From YouTube: OpenSSF TAC Meeting (March 23, 2021)
A
So Dan had to step away for a second, and he's digital identity and securing critical projects. We'll have to wait a minute, especially if Kim's not able to make it, and then do we...
D
Awesome, all right. So here is the repo and the README here. This is the Digital Identity Attestation Working Group. When we first started it was called the Developer Identity Working Group, but it was a poll and got a bunch of community feedback through a bunch of options. This is the... it's kind of wordy, but this is the one that I think best captured it.
D
The group was intending to focus on ways for developers and systems and tools and anything involved in a supply chain that has an identity to attest to that identity, and things like that. We've been mostly focused in this group on exploring and researching and identifying problems in this area, which concretely means that every single week so far we've had really awesome presentations from, like, pretty much experts in the field or people that are trying to secure their open source supply chains for their projects.
D
I think we started with Konstantin, who runs the security and signing and build systems for kernel.org and the Linux kernel releases, talking about how they do it. We've had other people from completely different projects like Node.js, where they have a couple dozen maintainers that can all do releases. It's a very different trust model from the Linux kernel, where there are two people that can do releases that are very well known, all the way out to... what other presentations have we had?
D
Do you remember, David? No, I'm blanking. Kim wrote an awesome blog post that links to all the presentations and videos, though, up on YouTube.
D
Everybody does things very differently. There is no standard practice for how you sign your release artifacts. What we found: the tooling varies greatly, the trust models vary greatly. There are some common themes, like everybody seems to be using PGP because they can't find much else, but nobody is using web of trust, stuff like that, that we've kind of found. Then there's the kind of human elements on top of it.
D
Oh yeah, we had presentations from the Debian maintainers here, who have some really interesting, well-thought-through solutions for the human elements. Debian maintainers today, I guess before 2020 started, Debian maintainers had a very strict and difficult and cumbersome process to become onboarded and have release permissions in Debian.
D
You had to meet three other Debian maintainers and have them sign your key in person, and they would look at your government identification and verify that it matched who you are. That obviously didn't work for 2020, where we couldn't meet each other in person. So they started relaxing and allowing things like video, allowing people to do that over video and webcams, as well as some systems starting to move to allow more pseudonymous...
D
I don't know how to pronounce that. Pseudonymous contributions, where people can establish a reputation over time without a real name, by signing work repeatedly with the same key over a period of months, and have people vouching for your identity. That's pretty interesting!
D
What else have we done? What other presentations have there been? I guess some research-style stuff: people from NYU and Purdue University came and presented a bunch of supply chain integrity research in The Update Framework and in-toto projects, yeah. You should just find a link to that blog post. I don't... it's... let's find it. It's on the OpenSSF blog.
D
Yeah, I found it here. No, okay, yeah: Linux kernel, in-toto, oh yeah, self-sovereign identity, I keep forgetting that one. This is a very new, very exciting area where people can kind of do zero-knowledge proofs and establish the parts of their identity they need to in a verifiable way, without exposing the parts they don't need to. It's based on a bunch of the work in Hyperledger and the different blockchain research efforts. This was an awesome presentation from Arnaud, who chairs the Hyperledger project, which is part of the LF as well.
D
One that's really cool too, that we're pursuing, actually trying to get this work finished: Git. Similar to the way Git integrates SHA-1 today inside of Git, it's very hard-coded, very wide-reaching throughout the code base. They've spent a couple years trying to refactor it to allow SHA-256 and other hash algorithms.
D
There's been a bunch of work to reduce the coupling of Git to GPG tooling for signing. I mean, one of the cool ideas here is that you can actually perform digital signatures with SSH keys and the SSH toolset. Very few people on GitHub and in the open source world have long-term GPG keys they maintain; way more people have SSH keys that they use, because you kind of need one to publish to GitHub at all. And so this is some work to allow people to actually start signing Git commits.

D
Step one is to allow people to sign Git commits with something that's not GPG, and then step two would be to allow signing with your SSH keys that you already have, and people do a pretty good job securing those with YubiKeys and hardware and stuff like that. That was pretty interesting. We're actually pursuing finishing that work now over the next couple months.
E
Let's see here. I guess Sigstore is another thing that, yeah...
E
Latest one, the latest presentation, right? That's probably worth mentioning, because I don't think that is in the blog post. I don't think it was in the blog post.
D
Yeah, we'll have to do another one of those blog posts after the next set. Yeah, a week ago Luke Hinds and I presented some work we've been doing also in the Linux Foundation, called Sigstore, which is a bunch of different technologies we're putting together to try to address a lot of these problems. Things like transparency logs, certificate authorities, that kind of stuff. It's been pretty exciting.
D
I'm too... there's others that we missed in the last couple, after the blog post came out, but yeah. I guess the main work product so far in this group is kind of non-traditional, I guess. It's, you know, publishing this background catalog of all of the prior art and efforts in this space, and, you know, personally I found it really valuable to see.
A
So I agree, these presentations have been awesome. I was just kind of wondering, like, you know, cataloging all this is really cool, like what are sort of the next, I guess, more tangible steps? Like, are we looking to try to adopt or get behind one of these initiatives to try to drive it forward, or kind of, like, what does sort of the long-term vision look like there?
D
Yeah, I think the idea early on was that we wanted to do some, you know, research, figure out what people were doing, and start to distill some best practices from that. And then the more we dug, the more we realized that nobody seems to be at a point where we can actually start to do that yet. Every project is doing things completely differently.
D
Stuff like that. So I think that is the goal. We do want to start to publish some best practices and distill out the patterns and tell people what they should be doing where we can, but yeah, I think we're still a little ways away from that. There's kind of... there is no good set of best practices so far, only things that other people have tried that all have their own sets of shortcomings.
A
Yeah, that's fair. I mean, like, do we think that some of them... like I know a couple of ones that you mentioned are really, really fascinating, like the, I think it's called the self identity, or, you know, where you format the pieces of it. It was really interesting, but do we think, like, some of those are further along, that we might want to, like, help push, or just kind of still in a wait-and-see sort of step?
D
I don't think that I've been convinced, I guess, enough by any of them to say that they solve everything. I think the blog post is kind of the best we've been able to do so far, which is just explain what people have done, what the pros and cons of that are, and provide that and let people make their own decision. I definitely don't feel like we can actually make any general recommendations yet: you should do this for your project under all circumstances.
D
If you're a project like the Linux kernel, then the model that the Linux kernel people put together is pretty good. Unsurprisingly, they've spent a lot of time and thought and energy on it, but if you're a different project that has a different contribution model, then maybe some of these other ones are more appropriate.
E
I hope you don't mind me asking, Dan, don't mean to put you on the spot, but this conversation leads me to think maybe what might be helpful would be a white paper of at least, you know, here are the various things, here are the various approaches, all in one place. You can pick this thing up and at least see what people are doing. The blog post is actually pretty close to that. It's just not something we're actively updating, but we could.
D
Yeah, we kicked around the white paper idea. There's probably an issue somewhere here actually tracking it. I think that would be a great, great deliverable we could do, because the videos are really useful, there's good question and answer, but it is not as digestible as something written down. Would definitely be supportive of helping out with that.
D
The videos have actually kind of been kind of fun. Given the whole, you know, pandemic situation, it's almost been like a long-running conference series; that's kind of how I thought of it. Instead of having all these talks in one day, we kind of get, you know, another, like, an expert talk every two weeks that we get to kind of plan and schedule and invite people to do as we learn.
F
Thinking about the criteria that we set for showing that a group is active, right, we had... there's a certain number of contributors that regularly show up to form that community. Do you feel like you've got a core group that regularly shows up?
D
Yes, the average attendance is probably somewhere between 10 and 20, I would say, and yeah, there's definitely a core group of probably five to ten there for at least, you know, two thirds or three quarters of the meetings.
F
I found this helpful. This is probably the hardest working group for me to describe when people ask, you know, what's going on at OpenSSF or what do you do? Well, there's these six working groups, and I don't know exactly how to describe this one.
D
Yeah, that's not what I predicted early on either. The space is way more of a mess and broader and deeper than I think I imagined when we started. I thought there'd be some best practices we could figure out pretty quickly and start recommending and building tools to make them easier, but we're definitely not at that spot.
D
Yeah, I don't think we're even at that point yet. There's just basic gaps, like tooling and everything.
D
You read all the posts from experts in cryptography, and everything they say: stop using PGP, it's old, it's outdated, it's broken. And they have a long list of replacements for every single use case in PGP except for digital signing, and they say there's got to be something in there. There really isn't. There's, like, the ssh-keygen tool can kind of do it. There's not a lot else out there. You can do OpenSSL if you feel like remembering all those commands.
B
Not to take us on a tangent, but even around vulnerability disclosure we have the exact same thing, where it's like people are still largely relying on PGP to, like, send an encrypted bug report or whatever, and it's pretty wild that it's 2021 and we don't have, like, something that we can all rely on that we're comfortable with and that is, like, somewhat usable. Yeah.
D
All right, yeah, so the other working group that I've been involved in is the Securing Critical Projects Working Group. This one, the working group meetings, have kind of been run in a similar fashion to the digital identity ones, where they're mostly presentations, except there's also a bunch of code and other projects that people have been working on, and I actually feel really bad because we keep trying to set aside time in these meetings to discuss...
D
You know, things going on in the projects, but we never seem to have time, because the presentations go so well and I never really want to cut them off. This one, it's a little bit different, the model. I guess most of the presentation requests are inbound rather than outbound; like, we're not going soliciting people, there's just a giant backlog of people asking to come and present here, which is kind of cool, but yeah.
D
We've had groups like the Open Source Technology Improvement Fund, OSTIF, that does a bunch of grants and security auditing and funding like that, come and talk about how their models work. Josh Aas from Let's Encrypt came to talk about their efforts to start rewriting things in memory-safe languages like Rust, and I think they've actually got quite a few companies interested in contributing funding to these efforts from these presentations and stuff, which is pretty cool.
D
We don't have a direct funding model set up through the OpenSSF yet, but it is nice to see that, you know, people are kind of still taking advantage of these forums and supporting projects in a more ad hoc fashion, kind of meeting each other in this meeting and using this almost as, like, a matchmaking service to some extent.
D
I think this xkcd here, I don't remember when it came out. It was sometime after the group started, but we had to add it because it was perfect; it so perfectly described the goals of this working group: to try to identify these, you know, tiny little blocks supporting everything and then figure out ways to reinforce them.
D
It's challenging. Both sides of that are challenging, I guess: identifying those pieces holding everything up.
D
We've been working with and supporting the Linux Foundation's partnership with Harvard, their Laboratory for Innovation Science at Harvard, which is what LISH stands for, but they do a bunch of survey work every single year to ask people what they're using, ask developers what support they need, and stuff like that. The one coming out now is called Census II. I believe it started to come out last year and they've been releasing more and more data throughout the spring, and they're currently working on scoping...
D
...the next version of all this. The projects that we have going on in here, there are a few. Switch back to their question... no, never mind, I just heard a ping, thought it was a question in chat. Sorry. Some of the other stuff, yeah.
D
On here we've been writing code and using some donated, you know, compute resources where we tend to help some projects.
D
While he was between jobs, to try to find malware on the Python Package Index, and he found a bunch of stuff, wrote an awesome blog post, people got really excited, and then he had to turn it off because it was his personal credit card. And so we figured out some ways to get him long-running infrastructure and rerun that analysis and actually start scaling it up to other package managers, to hopefully shorten the gap between an individual writes this code and runs it every six months and writes a blog post, to...
D
...we can actually start to catch this stuff on a more continual basis. So that one's been pretty fun. There have been a bunch of people from the community helping out and working on that infrastructure. We actually found a bunch of spam issues on PyPI with that, where people were uploading a whole bunch of SEO-style spam.
D
You know, hundreds and hundreds of packages with links to malware and all sorts of other stuff like that, like advertising free Discord credits and stuff like that. So this project actually found something sort of malware-ish, and we had some pretty good blog posts and publicity from that. I think, going forward...
D
We want to start kind of separating the presentations and people asking for funding and stuff like that from the actual technical conversations. They've been more ad hoc, just because, like I said, we never really have time in the meetings for them, because the presentations go so well. So, kind of coming up with some way to separate out the meetings between project updates and unblocking all of our contributors versus the awesome presentations on things that need help and funding for them, other long-term stuff.
D
Yeah, that one's kind of challenging. This has actually been pretty helpful because it's pointed out that that is not actually the hard part of the problem. I thought that was going to be the hard part too, coming in, but there are way more critical projects out there. The problem is finding ones that can actually take and use funding, it turns out. So you can come up with lists however you want to, and rank things and everything like that, but it's actually non-trivial on a lot of these projects too.
D
If you have a check, no matter how many zeros you put on, to actually turn that into results for that project, it takes months to find people, you know, that have the expertise and don't already have some full-time job that prevents them from taking on side work like this, and negotiate those terms, get things set up, and then actually get them helping out on the project.
D
That project is maintained by a single person, had a ton of problems, and if you asked a hundred people what services they run on their machines, I don't think anybody would have named ntpd. It's just something you never think about. So that's kind of the more important one in my head, rather than kind of coming up with some ranking or scoring or a list of critical projects.
D
It's trying to come up with some techniques to make sure that we're not forgetting huge parts of the software stack that you don't think of on a daily basis, and then seeing what we can do there. Does that...
A
Totally, yeah, and I think it's an interesting idea, right, because it kind of harks back to, like, that xkcd picture, where there's that little cube, right, that's holding it all together, but we don't think about it, and I think there's a lot of packages out there that are like that.
F
Cool. Is the Package Feeds project underneath this working group?
D
Yeah, so the package feeds and the malware analysis were kind of the same thing, and they split up the repos a little bit because that one's actually more independently useful. The way it started was: we were watching all packages uploaded to PyPI and then running some analysis on them to see if they were malicious, and then we wanted to add other package feeds, npm and Ruby, and they all have mechanisms to watch for new packages, but they're all slightly different. Some are polling, some are just pub/sub stuff.
D
Some are RSS feeds where you have to check every couple minutes to make sure you don't drop something, so the team decided to just unify all of that, make a standard format for watching all those package feeds, to make that easy to do for the analysis stuff. It turned out that was useful to a bunch of other people who were trying to do things like typosquatting detection, and, you know, other types of analysis other than just kind of the dynamic runtime malware stuff. So we split that off.
D
Cool, thanks. Stuff like, if you don't actually want to install the thing or see what's inside of it, then you can just watch that feed and do typosquatting stuff by comparing names. Bloomberg reached out recently because they're about to start a similar effort internally to set up the unified feed about all of this, so they're going to be contributing to that project too, rather than build their...
B
That was exactly the question I was going to ask. One thing that came up in the vulnerability disclosures group, I think it was yesterday, was folks asking, like, how is this thing going to operate once it is launched? I'm like, well, you guys have a well-defined procedure, and I know that we're on track to have that. But there's this question of, do you need to come forward with a recommended funding body? And I think the answer to that is no, but some clarification around, like...
D
Quality, yeah. I think that's a... yeah, I think that's a question, I guess, for the governing board and stuff, as we start figuring out how to allocate funding. We don't actually get that many requests of people just coming in saying they need money for something. We get a lot of ideas, like people coming in and saying, I think we should spend money on this space, or we think this would be a good area to invest.
D
But then you have to do the work finding out who's going to do that work, how you can actually go and turn that into, like, an operational model, which is what I expected. I thought we'd get a whole bunch of people coming and saying, I need money to go fix my project, or I need this.
D
I need that. It's pretty rare. Like, we get a couple of them, but it's way more rare compared to the everybody-has-a-giant-list of, like, we should fix networking software, or we should invest in this, we should invest in that. It's like, great, that doesn't make sense... I would love to, who can we pay?
B
But then maybe we also have some mechanism for raising, like, generic topics, even if you're not the one asking for the money, where people can, like, submit ideas, and maybe periodically the critical projects group or whatever can either look at those and, like, prioritize some and allocate funding, or we should figure out, like, will we fund anything that comes in as a formal proposal ahead of some of those more abstract ideas?
B
Or is there going to be, like, this prioritization exercise of, like, well, just because this one's a formal proposal doesn't mean we want to give it money ahead of this other thing that we think is way more important. These are little things that, I guess, like, based on what you're saying, it sounds like have arisen through defining this group that we might not have thought of in advance as something that we'd have to think about.
D
Yeah, I like the way you put it, having the required fields, because we really need three to fund something. It's like, we need the name of the person or company we're gonna give the money to, what they're going to do, and then how much money. And if you come with just one or two of those things, then there's a huge amount of work to find the other one or two missing fields.
D
I'm trying to encourage people: if you only have a couple, then we can kind of brainstorm with you and come up with ideas. But if you have all three, then it's a lot easier for us to make a decision. It doesn't mean we're gonna fund it, but yeah, there's, like, nice, putting proposals through, like, a life cycle of finding all the information. How much money, how...
B
Are you thinking that this group will also do legwork? And this is kind of back to the thing I was saying before, when people come in with this idea of, like, we need to make X more secure. Are you thinking that the Securing Critical Projects group will start to source potential people to do the work and start getting quotes, or is that out of scope?
D
I think, yeah, getting quotes and running RFPs and stuff like that would make sense once we get more formalized.
D
Yeah, yeah, if you have the first idea, if we want to do this and you can formalize it enough to where somebody could actually write an RFP... If you come in so vague, it's like, we should improve this piece of software, I think it'd be hard for a firm or a person or anybody to write a proposal for that. Yeah, fair enough.
E
This is David Wheeler, if I may. I'd like to add just some experiences from the CII, which tried to run something like that. There were some great proposals, but there was definitely a problem that you often got the people who were good at maybe making proposals, as opposed to what was important, things like NTP. Never... still, it would... that was clearly important, but it wasn't that they came to us.
A
Yeah, I wonder if the Let's Encrypt guys and the projects that they've been doing might have a good model for that, because I know they've been reaching out to different projects, like, directly, and just... but how they've identified them, I'm not sure. I don't know if somebody, like, mentioned it to them initially and then they kind of went from there, or if, you know, like... I know that they're doing the curl rewrite, but that could be... I don't know if that was their own doing and the guy was like, yep.
D
Yeah, we chat. Josh came and presented actually about this. I mean, that was one of the first questions I asked him: how did you pick these projects to start with? Were they your top choices? No, these are not our top choices. We had a list of, like, 10 we wanted to target, and these are the first ones that said yes, we would do it.
D
They think some of the other ones are just more skeptical, and by doing a couple first, like curl and Rustls and stuff like that, they'll show the model works, get more people interested the next time they go around and come back and ask. Yeah, they've really tried to avoid hiring, like, random external people to go do stuff. It's really like, you're the maintainer of curl.
D
The lunar one's coming, I don't think they got...
F
So I haven't had an opportunity to make it to one of your meetings yet. You mentioned there's sort of two flavors of things that are going on, the package feed analysis and these funding discussions. In the meetings, do they sort of tend towards one or the other, or just kind of oscillate between them?
D
The discussion just gets going so well, and there's conversations and questions and everything like that, that we end up with, like, five minutes left at the end to cover development stuff, and then we usually end up handling that over Slack or email instead of the meeting. And that's what I meant by, I feel pretty bad we never get time to discuss that stuff in these meetings. We should probably just set up a separate call for only that stuff and not the presentations.
F
And then, I guess, in terms of the README, it looks like goals and non-goals aren't populated here.
D
Yeah, good point, yeah. I think I described it as: the goal is to find that little thing in the comic, but yeah, I just never typed it in here. And then...
B
And I guess around the goals and finding the little thing in the diagram, it might be useful to hear more about prioritization. So it sounds like right now it's very hard for us to even write checks. So this is a hard problem, to imagine that we would have to allocate limited resources. I think right now we're on the opposite problem, where it's like, please take our resources, which is a great problem to have, I guess, but we should also maybe think longer term about, like, once...
B
...we have a more robust pipeline of stuff coming in, how this group will interact with the TAC and the governing board. And some of that's maybe, like, what we've been figuring out in the offsite, but in addition to that, like, regardless of which actual group is handling it, how OpenSSF, regardless of which subgroup or whatever, will do prioritization of projects. So, like, will we, on a periodic basis, set targets for things that we want to invest in and, like, rank them and allocate funding?
B
According to that? Is it going to be that we say, you know, we're going to do this many RFPs this year for this amount of money, and anything left over can be allocated to something else? Is it going to be kind of first in, first out, where it's like, oh, we got a proposal, so let's write a check?
D
Yeah, I would love to be in that position, you know. We did get a bunch of budget internally at Google; like, we asked for it, you know, six months, nine months ago now, I guess, we got it for 2021, and the plan we came up with was break it down and try to aim to spend a fourth of it each quarter, so we don't spend it all on, you know, low-quality stuff in January.
D
If we get it... and we're way behind. We're almost done with Q1 and we have not gotten close to what we're supposed to spend, so yeah, gotta ramp it up as we go and...
B
I guess, to that point as well, thinking about when certain, like, corporate donations expire, like, you have probably a deadline at Google by which you have to spend this money or you don't get it anymore.
B
So if we also maybe had some kind of calendar around the availability of different, like, funds, and that part of the group that's, like, handling these proposals knows when there's funding that's about to expire that we better spend, and, like, maybe having an idea as to how we would deal with those scenarios as well, like not leaving money on the table.
D
Yeah, there's probably some whole industry of people that work with big companies that have those calendars already, I would assume, knowing exactly when companies' budgets expire and stuff.
D
Sure, you probably have a good sense of it. Yeah, we're just on a normal... like, ours is easy, we're on a normal calendar year, but yeah, I know other companies are on fiscal years that are offset and stuff like that.
B
Yeah, I guess, I mean, like, we don't need to track the world's tech spending, although that would be interesting. But what I mean more is, like, okay, so let's say Google's giving X amount of dollars; we should know by when we must spend that number of dollars before it evaporates into thin air. So maybe just internally tracking, like, when these offers come in...
B
What are the dates by which we have to have allocated the money, like, decided who gets it, and what are the drop-dead dates for when we have to have written the check? Just because I know, at least in my past experience, and I'm sure everyone here as well, you get these budgets where, if you don't spend them, they're just gone forever, and we wanna...
B
I guess it's just kind of, like, a logistical, not very interesting, bureaucratic point that we should keep track of when we have to spend the money to still have access to it.
F
So I reached out to Ryan. He's very apologetic; he didn't realize that this meeting was today, so he said that he'd be available at the next one, which I guess is two weeks from today.
A
Yes, I was actually gonna bring that up. So since we don't have the next group, though... I'm really interested in doing, because, just to mention real quick, I think there's a lot of potential interaction between these two groups and tooling, at least for the future. So I'd really like to... I know, Dan, you're here every week anyway, so, you know, we can still have that conversation, but just kind of bootstrap it for next...
A
The next meeting, I think, it'd be interesting to think about how we can have a little bit more interplay between those working groups, but thank you so much for presenting today, and that was definitely very, very helpful. I think officially these groups have met all the criteria that we've set out to move to the next phase, so I think we're good there. And then the only other thing that I had on the agenda...
A
There was a lot of discussion around this in email over the past two weeks, but, as we know, Maya stepped down from the board; she's actually resigned from GitHub and is moving on to something else, and so now we have this opening. And there was some discussion around: should we fill her seat now? Should we wait until the official elections that we've set out happen in August, or have some sort of interim thing?
A
My interpretation, and people feel free to correct me, was that we were all cool just going ahead and waiting, and things are continuing on and not a lot of need to go ahead and add disruption. So that was kind of my take on it. Do people have other opinions on that? Do they want to try to fill that official role now and not wait? What are thoughts there?
B
I think Dan had raised a good point in the email thread about not wanting to put someone in the role that wasn't, like, democratically elected, and I share that sentiment. I think that we can operate with one seat empty, since the election is not too far away anyway, and that I personally would rather do that and then have that person voted in during the election, but I'm certainly open to other proposals.
A
Yeah, I agree as well. I don't... Dan, if you have a... I think in the email it seemed like you were okay with that as well too, but just for official reasons. Yeah, okay, so officially we're good with waiting. I do want to say, I think that there is the potential for this to happen down the road as well, and so we should come up with a process of how we want to handle this in the future, and then we can document that, make it part of the official thing.
B
We decided how we're going to figure out, and when we're going to figure out, who stays on and whose seat is up for election later?
A
That is a really good question. No, we have not officially figured that out. You know, we... the only thing we've done so far is that we've split, you know, we said we're gonna have community seats and we're gonna have governing-board-elected seats, and what that election looks like, but we said that there would be a voluntary basis and then, if there were no volunteers, we would essentially randomly select people to be re-elected, but I think it's still TBD.
A
I kind of had this thought the other day that we didn't decide that. In August, are we doing the community ones or are we doing the governing board seats first? So that's, I think, still open for discussion.
B
Even if it's going to take us a while to actually do it, it would be good to know, like, by this date we will have decided which seats are up, by this date we will have decided whether it's community or governing board, or the third option, I guess, which is to have a couple of them be community and a couple of them governing board.
A
Yeah, that's a good point. I mean, we should probably have a timeline on that. I'm trying to pull up a calendar.
A
So our next meeting will be on the 6th of April, so we could bring it up for discussion then. You know, we could kick it off in an email after this meeting; we can discuss over email and Slack if we want, and we can get through it, make it an official topic on the sixth. So we'll have one presentation for tooling and then we could use the rest of the meeting to work through this.
A
We could at least decide what are the... like you said, which positions fall into which categories, and then that way we'll know what we're actually electing in August. Does that seem reasonable?
A
Oh, we have, for the previous election stuff, we'd created GitHub issues, okay, we tagged them with the election process, so just an easy way to keep track of them as well.