From YouTube: OpenSSF TAC (March 21, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
D: Jeff, will you be speaking for the Securing Critical Projects [working group]? We're here today. Yeah, okay, great. And.
D: Imagining we will see a mirror or Michael Scovetta for the Threats working group.
D: So Jeff, would you be actually up for swapping order here if we don't have a mirror, Michael? Yeah, absolutely. Okay, we'll give it another minute. All right, and then for TAC members, we have myself, Dan, probe, Josh.
D: All right, we will, we'll go ahead and get started. Welcome, everybody, to the March 21st TAC call. Before we jump into the agenda.
D: I did want to remind the broader community that we started the election process for both the TAC, as well as the security community individual representative. That started yesterday and will end at midnight, 11:59 Eastern Time, on April 2nd. So the next meeting of the TAC, well, we should have at least the new, the election results available ahead of that meeting.
E: Thanks, Bob. Let me select the right window to share. I think this is the right one.
E: Yeah, so just wanted to do a quick update. I didn't have, like, slides prepared or anything, but here is our working group page on GitHub and our current projects. The main project I want to give an update on is kind of the main project of our working group, which is the list of critical projects.
E: This is, let's discuss it in more detail here. So the main thing that we've been working on is actually two things in parallel, where the list that we put out about a year ago we're retroactively calling, you know, version one.
E: So we have a new process that's under development for something that we would call version two, which is pulling in suggestions from, you know, a broader set of people, you know, engaging communities outside the OpenSSF to suggest which projects are critical, and then collecting that data and automatically pulling in metrics and all that data. So what is the criticality score? What is the download count? What is the census data on that?
E: So that's been going on on the side, and what we've decided in the meantime is we need to make an updated list from our version one list. So that's actually what we've been doing. You can see our kind of tracking table here. That's what we've been doing for most of this year, is getting an updated version of our old list using the old style, while in parallel working on that new style collection of data. So right now we're in between our last, our two voting and discussion meetings.
E: You know, our old list here on version one, and then our candidates here, and we've been going through in our meetings and deciding what is and isn't critical and what's going to go on to the version 1.1 list. So yeah, go ahead and join us if you'd like. As far as the other projects right now under our working group, no major announcements. They've, you know, been doing development and releases, and things have been going well. And then another thing that's kind of happening right now is we have a new proposal for a project to join the working group, the 10K critical list, which is different than our, you know.
E: Current list is around 100, or 100 to 200, so looks logical, but interested to see the discussion later in this meeting about the project governance model that affects this, make sure we're doing things the right way. So yeah, feel free to weigh in on this as well.
D: I had one quick question. Looking across the room, I don't see any hands, so I'll just jump to the queue with the... If you were to move forward with the AO list, would you envision maintaining both your top 100 spreadsheet and this, or would they become unified, in simply the top 100 is the top 100 of a unified list?
E: I think they would be separate, separate projects, and one thing to call out here, I mean this is, we're updating the name of this from, this is our version one, updating the name of this to "set", because we're not really ranking these projects. So I think we just will have two separate tiers, a tier of projects that come into this list or set, and then a second tier. So those are going to have different.
E: You know, goals and design problems, and, you know, different scope. I see Dan, you have your hand up.
F: Yeah, I just, sorry Brett who have possibly questioned, but what happens after the list? How, you know, where? Where does the list go right now? You mentioned Alpha and Omega? Are they the group that you're feeding into, or is this being kind of like our.
E: Somebody asked to repeat the question. The question is: what do we do with the list? And the short answer is that's outside the scope of the working group, but the longer answer is, yeah, it's picked up by anybody who wants to engage, you know, like, needs to know, like, what are the top projects I want to engage.
E: Him, you know, some noise, yeah, there, thanks, yeah. We did the Great MFA, but not we, but you know this. This list fed into the Great MFA project a couple years ago.
E: I don't think so. I think the main, again, the main thing is I do want to make sure that, you know, when we get project proposals, that we are following the right process. So yeah, we'd be happy to see communication on that flow out. I don't see a lot of, like, emails, and when we have, like, changes in procedures or new procedures where there wasn't one on the working group chair list, so maybe some more emails.
E: Propose projects for this? Great question. Yeah, so on the current list, we're pretty much taking... When we published list 1.0, we got a bunch of feedback in different ways, and we weren't really ready for all that feedback, or, like, we didn't have an official way for people to provide it. So for the current list, we're essentially just taking all that feedback that we got on the various methods from the first list and considering those projects before we publish this list. We're going to have a more official way for people to propose projects to go into the next version of the list, 1.3.
E: So we haven't, as a working group, we haven't figured out how we want that. If we want GitHub issues, we have on a doc, or a Google form, or something like that. And again, that's on our version one of the list. Version two of the list, the whole point of that is to have this more automated, as far as both proposals and kind of giving thumbs up and things like that.
D: Cool, awesome. Well, thank you, Jeff. Appreciate the update.
D: All right, a quick look over the participants. I don't see any representatives of the Identifying Security Threats working group. Please correct me if I'm wrong there; otherwise, we'll have to defer that update to a later meeting.
D: Once, twice, sold. All right, then we'll go ahead and continue on. The next item on the agenda is a procedural vote, so I guess mainly targeted at TAC members. Hopefully you recall that at the last governing board meeting, I believe it was the last one, might have been two ago, the governing board approved the creation of what's called the governance subcommittee, which is aimed to provide high-bandwidth communication between the governing board, the TAC, and foundation staff as we work through building out business processes.
D: Looking at proposals for funding and trying to make sure that we, you know, have the.
D: Repo, and do file issues against that repo for basically tasks for that subcommittee to ultimately work through. In previous TAC meetings, we have discussed issues or PRs 131, 132 and 133, which represent the CERT proposal.
D: The EDU SIG proposal, as well as the funding for the oss-security mailing list infrastructure. I believe the discussion on that essentially has been sent up to the GB, but from a procedural point of view, I wanted to call for any final comments before we open those issues at that committee for discussion later this week. So.
D: Already started talking about them. This is a bit of kind of doing process in reverse, but again, in the interest of just full disclosure, wanted to raise this as a topic, and rather than call for a vote, I guess I'll just ask if there are any objections to proceeding on those dialogues at the GB level.
D: Right, all right, then we'll consider that an abode of approval. All right. So then the, I guess, the more meaty topic for today's discussion is kind of revisiting some of the dialogue at the last TAC meeting. I know this has come up in a couple different conversations, even in Jeff's dialogue this morning, around the current state of project governance at the OpenSSF.
D: That was, you know, a discussion back and forth amongst a number of different dimensions. Some of those were around just, hey, we need minimally viable process, and let's get something written down that can help kind of guide the foundation from an operational point of view. Some of that was a more strategic conversation around, you know, where did we see the foundation ultimately being? Did we want to take a larger foundation and, maybe to use the adage,
D: let's plant a thousand flowers and see what blooms, you know, other terms that have been used in parallel, or, you know, do we want a big tent? Do we want a very small number of projects? How do we want to relate the brand of the foundation to the projects that exist within the foundation? And.
D: Active dialogue that occurred last year on this front. We eventually did call for a vote and did merge PR 112, which established a governance process for us, but in the closing months of last year we didn't have a ton of projects that applied to join the OpenSSF.
D: So we haven't had a whole lot of opportunity to test out that mechanism, understand where it's strong, maybe where it needs some tweaks, but at last week's TAC meeting we did bring a proposal forward for the RSTUF project that was being sponsored by the Securing Software Repositories working group, and I'll just say, from my own personal opinion, some of the feedback from my fellow TAC members on that discussion I found a little bit puzzling. I think there was a general sentiment of a.
D: Why is this at the TAC meeting? Is this just being presented for awareness, or do we actually have to vote on the inclusion of a new project into the foundation? There was a discussion around how much of this is actually delegated down to the working group level versus, you know, is it simply the sponsoring body, which can either be a working group or the TAC itself, because we do have the concept of a top-level project in the governance that was voted on and merged?
D: That there is a bit of a, I guess, difference of opinion, maybe, is the nicest way to put it, around kind of where do we sit. I would remind folks that, again, where we sit is the document that is published in GitHub under the TAC repo, and if we want to make changes as a body, we can certainly pursue those dialogues, but in general, part of our role as a foundation is not operating by the whims of opinion.
D: Frankly, it's to operate by documented processes that any working group lead or any community member, or potential community member, can inspect, understand and ultimately follow. And so it's really important that we as a TAC, in my view, execute against the published processes and make changes if we feel like they are not serving the interests of the foundation.
D: I think that's the best way to operate, from a position of transparency, from a position of fairness, and from a position of just efficiency. If we're all working off of the same source of truth, it's a lot easier to operate than having to have a multitude of conversations to figure out what is kind of the norm within the organization. Pointing to a written document is certainly, you know, the way to go. I think it's the established standard. From this, Josh, is your hand up?
D: Josh, were you just waving at me? All right, we'll keep going. So I think the conversation that kind of ended at last week's TAC meeting was a dialogue that David Wheeler opened a pull request on, which was: do we want to make changes to the process? Changes at this point around the project governance model, I think it's a discussion that we can have, certainly, today. I will say, though, that we will not be holding a vote today on any changes that exist, that would be proposed to the model in the charter.
D: We're required to have at least a seven-day window for those changes to exist and be publicly read, and, you know, ultimately, we also need to be, you know, just cognizant of the fact that we are in the middle of an election cycle, and the next time this meeting, this body, is adjourned, we may have different members.
D: Actually, we will have different members, because we don't have everyone running for re-election. So I guess the TL;DR is: let's have a discussion today around the nuance and some of the guidance here, but I want to preface this whole dialogue with: the output of this conversation may be additional PRs, or it may be additional issues. We should not take any marching orders from the discussion today. We need to operate off of GitHub as the source of.
J: Yeah, I mean, you know, it's an interesting thing, whether or not the TAC should make a decision about the inclusion of a, you know, new project or work group, because today the only thing that confers is, you know, you get a place in the organization, in the Slack, repo, sorry, Slack and the repos, and all that doesn't imply any real organizational support.
J: Go figure out how to make this work across all of your working groups so that they are successful, because otherwise we're just sort of a loose confederation of committees that happen to exist, that are entirely driven ground up. There's no direction that the TAC can provide if there's no funding or, you know, other resources to direct, because every member is going to direct their own energy in the way they see fit. There's nothing.
J: This committee can do about it short of spending money, and so I think, as we think about, you know, governance in the future, if there's no money attached, we should just assume that this committee will be advisory only and not have any direction-setting.
D: So, thanks for that, Justin. Jock, you're next on my list, so please go ahead.
L: That money is, you know, where the actual control is, but I also politely say that that's not what the TAC's job is, that the governing board specifically set up that they control the funds, that's the funding organizations, and that they have the ultimate say, and they should not give the TAC a free hand or a blank check; that it is the responsibility of the TAC to make recommendations and to perform the technical advice, which is in the name, of what the governing board should do, and recommend to the governing board.
K: Chuck, yeah, so a difficulty, I think I would reframe it as the availability of people to work on things. So, at the moment, as Justin pointed out, we have a lot of grassroots activity. Folks turn up. They volunteer time, which is sort of sliced out of their day jobs, or hopefully their day jobs.
K: You know, the governing board: I'm fine with the governing board having sort of dollar authority, but I don't know what they're doing. Like, I've, to my knowledge, never been in a working group where somebody said, "Hi, I'm here from the governing board and I'm here to help," right? Like, that just hasn't happened.
K: There hasn't been sort of a connective tissue between the dollars and the volunteers. That concerns me more. Like, I'm fine with the original, existing arrangements, as long as they were sort of, like, massaged to make that connection more explicit and more active, because everything I hear about the governing board I hear by way of rumor or third hand by the grapevine, and I'll usually be surprised because it's all news to me. So that concerns me.
D: So I'm next in the queue. I guess a couple responses I wanted to make to that, and I do recognize we have other hands up as well. First, to your last point, Chuck, around transparency to the governing board: we could certainly put the link to this in the minutes. The governing board meeting minutes are publicly posted.
D: So if you are curious in terms of what happens at those meetings, we certainly can make sure that folks have ready access to that. That was a change that we discussed at the governing board and then implemented, Brian can keep me honest, roughly the second half of last year, I believe. Don't hold me to the exact date, but that's what my memory gives me. So in.
D: Outputs of that, to be able to independently introspect, that is available. To Justin's point around money, I guess I would phrase it slightly differently, but I agree with the sentiment. I think it's a sense of what I think, at the, even last year, I talked about the notion of gives and gets, and gives not being as strong on the "hey, I want to donate a project to the foundation." It's really more around what support is there. Operational support? Is it cloud hosting and money? Is it added, you know, added, you know, calls to the member companies of the foundation to say, "hey, we have a new project and we're looking for volunteers, or we're looking for contributors in these specific areas," things that the foundation staff can ultimately do to help bring resources to bear.
D: Some of those may be financial in nature, but some of it may be more of an orchestration or supporting role to help make sure that those projects are successful, as they can be. I wouldn't limit it simply to just money. Money is obviously an important dynamic in the context of resources, but honestly, to some of the other comments, contributors are often more valuable than necessarily just pure cash that can be thrown into things. So with that, I believe, CRob, your hand was up next. Apologies if that's not the case.
M: Yes, thank you. As a member of the community and a leader of some of the working groups, I have had the great opportunity to live through the current process, and there are some gaps I think we need to better refine. I think we're missing some type of pre-incubation, free sandbox stage that allows for work of the community to come to a working group to get that additional collaboration and resources.
M: As long as it's aligned with our mission and vision, and kind of kicking the tires and experimenting prior to a full-on commitment of anything, whether it's cloud hosting, it's somebody to help with minutes, it's money for whatever. And then I think we also need to define: there appears to be a weighted value on software over other forms of contribution, and that needs to be, I think, laid out as to what the decisioning criteria are.
M: Why are some things required to go through a formal process, and why are others exempt from that, even though they potentially have, at the end of the day, the same, if not greater, value, depending? So those are my two points. I'd love to get those ironed out so we can move together positively.
D: Thanks, CRob. David Wheeler, I believe, is next.
N: Right, unmute myself first. Yeah, to hopefully just a few real quick points, I hope. Clearly, yes, money can be very, very helpful for projects and SIGs. I think Waze arguing against that. But I think there is a perceived value, and I guess I'm, Bob, I'm kind of, I guess, emphasizing a point you made earlier. You know, simply being part of the OpenSSF does have perceived value for a lot of folks.
N: People are trying to start projects and SIGs and join because, if nothing else, it gets that visibility, increases the odds of collaboration, and so on. As far as the lack of visibility of governing board decisions, I think that's a fair concern. I'm not entirely sure how to fix that, but that sounds like something that would be of value. I'll probably, I'll take that somewhere and try to see if we can't... I mean, obviously governing board decisions that involve things like personnel and stuff.
N: There's some sensitivities, but that said, I think that we can certainly do more to make more information available. So that sounds like a good thing to work on.
O: Hi folks, I'm from the governing board and I'm here to help. So yeah, Chuck, just getting started on that from last month, but I would love to be a bridge to try and help with some of these things, the project things. And to Justin's point, I did want to highlight, like, there are various services.
O: That OpenSSF can offer projects at the moment. So I would love to maybe help raise awareness of those, like with Sigstore.
I: Lowered my hand instead of unmuting. A few things I wanted to bring out. First, we have a sandbox stage, and, you know, there are some requirements attached to that, but we have sandbox before incubation. It has a certain, you know, set of criteria for entry in sandbox, but it's there. We could decide to revise those criteria if we feel like they are not, you know, meeting the needs, but I just want to point that out. I also wanted to point out that, as part of the project lifecycle, we define for each stage a set of benefits, and that was one thing we actually specifically worked on, is, you know, we wanted to give some kind of motivation for projects to try to graduate from one stage to the next. And the idea is, well, the bigger you are, the more advanced you are in your project lifecycle, the more resources you get. I don't think we have implemented any of this today, and I, I, we approved this process, like, you know, not quite a year ago, but many months, over six months ago, and this is the first time we have an opportunity to experience it. And I wish we could actually get through this, and maybe, you know, go back to some of the other projects and try to get them through an advent in a faster way, to expedite it, to see where things are.
I: One thing I wanted to point out is I think we should not lose sight of the fact that one of the goals of the process we designed was to also provide us with a central repository for the list of things that are going on in the organization. You know, we keep hearing this: for any newcomers into OpenSSF, they always say, invariably, "I don't know what's going on. Where is the list of all the working groups, all the projects, the SIGs and the activities?" And so the project lifecycle.
I: The way it is designed in the documentation actually provides for a way to basically maintain this list at all times, and so, if we were to decide the control, the approval should be changed, I wish we could do that without losing that, you know, mechanism. So, practically speaking, we might still want people to have a pull request against the TAC repo for that purpose, and then say, hey, but the TAC doesn't actually need to approve it in a formal way.
K: So I can sort of tie together two points, or two different threads, here. Then one was CRob's point that we overweight software, or we over sort of, over-sense software compared to other things.
K: So, like, something like the idea of a sandbox and a graduation, and this whole process makes really good sense for a software product that has a long life and different levels of maturity and integration with the OpenSSF. Makes less sense for something like, we want to support a mailing list, or we want to support a shared help desk.
K: So maybe it's all covered in there. But, you know, the process of obtaining funding is a little opaque at the moment, and that goes back to my complaint that I haven't felt like I've had much visibility into the governing board or much communication from the governing board. I didn't know that Tracy was a governing board member, for example. That was news to me, but yeah. To summarize those two things, I think one, the whole concept of, like, a project that graduates is very software-centric, and two.
D: No, thanks, Jack. I think I'll try to respond to a few of the comments along the way. To your question around the funding vehicles: again, the TAC does not have, as of today does not have, fiscal authority over budget.
D: We do. The governing board has tried to take a pragmatic view of saying, hey, if we're asking for a hundred dollars, let's be cognizant of, relative to the budget, that's not a lot of money. Let's, you know, try to move expeditiously and make those things be as streamlined as possible. If we're asking for 100.
D: It's a very different story in terms of awareness, buy-in, you know, clarity and things like that, but.
D: Yet sit in the account coffers of the OpenSSF. There may have to be recruiting and pledging and work that the foundation goes and does in order to raise, you know, such a sum of money, but they are looking to the TAC to provide a filtering mechanism and an opinion around whether we think that is good or bad.
D: So even the three issues I mentioned earlier, around, you know, EDU SIG, the CERT proposal, as well as the mailing list proposal, all of those come with associated price tags in terms of either hiring people or asking for resources. The help desk proposal, another one, right, that we've talked about in the past. So in that view, the governing board and the TAC have essentially said.
D: That the TAC has a chance to formally evaluate and weigh in whether or not, like, yeah, it doesn't seem like it would hurt, sure, go do it if all things are equal, to, no, we don't see it as a priority, or yes, this is the most important thing. We should cause a re-prioritization discussion, because we think this is timely and urgent. You know, they're looking for that sort of feedback from the TAC as we evaluate things. So, while we don't necessarily control budget and hand out money to individual projects,
D: working groups, they are looking to us to provide an opinion to help guide their decision-making process today. So, in terms of that overall flow: bring the proposal to the TAC, the TAC will evaluate it, it will take a vote, we will then forward that on to this governance committee that I mentioned earlier in this call, that is really meant to be the "let's crystallize the ask, let's make sure that all of the obvious questions are ready to go" and tee it up for an appropriate dialogue at the governing board.
D: That's the current operating model that we have. Well, of course, operating models can be changed or tweaked if we find them to be frustrating or too bureaucratic or too low bandwidth, but at the moment that's the process that we have established. Dan, go ahead.
C: Thanks. Kind of circling back to the original topic of project acceptance and governance process and all that stuff, I don't think anybody is saying skip the process. I think a lot of reasonable people, everyone here is a reasonable person, can read that process and interpret it a whole bunch of different ways. I was equally as confused when I thought last week, when other TAC members thought that we did need to vote to accept things inside of working groups.
C: That's not my interpretation of what the policy says, and based on the activities of the last six months and no one raising any questions, I think, like, we've seen working groups acting in that way, and projects. In the last six months, the Microsoft S2C2F project was accepted by the Supply Chain Integrity working group. There was no TAC vote there. The Sigstore project has just accepted two or three donations as well, with just Sigstore TSC votes, with nothing coming to the OpenSSF.
C: There are quite a few examples of this where working groups kind of assumed that that was the intention and that this TAC process was really only for top-level things. Last week was the first time that I thought that it had come up, and I think a lot of TAC members thought that that was just an FYI, myself included. So it's kind of confusing at the end of that meeting, when we rushed the vote. I don't think it's a people-skipping-the-process thing. I think it's just.
C: That was the way the process was written. That was the way I understood it at the time, and people have been operating that way with no complaints. Oh, I think that's sort of where I sit in my interpretation of everything, and based on what's been going on, that seems to be the broader interpretation too.
B: Maybe to echo some of that, this is a constructive and normal place to be as a project grows. Its documented processes get operationalized more, and, as we work more things through the process, we start to discover where there's a need for clarity. So I think it's great that we're having this conversation. I feel like one of the aspects of this is that it's easy to infer too much into what's written just in GitHub versus a conversation, but some of the comments are, well, we need to do what's in the document.
B: Of course we need to do that, but we shouldn't be governed solely by the document as it was in the past. What was sufficient before might not be for the future, so we do need leadership, and I think the TAC is a great place for that to center, because it has visibility across the broader organization. So to have the TAC leading on discussions like this, or the issue that was opened to say, hey, what is our next level of iteration? We started a certain process, like, a year ago; it's been operating.
B: What's the next-level iteration? It's great to have leadership on that, so I want to make sure that we build momentum and that it actually turns into PRs, that we do add some refinements, and of course that needs to go through its own process. It can't just be arbitrary and quick, but there also isn't a rush. Like, if we iteratively improve a bit over the year, that's fantastic.
D: Of your comments as well, I think, again, this is, you know, iteration is critical, and so certainly, you know, I'm not, I'm.
D: Sorry about that, my Zoom drops every 20 minutes. Do we have sufficient data to warrant, hey, we've been operating for several months. Does the TAC feel like we have, you know, desire to make some tweaks in one direction or not? So that's really the point of the dialogue today. CRob, go ahead.
M: If there are things we wish to empower the working groups to manage on themselves with their TAC liaisons, or does everything need to be run by the TAC? It'd be nice to have that bar, that bug bar, kind of documented.
I: To add to this, I mean, we don't really have some kind of definition of how decisions are made, for that matter. Right, I mean, it's fairly common in organizations to say, oh, we make decisions by consensus, and then you have to kind of define what that means. But, you know, because different organizations have different ways. W3C is a very extreme view on what consensus means. You know, it doesn't have to be that extreme, but, you know, it has its value, but it takes time. But, you know, is it simple majority? Does?
I: Is that enough to create a new activity, or what? I mean, this is the kind of situation we're facing now, where we haven't defined it beforehand. So we start having votes, it becomes controversial, and you don't even know, okay, what kind of work are we having, what the role, how we need to decide? It's a bit embarrassing to try to figure that out after the fact.
H: Don't want to call it a safety net, just a place to catch some of these gaps in the way the organization works as it grows, and it's certainly grown tremendously over the last 12 months. And so I'm just offering assistance, as a newly elected chair of the governance committee, if the TAC wants some assistance from that committee to just kind of work on some of these issues. We'd be happy to try and assist with that.
D
I appreciate the offer, and I think that is the spirit of that subcommittee as well. As I think there's, you know, the conclusion, if you go back and look at the annual report from last year, is there's a lot of great work going on within the projects and working groups. I think the role of the TAC going forward in the next year, and, you know, I look forward to seeing the results of the election, but I think my personal feedback would be the TAC's opportunity is to serve.
D
Groups that, again, to even Justin and David's points around making sure that they are reasonably, you know, as reasonably as they can be, resourced from a financial or personnel perspective, whatever the definition of resource is for that context, and also just to be clear on mission and vision, right. I think the other thing that the governing board has spent a ton of time talking about over the last nine months is the identity of the foundation.
D
You know, again, there's lots of great work going on, but crystallizing that down to, you know, an opinionated organization that's focused on efficacy of outcomes, and making sure that we are being as beneficial as possible to other foundations, individual contributors to projects and individual maintainers, and everything on that spectrum in between, from the largest of projects to the smallest. You know, are we catalyzing the right outcomes to help move along the industry in this space? And so some of that is through software, some of that is through education.
D
Some of that is through establishing new things. We have a lot. This is a very daunting space and there's a lot of problems that are going on right now, but ultimately our opportunity is to rise to that. So I think, you know, iterating on this again in the spirit of continuous improvement is, I think, where we need to be focused as a group. Want to be cognizant that we have 10 minutes left in today's call.
D
So any kind of final discussion points before we kind of try to move this to a set of action items for further discussion?
K
I just wanted to say, I've been trying to keep running notes on the discussion, but if anyone feels I've been misrepresented, please correct it.
D
All right, so I guess I would make a call for topics that we would like to either pursue and get up issues, or in topics for future governing, or future TAC meetings, rather. So I heard a point raised around, or, what's up, Brian, go ahead. Sorry, I'll defer to.
A
You, oh, I'm sorry. It was the conclusion of the conversation, though, like, that we should vote at some point soon, because it feels like there's two paths.
A
One is interpret the current charter as requiring TAC approval of all other project proposals, or all technical initiatives, even at the working group level, or to delegate it out. I feel like there's issues such as the OpenVEX submission where this is kind of a topic that needs some resolution, and if you want us staff to try to enforce some of the process, and, you know, blow whistles when we see things approved at the working group levels without being elevated to the TAC, we need some clarity too.
D
Some tweaks might need some clarification, so really I was aiming just to try to catalyze those and get them documented so that we could pick up that work going forward, but I don't think we have necessarily something that we need to imminently call for a vote on, unless other TAC members disagree with that.
D
Off a couple things, and again, I'm going off of memory here, so my apologies.
D
If I forget something. I heard a comment around clarifying the process for requesting resources from projects or working groups, making sure that we have that clearly documented on the website, or on the GitHub repo, rather. To a clarification around whether the current process applies to top-level projects reporting to the TAC, or whether, what authority is delegated to the working group; that seemed to be another discussion to be had. And, crowd, to your point around, there's also a comment around ensuring that we do have TAC representation at working groups today.
D
I think we do; that doesn't necessarily, a given post-election, right? So making sure that we're clear around that as a responsibility of TAC members, to ultimately help to guide and steer working groups. I know we're all busy people, and some of us make meetings more often than not; I'm sitting in the camp of not making meetings as often as I'd like, but in the interest of, again, trying to make sure that we have accurate representation and context.
D
You know, being clear with the new TAC members coming in, I think it's a good point for us to discuss. What else am I missing? Again, I'm not trying to be comprehensive here or omit anything, just trying to go off of memory.
M
Better documentation on what triggers escalation, if somebody's asking for simple collaboration or if they're actually asking for things like money.
I
Kind of, you know: how do we make decisions? Is it majority vote, or consensus, meaning, like, you know, no sustained objection, that kind of stuff? At least it should be, I mean, one possibility is we don't define it, but we say each group needs to define it as part of the charter, or, you know, but this should be documented somewhere, and we could have one by default, at least, that we define.
H
Well, and I was just going to lobby for consistency, to not leave it up to the individual working groups but to provide some general overall guidance, because that way it gives the community a better sense that, oh, this is how we work together, and that way we can fly in formation and you don't have a lot of variety in how that happens. Again, not to set up huge barriers or hurdles, but to simply have consistency in open governance.
M
It starts off saying we try to work with consensus, but then there are also words around majority vote, so I think it would be very helpful to have that master template updated to better clarify, like, the membership ladder or whatever kind of eligibility criteria, and then specifically how the votes are conducted and recorded. I think that would be very useful, and then get that filtered out again to each of the groups.
P
This might already be implied, but one of the action items, I think, should be bringing the existing TAC issue on updating the documentation of the project creation process to its conclusion. And then we were also discussing if it should include, like, a sandbox concept in it as well.
D
Certainly appreciate that. All right, we have two minutes remaining, so any other final topics? Jeff, go.
M
Several of us have been working in collaboration with a few different industry groups. I put a note at the top of the TAC agenda. We are looking at starting a W3C workshop called Secure the Web Forward. It's focused on helping talk with web developers and having them improve their security and secure supply chain practices.
M
So there is a call for papers, and I would love to get elements of this community looped in to potentially submit papers for that workshop, to discuss and improve the security of the web.
H
With only a minute left, and another collective hour of our valuable lives just spent on this talk, I wanted to take a moment at the end here to thank and congratulate the TAC's fearless leader for the last 12 months. Bob has done a yeoman's job of helping to evolve the TAC from the 0.0 to the 1.0 phase successfully, and I just want to say heartfelt thanks and nice work. Thank you.
D
No, thank you, Jeff, and, like all good efforts, can't do it alone. So certainly thanks to many of my fellow TAC members, as well as many of the contributors that have helped to steer us through the last year. I think it's been an interesting sequence of times in the world, much less within the foundation, but I think we all have a positive intent.
D
We all have a desire to leave the world and the ecosystem a better place than how we found it, and that makes the work worthwhile and gives it its meaning and purpose. So, thanks all for your help. All right, with that, we will close today's meeting. Again, a call for you: if you have not had a chance to vote, please do vote.