From YouTube: OpenSSF TAC Meeting (August 10, 2021)
C: Yeah, so I just saw the Allstar project when Kim sent the blog around about that. That's cool. I didn't know you guys were working on that, but I'm excited to see that. I think it can be... I know GitHub has been looking for a while at having some sort of policy settings, and they might, you know, eventually integrate something like that. But in the meantime I think the add-on works well.
B: Yeah, he joined us three or four months ago now, I can't remember exactly when. Yeah, he's been working on it. We've been...
C: All of us, okay. Well, I'll go ahead and lead us. Ryan is off on a honeymoon, and I don't think he had arranged for someone else to fill in in his absence, so I'm just jumping in, but if someone else was planning to lead, white, feel free to take over.
C: It's all good with me. So first, some exciting news. We have approved the OpenSSF 2021 budget, and that includes funding for some of our technical projects. Specifically included in the budget is funding for the Identifying Security Threats Working Group. I guess that would be WG, not WT.
C: We have allocated forty thousand dollars for development. I think that Michael's request was for the Security Metrics project specifically, and then also sixteen hundred dollars in Azure credits. And for the Best Practices group, we allocated thirty-three thousand one hundred dollars for development and thirty thousand dollars, again, in Azure credits.
C: Okay, good. And then the last piece: the Securing Critical Projects Working Group was to put forward a proposal for work on... I'm forgetting this specific project, but it was one specific project, and so we have funded that. There is still money in the 2021 budget, about 6,500, you know, available for security projects.
C: Okay, there are a couple of people waiting.
C: Yeah, okay, great. Then the other thing I thought I'd mention: so there is a project happening in the Securing Critical Projects Working Group, it's called Allstar, and that is a GitHub app that allows setting policy for GitHub repositories so that they must meet security requirements, and I think it's tied to... I don't know all the details of this project, but I think it's tied specifically to Scorecard. Dan, I know this is not your project, but is there anything you... not at a high level... anything else to add here?
B: Not really, no. It was demoed and started a few months ago, I think, and now there's a blog post explaining how to use it and stuff, yeah.
C: So yeah, so that'll come out soon. The blog post isn't quite up on the OpenSSF website yet, but we'll get that posted and let everybody know about it.
C: Ryan had done some work to try to schedule a meeting with that, and then I think he must have gotten tied up in getting ready for the honeymoon. So I haven't seen... while I did see a poll for the meeting, I didn't see an actual meeting request come out. We did have a brief... we had a little more discussion about this in a planning committee meeting yesterday.
C: In that meeting we had... there's a group in the Cloud Native Computing Foundation, CNCF, that is working on an implementation of some security... I'm not using all the right words here. So they came up with the supply chain security framework, and then they're working on a reference implementation of that framework, and so some of the folks from that group...
C: These are a bunch of folks from Citibank, actually: Jonathan Meadows and Minode and Michael, I'm forgetting his last name. Anyway, so they came and shared with us some of the parameters that they're working under for that reference implementation.
C: So if you're interested in that, have a look at the video, and there's also... it's the TAG, the CNCF Security TAG, I think that's where that work is being done.
C: So you can also check out that website. And then, you know, we talked some more about how we wanted to try to bring open source projects up to conformance with EO requirements, and what we said is we want that to be driven through the TAC. And so I think our next steps are, you know, once we get Ryan back, and/or if there are others who are interested, we can go forward, you know, setting up a working group.
C: What we thought is that... not setting up a working group, but having some deeper discussions in the TAC, but maybe some side meetings to try to keep it moving more quickly than just the every-other-week cadence.
C: What was discussed in the last TAC meeting, and then in the planning meeting again yesterday, is that the work needed to meet EO requirements falls logically across several of the existing working groups, the Securing Critical Projects Working Group and maybe also Identifying Security Threats, but the feeling was that since it impacts a lot of projects overall for OpenSSF, working groups and projects overall, it has to be driven at the TAC level. So yeah, just sharing with you.
D: I had two hopefully quick questions for the TAC. Sure. The Developer Best Practices Working Group is assembling part of a white paper around known good practices.
D: We want to endorse and kind of be more prescriptive with teams, and we've identified there's going to be a lot of synergy with the Tooling Working Group, so I'm reaching out to talk to Ryan and try to get a joint call between the two groups. But I'm wondering if potentially we would be better served to have, like, one paper coming from the foundation as opposed to kind of four or five little blogs or papers. I'm wondering if there's any appetite for us to kind of approach that as a collective project at all.
C: That makes a ton of sense to me. I'm not a TAC representative, though, so I'm just one person weighing in. It'd be good to get thoughts from others on the TAC.
D: Yeah, something like that. Like, again, we have a lot of really good... we've identified a lot of really great development practices, and I know the tooling folks have done a lot of review, and I'm really interested to talk to the Securing Critical Projects group. So I think there's an opportunity to have kind of one useful artifact instead of a dozen little paper-cut things.
D: The idea's up there, but I think that's probably the model we would use: we would stub out sections we think would be relevant, and then I would solicit the other working groups for their input, and hopefully... I don't expect this is going to be hundreds of hours of a project.
F: I think it also makes... sorry, I think it makes a lot of sense if you do put out a central document; that's going to get the most eyes on it. But I would also put that out with the ability to give immediate feedback, right, by delineating it, immediately asking with a poll, for example, "What would you like more information on?" And I think that would be a really efficient use of time, and I'm looking forward to reading that.
D: My other item is semi-related. Jennifer and I talked at Black Hat last week, kind of on behalf of the foundation, talking about securing open source, blah blah nonsense, and for that presentation I developed a very rough reference architecture for the foundation.
D: So I'm wondering... I found this very useful in articulating kind of what the Developer Best Practices Working Group does, kind of as an explainer for beginners, and I noticed we don't really have a lot of literature tying all the groups together. So is there interest in kind of more formally crafting this? Right now it's just a diagram, but actually start to show some of the connections and interactions between the groups, to try to, like, better state our why and try to attract new folks coming in and participating.
D: Yeah, it's kind of... is this something we're interested in, kind of articulating all of our groups and kind of how they connect and interact? And then it could turn into a more formal reference architecture. Right now it's just a diagram, just kind of showing some rough off-the-cuff connections that I was aware of. It's not comprehensive.
D: Sure, if I can find it. Give me a minute, one moment.
E: So the voiceover while Chrome looks for his document is, essentially, you know, it's like a big Venn diagram. It's showing where different working groups overlap, and then it demonstrates the different types of outputs that either already exist or are well underway, to help people kind of understand where different things lie within the organization. And I think that's helpful as well in figuring out how to get involved in some of these things.
F: I am so happy for this. When I was... before I stepped up to this call, I was going to say I started talking to, like, Clyde and Tim from your sort of education and training, and I was like, where... how they have to overlap, right? And it's in here. Would it be possible to add to this, if not in the diagram, clear points of contact?
G: So, first of all, I'm not a voting member, just to be clear. I had sent some probes, some earlier comments. I love the diagram idea. I have a couple of nits I've already sent to him about, you know, making the overlaps bigger so the boxes fit, and CHAOSS shouldn't be just within, because that's actually a different group, some sort of overlap. But I think the idea is good. To your point...
G: Please tell me if I'm mispronouncing, my apologies if I am. Okay, so I like the contact idea. I think probably what that suggests is what was needed is a short paper, and the diagram's part of it. And now you have paper-ness, you know, just a little Markdown file if you like, but, you know, just something that explains the diagram and includes some important information like points of contact. And bonus points if we can make it so people can click on parts of the diagram and get somewhere.
D: Yeah, though I absolutely agree. I like the idea of kind of a dynamic graphic that people could click around, and you can actually go to the repositories or to the individual little projects on there. And again, I wasn't... this does not represent an exhaustive representation of everything.
D: This was... Jennifer and I had an "oh crap" moment: we need something to fill out a slide, so this is like 10 minutes of work.
G: You know what, actually, you know, if we just made it easy to click on any of those things, then that might completely solve Sal's concern, which is totally, you know, how do I contact... Well, if you click on a working group name and it gets you to the page that tells you how to contact them and tells you about the group.
E: I want to also mark where these are collaborations with outside parties, so it doesn't look like trying to take credit for things that are partnerships.
G: Yeah, I was thinking about, like, CHAOSS. It would be an overlap, part in, part out of that circle, because of that. But yeah, maybe color coding would make it clear that the, you know...
D: So I will... I'll figure out how to get this into an editable format for other people, and I'll again share with the TAC and the working group leads and kind of, you know, roll that meatball around and see if we can get some other folks to help fix my mistakes and add, because I know this is not exhaustive of all of our activities.
D: And I could post an example right here into the... a little Google document, just so we can kind of get a little taste for it in the notes.