From YouTube: OpenSSF TAC Meeting (December 14, 2021)
F: Let's get the notes here.

F: Thank you, Crow, for the enthusiastic guess. It never hurts to help, appreciate it. Okay, all right, so yeah, I think we got pretty much quite the crowd this morning. So let's go ahead and get started. Main thing for election process update.
A: Okay, I don't know exactly what the role... we've talked about it, but I've never done the role, but I'm happy to help. So there's two, if that's acceptable.

F: No, absolutely. No, I appreciate it. Do we have a third? Anybody that would care to volunteer? I think the effort required is actually quite minimal. It's mostly vetting of the candidates to make sure that they've actually participated in OpenSSF, but I think it's gonna be fairly straightforward.

G: Yeah, this is Steve from JFrog. I'd be happy to volunteer and help out with that.
F: I am, and hi, hi everyone. So we had talked about getting these forms together, but then also maybe pushing the process to January in order to make sure that nobody missed opportunities over the holidays. As everyone is aware, lots of folks will be stepping out over the next couple of weeks. So I think, you know, timeline and forms are tightly connected. I do need to say out loud that in January I will not be here due to delivery of a baby, so that will be Jen Bonner who will be taking over for me on the forms front, but we'll make sure she's got everything she needs.

F: Absolutely, congratulations. So in terms of forms, I think we talked about, like, everything said, absolutely agree. Yeah, that's what we were talking about as far as not wanting anyone to miss out. We did say we want to go ahead and initiate it now, so that we could have this timeline for people to go ahead and prepare if they're available, but then also have the timeline be in January. So is that something we could get kind of up and running currently? Yeah.

F: Well, so once you have that ready, can you guys also send the mail, or do you want me to send the mail with the link to the forms, or how would you like to process that?

F: I think that wraps up our election process update. Do folks have any questions?
C: What I wanted to add, which was, you know, there was some question as to whether we wanted to revisit the number of candidates or not. Sorry, the size of the TSC and how they are elected by the public contributors, I should say, versus the governing board. I did not get a strong sentiment on the side of the governing board

C: that they wanted to change what had been agreed to previously, which was three elected by contributors and four appointed by the governing board. So I think at this point we should probably stick with that,

C: that balance that was struck before, rather than revisit that at this time, and we can revisit that at the next election cycle or some other point. Does that comport with everyone else's kind of understanding or thinking? And if that's the case, then we'll follow up the contributor-based election with a governing board election for those four appointed by the governing board.
F: Okay, so given that there was a concern, I think, around... we had a typo around how many seats were the governing board and how many were community. Notes specified that there was four community, three governing board, but what got into the official documentation was the inverse of that. So do we need to update that with the governing board, or, you know, how should we perceive that, as far as that goes, right?

C: Well, you know, what was pointed out was that what was in the charter that everyone had signed up to was four from the governing board and three from the community. Is that different than how people who were here before most of us showed up, who were part of the discussions earlier, which I want to respect where those went... was the sentiment then that the majority before were elected by the contributors?

F: Yeah, I think when we went back and looked at the notes, the actual intent was four community, three governing board, but what ended up in the charter was the inverse of that. Okay, yeah. It was complicated, well.
C: Right, and I was trying to close that issue by getting to agree with... obviously we want to honor what would have been agreed to previously, so we'll take this and come back. Then my understanding was that four governing board, three community was what both was in the charter and would have been agreed to earlier, so... and I know there was some question about the inverse, but I thought those folks were misremembering the compromise. So, okay, let us go back,

C: look at notes, try to reconstruct this and then come back as soon as we can with it.

F: Far as having four from community and three governing board, so in either case there's a split, so we need to figure out how we actually want to run that process from the governing board side. I think from the community...
G: Just for my two cents, and this is by no means a reflection of the overall governing board, my recollection, at least the last meeting, was I thought we were talking about four elected community and three governing board.

G: The inverse sounds heavily weighted in the wrong direction, in my humble opinion, but that's by no means a general governing board sentiment. Just my personal opinion.

C: Yeah, let us go back and look at that. The second question, though, which was about the process: you know, it seems logical that the governing board would appoint after the community elects, rather than having them happen at the same time. It also seems logical that it'd be the same pool of candidates that the governing board picks from, but let us go back to the proposal.

F: Okay, sounds good. So in the meantime, we'll just go ahead and work through the process as far as self-nomination for the seats that we believe to be available, whether it's three or four, but we can get the candidates going, at least in the meantime, and then we can sort that out.
F: Awesome, okay, so the next items on the agenda today is: we have two presentations. I'm totally gonna mispronounce this one. It is, I believe... is it Pyrsia? Pyrsia?

G: Yeah, yeah, so let me just talk through it quickly. I think that's probably better than going through a presentation with the folks on here, and I'm also going to put in chat, in case you missed it in the email, a link to the document.

G: So we did a short presentation at Linux Foundation Member Summit on the project at a very high level.
G: What we're proposing is building a distributed package repository that would allow you to get artifacts, whether they're Docker images or npm modules or Go modules or Java JARs or other things, in a highly reliable way, and also with the confidence that what you're downloading is of high security as well, either as pure, verified or certified by partners in the network. And I think some of the goals of the project, and the reason why we're discussing it here, is we want this project to be very transparent in how it's both conducted and also in the visibility of folks in the community to what's going on in the project.

G: The second thing is we want the project to be neutral, both in terms of the vendors participating in it and the infrastructure and the ownership of the project, so having it be part of a neutral body like OpenSSF is important to us. We believe in both the success of the project and also keeping it to a high standard, and the last one is we highly value inclusion.

G: The companies which are jointly proposing this right now, and we're of course welcome to others, are JFrog, so we're, you know, committed to both developing the solution and helping to see it be a success, our friends at Docker,

G: and our friends at DeployHub, so Steve and Tracy are both on the call as well and they're both helping us out in the project, and also they're soon to become OpenSSF members, so I believe maybe even like this week. I think they're slated to be officially joining OpenSSF as a...
G: And I think what we're looking at is, you know, we're in the early stages of the project. We have a public git repo, where we have a bunch of developments and have done some initial prototypes with Docker integration, with the help of the folks at Docker.

G: But we would like to have this be done in the open, to have this be done as an incubating project at OpenSSF, and as we grow the network and actually have an MVP which companies like us and other folks can run.

G: We also think it's important to have some support from OpenSSF in the form of funds where we can both run some of the infrastructure within the Linux Foundation, to make sure that there is kind of a neutral instance of it running as well, besides the vendor-run instances, but also provide the right sort of funding to support the growth of the ecosystem, yeah.

G: So first of all, I gave a super high level description of the project and kind of what our goals are, but any questions from the TAC members that you have about the project? We're also open to guidance on the project as well. So we want this to be something which fits in with the overall goals of the OpenSSF ecosystem and is something which we can have interoperate with other projects and ongoing work happening within this group.

G: Basically, we want to take the project which we've kicked off and have it be an incubating project under the OpenSSF banner, contributed by a couple of the member companies, and then I think the second-level ask... this isn't an ask for the TAC, but in the future I think this is something we'd be looking at from the governing board, is once we have a project and we have an MVP which we can actually run on infrastructure,

G: it would be to get a directed fund that we could use to support the expansion of infrastructure, so we'd want companies such as ourselves, you know, Docker, maybe some of the cloud providers, to run instances of their own, but in addition to that, we think it's important to have OpenSSF running an official instance as well and supporting maybe smaller players who want to run instances and don't have the financial means to do so.
H: Yeah, so would these be... so I had a quick look at the code. Would these be IPFS nodes? Is that right?

G: So we have a hybrid, yeah. Currently we're using libp2p, which is the underlying infrastructure for IPFS. We're not directly using IPFS for the metadata layer right now, and I think the way of thinking about this is there's some specific attributes to package systems, like interoperability with package management systems, which we're focused on solving. That's kind of the layer we're building on top of this, and this is kind of... you can think of it as a content

G: delivery network for packages of different types, with the goal being that we would have first-class integrations, over time, with the majority of languages and tools that developers and folks are using to build an ecosystem. And I saw someone with their hand up. Was it Jen? I think it was Jennifer. Yeah, Jennifer.
L: Yes, I took my hand back down because I think I'd need to read the proposal more. I'm just trying to understand kind of the threat model assumptions for this, and just kind of to do my own due diligence around understanding exactly how we ensure integrity of the packages and, I don't know, the overall security of the ecosystem. But then I realized maybe I need to do some reading and come back to you, so yeah.

G: Yeah, no, thanks, Jennifer. Actually, that's a good kind of discussion of what we're expecting.

G: So we wanted to introduce it to the TAC at the meeting today, just to get the idea out there and start the conversation. We didn't actually want to get this to a decision, and what we're looking for is feedback, comments, kind of like some help with the path forward to navigate how we best turn this into a project which would align well with the OpenSSF goals.
L: All right, thank you for that clarification. So are you intending to present this anywhere, or is there somewhere we can get more information? And again, it might all be in the document, and I just have to do my homework.

G: Yeah, so the document covers a lot of information, although if there are areas which aren't clear, feel free to comment and we're willing to clarify. We did a presentation at the Linux Foundation Member Summit. I believe there's a link in the document to that as well,

G: if folks are interested to kind of geek out with us. So I think it's exciting, but, you know, again, the reason why we're proposing it at such an early stage is we want to be transparent about where we're going with it. We want to be inclusive and make sure that we're also considering other efforts in the ecosystem and, you know, helping out to secure open source. We don't want to compete with other efforts, we want to,

G: rather, reuse existing authentication systems, make sure we're integrating with other efforts for reproducible builds, and make sure that we're kind of aligning with where things are going.

G: Okay, cool, so if there are any other questions... I think that's the main thing we want to do, is just kind of introduce the project and start getting some feedback. If folks can give us comments and feedback, feel free to reach out to myself directly as well, and I think what we'd look for is maybe in a January meeting, after we've gotten more feedback from members and more input, to see if we could move towards becoming an official OpenSSF project.
F: Yeah, so I think there's two questions here, really. There's the "what do TAC members think about the general alignment of this project with OpenSSF," and if we all agree that, yeah, this kind of fits with the overall technical vision, which it seems like this kind of fits within the general supply chain security type space, you know, is one element of that, but definitely want to hear others' thoughts on that. But if it does fit, then there's the question of the formality of making it a project.

F: Do you have multiple companies that are interested in participating? Are you holding regular meetings? Right, we have this official process for making it an incubating project within OpenSSF. So we'll need to, you know, go through that, but before we do that, you know, do folks have any objections to this being within OpenSSF? Are there questions, concerns? I think,

F: in the meantime, you know, asynchronously, you should start holding these meetings and that sort of thing, so that, you know, a lot of this can get clarified. But Justin, I see your hand raised.

D: Yeah, I was just gonna say, you know, I've spoken to a bunch of customers and I've never had someone ask for distributed package management. Usually, when I talk to folks they say they want control over it.

D: They'll say, "I want my private registry, where I know every bit that's on there and how they got there." I've never had someone ask for less control or less visibility over, like, where the stuff lives, and so I just kind of wonder, are people going to be comfortable with this? Even if there's crypto and, you know, verifiability and all that, I know a lot of enterprises that still aren't comfortable with the cloud, like, I'm not sure how comfy folks are going to be with this.
G: Yeah, so I think part of what you're probably getting to, Justin, and let me answer it partially, but it may be a longer discussion than we want to do here, is it's a question of kind of the audience and who the consumer of this is. So I think at JFrog as a company, we both deal a lot with,

G: you know, large enterprises, DevOps teams, and kind of what they need to secure the pipeline, and we also, because we run, historically, a bunch of central repositories, we're still running ConanCenter, which supports the C/C++ community, we're also very familiar with developer needs and kind of like how individual developers look at the supply chain and the tooling which connects to it.

G: And I think the goal of this project is really to address, targets specifically, developers, folks who are building software which relies on open source projects, and making the tooling, the accessibility, the uptime and the security of the network as high as possible, and also to make it sustainable.

G: I think one of the challenges in the developer ecosystem is we have a lot of different tools, package management systems, central repositories, and there are varying levels of maturity, reliability, and, you know, simple things like malware or a DDoS on, for example, PyPI, not picking on Python as a language, but that disrupts a huge portion of the developer ecosystem and a surprising number of commercial CI/CD systems which shouldn't be reliant on central repositories, but often are. So.
H: Yeah, just a quick one, so you don't have to answer this now. I realize you're in the early stages of developing the project. I've worked with libp2p before, played around with this with a sort of a similar use case in mind.

H: One of the hurdles that was a real challenge to overcome, and something you might want to explore at some point, is with libp2p you can't delete content, so if you're using it as a CDN, then there's no means to actually remove content, and you can sometimes implement some sort of gateway, effectively, but then it's no longer decentralized. So this was just one of the issues that I ran into that might actually be resolvable now. There might be an approach for that, but it's probably something to be mindful of. If.
G: Yeah, this is one of the conversations that came up in architecture and design, because for the reasons you mentioned, like either folks accidentally publishing proprietary code or artifacts, or simply government regulations around the ability to redact the code, or...

G: Exactly, you do need a way to remove items from the network for legal reasons, and so, even though we were proposing a distributed and mostly decentralized network, you'll notice in the proposal there's a concept of certified nodes, and part of the reason for that is we do need a way to both handle cases like that where we need to either remove things from the network, or we need to verify things which are not reproducible, or we need to prevent things like attempts to do a majority takeover of the network.

G: So there's different scenarios which we're... we're not trying to solve everything in a pure decentralized approach. We're kind of recognizing that we want to make this as secure as possible with the support of companies who are basically good-natured, who want to see this be successful.

G: Okay, so yeah, those were excellent questions. I think we'd appreciate, you know, the feedback, comments on the document, and I think, you know, rather than trying to push it in this meeting, I'd like to, if you're fine with it, Ryan, take it up in a future OpenSSF meeting once we've gotten some more feedback on the proposal, to look at next steps.
F: Yeah, absolutely. I think the next approach is to just go ahead, start hosting meetings, try to get some involvement, resolve some of these questions that we have, and then once you've kind of reached the, quote, definition of incubating, then resubmit to the TAC and we'll kind of vet it from there. But yeah, it sounds like...

G: I can work with the OpenSSF staff guys to kick it off as well. We'll get an official mailing list and a cadence of meetings which are open to all the members and start having those discussions with an open group here. So we can kick that off over the next couple weeks, and then I think it would also be a great forum for folks who are interested to join us, and we can talk about additional things related to design. Yep. Thank you. Thank you.

F: Yep, that sounds good, awesome. Thank you guys for presenting. That was definitely informative. So we have another proposal, this time from Jamie, around Component Detection, similar. So Jamie, do you have something you want to present, or do you want to talk through it as well?
N: Yeah, yeah, I've got a short presentation, if I can share my screen.

F: Absolutely, I will stop sharing and...

N: Right now we support a wide range of ecosystems and that equals broad user coverage. By supporting engineers with their existing tools, we can integrate into their workflows, and writing a new detector is easy as well.

N: Just run list-detectors to show you, you know, at the minute we have 16 detectors across a lot of different ecosystems, and we can also import your own custom detectors at runtime if you were to drop them into this plugins folder.

N: So I've started that running and it's already completed. I've got a summary of the output here, so you can see it took about 1.6 seconds in total and we detected around one and a half thousand npm components, but, like I said, the output is in a graph format, and if I want to view the full output, I can view this JSON file.

N: So let me go ahead and start that. We get a lot more information about the JavaScript project, and the Docker one takes a little bit longer to run, but we should get the same output, or a similar output. So you can see we detected 96 Linux components and the total time was around 11 seconds.

N: And yeah, that was Component Detection in a nutshell. Do you have any questions that Laura or I can answer?
B: This is Steve from DeployHub. Does it record any of this source code that you're dependent upon, or is it only looking at the packages and libraries?

N: It only looks at the packages and libraries, but it also notes where in your code base those are found, so, you know, tell you exactly which package.json or which pom.xml, for example, if you've got like a large project with multiple, you know, multiple references. Got it.

O: Yes, I have some questions. So this is really great work. So one question on that, or maybe probably three questions on that front. First is: how is your transitive dependency coverage across these ecosystems? Like, I saw some of the code and saw it covered, but just want to recheck, like, is that good across all the ecosystems you targeted?

N: I don't think it's across all ecosystems we have perfect transitive dependency support, but I feel confident saying most. You know, Laura or anyone else in the call, feel free to correct me if I'm wrong.

P: Yeah, I'll jump in and just kind of confirm what Jamie said, is that it's largely dependent on what the ecosystem supports, because again we're using, like, the package manager in a lot of cases. So there are cases where transitive dependencies are not supported.

P: Can you give an example, like, Richard? I think Tio is on the call. Tio, if I say Go, is that a wrong answer?
O: Okay, can this system... I think you mentioned this, but this can plug into any of the SBOM generation tools easily, like, using this information, right?

P: So I don't think that we've tried using it with SBOM tools directly, but I can tell you that there... Microsoft is working on... I don't know what I want to say. It can be... inputs can be shared with an SBOM tool in some cases.

D: I was just gonna say, like, I really appreciate y'all bringing this in. I think this is a common problem that we all sort of have, is that just determining software inventory is becoming a lot of work across all the different package managers and what have you. I, for one, would love to have us have a project in the OpenSSF that we can all kind of party on, to go and have something we share for that.

N: Yeah, thank you, yeah. That was the intention: to find out if it's something that fits within the wheelhouse of the OpenSSF and then to get an idea of what the requirements are for becoming a project, you know, under the umbrella of the OpenSSF. So I hope this is the first step.
B: Yeah, just another comment: this would pair up perfectly with Pyrsia, because Pyrsia will be able to give us what we call the trust factor of each one of those packages, so being able to look through all the dependencies and come up with a trust score for your application will be key and very beneficial to everybody.

N: Yeah, I do see, you know, a lot of synergy between existing OpenSSF projects as well. Like, I haven't had a chance to read through your architecture documentation, but someone mentioned to me about Scorecards, which seems like it would work well.

Q: Yeah, this looks like a pretty complete tool. Do you have any, like, future development plans or things that you'd be looking for getting community involvement in, for, you know, being part of OpenSSF?

N: Yeah, I think I'll maybe defer that question to Laura, if that's okay.

P: Yeah, yeah, and hey, Jam... so Jamie already mentioned detectors. We know, like, we have a set... the tool supports a set of detectors today. I think that's an area where, if there's interest in other ecosystems, there'd be an awesome opportunity there to explore that more. I'll fully admit that, you know, the context that we're aware of with this tool today has been largely Microsoft-centric. In that ecosystem, learning about other ecosystems, partnering, you know, in ways to make it... it can be helpful in different tools, different places. I think there's a lot of opportunities there as well. I guess I'm mostly just echoing Jamie, is like, we just wanted to see how we can help and what sort of opportunities exist and, you know, be part of discussions from there.
N: I was just gonna say, you know, I can tell you today we have a contribution to add support for the Python package manager, Poetry.

N: Okay, Abstract, I'm just gonna check in. Do you remember what the third question was? I don't wanna miss you.

O: I think I remember at least some of them. One was actually: do you also capture source hashes? Like, I saw you capture the versions as part of transitive dependencies.

N: I don't, I don't think so. Again, I think we rely, you know, very heavily on package manager information, so just to take an example, I know npm doesn't provide this sort of information, but I can't speak for other detectors. I don't know, Tio, do you have any more?

J: Yeah, I was just about to jump in. Some of them do support commit-level references, for example, Go and pip as well both support detecting components and saying, you know, it came from this git repository with this commit tag. So, yes, we do support that.
F: Awesome, thank you, Jamie. Sounds like there's general support from the comments from everyone. It seems like this is a good fit within OpenSSF, and now it's just kind of, like the other presentation, now going through the formality of, you know, hosting the meetings, getting people involved, all that, and they'll kind of circle back and talk with the TAC when you guys are ready. But any other questions or comments for Jamie regarding Component Detection?

F: Sweet, all right, yeah, thank you both for that today. Definitely cool to see all this work happening. So I think, David, you had an agenda item that you added regarding the great MFA distribution.
A: Yes, and thanks for letting me slip that in. So I just want to give people a quick heads up that, you know, Google and GitHub had contributed some MFA tokens. Thank you both. We found out that the Google tokens in particular, for various reasons, expire at the end of December, so we've been rushing to get those distributed out there, and, you know, it's good to give us a kick to hurry up anyway and get some specific things accomplished.

A: So we've gotten most of the projects... we identified a critical list, we've gotten most of them notified. We are currently in the process of finding out which projects want them, which ones don't, how many, and trying to get that information out. It's kind of been a rush.

A: It's all, you know, trying to get this done at the end of the year, but I actually hope that this is going to actually work out and it's going to be a good, quick win, which I think is a helpful thing.

F: Absolutely, yeah. Thank you, David, looking forward to seeing those go out. So Brian, you mentioned you have a couple.
C: I did. While we were sitting here, I quickly went through the minutes from previous governing boards and found, from March of this year, agreement on the governing board to three being appointed by the governing board and four elected by the contributors. So we have that in writing now and we'll fix the charter to conform with that, and all will be hunky-dory on that front. It did also say, though, that terms would be for two years, which seems different from people's recollection.

C: Perhaps there were alternating things. We'll get clarity on that, but I think the clear consensus is that all seven will be appointed... elected, I'm sorry, over, you know, in the next election process, three by the governing board, four by the TSC. Any questions or comments?

F: That actually was the initial intent, so we did have that, I think back in January, if memory serves correctly, that we were going to do this rotation, and then, over the past few weeks, month or two, that we've been discussing this, it's basically been... the consensus has been we're just going to elect everybody this time, and that the need for overlap is actually less of a concern than we thought it was. Folks have basically given their opinions that they've never really seen an issue, especially with the TAC the way it is right now.
C: Okay, and the second item was on the Log4j front. I'm sure many of you are in fire drills now or looking at ways to affect that.

C: Clearly, there's lots of things that we have going on at the OpenSSF which, you know, our hope is that they mitigate the chances of a future vulnerability like this, or, when one is discovered, through things like the vulnerability disclosure process, we could have even a more orderly rollout of fixes, and that kind of thing. We've chosen not to do anything kind of big or whatever from the OpenSSF social or website point of view, just for fear of being seen as ambulance chasing on this front,

C: to be frank, but we're looking at putting together something for January, for like the beginning, when we all come back, that might talk about here's how projects like ours can help mitigate, and efforts like ours can help mitigate, the chances of future exploits, so future situations like this. So if you're wondering why we're being a little quiet now, it's just, you know, we're not sure that there's much we have to add to the fray, and distract people from the update work that I've...

G: I mean, I'd just say one thing in general: the huge crisis and situation kind of underscores the need for the work which we're doing as a foundation. So, if nothing else, it's validating the work that we're already doing.
F: Cool, thank you, Brad. So we have three minutes left. I just want to mention really quick, the 28th, the meeting on the 28th, we are going to go ahead and cancel unless there's an objection from anyone here, but I think everybody's gonna be out during that time. So we'll go ahead and cancel that meeting.

F: So then, the next meeting that we'll have here, I believe, is on the 11th of January, but we'll definitely have emails going out before then, asynchronously working on the election, so we'll get that self-nomination going out for candidates for the TAC and then we'll start working on the election before that meeting happens. But with three minutes left, anybody have other items they want to bring up?

F: All right, well, with that, I hope everyone has a wonderful holiday, and those of you that are taking breaks, please enjoy, and we will see you after the first of the year.