From YouTube: OpenSSF TAC Meeting (March 22, 2022)
A: All right, we're at three after, so I guess we'll go ahead and get started. Everybody that had put an item on the agenda is in attendance, so I think we can go. So welcome, everybody, to the March 22nd meeting of the TAC. First on the agenda, we have Josh with a topic around working group charters.

E: Yeah, I added this last week, probably. So CRob filed all these issues, basically saying like, this issue is still... should we close it? And then Jason Keirstead noticed, like, a bunch of those issues were charter reviews, and if you looked at the charters, a bunch of them were empty. Basically it was just still the boilerplate, and so I mean, I think this is one of those things.
D: Yeah, I think a template update is not a bad idea. I think that... I'm gonna get to this in my topic in a few minutes. I think it's worthwhile for the TAC to really ensure this is done well, which might mean taking some time in our TAC meetings to have a burn-down chart or a list of all the working groups, walk through them together and go, okay, yep, these are done, these are not done.

D: Okay, who's following up, who are the points of contact with those working groups, and have that visibility come up into this meeting, not just be something we leave to GitHub to happen asynchronously. Like, let's try to light on this part of it until this is done to our satisfaction, and then move on to the next part of cleaning up the governance process here.
F: Maybe we can put an email out to the working group leads today and ask them to review their charters with their communities over the next two weeks, and then check back in with us at the TAC call... at our next TAC call, to report whether, you know, they feel it's done or no.

D: And CRob, did you, as you're looking at the various charters, maybe more recently than I did, is there... which is the best template to start from? If we're going to revise the template, is there a good one to pick that's closest to what we want?
A: There was talk about a template, but it was a dead link. It looks like the original TAC had something they pushed out to each of the groups to modify, so I can replicate that or identify one. There was one of the groups that was very complete; they just needed to note... basically they needed to define what their TSC was, which was an artifact of the template itself. Basically, the body that governs the working group, and I suggested that that could be the contributors to the repository as an easy solution.

D: Yeah, to Arnold's comment in chat, I think that's really crucial when we send out an email to all the working group leads, giving them an example of what we expect.
A: Jory, would you be able to build the table that Aeva mentioned around the list of working groups and then all of the requisite collateral that we could fit into this working... or in the meeting notes here, so that upon the next meeting we can kind of have that?

F: Yes, and there was one repo. I just want to ask CRob if this was the format that it's... this project template repo. Was this the...?

A: That is the landing page I believe everyone's using.

A: So does it seem reasonable to set a goal for, by the next two weeks, we have that template finalized and get confirmation on this call that we're good with it, and then to send out an email and ask for that to be completed within one month from now? So, basically, two weeks to finalize the instructions, then two weeks to have those submitted. Does that seem reasonable to folks?

A: All right, then we'll go ahead and note that in the meeting notes and go from there. Thanks, Jory, for helping with that.

A: All right, next on the agenda is also Jory, meeting administrative.
F: Yeah, so it's actually a great segue into sort of the other topic that I would love to kind of just finish.

F: Polishing up... we had started to get, this is before I went on leave, all of the working groups on a groups.io mailing distribution list and all namespaced the same in Slack, you know, all the working group leads identified, just like trying to eliminate that sort of hunting and pecking for where is, you know, X that I'm looking for. I've noticed, though, that some of our groups have started a pattern of using Google Groups to control access to notes documents, and this is kind of a problematic pattern, because it does actually kind of make... it's another little paper cut thing for a newcomer, right? When you come in and you're like, oh cool, I want to contribute.

F: I want to add my name to this document. The first thing I hit is an access denied thing. Well, that's kind of lame, and there's really nothing that we need to put behind that kind of access log anyway. These are just meeting notes.

F: They should be public and, frankly, we should be printing them into our working group repos when the meeting is over, because that's a record of the agenda, and so, you know, I'd love to put out a recommendation to the group, and the PMO staff have talked about how we can roll this out to you.

F: We want to convert all your notes docs to something that is accessible to anyone on the internet with the link; they can view it. And then help support you all by printing your past agendas into your working group repos and encouraging the use of a running agenda.md file or something, a lot like the Kubernetes community, for example, or the CNCF community, and just making all of that a lot more visible and accessible to newcomers and making that pattern very, very clean and consistent across all of our groups.

F: This is a bit of a chore, hence why we're here to do it for you, because I'd hate for you to spend your time converting docs to markdown. But, you know, I would love to kind of hear if that's going to cause duress for you; if you have an alternative preference, please let us know.
A: Jory, any thoughts or comments from the group?

F: Yes, so to be very specific, what's going to happen, or what I would like to do, what I'm proposing to do, is for each of our working group notes... almost all of our groups are taking notes in a Google document, which is fine, I totally think that's great, but what we want to do is make sure that that link is not restricted to membership of a Google group.

F: We have, for you all, shared external drive folders that you can use.

F: So if you have working group materials that you want to, you know, put on Google Drive, we can do that for you and make sure that anybody that you need can access it, and that sort of thing. We've got those folders for you; we'd like for you to use them, because it makes it easier for you and us to help you, like share access to people who need it, and then worst case scenario, because we've definitely had this in the past.

F: Sometimes people host documents on their accounts, they leave their company and then we lose access to those documents, and that's a big bummer. So we want to move those from those closed groups and from those restricted domains to something that's open.

F: We want to update your calendar invites to the new notes document, and we want to PR in your old notes documents to like a /minutes folder or /meetings folder, so that the community has a record of the things that were discussed at past meetings, and those will be converted to markdown.

F: This will be a one-at-a-time sort of thing, but it could be a pattern too that we all helped switch to, you know, in April, for example, and then we will help go back and get all of that past stuff, but moving forward we can adopt a pattern. VM, you have your hand up.

Sorry, hey Jory. I just want to let folks know that this is pretty similar, not identical, but pretty similar to what SPDX does. So, if you want to see an example of a live version of this, if that's helpful, it works really, really well with SPDX. The one big difference between the two is that they build their agenda and put live notes during the call in an Etherpad, and then they move them into the wiki.

I: Oh sorry, not the wiki, oh my gosh, no, into the issues and such, so that makes it a lot easier for people to just quickly type their name into the Etherpad: yes, I'm here, rather than having to make a comment on an issue or anything like that. But yeah, it works really great. So if you all want to head on down to SPDX and have a look, that might be helpful for you.
A: Jory, one other quick question for me: if we were to spin up a new working group, like, for example, the securing package manager group, do we have a set of instructions for, here are the steps to follow to ultimately get compliant with the process?

F: We absolutely do need that documentation, and I think I'd sent an email like a couple weeks ago, saying: hey, let's work on this documentation together, because we don't have it, and yeah. We want to make this something that is largely, you know, clone this and off we go, and make it that easy. So, with apologies to the securing software repos group, which I will be kind of fixing a little bit, you need that, and we will get that for you.
A: Makes sense. I guess what are folks' thoughts, in terms of, I guess, going back to the previous discussion around charters: do we need a separate column, for kind of just tidiness in cleaning up some of these issues, and have a checkbox to say, hey, as we go across the working groups, we've got charters done, we've got mailing lists done, we've got meeting notes processed, just to go through and again make sure that we've got everything in order?

D: I'm just going to jump in. I think a risk we have is repeating the past, where different working groups do different things here. Some adopt tools, some don't. Jory, since you seem to be...

D: ...able to empower people with these new tools, I'd love it if you were the sort of point of contact as working groups or projects are onboarding. If we can point folks to you to say, you know, Jory knows where the information is, not that you have to write it all, but that you'd be... you would know where those documents are landing, where they're being written, the state of drafts, a single point of contact for any team or working group that wants to start adopting these.

D: At least for that part of it, how do we onboard the groups at groups.io, and I really want to reiterate, having meetings or meeting minutes in private, or not on the public calendar, in a locked-down group, is really an anti-pattern that I'd like us all to avoid and encourage everybody in the OpenSSF to avoid.
F: So absolutely, and this is the kind of support that I hope you all come to expect and trust from the LF program staff, and I have backups. Jen and Kahil are awesome individuals and they're learning the tools as well, so that they're there... they know what I know most of the time, and so yeah.

B: Yeah, so here's what I would propose: that onboarding doc, why don't you try to write that first, and I'll try to help? You know, and you'll use this, use this, and a brief mention about why certain things. Basically, things like, this helps us avoid losing data, and then once we know how that works, then we can slowly move groups over to it. Once we know what the objective is, people will hopefully be less likely to work unintentionally against you.

B: Basically, not, you know... once we know that we're trying to do this, as opposed to just, you know, hey, I just choose whatever and it doesn't matter.
F: Melba had asked a question in chat that I want to address about normalizing websites and blogs related to OpenSSF, and namely the issue being that it's not clear when a project is or is not affiliated with OpenSSF. For example, the Sigstore website, which is super pretty, doesn't really have any mention of OpenSSF on it.

F: So what we would like to do, and this is a common pattern across other LF and umbrella foundations as well, is just to have a standard footer that we provide, but that's something that we haven't really discussed yet with projects or proposed yet, but that would kind of let the person know, hey, this group is part of OpenSSF and, you know, it's part of this working group or these policy supply or whatever. So I hope that answers this question.
C: Thanks, Bob. I would also love to mention that we have some confusion as to which projects are actually part of the OpenSSF, because, as of my last understanding, Sigstore was donated as an independent project to the LF all up, and we need to make a decision to move it to the OpenSSF once we have criteria to accept projects, though I may be behind on this, so.

B: I think, yeah, you're behind on that; that was already voted. Okay, so that's... okay, that's okay! That was voted in and approved and everything's fine. So we don't have to worry about that one, but it's fair to say that there needs to be more done about documenting entry and so on, which I believe is next.
C: Yes, the concern that I have is that if we have a process to accept projects, that's awesome. Now we have to go through the motions and get them accepted and then add those footers, because that's the piece I really... I would like this to look more like it's official and that it's all tracked in open documents, the way we like in open source.

D: Yeah, part of the challenge here is that there isn't an official list, as far as I've been able to find, and David, as far as the vote you mentioned to approve Sigstore, just because I didn't know that either, I would love it if there's a reference. I couldn't find it when I skimmed past minutes from TAC meetings.
B: Notes, right, it's in the TAC meeting notes, but we do... but the same is not true for Persia or of the package repositories nascent working group. Neither of those have been formally approved, so the issue of, we need to make this for you... at least up to this point, the mechanism has been TAC votes and you record it in the TAC meeting minutes, but that doesn't mean that's the right process, right?

D: So the follow-on here is creating... since the GitHub project also, TAC has a list of working groups and projects, just ensuring that that is the correct, canonical place to list all of this and make it visible to the world, and that we are always updating that when there are changes, and I do see Sigstore listed there now.
B: Yes, the bigger challenge right now, the biggest challenge, has been working groups accept sub-projects within them, and they have not always been consistent about documenting in their GitHub repos projects accepted or not.

D: I might even go out on a limb here and say that the working groups shouldn't accept code projects without at least visibility by the TAC. Not that we need a full review, but like just an awareness that... and there are, well, the Linux Foundation, I'm sure, has views on accepting IP without Linux Foundation lawyers getting a chance to look at it.
B: So I think that's probably the biggest question here for this, the group, the TAC here. Historically, the individual working groups have just accepted and taken on, at least starting, new projects without raising it up to the TAC. I don't think it's insane to say we accept it in principle, but we'll raise it up to the TAC for questions, and Aeva makes an excellent point. If it's a pre-existing project, you know, maybe an opportunity to, hey...

B: Is there anything that we should worry about, particularly if it didn't start with an open source license in the first place? I think that's a decision for the TAC, but here you are.
C: Onto that for one second, because yeah, I think you've hit on exactly the right difference, David. When working groups go, oh, we have a need and we should make, you know, a widget, that's different from when, you know, one of our companies shows up and says, I have a widget, it's an 80 widget, but I want you all to love it and, you know, spawn it. So that's a very different thing that takes a little bit more process, in my experience, when you bring a whole project in.
A: I think that's a great point, Sarah. I guess back to the same sort of dialogue around, we need to survey and get ratified the current view of what exists under each working group and a status as to whether it was officially voted on, and we need to continue to clean up and do a review, is to check all those boxes.

A: We should certainly do that, in my opinion, but in parallel to, if we are, I know, Aeva and many of the issues on GitHub, we are trying to formalize a donation process, and so what I would want to try to avoid is changing the criteria as we go along versus, if there's good work already going on, we just need to make sure that we're aware of it and that we document it so that everybody feels like there's a fair process.
D: Not the right word to use, like if a company has a trademark and they're contributing the project to a foundation and the trademark is not handed to the LF, like there is a process. I've seen other projects walk through that process in other foundations, and if we do find that that has not been done, then we do need to revisit those acceptances and, you know, help them. And I'm not saying then reject them, but like, oh well, then there's work to do, and the LF can help us do that work.
I: Hey, so I'm only a few months into OpenSSF here, and this conversation does answer some questions I had rumbling around the back of my head, as far as, you know, how is this even done and why are projects showing up to working group calls asking to be considered when it's actually a TAC sort of thing to guide the technical direction of... that's the whole technical advisory part of the TAC?

I: So this answers a lot of questions, and it's really, really encouraging to me to see that these are the things that the TAC is taking on right now, because they are very important. It's a shame that it wasn't done earlier, but it's being done now and that's great, and I want to give a big plus one to Bob's, you know, don't relitigate past decisions, just clean them up if necessary, to Aeva's point about, you know, potential trademarks if necessary and other IP stuff.

I: Otherwise it sounds like this is all headed in the right direction, and I'm very grateful that this work is happening. Thanks, everyone.
K: So when I say gray area, we've been working as a bootstrapping project, which was approved by the previous TAC to start in that phase within OpenSSF. We've basically been following the charter in terms of having meetings, posting public notes, like doing all the community process which we need, but we're in the gray area, because we've never actually been approved and technically vetted.

K: I think where we've kind of normed as a project is we're focused specifically on the problem of distribution of secure open source binaries. So what I'd like to propose as a way forward on this project, and I'm looking for feedback from TAC members on what they think about this, is, I think it'd be helpful if I can present, either if we have time this meeting or a future meeting, about what the Persia project is, and then see if it makes sense to actually include it as an OpenSSF effort officially.
D: I think we, the TAC, kind of need to clean up our process for accepting projects, and I know that isn't the answer that is exactly what you want to hear right now, but I think we really do need to focus on how do we evaluate technical projects coming in, and how do we make sure that when a working group accepts a project, that's also visible at the TAC layer and across working groups.

B: Yeah, but as I think the key is, we need to move on on that, because, like, the poor Persia folks have been kind of stuck, and I think there are actually two issues, you know, accepting in, and there's some question about the name Persia. I know you've done a lot of stuff with it; there have been some questions, but I think, you know, I think those two things can be separable, and, you know, I don't have any personal objection.

B: I think there were some other folks who had some rejection, but I think we don't want to have them just, like, dangling forever. We need to... that's not really fair.
K: Okay, and I think that helped us as well. One of our project members from DeployHub also put an example in issue 83 of how the CDF handles projects which come from within work technical efforts and also how they handle project intake. So hopefully that gives a good example of how to handle those two situations separately.
A: One, like, we don't want to keep kicking the can down the road, because it's not fair to the team and the good work that's being done. I would say there's a bit of a chicken-and-egg problem, though, in terms of us pushing this forward and then it getting dropped off as we get into conference season and folks start traveling again. My concern is, if we don't draw...

A: ...a line in the sand and get this ratified and get it published correctly, it's going to continue to creep on. So what I guess I would throw out for input on is that we set a date on the calendar to say: let's have the document published, and then the next meeting, if you're open to this, Steve, we would basically... can you start that process with Persia officially, in terms of the actual donation discussion, so that we have a deadline of, you know, I'm just throwing out numbers here, but let's say that by the third meeting or second meeting in April.
D: Just pulling in a point from what I wrote in chat, I think we should both set a date and set an owner, possibly multiple people who all work together, but still one owner and a work stream parallel to this meeting, since one hour every two weeks with all of us isn't enough to really drive this to rapid conclusion.

A: Yeah, I was going to say, so, leaving aside CNCF process for its merits versus others, which I'm not trying to weigh in positively or negatively on, but more of the, do we have a group of volunteers that, correct me if I'm wrong, it sounds like you're putting your hand up to say, I'm willing to help. Are there other people on the TAC or otherwise that are willing to commit? I see one comment already from...
A: I'm willing to help as well. I guess what I would add is: let's also use the mailing list here. We can put out a call for any other folks that want to participate, and then we can schedule maybe a kickoff discussion to divvy up the work and provide some structure, but I think having a target to come back with a draft and some... maybe it's kind of the right word, kind of some guide.

A: A lot of work to be done over the next few weeks, but I think it is very important work that this group needs to own. So I guess, Aeva, would you be willing to send out that email to the TAC mailing list, and then we can try to drive to get together here as a group, at least of the folks that have added...
A: All right, I'll take that silence as we're ready to move on to the next issue. Aeva, that's also yours.

B: Yeah, so this is really just an FYI.

B: The OpenSSF fundamentals course is one of the first things that OpenSSF released, but I've just recently found that the plan is to open it up also on a second platform managed by the LF itself, and the reason to do that is so that we can issue free certificates showing that they have learned the course materials. The plan is not to get rid of edX; a lot of folks use edX, and we want as many people to learn the materials as possible.

B: I just found there's been concern for a while about the... how do we deal with the costliness of the certificates on edX, and when I just came back from some health issues, I found out that this was a new plan, but I'm all for getting the information out and getting more people certificates. So if that helps, it's awesome, but I didn't want to surprise anybody with that change. So if you've got further questions, ask me; I will try to find out answers. Anything real quick?
D: Okay, coming back to my GitHub issue triage. One of the things that I have seen similar communities be sort of facilitated by as they're moving to GitHub, using GitHub more, is having a consistent set of tags that all the projects, at least at the top-level TAC, maybe the working groups, use. Technical projects might do their own thing because they have a different, you know, development cycle, and then, in their actual weekly meetings...

D: ...take a look at that list on GitHub with a little filter applied and go, here's the, you know, more than a week old, pretty important, there's been some discussion. Let's talk about them, and actually use GitHub as a tool to surface up those issues from their own tracking.

D: So I would like to propose that, as part of the sort of overall work we're doing, one tactical thing we do is create a set of GitHub tags that can facilitate a more focused discussion on these sorts of work, and then that becomes part of the template that working groups are encouraged to adopt.

D: No... any concerns if I copy from a different community like the CNCF? Okay, then I will take that as probably the first actions by the next, well, yeah, on the way to getting to the next TAC meeting, that's already in place and something that we're using. Great, thanks. That was easy.
A: Last year, the Vulnerability Disclosures working group created an OSS coordinated vulnerability disclosure guide, and that was a project within the OpenSSF git repo, up off the head end of everything. So I'm curious, should we do a similar thing? We have a new project the group wants to work on, about a similar CVD guide, but this time focused on security researchers, to try to help them have more productive engagements with open source maintainers.

A: There's a lot of repos, I agree, and the reason I would ask is if the group, the team here, said copy what you did before.
A: I guess the thought that comes to my mind, CRob, is not so much about where to put the repo. It's, what can the OpenSSF be doing to make sure that folks are aware, and driving eyes to those guides, and making sure that we're actually amplifying that message? Like, where they end up in code, whether it's in a subdirectory somewhere versus a new repo, like I agree, more repos just makes it more confusing. But I guess from a prescriptive, if you have...

A: ...questions about these topics, are we actually helping to guide people to this content? So we do have an action plan for that. We're going to try to... we're submitting to announce it at Black Hat this year, and going to try to tactically work out a plan for how we can start to advertise these guides and their use.

A: But we would welcome feedback on how we can amplify that. We did a blog, I think, for the last one. We probably would also do a blog for the new one through the OpenSSF. Gotcha, David.
B: Yeah, I was just... I think, for smaller things like this, I would say just put them in, you know, I would say in general, let the working group decide if it's better as a separate repo or just within the repo of their org. In this particular case, I think within the org is the right solution, carry on, go forth. I think, as things get larger, you know, particularly if they are their own code repo that has kind of their own life cycle.

A: I get it, but having a separate repo and then pointers to it does make it actually kind of more discoverable at times, and it also, if this is something that really takes off, it'll make it easier to convert that repo into, for instance, its own website, right, which we can then point people to quite easily, as a microsite or otherwise used with the nascent and budding OpenSSF marketing, right, to help have them help us expose that a lot more.

I: So, and, you know, if it turns into its own sort of thing, then that also makes it easier to provide access to a different team.
B: I actually have a signed contract that says I can't show up, then learning, yeah, learning. But in all seriousness, I don't know how this group would... I mean, I guess we could make some general guidance, but I hate to micromanage at that level, other than, you know, if it's helpful, create a new repo; if it's not helpful, don't. Okay.

A: Awesome, all right, I think we've gone through everything that was on the agenda for today. I guess one last call for any other topics folks would like to raise.
B: I guess in principle it makes sense to me that the current TAC membership should have write access to the TAC repo, yeah. I think there is a broader question about the GitHub permissions to the GitHub repo itself. There's a least-privilege issue. Some of you were already aware, you know, if you grant total ownership to, for example, the entire GitHub org...

B: That means anyone with those privileges can delete the entire org, which is, yikes. So CRob is giving a face. That's right, so we just... we want to give people every permission that they need, but we don't want to create a dangerous situation where somebody's account is taken over and bad things happen, to the extent we can reduce the risk of that.
D: Yes, so this is a thing that I run into in many other projects. GitHub does not have a fine-grained permission system.

D: It's not set up for very large organizations like the OpenSSF or the CNCF or even Kubernetes, right? Prow was created by Kubernetes when they needed per-directory permissions, and so, if we are already at a scaling point where we need either per-repository or per-directory permissions, we need something like Prow, and Prow isn't the only option out there, but it is the one that's sort of most adjacent to this community.

C: It gave us an audit trail, which is one of the big things, plus it gave us the ability to offer merge to people who didn't, you know, who didn't have additional permissions, and it gave people the permission to review and approve, and then, you know, bots could go auto-merge things, etc., because we tried to move away from humans.

D: To Arnold's comment in chat, there's a difference between giving someone the ability to merge a change and giving someone control over the repository on GitHub, and GitHub doesn't really have that sense on its own, right?
I: So I generally, I mean, I see that Prow is a very useful tool. I don't know that we have a good handle on what our current problem is right now, let alone suggesting, you know, how we might fix it. So I would rather we got a handle on that first and then decide what the right option is for fixing it, because otherwise we're just adding a lot of complication that we might not need, right? You can't unring that bell. It might be good to just figure out the problem.

I: First, then solution, but it's good to know that there are some tried-and-true alternatives out there that we could turn to if necessary. However, I'd like to see what else is out there, what are the other alternatives, before we just jump at one because CNCF does it, right, which seems to be something that a lot of projects do. I know they've done a lot of great work, but it isn't always the best fit for everyone, right?

C: Totally agree, Vicky. I was, having lived that particular pain that ended up requiring this as this scales, I was like, hey, maybe we could avoid some of that pain, but I totally respect the view of we have to really get a better definition before we go solving it. So thank you.
A: So I believe some of this was resolved since the last TAC meeting, where we noted that we did not have correct permissions for the current TAC within that GitHub organization. For example, on that specific issue, number 87, Josh, I believe, has approved with merge rights, and I also have the ability to merge right now. I'm not clicking the button, to be clear, but I'm saying I think, for that specific issue, to merge that, I think we've resolved that very short-term tactical need.

A: I guess the question I have is: do we... to your point, like, do we need TAC eyes on that issue to say, as a stopgap measure, to maintain the status quo? Do we need to merge that PR and then forward the discussion around what automation tooling should we pursue within the broader OpenSSF? Is that the correct sequence of actions that need to get taken?
G: Well, so the configuration file actually addresses another issue that was also raised, which had to do with giving more information, description, about the repository that would be grabbed by some other LF tool to populate the website. So independently of the write access privilege question, there is also this question of providing additional information. So I don't know the answer to that part.

B: Won't we just try to capture that real quickly in a TAC issue? I'll post it, you know, hey, I can't do X and I think I should be able to, or I can do X and I don't think I should be able to, and that'll at least start moving towards what Vicky had already mentioned, the... what are we trying to accomplish? And then we can look and say: oh, we can't really do that with GitHub permissions, or not. I suspect you're right.

B: There may be some problems that are just simply that the current configuration is easily fixed, but it's not correct. Let's fix that first, and then we can identify we're going to need something like Prow or Prow itself. So that seemed like a way forward, at least.
A: That makes sense to me. I don't want to... if we can do something like click a button to solve the short-term issue, that provides a minimal amount of structure that then facilitates us having a broader discussion, that seems like it makes sense to me. But I don't also, if it's jumping too quickly to a solution that people are already saying, wait a minute, this may not be sufficient for what we may broadly need. I would agree with you, David, that we need to capture the...

B: Okay, well, I'm gonna quickly create just a permission issues issue, and, you know, people can post against that, and then we'll try to fix it with just the current settings, and then with things that we can't fix, then we'll have at least the start of that list that Vicky mentioned.

G: Yeah, I think, as I said, I mean, we... I agree, you need to figure out the long-term goal so that you know which steps make sense. Otherwise you might do something now that's kind of pointless, because it's going to be replaced. If you want to use Prow, for instance, maybe putting a settings.yaml file makes no sense. So, yes, I think that's right.

A: Okay, great. All right, well, we're at the end of the time. I appreciate everybody's engagement today, and look for many of the action items in terms of the project donation work that's going to happen offline, as well as the table that Jory has graciously agreed to work on for us. Thanks for all those who are raising their hand and stepping in and helping, and we will speak as a group again in two weeks. So thanks, everybody. Okay.