From YouTube: OSSF TAC Meeting (February 8, 2022)
C
Scrolling through the list here, let's see. So, let's see: Luke, Dan, myself, you, Phil, Jennifer. Yeah, I think we are good to go. All right. So the first thing on today's agenda, as everybody is very well aware, and I'm sure excited about, is the TAC election results. So actually, I didn't see, is Brian on the call? Okay, he is. Good. I am here for future records.
F
Yeah, so as I wrote into the meeting notes, congrats to returning members Dan Lorenc and Luke Hinds, and welcome new members Abhishek Arya and Bob Callaway. I think all four of you are here. So congratulations, yes, or whatever folks want to do, plus one, thumbs up. And as per the charter, the other three will be appointed soon by the governing board.
F
I wanted to wait until this election was done before proposing a slate to the governing board of three, so we'll be following up on that. The next governing board meeting isn't for another month. We just had ours at the beginning, at the end of last week, so I'm going to try to do this over email, which requires universal written consent. That's the only chance of getting it done in between meetings, so I'll propose it. I'll see if I can get to UWC; with so many board members, it might be hard.
F
It might mean that it has to happen by voice vote at the next governing board meeting, so it might be until next month. That would be the worst case, but the best case is that we get agreement and name three in time for the meeting, the next TAC meeting in two weeks.
C
Perfect, thank you, Brian. Yeah, that was exactly my question: what is the timeline, and, yeah, if it's going to roll over to the next meeting. So if all things go well, the next TAC will take over this meeting, which then kind of leads into the transition. Now, given that Dan and Luke are returning, and I think that'll certainly make this a lot easier, and I know Abhishek has been involved already as well.
F
Yeah, it would be nice to find, I mean, if we were in a normal mode where we were traveling again, I think we'd try to find, like, the next suitable security conference that most of us were going to try to be at, or were likely to be at, and try to see, could we do, like, you know, a couple-hour kind of off-site, so to speak. But failing a physical conference, you know, or not wanting to wait until June when Supply Chain Security Con takes place.
F
Maybe we can get a Zoom call together, you know, of the TAC. It should be open, since all of our meetings should be open anyways, but really focused on: how does the TAC want to work together over the next year, and what are its ambitions? What are its goals? Because it's, you know, it should be, you should have more ambition than just, you know, having a call every two weeks where anybody can show up with whatever ideas they have.
F
It should be: here's what we'd like to work together to do. So, happy to convene that. I'm happy to facilitate that from OpenSSF, but I think it'd just be a good way for us to congeal as a team.
B
If I may interrupt real quick, I just want to note that we had an incredible slate of candidates, and if you were a nominee but didn't end up voted in, it is no slight. There is just an incredible number of awesome folks who put their hat in the ring. So my thanks to every single one of you. Yes.
B
In fact, we had talked earlier about making the TAC slightly larger.
C
Yes, absolutely, yeah. Thank you to everybody for participating. I had the exact same thought. Maybe this could be a good time to have that discussion again, but yeah, there's definitely a lot of good folks. And yeah, I'll just say, as sort of outgoing TAC chair, like, future TAC things, definitely agree with Dan and getting together with the governing board and sorting that out.
C
Oh great, all right. So the next thing, so David Wheeler, I think we talked about this in the last meeting as well, around proposing, asking the new TAC to assign sponsors to each working group initiative thing. I think this is, I don't know if we want to take this up now, or if we want the next TAC, when they convene, to actually discuss this, or if you want to hash out some of these ideas and then let the new TAC sort of take it from there.
C
Sounds good. We'll move on to the meat of the topic then. So also David, the GNU toolchain infrastructure project. Would you like to take it from here and give us.
B
Absolutely. So I don't know if David Edelsohn, Carlos O'Donell or Kate Stewart are here, any of you? I, I am.
B
We're here. Excellent. Yep, oh good, okay. All right, so I no doubt will say all the wrong things and then they'll have to correct me. But since my name's stuck on this, let me at least kick this off and quickly break it to a rounder discussion. So the GNU toolchain project proposal's actually been around for a long time. I'm, I think.
B
Procedurally, it got stuck, and I'm not sure what happens, so I'm trying to get this unstuck, but in my mind this is a really straightforward proposal.
B
It's a proposed project to provide the GNU toolchain with basically better infra, secure infrastructure, to make it much more secure. There's more details in the various links there, but the GNU toolchain components are widely, widely depended on, and I guess perhaps it's a little appropriate for me to make this proposal here to the TAC, because years ago, when I did a PhD dissertation, I actually wrote about the problems if you subvert the compilers or other key toolchain items, and it turns out to be bad.
B
Surprises exactly zero people here, I'm sure. So, I mean, the good news is that there are actually organizations who've already stepped up, who are interested in doing this. But, and the governing board was presented this a while back, but their immediate comment was that, you know, what it's always been, that we asked the TAC to review a process, a proposal, before we make a decision on it, and I think that's entirely appropriate. Just, you know, procedurally, let's make sure we have, you know, reviewed by this.
D
David, David and I had put together some slides just to, like, run through things quickly with the TAC, so the TAC can have something to look at while you're talking. Do you want me to share my screen, and I can run through this? Please. It's only eight slides. It should be relatively quick to go through these, and then we can make the slides available after the meeting with a direct link. So here I go, this one. I even used an LF background for this one slideshow.
D
About it, sure. So I'll start off with the first slide saying thanks to the TAC for agreeing to listen to our proposal. It's about establishing the GNU toolchain infrastructure project. It's really about improving that foundational, secure cyber security that we have with the system toolchain. And just to introduce ourselves, David, do you want to go ahead and introduce yourself to the TAC?
I
Yeah, certainly, thanks. My name is David Edelsohn. I work at IBM Research. I'm a member of the GCC steering committee, which is the oversight organization for the compiler itself, and been working with Carlos for over a decade now with the leadership of the entire GNU toolchain and how to bring this process forward.
D
So what we want to start with is establishing, so the GNU toolchain infrastructure project is about implementing state-of-the-art, robust and secure infrastructure and processes for the GNU toolchain community. As David said, you know, we've been trying, we've been working with the LF to get the project started. We even have a nice logo here that we can show, because we've already been looking at logos. And, you know, for those of you who are thinking, well.
D
What do we include in the GNU toolchain? When we say the GNU toolchain, we're really talking about, you know, that world-class optimizing compiler for C and C++, Fortran, Go and other languages; binutils, the static linker; the debugger; the C library. And we also consider in here build tooling: make, autoconf, automake. There's an enormous amount of software that's still being built with autoconf and automake, and there's always considerations to be made across the entirety of build tooling, compiler, debugger, C library and binutils.
D
And, you know, this is a system toolchain that's used on many distributions. We're talking Debian, Ubuntu, everything from, you know, Amazon Linux 2022 to the latest Red Hat Enterprise Linux 9. This toolchain is the, as a foundational system toolchain for the distribution.
D
So, you know, a question comes up, is, you know, why establish a new project now? And I'm gonna pass this over to David and I'll let David talk a little bit about this.
I
Well, I said, this is really critical to the infrastructure of Linux itself, and we've been very, very grateful to utilize the infrastructure that Red Hat has provided, very professional, and volunteers in the community, but that infrastructure is showing its limitations, especially with the increasing demands that are coming about for cyber security.
I
With the, you know, executive orders from the White House, you know, the various supply chain requirements coming on, and this allows us now to follow on with the conversations we've been having with the Linux Foundation.
I
For, I don't know, four or five years now, about, and communication is just, how to establish a better relationship and a new sort of infrastructure for the GNU toolchain itself, and to use this to update the infrastructure that we're going to use, in the hardware and the services, to be able to address with state-of-the-art infrastructure.
D
Absolutely. So, you know, to expand on the, like, one-sentence mission is just, you know, a little bit more verbose here, which is really, you know, to provide that secure and state-of-the-art infrastructure required to implement these cyber security best practices and really make the GNU toolchain this, like, kind of foundational toolchain in a secure supply chain. And I think that, like, you know, when you expand this mission in this way, we're then able to come up with goals and OKRs against.
I
Well, as Carlos is saying, it's a matter of updating the infrastructure so that we can really provide and ensure this continued excellent infrastructure, this excellent software base that builds, you know, Linux distributions and then the cloud and, you know, the infrastructure for the world. So we want to update this to ensure that the project will provide this secure, robust environment for the toolchain and the tooling. As Carlos mentioned, there are many, many dependencies, and we're incorporating those dependencies as direct dependencies under the umbrella of this.
I
So we want to be able to provide these verifiable sources for distributions, be able to attest to all the infrastructure that we have and all of the sources, being able to provide a modern infrastructure, improved CI and CD, to really check off all the boxes that are in current and upcoming requirements.
I
Best practices for secure development, secure releases, secure maintenance of those, being able to, again, make it more robust. Our cb maintenance that we're already doing, to be able to provide, you know, truly signed, and utilize the best practices that the Linux Foundation has created for the Linux kernel itself, and to be able to adopt that same style.
I
We want to improve the advocacy for the project itself, with focus on trust and cyber security, as we say on the slide, because we need a vibrant, robust project to have enough developers to provide this, not just develop the software itself, but able to have multiple reviewers, to be able to trust the identity of people working on the projects. So we need to ensure that this project continues, and through the advocacy efforts to ensure that we are able to, in the human side, address all of the security requirements as well.
D
And so, I mean, that brings us to kind of CY22 OKRs, which is the things that David and I are pushing to look at in CY22, things we're trying to accomplish. You know, transitioning Sourceware services.
D
Sourceware.org is the systems that are currently provided by, the infrastructure is provided by Red Hat but maintained by volunteers, and a lot of those things we need to scale up, especially as we look at CI/CD. DJ Delorie, myself, for example, even in upstream for glibc, have been looking at Patchwork layered on top of mailing list, driving CI/CD, and it's getting good traction with the existing community of developers simply because it's a nice layered workflow. But we need more than that, right? We need artifact distribution.
D
We need to evaluate sigstore. I'm already looking at SLSA models. You know, glibc, we try to do at least one Reviewed-by from another reviewer if you're committing into the repo, just because of the importance of the repository for the runtime. And so these are the kinds of things that we're looking at for CY22.
D
Now, you know, in this process we are collaborating heavily with LF's existing IT staff and learning from their experiences in the support that they've had for the Linux kernel, and so there has been some work already done with the LF IT staff on scoping, costs and services sized with LF IT staff and management. So we kind of know what it would take to transition some of the services, what new services we're talking about, how we would spin them up.
D
So, as some people say, it's kind of a, you know, a shovel-ready project in that sense, right, David?
I
Exactly, exactly. Thanks, Carlos. And exactly as you said, I mean, this is something where we've been very effective with volunteers and the great services from Red Hat for the past more than two decades, which we greatly appreciate, but there are new challenges on the horizon, and we want to make sure that the GNU toolchain remains viable. And so this also isn't, as Carlos said, a plan to, okay, you know, give us money and now we're going to start, you know, up for bids and we're gonna figure out what to do.
I
I mean, we've been working with the LF for a number of years now, have a very detailed plan about how to proceed. We've been working with the IT staff at LF. This is a matter of also just going off, you know, give us money and we'll go to whatever other provider. This is specifically to work with the existing LF infrastructure, that is a very competent team that already exists there, and to expand that current support for the Linux kernel to cover the GNU toolchain, which, you know, historically has been sort of in this.
I
This, this intermediate placement. It's not, it's not, it's been part of the GNU project, but it wasn't, you know, truly, it had already expanded, had more technical demands than the GNU project and the FSF are really able to support, which is why we're so appreciative of Red Hat stepping up. It's not a separate organization.
I
It's not, you know, it's not hosted by Red Hat or, you know, Amazon or Google or anybody else. And so, you know, we're seeing, given these new requirements and the core place that it exists in the entire Linux ecosystem, to be able to take this, the sizing that we've done, and go work with the OpenSSF to ensure the funding for this, so that Linux Foundation can provide and implement this.
I
This plan that, I said, Carlos said, is, you know, shovel-ready and that we have going forward, and hopefully with the approval, support of the TAC and the board, to be able to accomplish this.
D
Yeah, thanks, David. I, yeah.
D
We've got one more slide here, which is kind of looking briefly at what does this mean in terms of a governance model, like, how do the communities tie into this distinct project, which would be, you know, there's a bit of a question for the OpenSSF board to decide, collaborate and decide the exact structure. But the way that David and I have been discussing this is, you know, you have these GNU toolchain communities, and they're the ones who have these requirements, and we're putting together how we're going to deliver the secure supply chain, and we create an infrastructure engineering committee, which is that focal point, collects those requirements, and then we work with LF IT staff to prioritize and decide, okay, in CY22, which of these OKRs is first, which is priority, which one do we want to tackle first, and then keep moving like that from year to year, making forward progress on the project, right, you.
I
Know, and again, as David said, this isn't the LF or OpenSSF taking over the GNU toolchain project itself. That will still be the project as it exists, and this isn't the matter of, you know, having a flag day and coming to the community and just saying, okay, you know, over this weekend we're just going to shift everything over and it's all going to be run by the LF.
I
I think this is going to be an evolution of this. But also, as we said at the very beginning, Carlos is the steward of glibc. I'm a member of the GCC steering committee. We've been discussing this with the leadership of the GNU toolchain for years as well. So we're coming to you, you know, representing the GNU toolchain, that this is a direction that the GNU toolchain wants to go in.
D
And David, I think it'll go back to you, if you have any, Wheeler, if there's any questions from the TAC, where David and David and it.
D
Two, and back to David, if you haven't, that won't be confusing at all, yeah.
J
Is this about securing and sort of fixing vulnerabilities and/or preventing tampering in the toolchain itself, and/or, and I'm hoping it's all of the above, is this about also having your tooling be a more, like, integrated component of a secure supply chain, where you're starting to produce bills of materials and manifests and other things like that along the way? I'm like, there's a lot of potential across this whole space. Maybe it's all of the above, but I'm trying to figure out where you are leaning in right now or what your thoughts are.
D
Yes, I think it does absolutely make sense, Michael. I would say the OKRs, if I were to prioritize them, it's securing and transitioning some of our infrastructure first and foremost. We probably have too much access to Git internals. We should be switching to cgit. We should be switching to a different model for control of access of those sources with keys. And then, after that, absolutely, I think glibc should have SPDX identifiers for all of the files.
I
You know, the security issues in the software itself, as best we know, but we want to get to best practices for how that is actually deployed, how the services themselves, the hardware, the communication channels that we have, the signing of all the patches itself, the email communication and how, you know, as Carlos was saying, the Git itself, how we actually upload, you know, the artifacts, making sure that all of those pieces are following best practices as well.
I
I mean, we won't go into details, but, you know, let's just say that, if, you know, some of the current practices aren't best practices. We.
J
We know all too well. None of us have any shame here, because if we don't open about it, we want to get it fixed. I'm very curious, so that all makes sense. I'm very curious about the opportunity in so much as the tooling starts to, you know, fulfill some of those, not just how you guys build the tooling itself, but also the tooling, so that anybody using your tooling is now automatically getting, you know, a better inventory of all the things.
I
Oh yes, oh yes. I mean, definitely, we've been working with Kate, I mean, as well, I mean, with all this SPDX stuff, for having GNU make and GCC being able to generate the bill of materials as well. I mean, yes, we definitely want, yeah, we definitely want our tooling to be able to simplify and automate the ability for all of the software generated by the tools to fulfill the software.
D
Yeah, yeah. I would say the Red Hatters on this call know that I also wear a blue hat, which is, like, my Fedora hat. So I have this requirement with my blue hat on, which is, like, how can I consume these things in Fedora? Because today, for example, we're often taking snapshots of upstream git at a particular commit, and, like, I really want that to be way, way better than what we do today in Fedora, and the way that those binary artifacts and the source-level artifacts progress into Fedora.
D
So I see, with my blue hat on, that I want to make this a generic thing that allows Fedora to then consume the updates. My team currently does a rolling every-seven-day update from upstream into one of our rolling releases. I would love for that process to roll in such a way that you could verify all the way from upstream where those sources came from, and then that just leads naturally into Fedora releases, and then those things lead into RHEL releases. So, having a particular use case.
K
Get around that lot, yeah. I did zero in on one thing because of my particular interest at the moment, which was looking at sigstore. We've been doing some pretty heavy lifting in that department focused on RubyGems, but I expect that a lot of the work we've done is repurposable for other ecosystems.
D
How it works and how it could be used, that is super interesting, Jacques. And even, like, I'm also thinking to myself, like, I'm heavily involved in the Python community, because Python wheels basically end up being binary artifacts you distribute, and I have so many questions. I'm just like, how are we uploading Python wheels to, oh my god, it makes me cry. But we will, we will look you up and we will ask for your feedback, Jacques. Thank you very much for that. Well.
I
And that's, again, you know, yeah, thank you very much, Jacques. But, you know, this is part of exactly why we want to integrate with the OpenSSF, I mean, to be able to leverage all the skill, again, for something like GCC, which is the foundations, and utilize all of this, you know, this great infrastructure that OpenSSF is at the tip of the spear, to improve this entire environment and.
K
We've been, like, we've had help from Python folks as well, so we've been swapping notes between communities about what we're doing and what we're thinking. So I think Python folks are also definitely worth tapping into as well.
E
Hey, and this is Stephen. So just as another idea for collaboration, we're proposing a project called Pyrsia, which is focused on distribution of artifacts, and there may be some opportunities for us to collaborate on how you're actually getting some of your downstream binaries and outputs from the GNU toolchain out to different projects.
D
Thanks, Steve. If you could expand on that in, like, a one-minute summary, because I'm just gonna take a note here and I'll reach out to you again. But is it Pyrsia, so distribution of artifacts, any artifacts, right? Like, source artifacts, binary artifacts? Do you make the distinction? Does the distinction matter, etc.?
E
Yeah, yeah. So the project goal is to be pretty much artifact-type independent, although we are targeting some specific communities to begin with, like distributing Docker images. And the high-level idea is to make it much more resilient and robust to distribute packages by using some peer-to-peer infrastructure, so that we can get it to a wider set of folks; to tie into projects like sigstore for security and signatures, to make sure that you actually have information about the binaries you're downloading; and to make sure that it's done in a vendor-neutral way, so that we have multiple companies and entities running instances.
B
Yeah, Michael, I think the first step is a member of the TAC needs to move to approve, with a second, vote to approve, and I think that next step is to go to the governing board. While this doesn't technically, you know, because the question is, is this appropriate? And then the next question, which the governing board will have to deal with, is, do they want to put in additional funding? This actually already has some funding. We haven't focused on the funding, because this is a technical discussion.
B
There's actually already some funding, but I think there's an expectation that more would be appropriate, but that's a governing board discussion, not a TAC discussion.
J
And David, I totally agree. What I'm actually trying to think about is, ignoring that for a moment, because we're not a chat with conversation, right, you know, how can we go from a presentation and a bunch of enthusiasm to another level of understanding? Like, is there a working group? Is there another longer meeting and conversation?
J
How do we figure out which various parts of patients we can sort of throw into this pile and start to sort of go from "this sounds great", and my boss asked me, what are they doing? Like, yeah, it sounds great. And I'd like to go from "it sounds great" to "I have a clear understanding", and we can say, well, we want to engage here, or this is going to happen there, or whatever.
I
You know, once we get the approval with the boards, to then work with Brian, the executive committee, and to work with the LF, is to basically, because I think there are some resources, as David Wheeler mentioned, we've been, you know, having this discussion for a while, and they're sort of, you know, waiting to be able to give the LF IT organization the green light to go ahead. And then we will start, as Carlos was saying, with the governance, to set up the leadership from the GNU toolchain community, the leadership from the premier, you know, so platinum, sponsors, and set up this advisory board and start being able to prioritize the actions and work with the LF to actually start doing that, and then also coordinate that with the current volunteers in the GNU toolchain community in Red Hat, who are running the current, you know, hardware, services, infrastructure, and develop.
I
You know, this isn't the flag day. This is going to be an evolution, and to work with that, you know, and I mean both with taking the sourceware, gcc.org infrastructure and moving that over, but also coordinating with the broader toolchain community: these are gonna be the new requirements for, you know, how to sign, you know, patches, how we're gonna, you know, authenticate email, how we're gonna do this, and, you know, bootstrapping the community up into that greater level of security. So.
D
Yeah, it does make sense, though, I guess, for the GNU toolchain infrastructure project to, you know, I think many of the members who end up on the steering committee, in terms of as they're looking to prioritize the project, having us be invited to other working groups to look at how these ideas are evolving, in order to actually be capable of properly prioritizing what projects we think we can work on, is also a good idea, right?
D
So I think that may be saying, tap, like, I mean, we've already got Jacques here tapping us on the shoulder saying, hey, look, we've already looked at RubyGems and we've got some notes that we can share. We've talked to the Python community. We've got notes we can share. So all those things, and Steve as well, for Pyrsia, for distributing artifacts. Those are things that we're going to have to look at discussing, prioritizing, like, the concrete nuts-and-bolts implementation of how do we do this, right?
G
This is a perfect fit for us technically, I believe, when I'm hearing that code. So, you know, I reck, I'm going to propose that we vote on this, okay, and then these folks can go forward to the board, and then, you know, the kind of details of how they engage with different working groups and so forth, we can then start to explore that.
L
Yeah, I second that, Luke, and I also think it's premature to align it with any single working group. I think there's also likelihood that, with a new TAC election completed, there's going to be a brisk review of the working groups to make sure, you know, that they're still aligned with the going-forward efforts of the OSSF. So second the motion to bring this to a vote.
F
Great, okay. The next step will be on our shoulders to take this to the governing board. It's probably something we can combine with the other ask about TAC board members. Hopefully make progress on this before the next governing board meeting.
C
All right, any other topics that folks want to discuss? I apologize, my Zoom crashed and I had trouble getting back on there for a little bit. So if I missed anything, are there any other topics, though, that folks want to discuss?
E
Yeah, I, a quick topic as a follow-up from the previous meeting, and didn't want to put anyone on the spot as well. So I'm just looking for kind of a status update. So I know last week we discussed that we were going to, like, as a TAC, try to define kind of how projects go through different stages to become an official project, and I think Luke was the one who suggested that, you know, the OpenSSF should define such a process and formalize it.
E
So what were the thoughts on time frame, kind of like looking into that, and, like, next steps?
C
Okay, we can wrap up 15 minutes already early. I just want to say thank you.
L
Question again, maybe for David or for the community, the TAC community: will there be a plan to revisit the working groups, or has that already been accomplished by the TAC? I'm sorry if that's already been discussed.
C
No, that is something that is on the agenda for the future TAC to take care of. So one of the, I, we discussed it last week, is that, to get all the working group leads to come in and start giving presentations about where they're at, their status, where they envision going, and then they'll kind of coordinate that with the governing board and their OKRs and kind of bring everybody into alignment.
G
I just wanted to say as well, Ryan, thank you for your service. You've been a wonderful chair. You've been great at sort of bringing a level head to matters and resolving areas that needed a resolution, and so you've just done a wonderful job, so very grateful for your service.
C
Thank you, Luke. I very much appreciate that. It has been an absolute pleasure working with all of you guys, and I fully intend to still participate in this as a more casual member, of course, but I will definitely still be involved, and I just want to say thank you to everybody that's participated.
C
It's been really great to see the increase in participation, especially over the last couple of months. You know, I think there was a time where some of our TAC meetings had about five people, you know, at most, and now we're hovering around 30. So it's really great to see, and it's great to see everything that's been accomplished, so looking forward to seeing the new year and what continues to happen. So thank you all very, very much.