resources together with the containers, for example, a database. Everything because the, the choice to have it as a container image is to achieve the possibility to scale it.
L
When
we
think
of
a
repository
with
high
activity,
for
example,
Pipi
the
number
of
packets
that
are
added
daily,
we
need
to
be
able
to
scale
it,
so
that
was
the
decision
made.
Oh,
let's
first
provide
us
containers.
Let's
say
that
we
choose
Pi,
Pi
and
pep458
as
the
first
real
case,
but
it
also
we
we
notice
that
it
can
be
used
for
small
deployments
as
well.
L
Let's
say,
I'm
have
I,
have
a
small
company
and
I
need
I
want
to
use
the,
but
I
don't
have
other
resource
to
build
it
from
scratch.
It
could
also
help
those
small
organizations.
B
B
B
B
Did
I
miss
somebody
Josh,
sorry,
Mr
Josh,
there
you
are
so
I
believe
we
have.
We
have
Quorum
if
you
want
to
go
ahead
and
please
use
the
check
mark
feature
in
Zoom
or
plus
one
in
the
chat
either
way
we
can
record
this.
So
the
meeting
is
recorded
so
either
way
we're
fine.
F
Yeah
I
think
I
I
have
more
questions
for
the
maintainers
in
particular.
What
path
do
they
see
within
the
open,
SS
app,
how
they
foresee
engagement
across
the
two
foundations
that
we've
had
a
brief
discussion
today?
I'd
love
to
have
more
engagement,
maybe
sort
of
an
office
hours
with
the
maintainers
of
the
project
where
we
can
spend
a
dedicated
amount
of
time
chatting
about
that
or
discussion
in
the
slack
where
we
can
take
a
little
more
time
to
explore
joining
a
foundation
is
a
big,
a
big
step.
F
I
want
everyone
to
go
in
with
with
good
intentions,
open
eyes
on
the
same
page
and
know
how
we,
as
the
tank,
can
also
support
the
project
long
term.
What
are
they
expecting
from
us
right?
There's
a
questionnaire
that
Anne
bertuccio
and
I
developed
a
couple
years
ago,
I'd
love
to
see
the
kind
of
information
that
that
questionnaire
asks
of
projects
be
explored.
We
did
this
when
Persia
applied,
we
spent
quite
a
while
exploring
it
with
them.
I'd
love
to
see
the
same
kind
of
dialogue.
F
A
B
Okay
I
see
two
hands
up:
Jacques
I
believe
you
were
first.
B
I
Called
on
you
go
ahead:
yeah,
okay,
very
quickly.
There
was
a
great
aristaf
product
production.
It
was
a
production,
but
also
a
presentation
to
the
securing
software.
Repos
group
I
will
dig
out
the
session
for
you
and
and
post
it
in
the
notes.
J
Brian
and
just
to
understand
the
hierarchy
here
is
the
The
Proposal
is
and
the
and
the
vote
is
to
accept
it
as
a
new
top
level
project
comparable
to
six
store.
Or
is
it
one
that
is
within
and
managed
by
the
securing
software
repos
working
group.
B
I
I
think
the
approval
here
is
to
to
adopt
it
like
it's
VMA
want
to
to
donate
the
code
of
copyright
and
so
on.
J
Right,
no
I
in
either
another
path.
We
would,
you
know,
confirm
copyright,
you
know,
do
those
those
processes
and
just
just
in
in
the
interest
of
process
and
structure,
was
trying
to
figure
out,
because
we
we
have,
in
the
past,
allowed
working
groups
to
accept
new
projects
and
and
sigs
within
those
working
groups
without
requiring
a
voted
attack.
And
so
just
wanting
to
to
understand
the
intent
here
that.
F
Is
a
great
question:
Brian
I
I
assumed
that
this
was
intended
to
be
a
top
of
a
project
because
it
had
come
to
the
attack.
K
Oh
yeah
I
count
right
times
because
I'm
on
a
cell
phone
but
the
documentation
that
exists
for
contributing
projects
that
open
ssf
doesn't
talk
about
this
past,
at
least
being
different
paths
effectively
right.
So
we
we
want
to
contribute
the
project
to
the
openness.
We
don't
have
a
a
strong
feeling
on
whether
it
should
be
a
top
level
project
or
not
I
I
suspect
in
terms
of
scale
and
potential
user
base.
It
doesn't
necessarily
make
sense
for
it
to
be
a
top
level
project.
K
It's
very
well
aligned
with
the
securing
software
repositories.
Working
group
yeah,
that's
kind
of
our
our
position
from
the
VMware
site.
B
I
think
back
to
the
comment
earlier
around
using
GitHub
as
the
source
of
Truth.
The
file
in
the
pr
explicitly
does
list
this
as
a
project
that
would
be
sponsored
and
reported
into
securing
software
repositories
working
group.
So.
B
E
Yeah
so
I
mean
my
understanding
has
been
at
least
from
past
exercises.
Is
the
working
groups
can
accept
projects
as
long
as
it's
within
their
scope,
but
they
usually
report
up
to
the
attack
to
just
notify,
and
you
know
if
there's
some
issue,
I
have
to
admit
since
there's
a
vote
but
I
I
kind
of
assumed,
oh
top
level
project,
okay,
so
all
right
so
and
that's
fine,
you
know:
okay,
Miss
minor
misunderstanding,
not
serious,
I
I
think
there
was
some
questions
earlier
on.
E
Also
about
wait
a
minute,
there's
some
related
cncf
projects
we
want
to
yeah
and
so
I
think
there
is
some
extra
discussion
about
that
and
I
think
that
led
to
this
minor
confusion,
but
I
mean
there's
nothing
wrong
with
having
a
brief,
backpack
discussion
to
make
sure
there's
no
issues.
So
you
know,
tally
ho.
F
If
it's
a
talkable
project,
then
cue
all
of
my
comments
about
doing
diligence
and
having
a
better.
You
know
deep
dive.
G
E
H
B
J
I
think
I
think
that
the
key
thing
is
opening
an
issue
to
fix
the
documentation
about
the
project,
submission.
A
B
Right,
well,
that
was
the
last
item
we
had
on
the
agenda
for
today,
thanks
everybody
for
your
attention
and
engagement,
and
we
will
see
everyone
in
two
weeks.
Thank
you
thanks.
So.