From YouTube: OpenSSF TAC Meeting (September 6, 2022)
B
I actually don't remember, I have many kinds. Actually, this is one I picked up from the Eastern European grocery up the street, and it's a Russian tea with rose petals and strawberry slivers and stuff. It's.
F
I'm drinking Blue Mountain roast from the mountains of Jamaica.
A
All right, well, I, thanks everybody for joining today. First up on the agenda is an update from the Supply Chain Integrity working group, and I see it under the agenda that Michael Lieberman is going to present on behalf of that working group this morning, so, or this afternoon, depending on where you are. So with that, Michael, we'll give you the floor. Aim to try to keep it under 10 minutes, please.
I
Well, it's probably even less than that, but, so, give me one second here to share with this, and let me see, can folks see the slides? Yes.
I
Right, cool. Well, only got a couple of them, so should go quickly. So just giving an update on where we are today and where we're kind of going.
I
So the meetings are still, you know, focused around talking through and getting demos about some of the new stuff that's happening in the supply chain space. So these are things like, like VEX, you know, a bunch of the SBOM stuff. You know, we've been relatively open, as folks have tried to, you know, want to come in and demo different, interesting things in the supply chain space, I believe.
I
Actually, you know, we're trying to get a schedule for the new consumer-facing supply chain framework that came out of Microsoft recently. So we want to kind of get a demo of that soon, and then, so, the two main projects that are kind of underneath the Supply Chain Integrity working group right now, the first one being is SLSA. So SLSA is trying to hit 1.0 soon, and so there's a bunch of different work
I
that's been done on that recently, so we released the SLSA 3 generator for GitHub Actions.
I
That's a sort of a language-agnostic generator of, of, of provenance, sorry, of SLSA provenance. There's also, as gearing up for the 1.0 release, three sort of SIGs have been spun up to help push and drive towards 1.0: there's the specification, positioning and tooling groups. The specification group is mostly focused on literally the language of the requirements, making sure that's clear, making sure that if a certain requirement maybe doesn't belong in SLSA, or if something is missing from SLSA, how do we get it added in there?
I
The positioning group has been focused on sort of collaboration with other things. So that's like, how do we map to things like SSDF, some of the work from the CNCF and, and so on, as well as a lot of other work in sort of that, you know, collaboration space, and, you know, working with like stuff like, hey, how does this interact with the broader SDLC work that's being done, and how does that fit in there? Those sorts of things.
I
And finally, there is the tooling group, and the tooling group is focused on sort of finding out, you know, where the gaps are in the actual tooling that supports the SLSA requirements, SLSA provenance and those sorts of things. So these are things like tooling for generating the provenance, or, you know, a builder that builds following the SLSA requirements, or, or also sort of distribution and discovery like stuff,
I
like, you know, OCI, you know, tools that can, you know, sign the provenance like, like sigstore and so on, and, and figure out where there might be gaps, where, where, you know, there might be, there might need to be the some additional work areas in, you know, addition, you know, exist, pre-existing tools like, let's say, Jenkins, and, and how do we kind of, you know, develop plugins or whatever for that?
I
So that's one of the other groups that got spun up. A fourth group will be spun up soon, which is adoption, so we're waiting for specification, positioning and tooling get really solidified on, on the scope and, and where we're pushing it, and then once that gets done, we can then spin up adoption to make sure that, you know, now that we're all aligned, we can push broader adoption.
I
It's an implementation of the CNCF Secure Software Factory reference architecture, but trying to be more, you know, broadly, you know, just, hey, here's what you could do with a secure build. It's trying to kind of hit the high SLSA level as, as possible, and, and so on, and so most recently we integrated workload identity into it. So this is like SPIFFE, SPIRE work and, and to sort of essentially verify that, you know, as a build is happening,
I
Work set, as a build is happening, that, you know, it's happening on the right nodes with the work right, you know, identity, workloads and so on. And we're also integrating, we recently integrated runtime observability in a POC capacity, so that's stuff like eBPF and so on, so that we can actually track exactly what is happening in a build.
I
We also, as part of this, we have it all set up via, you know, automation to sort of have it all get installed. All right, and then here's kind of where we're spinning up in the future. So we are collaborating with CNCF and a few others to help collect supply chain attacks and do some threat modeling in supply chain, around the supply chain.
I
So the CNCF has a bunch of, had a sort of, I guess, a spreadsheet or a table of a bunch of a different attacks, a list of all these different things. We're looking to see if we can sort of include, the CNCF is looking to include that in the OpenSSF as part of the broader, just like, here's just general supply chain attacks, not just cloud native related ones. SLSA, as kind of mentioned before, really pushing for the 1.0 release.
I
There's also, trying to, as part of that as well, trying to spin up a conformance program so that we can establish a set of rules for folks to sort of say, hey, if, if you are claiming SLSA, this is what you need to do to actually be able to claim you are SLSA and use the branding and that sort of thing. And then we're also looking to sort of support wider, you know, have wider tooling support. So, as kind of mentioned before, you know,
I
a lot of the stuff right now has been built out as a POC in sort of GitHub and that sort of thing, but we want to still keep pushing to other, other assassins, as well as open source tools as well. FRSCA, one of the big things that it's pushing our developer environment as well as we're pushing, as potentially as like a secondary builder for some open source tools. And then finally, we're looking to do some increased collaboration with the CD Foundation,
I
given that FRSCA itself is a build tool and the CD Foundation is very focused on the, the sort of organizational aspects of, of supply chain security, stuff like, you know, the, the S, the holistic SDLC, thinking about not just purely the technical aspects but like, how do lawyers get involved from the legal perspective, and how do, you know, stakeholders get involved, and those sorts of things. So we're looking to sort of integrate, or sorry, collaborate a bit more with the CD Foundation on some of those things.
I
The Continuous Delivery Foundation, they're another Linux Foundation group. And then FRSCA, I just noticed there's a thing there. So FRSCA is, it's a background. Originally we called it SSF, but to not confuse it with the OpenSSF or any of the other things like OpenSSL or whatever,
I
we created an acronym, which is a Factory for Repeatable Secure Creation of Artifacts. And so the reason why it's under the buildsec, and to be clear, buildsec is, well, let me stop sharing. buildsec is owned by the Linux Foundation.
I
The reason why it's under that org has been because we're going to be hosting a whole bunch of different projects, and some of those projects are going to be listed specifically as, hey, this is, do not use this project, this is an example of like an evil project. And we didn't want to sort of pollute the ossf GitHub org with a bunch of different like things that probably are not going to make a lot of sense for folks. Brian?
E
Hey, a great presentation deck. If we can get the link to that, because what I think we really want to do with these updates is make sure that people can get caught up and stay caught up in asynchronous ways with what's going on in the different projects, so the very least link it in. It caused me to wonder if maybe for these reports we want some sort of like standard template or something like that, but we don't have to go there now.
E
The release, just link it in, and I, I, I, I think I'll try to keep up notes for some of the other points, but just in general that would be great. And secondly, on buildsec, respectfully, yeah, I get the not wanting to pollute the OpenSSF GitHub organization, but it also means, like, for statistics, we don't know what's going on in there, there, at least it wouldn't count towards other statistics in the GitHub org that we're tracking.
E
It also means, you know, we're not sure what the bus factor issues are, because I, I don't know who owns that on the Linux Foundation side, who owns that repo. So, probably just worth coming back to that and talking offline, just to make sure it's managed the same way we can manage some of the other alternate GitHub organizations at the OpenSSF.
I
Sure, yeah, no, that works. Yeah, I had briefly in the past worked with Jory on that, but yeah, we can sync back up on it.
I
I believe it's the Chainguard one. I'll have to double check, because this is a, I've worked on this with Kim, who couldn't make it today.
C
Right, yep, real quick, at this point of order, I believe we now have all TAC members on. Thank you, everybody.
A
Yep. Thank you, thanks. All right, and next is the vulnerability disclosures working group, shared by CRob, so.
F
Sir Ruby well, everybody, I am here today to talk about my favorite working group, the vulnerability disclosure working group, giving our September updates. The vulnerability disclosure group has 16 regular attendees, with up to 15 other folks that kind of cycle in and out. We predominantly are organized into four some projects. We have coordinated vulnerability disclosure personas and pain points. There's a couple documents we maintain.
F
We have a vulnerability report standard metadata, a repository that we curate, and then the open source vulnerability schema participates with our group, that's another affiliation. And then our main work out for, my main deliverables recently have been coordinated disclosure guides. The first guide we created was for the developer maintainer persona. So it's a guide on how upstream projects could potentially improve their CVD practices,
F
learn from how, you know, good ways to share information about problems. We're most recently been toiling away at a guide focused on the security researcher slash finder persona, which we'll talk about in a slide or so, and then in the future, we'll focus on a CVD guide for consumers. And then most recently, the OpenSSF mobilization plan stream five, the open source security incident response SIG, is housed
F
underneath this group, and I'll give you a brief update on that. And future planned work is, we might, we're looking to work, collaborate with an organization called CERT/CC, that they have created a vulnerability coordination tool called VINCE, and we're looking at ways that the community can potentially reshape that into a more open source friendly and the more holistic vulnerability management solution that and the open source maintainer potentially could leverage.
F
This guide currently is a Google doc, but I'm going to talk to one of our members and get that flipped over to a GitHub repo this week, in anticipation of the announcement at the conference next week. And this provides an overview of coordinated vulnerability disclosure practices within the open source ecosystem and provides practical advice on how security researchers can best engage with open source maintainers and developers and projects and communities. We provide a series of templates to exemplar, here's a what a good vulnerability report looks like that
F
an open source project can easily ingest. We have just a whole series of templates and then useful links to good resources that are available within the ecosystem. And again, we're looking at formally announcing this. I owe Jennifer a short blog for next week, we'll be announcing. This is a part of OpenSSF Day. And I mentioned, in the future, we're looking at CVD guide for consumers of open source, and then we're looking to expand our repo of CVD templates, and then I forgot to put the VINCE work in here.
F
Down, I'll turn my game down. So some of the most exciting news is around the stream 5 of the mobilization plan. We have a group of us have been collaborating on this refinement of the published plan. About 12 to 15 of us have a meeting on a weekly basis, and we are going to be creating a, drafting a proposal
F
that'll go up to the governing board for consideration for funding on how we can create a group of incident responders that help mentor and work with, and collaborate with, project maintainers and developers and security researchers to kind of further coordinate vulnerability disclosure practices throughout the open source ecosystem. We have the first run of the plan done already, and we hope to have the final proposal ready to share upwards sometime this last quarter of the year, and, you know, patches are welcome. Anyone interested in collaborating on this, we would love to talk with you.
F
We now are about ready to split up into three focus groups focused on three main aspects of the plan. The first aspect is going to be engaging the upstream community: existing security teams, existing open source security persons of interest and things like the distros list, kind of talking and learning what existing practices are today.
F
The second group will then be focused on drafting the set of capabilities and services that the CERT will be providing. Then we'll have a third team focused on the execution of the CERT, things like, you know, how many FTEs we might need, how we're going to incorporate volunteers into this, what types of tools we might need, what types of infrastructure would this group need to be able to execute on their mission. And with that, I think I am, that is the end of my slides. So thank you all.
A
All right, take that as a note. Thanks for the update, appreciate all the, all the information. Will sound like there's a ton of good work going on there, even though it isn't the best working group. I know you have to play favorites, but all right.
A
Next on the agenda, we last meeting ran out of time to get to Jennifer, who had a couple items. One is around the blog post, which I know went out, but Jennifer, I wanted to give you a, at least an opportunity to bring anything back to the TAC, given that you, we didn't quite get to your stuff on the agenda last time. So without, the floor is yours. Yeah.
J
Thank you, I appreciate it. So I just dropped in the chat the link to the blog about the npm best practices guide.
J
For anything that we want to include in our press kit, so we have later this week an announcement from Scorecards, SP, SPDX funding, best practices working group guides, as CRob mentioned, the vulnerability, vulnerability disclosure working group CVD guide, a new end user working group, some announcements from Alpha-Omega and GNU toolchain announcement. So there's quite a few things. If there's anything missing from that list that should be in there, please connect, act with me offline and we can talk, and if you're working on any of these, please, let's get moving.
A
All right, cool! Thank you. All right, next item on the agenda. Brian, is an email that went out to the TAC last week, I believe, around the mobilization plan.
E
Yeah, just summarizing that email, you know, that I've, I had a, a proposal for how the TAC might wish to oversee the teams that would develop the technical plans around each stream, as well as try to identify and pursue, and then oversee, funding opportunities to direct, well, opportunities, direct resources to execute on those plans.
E
I, it's been through, you know, quite a few kind of changes and, and discussions and the like, and in fact there's a couple of, as I mentioned, a couple of SIGs that have already started kind of under that model. Three already, there's a, at least one more kind of being spun up around stream number two as well pretty soon, thanks to David Wheeler and, and a few other folks. And so I would, I be looking for would be: is this the way we want to do it?
E
Is there a different approach? Do we want to fine-tune this? There's a complementary side to this at the governing board that would need to be implemented to, for them to kind of oversee the matchmaking between, you know, the calls for, for funding in certain ways and, and the folks who've pledged against this plan, and I'd like to get that side started, and I know they would really look to the TAC to kind of bless the approach. Blessing
E
the approach would also give kind of me and the OpenSSF staff the impetus to go for, for each of the other streams and see, all right, are the folks who are involved in drafting it, or some new people, interested in starting up SIGs around the remainder of the streams, to get those started. And if there's a stream that ends up not having that energy, that's fine!
E
That's, that's a good reason to, to cull it from the plan, basically, but, but I think for each of the other ten there's a constituency to, to, interested in moving things forward. They just wanted kind of a signal that this is how the TAC wanted to go. So anyways, I humbly offer it, and, and I see there was some conversation online after I posted. I've been offline most of the Labor Day weekend, so apologies if I'm not up on a couple of the comments, but this is a plan
E
I, I, you know, I offer humbly, but it really does need the TAC to kind of both bless and then be willing to, to take on, is how it wishes to over, oversee this work.
D
My, my first thought, and apologies also for not having caught up on email, I was also out for past five days, is that we take another look at Brian's proposal, thank you for it, in light of all the changes that PR 112 went through as we got to merging it last week. Congrats on that, everybody. But I, I have not done the, the sort of squaring that circle of how the new PR 112 fits with us. I think we should start there. This, I would like to.
E
I can offer a take, which is that I think it was designed with the changes called for in 112 in mind. I, it specifies the positioning of special interest groups, of SIGs, for each stream reporting into a working group, although if a working group wants to handle that work directly, as the security tools working group under Josh Bressers has with the SBOM everywhere topic,
E
that's fine, too. I was just trying to put containers around things in a very container-driven kind of mentality, but, but we don't have to add too many layers of interaction if we don't want. But other than that, you know, the PR 112 was still kind of light on discussion on funding, for example, and this is really a different kind of funding source than, than others that we're talking about, because the pledgers have not, you know, written checks yet, they haven't parked their money somewhere.
E
So it's a different kind of process than how we might spend, otherwise spend money from the TAC, which PR 112 didn't really cover anyways. So I'm just saying I suspect that it doesn't have much other, other touch points in 112, but interested in that conversation too.
D
Do you think we should then look at how this, or like what the, what the different funding model is? Is that summarized somewhere quick for us to pull up and talk about today?
E
It's not complicated, it's the, the fact that the pledgers, the folks who put the 30 million towards this, those, it's that their pledges, they aren't money that's already been collected and is available in the funding view vehicle like we have with Alpha-Omega, or like sigstore step with the bootstrap process, or, it's also, that's how it's different from the OpenSSF core funding, which means they expect, and it's part of their pledge, and, and this was really taking.
E
They said, we will put it towards these different streams, but we'd still like to reserve judgment on which ones we put it towards, and, and we want to see, you know, when there's quality ideas, then we're willing to come in and invest. And so really the question is: how do you put these, these high quality ideas in line with these themes in front of the group of pledgers, and, and while doing that, aiming to not have to worry about getting everything funded by one pledger or another, but presenting it to them as a group. So I, I believe this plan does suggest a process for that, basically, a, a committee that meets initially monthly.
E
You know, maybe it has to be bi-weekly if things happen more, more quickly, but then these get presented. If they say thumbs up, then, and we raise the amount that's called for by the proposal, then the Linux Foundation staff goes and, you know, the issues, the invoices and puts the pieces together to make it work. But then the folks who, in the SIG, who created that proposal now connect, connect the pieces, basically, and then oversee the work and, and report back, here's what's been delivered based on that, that funding.
A
My two cents, a, I would say: let's see how the conversation goes today. If we seem like we generally have consensus and moving that direction, that seems totally reasonable. If we don't have consensus, then I wouldn't want to necessarily force a vote too quickly, but I would say: let's see how this discussion goes, go from there.
A
There's not an explicit, I don't read an explicit, like, you're looking for a, a, an opinion or a blessing from the TAC around taking the proposal forward, and it's more of a loose, yes, because these would operate as SIGs underneath working groups, that, that activity should be reported up to the TAC in the course of normal updates. But we're not looking to necessarily insert the TAC in the approval process for things being funded by the mobilization plan. Is that a fair summary?
E
That's a fair summary. You know, I consider these SIGs, because they report into working groups that report into the TAC, is still ultimately being accountable, and if you found one of these SIGs was, was, was going clearly outside their amounts, clearly outside of their remit, their scope, or coming up with bad ideas or something, then I think we'd treat it, you, I would suggest you treat it the same way that if they project under a working group was going sideways, you'd want to step in and act, right? Long before any explicit,
E
you know, top-down action, there'd be lots of conversation and lots of, you know, fixes at the community level, right? But, but ultimately, the, the TAC does have the authority if they said, if they, to even say, I'd say, this is a bad idea, this is just a direction that's not bearing any fruit, this is something that doesn't work, this should be shut down. You know, even if it was shutting down one of those 10 streams.
A
I guess what I'm trying to reconcile in my, in my head is the, the past conversations at the governing board around making sure that the TAC is in the, in the advisory role for activities in the foundation, and recognizing that there is some diversity here in terms of, this might result in the creation of a project from volunteers that land, and that project exists underneath the OpenSSF, and that's a good outcome, or it may also lead us down a path where funding is directed towards an outside organization, and that activity, I
A
trying to reconcile in my head is, is what is the oversight of that you're proposing here for the TAC to play. It's clear to me in the role where it fits the guidelines of 112. In the other case, I guess that's where it's not as clear to me, in this, in the sense of, well, it's under a working group, but the work is actually outsourced, so is TAC really in the decision flow or not? Hearing your response, I guess, I'm, I appreciate it. I just don't know that I've, I've got the clarity.
E
I think quickly, look, let's, let's use like an example, right, the third-party audits. Right now we have a really good partner with OSTIF, with, you know, and, and, and they're the ones who can do the, the legwork in terms of finding other groups who can actually perform the audits and having a consistent structure to those reports and, and pulling those together and vetting, vetting the teams performing those audits. But I
E
imagine that the SIG that we form here around funding of third-party audits would be the ones to say, you know, here's the, based on the work done by the identifying critical projects working group, you know, to say, here's the, the right first 10 to go tackle first, right? I imagine they'd also be the ones to hold OSTIF to account, and if OSTIF did, did flag on, on their performance, would have the agency to go, well,
E
there's another group over here we'd rather work with, or here's a different group that knows OpenSSL very closely and will just directly contact with that, contract with them. Like, the oversight is over that, that, that element of this, of the, of the plan, right, that stream in the plan, and there's a technical element to that, there's the judgment call as well as, you know, kind of what's the most efficient use of that money, right? But that's the group that be holding OSTIF to a standard of performance, even if the money ultimately was routed just kind of directly between the pledging organizations in OSTIF for that first project.
A
It was helpful. I'll defer to others who have questions and hands up before I report, but let's see, I believe Abhishek was next, but I could be wrong.
H
As we can write, let's say, five to ten bullet points on where things start, where they end and who's involved, and what decisions, that will give clarity on like the process to everyone. And my second question is around, like: will everything be a SIG? Like, do we expect sub-projects to come out of those SIGs? So that is something we should clear in the document too, like some things might directly straight go away into projects as well. So this is a clarity we should probably mention in the talk as well.
E
I think, I think clear, like, examples of the workflow, perhaps even some visuals. I'm not a visuals kind of person, so I would love to collaborate with somebody who could help me with, on that, help me on that. Happy to, to invest in that.
F
Alrighty, so since we are attaching the wings to the airplane as we are screaming down the runway, what my intention was with the two SIGs I'm helping facilitate is that we're going, we were reviewing the mobilization plan as originally written and all subsequent notes.
F
Whatever the funding would be, is that I would share that, all those plans, with the TAC first to get the initial read, make sure we're directionally correct, and then before it goes up for formal proposal to the, the funders. But again, whatever process we develop and, you know, finalize before we take off, that's, that's fine, too. We're willing to be able to pivot. And at least as the two plans were developing, we're going to have a combination of kind of ongoing volunteer work that the SIG will participate in.
F
We will have a potential full-time employees that get, need to get hired. We will have things we will need to contract with, so like the model or engaging with OSTIF, and then we'll potentially have ongoing costs for things like infrastructure that we'll need to get figured out. So that's kind of at least how the plans are sussing out, it's what we're looking at. We'll have a couple different states of being at the end.
D
Thank you, Craig. I think that was a super helpful set of examples, and I think it was Abhishek, but I was thumbs upping earlier, seeing an actual, or, you know, having an agreement on a process or workflow for this that can be used and adopted by all of the streams.
D
I think normalizing the process they follow for making these proposals up front will be super helpful to set expectations clearly, both for everyone who's implementing these and for the TAC who's observing these, so big plus one on that. If I have time, Brian, I'm happy to help create visuals for it. I'm a visual thinker, so happy to, you know, chat with trust, you or a couple other folks,
D
do some brainstorming, do some whiteboarding, and then let someone who's better making things pretty than I am take the, the diagrams I build and make them presentable. I do have a concern, though, which maybe was a misunderstanding, just as we're all talking through this.
D
It sounded as though part of the process was the SIGs making proposals to the governing board or board subcommittee to then potentially fund work in the OpenSSF or fund third parties, and then the TAC, I think, Brian, was you who were describing the, the workflows, possibly the TAC then pulling back from that. It's much harder to stop something after it starts, so I want to just clarify that point. I think that the flow should have a checkpoint with TAC before funds are assigned.
E
Yeah, I, you know, I, I'm, I'm finding the calibration between oversight and agility is, is a challenge, but I think, just like as we were finding out with the blog posts, if there's ways to notify the, the TAC: here's something that's coming up, here's something that's ready to be acted upon, you know, here's a time frame for response. It might not be two weeks, it might be a few days. The thing I'm sensitive to is, you know,
E
sometimes when you get a quote from somebody to do work for a price, that quote is, you know, valid for just a, a duration of time, right, because resources become available or not. So I want to make sure we can be timely about the process at that last, last mile, where, like, a proposal is ready to, to get funded, so.
D
Yeah, I, I would counter that, which, I acknowledge the reality of that. But if you, if, if staff is approaching a contractor prior to having asked the TAC if the work could be funded or if it's the right kind of work to do, that's, that's the wrong again order of operation. So I think getting a flow chart here would be super important, so that the right amount of buffering time can be built in for, for what you need.
E
I think there's, there's validation early on that the plan is right. You know, just like CRob talked about bringing frenzy over all picture back to the TAC for feedback, for, for input.
E
You could even have checkpoints where you expect kind of approvals of that thing by the TAC, if you, if you'd like. I, I think as a natural part of their work they're going to be talking with people about what's possible, what could be done, what is, is efficient way to, to, to, to go and tackle something on a roadmap, and a natural consequence of that would be, well, let me look at, let me estimate this for you, let me, let me see what it would take,
E
my, you know, my team that I've got over here to build this for you. You know, like, like those kinds of conversations are a natural part of this sense-making, I think. So I think, I think just making sure the TAC has some, you know, that these things feel comfortable bringing up to the TAC checkpoints on their work on a regular basis, and yeah, it makes a ton of sense.
E
I, I think some will be very self-directed. I, you know, as was mentioned, we really do have good leadership here in Crow, F, Baron and Steve, urso and, and Josh, and, and some other SIGs might need more help. So I've already anticipated this increasing the, the, the burden on the PMO staff and, and having to, they'll have to budget for that for next year.
E
I also think having people that we pay to help with the proposal writing, when it comes time to actually get down to who's gonna do the work, what is going to be accomplished, by when, you know, there's kind of an art to that as well, or being able to oversee other people who come in. So having somebody who's a grant writer, for lack of a better term, either as part of their other job functions or the like, and that being a role that we pay for that's available to the different SIGs, might be a really good idea as well.
And then, you know, if a SIG does hit a situation where, you know, there's a couple of poor people moving it and then simultaneously they all get pulled away by their employers or otherwise not able to fulfill things, you know, it'll be on us, I think, to make sure any work that was contracted out gets completed and reported back to the TAC and that things get wrapped up cleanly. But if, yeah, if it's SIG, just like any SIG or any project at OpenSSF or other open source projects, you know, they can wind down if there stopped being people interested in pushing them forward, and you just want to wind those down gracefully, especially if you've spent money in a certain direction.
So I think that'll put some burden on OpenSSF staff as well, so this would increase the cost, and it is hard to say ahead of time by how much. My swag was, you know, I'm thinking about re-budgeting for the rest of this year, probably an increase of at least an additional head count from the program management side, but plus somebody who could do grant writing again.
E
A
A
It's something we would need to fund sufficiently to make sure that we're supporting the efforts, not just having a perception of throwing money at the problem, and when things don't turn out well, who's to blame, right? And so these questions around workflow and process and oversight, I think that is a role that these staff could play, and I think it's a natural position to have a PMO-type org in place to do that, but wanted to get your thoughts on that. So thank you. Josh.
B
Just those regular check-ins should mean that the TAC has complete visibility into strategy and even some of the tactical things going on, so I think seeing a funding request appear on a, like, unexpectedly, at the TAC level would mean something horrible has broken down elsewhere. And so, I mean, I feel like it's a fine line between being informed and being meddlesome, I think, in some of these things, and obviously we want to make sure the TAC isn't meddling. And I feel like as long as the machine is running, I'm
D
B
H
I think, as long as, I think, sorry to chime in early, like, as long as things are visible and we can chime in when needed, that should be the case. Like, we shouldn't be, like, acting as a choke point, as you said, totally, but visibility is important. Like, we had the same things with blog posts, right? So that is fixed now, so people are aware of the launches. So I think this is another similar thing.
A
To be fair, I guess I want to reiterate the point I raised earlier, which is that the feedback from the governing board the last couple meetings has been that they do want the TAC to weigh in with advice, whether that's adhered to or whether that's disregarded, and evaluate, like, again, I think there is a desire that the TAC serve that role for the foundation. That's the activities, if this is under the brand of the foundation, I think that's something that we would need to consider, at least making that part of the process very explicit, to make sure that governing board representatives understand the role that we do play in the context of executing the plan. I see a number of hands up. I believe the annual next.
G
Yeah, well, does anybody... I don't want to take things off course about this conversation about the TAC's role and all this, so if anybody's comment is related to that, maybe you should jump the line, because I think, you know, when we're talking about the blog post is one thing, but as I understand things here, we're talking about multi-million dollar contracts and staff, and I think it would be very appropriate for the TAC's role to say no to something like that before it kicks off. I think that's a much different output and gravitas than, you know, other things that we maybe were seeing as meddling or micromanaging around a blog post, for example.
D
I'm gonna second Bob's comments and just point out that the government has been very clear that they'd like to see more involvement from the TAC in especially large strategic technical decisions, and choosing what project to fund is a technical decision.
G
D
E
B
D
I believe that's the process that I was proposing earlier to work with Brian on, is how we define a workflow for these things to raise their points, bring it to the attention of the TAC before large contracts are up for a bid. But I'm trumping the queue to clarify things, so I think, and your hand is still up.
G
Yeah, I guess my other comment, and throw this in the pot with whatever the conversation wants to go, because, I apologize, I was half hour late and I've only briefly read the SIG mobilization document. I know crowbe is shocked. I guess there's a larger question to me here that I'm not sure I fully understand, which, oh, crop, you have it printed. That was the poor trees.
You know, we are essentially, as I understand this proposal, we're kind of putting volunteers in charge of contract and personnel and budget management for multi-million dollar things, but at the end of the day, these are volunteer contributors on 20 and 10 time at best. What's sort of the exit strategy if those contributors walk away, krobe suddenly has things at work, you know, our fearless leaders have to do other things? How does this unwind, or what is the stopgap to continue these activities when we are talking about this level of investment?
E
I could answer now, but let's go through the other hands up and then I'll try to add that to my answer when my turn is called.
C
Yeah, yeah, I'd, assuming a question to Annie, which is really, does SIG have any sort of life cycle? Okay, so it reaches logical conclusion, or is it something that would be continuously working and iterating over its chosen domain? And the second question I had was, let's... escape me now. So it's just one question.
K
So, you know, I kind of wanted to respond to Josh's comment on meddling, because my view of the job of the TAC is to provide clarity and urgency and funding towards the right set of priorities, and if that's meddling, I would argue we need more of it, not less. We're 10 months since we got a ton of capital for this organization and I can't name major achievements that we've made in the last 10 months. And, you know, I would argue if that means we need to do fewer things so that we can meet with these tax, more, are these working groups, more than once a quarter, we should do so. This organization should feel free to shut down some of the work streams so that the limited resource of attention in this group can be put on the right things, because today, I think we run the risk of trying to dabble in all the things and getting no appreciable progress on any of them.
E
E
So a couple of thoughts that are responsive to some of the things have been said. One is, you know, the mobilization plan was labeled version 0.9.1, partly out of a sense of humility that didn't get across, the message that, you know, this is not even a 1.0. This is still, you know, a draft in progress, and I... it could be worth, once we get SIGs spun up for all or most of these streams, to say, right, we're going to do a coordinated version 0.10 or a 1.0 at some point that we'd like all these streams to, you know, do an update for, right, and set a date and say this is our target. And that could be an opportunity for the TAC to look at the plan as a whole, to look at, make sure each stream is up to a level beyond what it's at now, and have that be the approval step, that the TAC says, okay, we're in lockstep with the plans the SIGs have come up with. There could obviously be smaller touch points than that, but just as a way to harmonize everything and see the whole thing at once.
E
I also think project should be crazy to start with a multi-million dollar proposal unless there was, like, here's a very clear, well-vetted, like, obvious thing to go and spend that level of money with. I think, I'm sorry to use the word crazy, whatever, but, like, I think most of these are going to start in the hundred thousand, two hundred thousand, couple hundred thousand dollar level and grow over time as the SIG gets its, kind of, you know, engines going, as people get more confident, as they find smarter things to apply money to. I don't see them spinning up instantly to that, although over the course of a year, they could be overseeing a million dollars' worth of different contracts or budgets, which does bring up the volunteer point.
That is a risk, that a SIG, you know, is led by a spirited individual who has the time right now to go in and make something happen, and two or three others who plus-one everything, and then they come up with some compelling work and they get that farmed out to a couple of contracts, and then that spirited individual has a life change, a priorities change, and yeah, and then there isn't somebody to come in and backfill on that. And I think that does put things on us as staff to find a graceful landing for, I know, a little bit on the TAC to figure out, do we, do you all, I'm sorry, recruit for somebody to lead that, you know, to fill that gap that was left behind? And should we actually make SIG recruiting, and these, you know, kind of a function of what we all do together, right, making sure that the bus factor of any one of these efforts is, you know, as far away from one as we can make it?
And then the final point is, do these things have a life cycle? I would love to mark one of those 10 kind of categories as completed, as done, as finished. Some of them aren't going to be perpetual. You know, some of them, such as sigstore, you know, as a part of that, the digital signature stream, let me just make it that clear, some of that is about getting a rapid adoption of a technology, and once it's in place, that sounds great. Part of it might also be continuing to feed the need for the key server and other kind of operational ongoing elements of that. That might not ever kind of completely close, but some of them might close, and we might be able to declare victory and wrap up a SIG at some point.
A
Just recognizing the time left, Jacques, will give you, yeah.
C
Very quickly, I'll give fair warning that I propose to force you to find out what the process is by asking for money from a work stream. This doesn't fill me with confidence, but also there's nothing quite like somebody actually showing up and asking for money to help you work out how you dish it out. So fair warning. That's coming.
A
I appreciate the feedback and I generally agree with you, flushing this out with use cases, and I think a lot of the work that's going on already in the various sort of SIGs and whatnot, in the stream SIGs that already exist, I think is good work that we should be supporting. I guess my closing comment is just one of, I feel like we're... without the clarity of a workflow and drawing out some of the things that I think, Ava, you volunteered to help Brian with, it's difficult for me to rationalize the incentives and the variability that exists under this model and to go give a confident, resounding yes to the governing board to say we are on board with this strategy because we feel like we have the right understanding of the different...
To your point, should we be recommending to use, you know, foundation money to go fund that request, or should we be recommending that you go make a mobilization plan pitch, right? I guess without that clarity of the different choices there, I don't know that I could actually help you as a working group lead to make that determination right now, and that's what's causing me to hesitate here. It's not a, I don't think this, you know, there's good stream things work going on!
A
I want to see that go get knocked out of the park, and to your point, Brian, I think I would love to see that work is done, totally a plus 100 of that. It's the other cases here that I think I would need to feel a little bit more clarity, is see a little bit more clarity too, in order to get comfortable to say, yes, we think this is a vital operating model.
So, as the next step here to close the meeting, I guess what I would do is, Ava, if you're comfortable helping to collaborate with Brian on trying to pull some of that together, we can try to drive a review async ahead of the next meeting, and if we see that there is consensus around that model, make sense. I think we could certainly, you know, call for at least an informal consensus vote to say, hey, if we see enough support that this is a viable model, to give you the signal to take back to the governing board, Brian, I think that's something we could certainly do, but I think drawing that out, in my mind, is the right next step.