From YouTube: OpenSSF TAC (October 4, 2022)
A
B
C
D
B
All right, we'll, we're five minutes in, we'll go ahead and get started. I know Dan will not be able to make it today. Looking at the rest of TAC attendance, we have myself, Josh, Ava, Luke, CRob, which means we're just missing Abhishek.
B
First on the agenda, we have two project updates for our normal cadence. The first one comes from the best practices working group. CRob, I guess I'll hand it over to you Ruby.
E
Unfortunately, I did not have time to make a delightful presentation to share with you, so I just typed it in the G doc here, but the best working group has been very busy. You may have noticed a press release during OpenSSF Day at the Open Source Summit Europe, where we officially unveiled the fact we have created two guides around best practices around development.
E
So we're pretty happy with those. Just before, some of our members, Laurent and a few others, worked with the npm community and they had released an npm best practices guide, and that came a couple, a week or two before the summit, but they put this guide together in collaboration with the npm community, lots of very good feedback on that. Actually, there was a session that touched on it at the OpenSSF Day, so we're pretty happy with that. So all in all, we've done a lot of writing and sharing with the community.
E
Turning our attention to the Education SIG, progress on the plan rewrite continues. There's a link to our git repo if you want to read kind of where we are. We are working on creating a matrix of all existing training resources that we're aware of and we're trying to understand,
E
You know, what we can lean into and where there are gaps in the current common body of knowledge that we need to generate new content for. We also have, we're developing a delightful and fun new little honk mascot that I'm going to pass over to Jennifer someday. I have a whole bunch of them from all the working groups and SIGs I'm associated with. So we got some great team feedback on a non-conventional learner goose, and then the members of the group
E
We are working on a task that was identified as part of the cert SIG, that we don't have a definitive dictionary, a glossary of terms on how, when we use certain words, what they mean. So we have a couple of our members working on that, and then I have a proposal we'll talk about a little bit later specific to that item. Any questions or comments on the best working group?
F
B
G
Yes, so let me work out how to share.
G
Okay, maybe it's a mechanical keyboard. Okay, so sigstore. So not as much as last time, but we've got a few things. So this month, in fact, October the 25th will be SigstoreCon, okay, so a co-located event with KubeCon + CloudNativeCon North America, and then I'm reading off the reel here, but it's focused on adoption stories, ecosystems, engagement and roadmap, bite updates, and the talks are all settled now. Speakers are notified and we're just getting together the logistics of the event itself.
G
So, looking forward to that. The other item is we have a new timestamp service, so there's going to be a timestamp service which can be run externally to Rekor, our transparency log, and this uses RFC 3161, which we've used in the past, and the, I'm not sure the repo has been transferred as yet, but that will be its home there.
G
The other updates are on sigstore GA. So our staging and production environment has been up and running for a while. Stability has been good. We had a small outage last week from a DNS swap over, but that was resolved very quickly. We were speaking about sort of 11 to 12 minutes there, so it's pretty impressive to see that addressed. We now are up to 12 community SREs.
G
We just recently had three more join, okay, and it's pretty impressive to see what they've got together. There's PagerDuty and lots of folks shadowing each other, supporting each other, lots of interesting playbooks that have been developed. Rekor and Fulcio 1.0 are imminent for this week. Okay, so we will hopefully be shipping a 1.0 release of both of those, which is kind of a key signifier around our GA, and then our GA announcements, we're not in GA yet, will likely coincide with SigstoreCon.
G
F
I'm not a TAC member, but is it okay if I ask a question, Bob? Sure. So, I want to ask a question, but I don't want this to sound like an attack, because it's not. I love listening, believe it or not, to air traffic control report after reports, so, you know: hey, DNS down briefly, you got it back up, good job. What can we do to decrease, are you looking into ways of decreasing the likelihood of problems like that in the future?
G
I know you're, sure, yeah, yeah. So the root cause was actually the Linux Foundation, oh yeah, so there is a requirement that projects have their DNS registrar with, sigstore.dev, I don't want to say it's entirely the LF problem. It was an unforeseen result of DNSSEC, okay, and so luckily, I mean, all dues, the engineer that picked up the ticket was pretty quick to respond. Okay, but I mean, this is probably not a topic for now.
G
But if we had DNS, sigstore.dev, sorry, under our control, then we would be able to react even more quickly. But there was a, every time, I say every time, there hasn't been that many times, but whenever something like this happens, we do due diligence afterwards. There's an RCA that we perform to look at what lessons can be learned. That's
G
Every time there is an event like that, there will be a pull request go up to our community repo, where somebody will initially stage what happened, what we learned, what we could do better next time, but then there will be some review from other community members that can add, you know, feedback and so forth. Yeah.
H
Hey, so one of the, I did bring this up to Luke in Slack before, but I was curious from a TAC's perspective. You know, sigstore and the components, I think it's like three or four components underneath, they're kind of getting adopted very rapidly and I'm concerned that there's not enough support from the community to help adoption for on-prem.
H
So is there a way that, you know, maybe we can increase support for those trying to adopt that are having issues trying to do this on-prem? Maybe, could there be funding allocation for this? I just know that openness has stopped. From my point of view, it seems that they want folks to use sigstore, but if there isn't support for that adoption, I feel like we may not be successful if people want to use this on-prem.
G
So I mean, we as a community, we could always look to have, for example, a Slack channel or somewhere that people could raise, it'd probably be issues specific to problems that they're having. It's, yeah, I guess it's a little bit sticky, because we can't really give commercial support as a community, but yeah, I would certainly be open to, you know, I can't speak for the whole of the sigstore community and TAC, but I'd certainly be receptive to looking at what we could do.
B
B
All right, next on the agenda, we have a governing board meeting coming up in two days and I know, given a couple of past meetings, we've had some changes in terms of the folks that are invited to that meeting, as well as the format of the overall meeting. So first off, I just wanted to remind folks that, hey, you are invited. I believe Jory sent out a note to the mailing list, as well as specific invites, so TAC members, you're strongly encouraged to attend.
B
I did want to give Brian a minute to talk about kind of the meeting structure and what he's proposing, as well as, part of that structure is the TAC giving an update on the activity of the foundation, as well as a quick synopsis of highlights, lowlights and opportunities for improvement. So Brian, maybe if you just want to quickly frame the meeting, and then I can jump into the current bullets that I've pulled together for the TAC content that I'd like to socialize for feedback.
I
Sure, let me start with one important clarification: it's the seven members of the TAC who are invited to that first portion of the governing board meeting on Thursday, not everyone on this call, just, for most folks listening to, hearing that, just wanted to provide that clarity.
I
The second is, you know, there's lots of conversation, lots of people thinking about how do you increase the bandwidth between the governing board and the TAC, and do that in a way that's appropriately structured and where roles about how different things work are clarified and that sort of thing. And to help accelerate that, we thought, as a regular part of governing board meetings going forward,
I
We would have a perhaps overly structured, but let's try this as we go, portion of Thursday's meeting where for 10 minutes, we'd like the TAC to kind of say, not a comprehensive review, obviously there's way too much going on, but what are some of the interesting things that have happened in the last month that they think the governing board should know about,
I
It should be interested in, and that sort of thing, and then reserve some portion of those 10 minutes for questions from members of the governing board to ask them. And I suggested to both, or suggested in my email actually to the TAC members, that it'd be a single slide worth of updates.
I
You know, here's a few recent announcements or some issues you're grappling with, that sort of thing, that you'd love to engage the governing board on. Then a second 10-minute section that would be about questions the TAC has for the governing board, open-ended, curated by Bob perhaps, to get, you know, perhaps the right set of what you can
J
I
10 minutes, which is probably, you know, two or three questions at most, but, you know, as a way to not pipeline everything through either me or through, like, the formal agenda, but to allow for a little bit more open-ended questions and conversation and
I
Address a point that had been brought up in a previous presentation by Eric and Mark and Bob to the board, which said that the TAC is blocked on a couple of things for lack of guidance from the governing board. So this is an attempt to try to, you know, start
B
I
J
I
I
Of that, we can optimize those 20 minutes together.
B
Thanks Brian, and just as an FYI, your volume is on 11, so you may want to tune that down. It was pretty broken up for me. So I guess in that vein, I did want to quickly, before we get into the meat of the discussion, I did want to poll the TAC members that are here on the call just to get a sense in terms of who will be able to attend the meeting on Thursday.
B
A
B
Got it, and just one other clarification, Brian, you may have said this and I forgot, but it's an hour and a half long session. The first 45 minutes will be in open, where the TAC will be invited and, you know, engaged in that conversation. The last half is a closed session given hiring and budget discussions. So it would only be a 45 minute request of TAC members for this meeting.
B
So it looks like we'll have a handful of folks, but not necessarily quorum at the meeting on Thursday. In the interest of pulling together the brief updates, I didn't start a doc and I will share it more broadly. I realized I created it under my Google account, which I can't share wide open to the world against that, so apologies, but I will switch that over to something that can be shared more widely after this call.
B
B
B
Whoever unmuted me as the host. So can folks see my screen? Yes, okay, great. So the highlights here again were meant to be a quick data capture, apologies for any omissions that may have occurred. They were not intentional by any stretch of the imagination. It was more of me trying to do a quick breakdown to net this out. I think, hopefully, the highlights are not controversial. I would say, when I share this doc out later, if people see a glaring omission, feel free to call that out now.
B
I think the bulk of the conversation today on this meeting needs to focus around, instead of the great work that's going on within the foundation, areas for improvement, as well as the lowlights that are listed here, and I tried to quickly capture some of the feedback that I've heard in previous TAC meetings, as well as some of the governing board dialogue over the past few sessions.
B
So I know I'm essentially asking you to read a Google doc live on a meeting, which isn't ideal, but just to quickly kind of touch on some of the lowlights that are here. I think we've had a fair bit of discussion around the role of the TAC in terms of how we are chartered currently under the foundation versus what is the desired operating model, and I think we have some continued confusion there that we are working to resolve, but again is still present.
B
At this moment, I would say that part of that is, in my opinion, rooted around a lot of the great work that exists around the foundation, but being able to collapse that into a coherent mission statement that everybody understands, agrees with, and we have an organizational structure that is supportive of that work. I think there's a lot of different operating models and a lot of great things going on, but making sure that we are focused and set up for success is ultimately something that I think we're all after in this,
B
In this effort. Other things that I pointed out: we did ratify PR 112 and have a project governance process in place, which is awesome. I would point out that, you know, we don't have a ton of candidates to include in the foundation in terms of net new projects. So calling out, is that okay, is that, you know, about okay, thinking through, if it's not what we expect, then maybe doing some analysis around how are we positioning the foundation to the broader community?
B
Do we have a demand generation problem, and making sure folks are aware that that is something that the OpenSSF offers? Is it a value proposition in terms of gives and gets, and making sure that what we can offer projects is compelling?
B
We have a fair number of best practices documents, and I think, you know, there's probably some natural overlap, just based on where we are with the space, but I think that there's probably an opportunity for us to make sure that we're not flooding the market with minor deviations of the same document, that we have some isolation and consistency in terms of how we message and how we drive that through our advocacy work with other projects and foundations. And then finally I have the bullet
B
We called out here around kind of communications between the staff, the governing board and the TAC. I think we have taken some actions to this. I think even this upcoming meeting this week, I think, is certainly a step forward to driving a more inclusive and transparent narrative, but I would call that out as a lowlight that's been a challenge. So before we jump into the opportunities, I guess, let me, I know I threw a ton out there.
B
Let me pause and call for any feedback. Folks disagree with things, I would love to hear it. If people see omissions, would love to hear that. So I'll pause and see if there's any comments.
D
I might have opinions on the things in the parentheticals that I would change. I'm happy to follow up on those. The non-parenthetical parts I agree with.
B
I just gave all TAC members edit access, so feel free to jump in. Again, apologies for others that don't have it, I'll clean that up after the call. And again, this was more of a brain dump from my perspective. So again, not exactly, I will clean this up ahead of Thursday and send that out to folks so that they have awareness by the end of the day, but I'm not hearing any dissension from TAC members around the lowlights. Sarah, you have your hand raised.
H
Just to bring forward the moment, or the comment I put in the chat, that I think this group is very different from other LF organizations where we say come one, come all, bring your project, we will help curate later. I think this is more of a curation first kind of, we want to seek the projects where we can drive consensus on a project for the industry. I think this is much more opinionated than a lot of the other open, or not, other LF umbrella projects.
H
So I don't see that having a small number of projects seeking inclusion is a problem at the moment. So that was just my comment in the chat, and more than anything, it's just kibitzing. So I will lower my hand and go back to mute.
F
B
Yeah, I think that's fair feedback. As the person that wrote it, I guess, let me posit this as a response.
B
I would have expected a small number of projects to want to come along and engage the effort. I think if we had had a thousand, that's probably a lowlight in terms of positioning, to your point. I think, you know, we're not intending to go after that sort of a strategy, but there are a fair number of open source security projects out there that are not part of the foundation
B
Today, and I would say, you know, again, maybe that's a question that we need to shift under the opportunity banner versus calling it out as a lowlight, to say, you know, should we be more deliberate around recruiting? Should we be more articulate about that point in how we talk about the foundation's activity? So I'd be totally open to shifting that in, maybe as an open question, rather than calling it a lowlight, but I would have expected a little bit more proposals coming in.
H
I
To TAC members, though, but just a real quick point. I think for the purposes I was envisioning, which is that this would spawn some conversation within that 10 minute window, I think this is a lot to even present in that 10 minutes, let alone solicit for a comment back. And so one thing I would encourage, both for highlights, lowlights, opportunities, questions, is, can you drill it down to the two or three most important things, presuming for highlights that they can go read the blog, presuming for lowlights
I
B
And again, the interest here is not to present this full list. It is to pull this down, but in the interest of making sure that we had quorum around what were the critical points that needed to get discussed, I wanted to start open and then try to narrow afterwards. Jeff, I believe you're next.
A
Thanks, and I just wanted to plus one on Sarah's comment about this is different than many other LF projects and looking to be more opinionated, and so just simply moving that bullet to the opportunities/questions section would be another rational way of handling it, which looks like it's happening. So a nice write-up. Thank you, Bob. Eva.
D
Yeah, overall feedback, I was gonna go kind of where Brian went, in that I think they can pull a lot of the highlights up to one or two things to say: hey, the machinery is working much better, here's a list of, or reference to, all the outputs from that machinery, from the org, the blog posts, all these changes, the working groups collaborating, and we now have the defined pipeline for projects to join. So the opportunity, then, is for projects to use the pipeline
D
We just defined. I would sort of extract it all to look at the process we have been building and what parts of the process have accomplished, what opportunities there are to now engage in that process, and areas where the process is not yet defined, which you've got a couple here still that we are working on.
B
B
Did move that down, as Jeff noted. I think that's certainly appropriate. I guess moving on, hopefully folks can still read everything underneath the opportunities section here, thoughts that I had pulled in here. One of those, and I'll say this out loud just so it's totally clear, I don't raise term length as a self-serving question in any stretch of the imagination here. I do raise it from the concern around getting forward momentum and thinking about, to Sarah's earlier point,
B
We are not the same foundation as many others, so actually having an active conversation around, is one year long enough? Do we have the right numbers of members of TAC here to support the activities of the foundation?
B
Through the structure, in terms of how many are elected from the community versus how many are appointed by the governing board, I do think that that is an interesting dynamic to talk through, as we think about some of the other questions here on what is the responsibility of the TAC in terms of advocacy and outreach, you know, managing grant proposals, you know, curating the overall technical strategy.
B
A
B
About term length and size are two dimensions here that I don't necessarily want to take for granted. I think are maybe useful things to discuss with the governing board.
B
D
My hand was raised to just note the line I added, which you were talking about, the TAC composition. I'd also point out the definition of our electorate is a thing we kind of hand-waved quickly last year. We all got some quick agreement on it. I wasn't on the TAC, but I was, you know, behind the scenes chatting with folks about how do you define electorates in foundations, and to Sarah's point, this one is structured quite differently than a lot of others.
D
So, you know, if we're looking at TAC composition, TAC size, we should also look at TAC electorate again, because our org has evolved considerably in the past 12 months. We might arrive at the same process as last time, but it's a question to put on the table.
B
I think it's a fair point, thanks for raising it. In the chat, I think staggered terms was raised by Vicky, and I also think that's a very valid point. What I'm trying to avoid is the problem I just described of we lose context, we lose momentum, we have to re-establish trust, and since many of the communication challenges that we have here are all founded on human relationships and trust, I
B
Think it's important that we consider these dynamics as we talk about the future. Next bullet here that I have highlighted, I'm sorry, Naveen, you have your hand raised.
A
Yeah, all right, I'm gonna play the devil's advocate on the TAC term. Okay, there are, I'm not gonna say which, there are countries who do the same thing, or, you know, what they say: I'm the elected official, I have my politburo, I'm gonna change my terms. We shouldn't become like that.
A
My, again, this is my opinion. Make this open and let everybody know and I get a bit description so that everybody is aware of it, instead of it being in a Google doc or inside the meeting, because it helps everybody, it gets everybody
A
opportunity to voice. My two cents on that. I'm going to stop here, thanks.
B
Appreciate the input. Like I said in the framing, like, I'm not saying this from my own personal agenda or anything else. I think it's just a sense of, for the health of the organization, thinking through this and being deliberate around making that decision and then committing to it, I think, is what's important here.
B
The next bullet I have highlighted here is around asking the question: do we have sufficient staff and sufficient documented processes that we're set up for success around supporting the efforts of not just the TAC itself, because, as I will remind folks, you know, we are all individuals clearly passionate about the space. You know, we all have day jobs and, you know, to go along with that, and so the amount of time and energy that we can dedicate to the role of TAC member is limited.
B
So thinking through, again, in the framing of we want to make this foundation successful, should we be more aggressive in making asks of the governing board and the staff in terms of things that we need help with, oversight that we need, other administrative support? You know, I think if we're gonna set this group up to be successful,
B
We need to ask ourselves that question, because I think there is strong desire from the governing board, at least from what I've heard, and would defer to Brian to add color here, if he'd like, but I think they want to see this foundation be successful. That's why they're here, that's why they're engaged. So if we have asks around areas that we need more support as TAC, or we see working groups or projects need more support, I think this is something that we should be thinking about.
I
One thing I'll add, yeah. Certainly resourcing is a question that is a very big one and kind of goes beyond just kind of the needs of the TAC to lots of different things. But one thing that comes to mind as well is the question has been raised a couple of times about the size of the TAC and whether it's appropriate, and one connection's been made to the size of the membership,
I
The organization, which I think is perhaps less important than the question of what is the TAC being asked to do, and is that a reasonable workload, and would actually more TAC members help, you know, divide and conquer that work a little bit so that more can be done. You know, especially with the TAC expected to play a very opinionated role in curating the best of breed set of projects.
I
It's a lot more work in some ways than just saying yes to everyone that looks mature enough, right, or being involved in the mobilization plan and the role that people think is appropriate as a vetting, you know, kind of community. So I think size of TAC should be either a separate item or at least it's very tightly associated with that question.
I
One more point as well that came to mind is, the staff is here to help, staff is here to support. The more that these processes, kind of like being blocked on staff time or defer to staff as a secretarial function, and be more decentralized or distributed, I think the better that looks for the organization and the more we'll be able to do together.
B
All right, the next one I raised here is something I've had in the back of my head for a while. I would be curious to get people's, TAC members', opinions on this. I think, again, keep going back to Sarah's framing because I like it. You know, we are different in the OpenSSF than many other places, but much of the work that we do does touch other open source groups, individual projects, foundations at large.
B
We have a lot of activity going on with the CNCF, we have activity going on through Alpha-Omega to the Eclipse Foundation, the Rust Foundation and many others. I do have a broader question slash concern, and I don't know that it's necessarily super data informed, but if I project forward and I think about what does success look like for this group, I do have some concerns around, you know, how do we formalize the relationships with other open source foundations? Are we collaborating as effectively as possible?
B
Do we have effective communication channels around what the priorities of the board are, what the priorities and around the relationships should ultimately look like? Are we competing in places where we shouldn't be competing? Are we duplicating efforts where we shouldn't be duplicating efforts, and are we engaging with projects and foundations in a way that leads to death by a thousand paper cuts, as I wrote here?
B
So thinking about the notion of, you know, how can we be as clear as possible around what we are doing and what we're not doing, what we feel like is in scope and out of scope, as well as things that we expect and things that we will provide to those other peer organizations. I think, again, we have a lot of good organic activity going on within the foundation. It's a question around
B
How do we make sure that we don't dilute the impact there and cause more time and attention to sorting out issues of overlap, rather than necessarily being as focused as we can around having an impact. So I guess, did that make sense, or any clarification I can add there? Do folks share that same concern, or is that me projecting too far out into the future?
A
Go ahead, if you want. Sure, thanks, Ava. I mean, I agree with you, Bob. I don't know, I think about this a lot, just because I see things happening in CNCF, I see things happening in OWASP, I see things happening here, and, I mean, maybe that's just the nature of it. I don't have a good answer for it, but I don't think you're wrong seeing this, but other than, I guess, affirming your observation, I have nothing else to add. Thanks, Ava.
D
I also affirm the observation. There are projects in other foundations, both within the LF and outside the LF, that certainly overlap this space. I'm gonna go back to the comment made earlier that this foundation, OpenSSF, is fundamentally different than other open source foundations that I've ever worked in and I'm aware of, because our goal is to enable other foundations, other projects, other communities to do what they're doing better.
D
So we will, I think, in time need more, I don't know that formalization is the right approach, but certainly more connections and more clear ways for that communication to flow bi-directionally, whether it's information or guides, knowledge sharing, or money, right, as we funnel grant money to different projects.
D
So I think it's too early to formalize how we do that right now. We're still very much figuring that out, for, you know, how we, you know, we just landed PR 112.
D
Let's get our sea legs about how we run projects in this foundation, make sure we get all the interop between projects and working groups to be well oiled. As we start forming those deeper connections to other projects and other communities over time, I think the structure there will either form out of our own good work or become a pain point we have to address, but I think it's too early right now.
B
All right, just checking time, we do have 15 minutes, and I believe, CRob, I'm looking for your, I believe this is the same as the last agenda point that you had put on the, I want to make sure that I don't assume incorrectly there. So is that
E
B
B
E
I have the opportunity to show up to a lot of meetings, and there are a lot of similar and related things going on. So I was curious if the TAC was interested specifically around the dictionary and then things like personas.
E
Multiple groups have efforts in these areas or have need to input. So we started a dictionary out of the vulnerability disclosure working group, and then that got passed to the education group because we saw it was a bigger problem than just CVD terms, and then we recognized, hey, supply chain has their own nomenclature, and potentially tooling is going to have special terms and phrases.
C
Yeah, so I've been a part of the conversations around that, but I want to point out that this is actually something that is much larger than just OpenSSF.
C
C
Like six, eight, nine months, however, pick a number, have had the conversation about standardizing terminology, and why are you using the word that way, we use it this way, and that sort of stuff. And so having an effort where OpenSSF, at the very least, can say here are the terms we're using, here's what they mean, so we can be consistent across all of OpenSSF, that will be helpful, but doing that in such a way that it will also mesh very smoothly with external organizations
C
I think will help to ease some of this cross-pollination and collaboration not only within OpenSSF but, most importantly, across the entire ecosystem. Right, try and share a single language, so reach across that aisle, so to speak, to OWASP, to SPDX, to CISA, and/or use the materials that they and MITRE and others already have put together, and then gather a taxonomy and nomenclature, you know, standardized metadata, bikeshed on the name, I don't care, but this is a really valuable resource that I think I'm
D
I am going to perhaps regret saying this, but Vicky, for once I disagree with you. It's been my observation for three years now that we all, as an industry, lack consistent terms around a lot of us because a lot of different domains, different fields of work, are intersecting. So you have folks in the TCG, Trusted Computing Group, who define terms around trust and signing and attestation, that intersects with the work we're doing here, that intersects with other work as well. There are multiple efforts across some foundations.
D
Very, you know, separate from the LF also, to try and create standardized lexicons. So we run the risk of first not doing nothing and having, you know, churn and duplication and confusion amongst our working groups. I think having consistency within the OpenSSF is perhaps valuable, certainly on its face it seems valuable, but it would hamper us, because our goal is to work with other groups who have defined their own lexicon. So where we have collaboration with IETF, it's important to know the IETF's definition; where we have collaboration with TCG,
D
We need to know their definition; where we have collaboration with Eclipse or some other foundation, we also need to know their definition. And that's going to make, again, this Foundation being unique as a hub of connections to other foundations. If we try to define those terms, the bikeshedding will in fact be endless, because we're not going to make other foundations change their definitions to meet our needs.
C
Totally agree with you, and I think that we are... I didn't, I don't intend to recommend that OpenSSF reinvent the wheel. Oh my God, no. I didn't think you'll... never reinvent the wheel, but collecting in one spot, be it repository, a document, I don't care, pick the implementation of choice: here is... here are all the terms that we are using, here the multiple different options for them, this is the one we select. If that doesn't work for you.
C
If you need, like, your OpenSSF to IETF translation guide, you know, and have it go both ways, you can do that. But that's an implementation detail, right, that can be sorted out. You know, but do look at how these terms are being used and what you mean by them, because it really does matter. You know, what do you mean by attestation? Yeah, that's a big deal, and making sure that you can really be clear on that and everyone can communicate more effectively in that way, I think.
D
Addressing the confusion around words, I agree, is a critically important task. Yeah, it's one that I've, with my OSI hat on, brought up inside the OSI, because even terms around the definition of Open Source are a bit wonky. Sometimes IEEE is picking up similar work, right. It's a, it's...
B
I don't know, I see your hand raised. I do want to also be cognizant we have one or two other things on the agenda, so...
A
I'll ask, yeah, just quickly, I just wanted to say: I think the two are not exclusive. I mean, you can, you know, adopt other terminology and recognize all the terminologies when necessary when you're dealing with other organizations, but I think differences happen by accident, just because people, if they don't have a reference already to rely on, they will come up with something, and having a common, you know, terminology that's available, it doesn't have to be, you know, prescriptive.
B
So I think that's a great point. I think my two cents: yes, I think having some guidance and consistency within the OpenSSF, absolutely, plus, plus one. Trying to reconcile it across different foundations, maybe aspirational, I don't know how much return you'll get on that, but I think in the interest of even terminology, as we found through 112. When we say SIG we mean SIG, when we say working group, we mean working group, and we make...
B
All right, with that, I want to go back quickly to this list here. Looking at the list of opportunities, given that, you know, we're not going to have a ton of time on the GB call, our... just a quick poll: I heard general consensus that term length, electorate, and these bullets that I'm highlighting here all seem to resonate as things that TAC members wanted to have discussed.
B
I heard the interop point seem to get some plus ones. Are there any other omissions that we think are useful to bring up in the context of the GB meeting, or things that folks do not feel is appropriate to bring up as questions to the board? Okay.
E
I think zeroing in on those two probably give you the most value out of the first interaction with the GB, and we can always add the others in going forward.
B
All right, great. I put a line in the doc. I'll try to, again, formalize this later today, send it out to the TAC and make sure that folks have a public doc that they can edit, and ultimately will take into the meeting on Thursday. Again, your attendance is welcome, and TAC members' attendance is welcome and encouraged at the governing board meeting on Thursday. All right, last thing on the agenda.
B
Jay, I wanted to give you a moment to quickly recognize the recent addition of a new SIG to the Supply Chain Integrity working group.
J
Great, well, yeah, exciting times, right, exciting times. We got both of them yesterday, so the supply and integrity... Supply Chain Integrity working group to create a SIG or a project, as it were. I think we may end up becoming a project, ought to be discussed internal, but exciting times. This has given us a great opportunity to do something that I think is amazing, not just for the OpenSSF, but I
J
think for all the organizations that are going to put their hands on this, put their hands on SLSA. You know, I think we're going to do something wonderful here, and I'm very appreciative of everyone's efforts. Crow, David Wheeler, I mean, I mentioned their names because they were the first individuals that Adrian... Ike, Adrian and I came to and sat down with to discuss this, and they've been great supporters, and so this is wonderful.
J
I'm excited. You know, procedurally I wanted to bring it to the TAC. Okay, so, and Bob just said this is a SIG, so it's... so excellent, doing this thing.
J
There I wanted to bring this to the TAC just as a formality and make sure that we dotted our i's and crossed our t's according to the efforts that have been done to get the proper governance in place around how things like this get brought into the OpenSSF and get Brian to working groups. I wanted to make sure I covered all bases with that, but, like I said, very appreciative, amazing support, and let's get to work.
B
Awesome, thanks Jay. Yeah, as I put in the chat, I think at the moment there's no... and correct me if I'm wrong, Jay, certainly here, there's no desire to ship a piece of software as they work underneath the working group.
B
This is, you know, aimed at thinking about pulling together a specification under the context of the supply chain working group, in position with SLSA and the other efforts that are there. So, given that we don't have any software deliverable with IP review and things like that to handle, it's my impression that this is essentially a SIG at this point, and if there is a desire to create a project, we would need to follow the process in the TAC repository. Correct. Got it. All right.
B
So, yes, Grove, you are correct. We did have somebody new asking to join, so again, it was a small number. It's not zero, but certainly welcome. Glad to hear that, you know, we've got some forward momentum here. That's awesome, and let us know how we can help. All right, last closing comment, as Brian put in the chat.
B
Otherwise we will hopefully see some of you on the governing board call on Thursday, and with that I think we're at time. So thanks everybody for your engagement today. I appreciate the dialogue, and we'll catch y'all later.