From YouTube: OpenSSF TAC (July 11, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0
https://github.com/ossf/tac

E
Yeah, I guess I can take a stab at that. Thank you.

E
There are a few open questions under discussion, including: should SIGs report to the TAC or working groups, or should they just report to working groups? The existing documentation says that they only report to working groups, but, for example, the DEI SIG reports to the TAC directly. Also under discussion is whether SIGs need to have meetings, and also, I think, independent repositories in the openssf organization.

E
I should say that I don't actually have a very strong opinion about any of these items, other than helping the group reach consensus on them, with the exception of ensuring that there's enough breadcrumbs so that someone who is not well versed in the OpenSSF, or someone who is coming at this from outside of OpenSSF, could be able to find and participate in SIGs, even if they're not already part of the regular working group. And with that, I guess, I will open it to the floor.

F
My initial take is that, if a SIG already reports to a working group, that's good enough. If a SIG does not have a working group home, then the TAC should be the default home. I don't think having two bosses, so to speak, lends itself to agility and things like that. Certainly the TAC should have visibility, but.

G
And I would posit that the DEI SIG reporting to the TAC is an artifact of the TAC having asked a question and asked for help, rather than a structural intention, and that it should move under a working group now that it has sort of matured and produced outputs that the TAC has seen and the board has seen. And yeah, that would put all SIGs under working groups, and I think that's certainly the structure I had in mind a year ago.

H
Also, if I may ask, I mean, can you elaborate as to why, what's the downside of having one? Or maybe, you know, I wouldn't expect this to be the default per se, contrary to what Mike said, but I think it makes sense to allow it. There may be cases like this, where we just can't figure out which working group is the most natural place, and the TAC is fine. We can just dive it here.

G
I can imagine future situations where the TAC says this, you know, well-scoped effort should be spun up, there's not a home yet, let's put it under the TAC for now, but ideally it moves under a working group, in my opinion, so that the number of reports the TAC has, virtually speaking, is bounded by the larger organizational artifact of a working group.

H
Almost, I mean, for me, like the DEI SIG, if it stayed there, you know, I agree with you. We don't want to overload the TAC with too many SIGs, that becomes unmanageable, but I would think the TAC can address that. As do we go and say, well, you know, this is getting out of control, really hard to move those, but that still means that it becomes more, you know, how we manage it from a governance point of view. We still allow SIGs to, you know, to report to the TAC.

B
All right, so please provide your feedback on that issue. We will... how close, barring this recent chat here, Zach, how close do you feel we are to getting consensus, near, far?

E
Definitely have changes planned based on the feedback I've received so far. I will commit to updating this pull request by the end of the week, and so, if you want your feedback to be included, please ensure that's in place by, let's say, end of Wednesday or end of Thursday.

D
The way the group works is there's kind of two projects underneath it. There's SBOM Everywhere, which I'm also the lead of, and then there's a fuzzing collaboration group. I have an update from them; I normally don't, because they are doing a marvelous job of being self-sufficient, but I did talk to them. They're doing an amazing amount of work, which is really cool. And then there's also some inactive projects that are kind of remnants of the tooling group. Every now and then someone shows up and says: oh, we should start this back up, and I say: yes, you should, and then they never come back.

So it's kind of one of those situations, but I mean these are cool ideas, I'd love to see them go somewhere, there's just kind of nobody's in charge of them, and so they're gonna sit for the foreseeable future. I'll start with fuzzing. If you go to the presentation, there's a link in the notes here, that'll get you to this.

I asked the fuzzing working group for an update and they sent me this, which is enormous, so they've been really busy. But kind of the short version of what they do, for everyone here, is they have a project they call Fuzz Introspector, which is where they take fuzzing results, and then they do some analysis on those to understand: what are they finding? What does it mean?

What's going on? And I'm sure many of you have heard of OSS-Fuzz, which is an open source fuzzer; it's really cool, and it does some amazing stuff, and basically that's kind of the foundational piece of this, and then they take results from OSS-Fuzz and they interpret them and look at them. And I'll let you follow the link, you don't need me to kind of go through that, but they've got their own group. The meetings are listed.

If you go to the tooling working group GitHub page, there's a link to these folks, and I mean they're great people, and obviously, if you have any interest in it, I know they'd love to talk to you. But kind of the second piece, then, is SBOM Everywhere. This is what I lead and it's what I find exciting, so I'm going to talk about this probably more than anything.

So we've had a couple of projects ongoing for several months. I mean, part of these are... It always amuses me that it feels like we should be able to get a group like this up and running in like a week, and it takes literally months. I mean, we've been at this for a year at this point and we're grinding along, and one of the perpetual challenges we have, that all the other groups have, is people show up for meetings, but getting people to do work outside of the meetings is often difficult. And so a lot of our meetings are working sessions where we go through the documentation. We go through some of these plans to get an idea of what we are trying to do. So what we've done the last couple meetings has been asking some, like, actual real-world SBOM use cases to come and talk to us. This is where we had these projects and companies where these are our folks doing SBOM work, like Istio, evos and Yocto are actual open source projects, and we basically wanted them to come and tell us: what are you doing with SBOMs? How are you using them today? What were some of your challenges? What's going on? And the reason we did that is we have this plan here. That is a, it's a, it's a p.

You know, send them out and then start writing down what we learn, because we're going to learn tons of stuff, right? Like, as we all know, it's like in theory that's brain practice, you know, or what is it, "in practice that works in theory, and in theory that's only working in practice" kind of stuff. And so we want to just, like, literally go to them and work with them and understand: what does this look like? What are we going to do? How does this work? And then, obviously, at the end, then we can start asking for more and saying to the OpenSSF: you know, if we had these resources, this is what we could do with them, because today anything I sent to you would be made of crap for sure. And so this one's kind of exciting, and it's slow going, but we're putting it together and we've been talking about it, and I feel like this is the plan that's going to drive us forward.

And then, kind of building on that, there's a use cases for security document that Kate Stewart started quite some time ago, and we've been working on it. Ignore the top of this; if you look at it, you kind of got to go down to where the use cases start, and I would say "producer of software" is where it actually starts getting good. And this is where we're just trying to write down some of, like, what does it mean to generate SBOMs? What is the value, like? Who is the consumer of it? What does it benefit to me? Because, I mean, one of the challenges we have is if an open source project says, why should I do this? We don't have a strong answer for them today, and some projects we may never have a strong answer for, and that's just something we're going to have to accept.

And then the last piece is we want an SBOM landscape. I'm sure you're all familiar with the CNCF landscape, which is massive and awesome and amazing, and we want to do something similar for SBOMs. There is an SPDX landscape that exists today, and Kate has given me permission to mangle it into an overall SBOM landscape. It's just we need time to do it, and it's stalled because I haven't had time, Kate hasn't had any time either, but it's on the list and it's still, I think, going to be the best thing, because everyone loves a landscape, because you can point and click and it's awesome and I love them. But anyway, that's kind of my update. You all have any questions, comments, concerns?

E
Yeah, Josh, I apologize in advance, because this is a question about the fuzzing SIG. At first I thought that the SIG was fuzzing to uncover issues and then letting people know about those issues. But upon further reading it looks like they're providing tooling for people to understand their fuzzing coverage and increase their fuzzing coverage. Is that latter understanding correct?

F
I just posted in chat, but Mikhail from Eclipse is pushing out SBOMs across all of Eclipse, so he would be a great place of knowledge, because they're doing it kind of on their own. Like, we're not super involved in the specifics there, but I know I've been getting some updates, so they've definitely had it rolling on some projects, so feel free to, you know, ping.

G
I was going to say the same thing about Eclipse, and just remind Josh and everyone else that there are some groups doing this to lean on and learn from. My favorite: Eclipse is doing it; you've got Istio listed here, but not Kubernetes, which has been generating SBOMs for a while. There's a couple other projects that do that, and a couple other foundations that have been investing in doing it as well.

As far as the SBOM use cases and SBOM landscape, there were, I'd say in the past three years, multiple efforts. Kate's is an admirable one. There have been several others that are also published around different taxonomies or approaches to mapping the landscape, that if there is a dedicated group that's going to try to pick this work back up, you might start by collecting three or four different past incomplete surveys and building from that, collections that are just one. If.

G
You on that, thank you. On the SBOM use cases, check out the work that the CISA SBOM working groups have produced, as they have a number of these studies published around these cases, and yeah, again, prior work to leverage, so you don't have to start from scratch. Yeah, for sure.

B
My question, Josh, was: do you have anyone participating in the CISA groups? I got roped in because of VEX, and there are some interesting opinions.

D
Have... there's various overlaps? There's not like an official collaboration, I mean partially because this is weird about that, they're the government, so they have to be careful, but I mean a bunch of this is the folks show up to our meetings, we have a bunch of people in their meetings, so there's contamination, maybe, might be the best word for it.

I'm comfortable with contamination, but yeah, I think one of the things I always say, Chris, is the intention of SBOM Everywhere is to do nothing, and what I mean by that is I don't want us to be, like, the group that says, oh, we have to do the work and all the documents have to live with us. But this is where I view the landscaping of value is.

J
Yeah, just one thing on the SBOMs. I mean, we can talk, a lot of this is like talk around the templates and what should be in them, and that's all a sponsor, a template, but the implementation is still very hard. I always have to remind people that when I did the security slam last year, one CNCF project had an SBOM. There's more now, but I think really keeping the focus, and it is hygienic to me, if we consider scanning and really making sure that there's a reference for projects in an ecosystem.

K
Anything? No problem here, it's all needing... all right. Do you all see this slide?

Yes, awesome. Okay, so I've got a fair amount of material to cover. I'm gonna try and keep it in 10 minutes. I noticed that there's a busy agenda today, so there's a bunch of kind of reference material that are left inside of this slide. I'm not proposing to go all the way through it, but, you know, links to click on and things to follow there, if you're interested in following up. It's a pleasure: the Supply Chain Integrity working group, its subgroups, the SCI positioning, I'll talk a little bit about that.

As we come to talk more about SLSA. Obviously we have SLSA and S2C2F and FRSCA as the major parts of SCI today. In terms of the headlines for this update, one of the substantive things we've been working on for the last several months has been this shared vision doc, and, you know, trying to figure out... I don't think that that's a necessary part, I don't think that's like a necessary formal part of the process, but I think that there's many in the group, me included, who would love to have the TAC review that and go "yeah, that looks good" or provide comments on it, but give it some kind of signal as to whether, you know, there's general feeling that we're on the right track.

So there's the working group charter. S2C2F, I know Jay is here on the call, he can add more detail as he has it, and, you know, we have the 1.0 of the specification.

SLSA 1.0 launched a couple of months ago, three months ago now, in April, and right about the same time we had the announcement from npm and GitHub that they were adopting SLSA and Sigstore for provenance in the npm ecosystem, which is super encouraging, the largest language package ecosystem out there, and we would love to see adoption from other package ecosystems. And, you know, this is not going to happen overnight.

1.0 signifies stability, not completeness. We're certainly not done with the specification; there's more concerns we want to add, and we want to increase also scope over time. But it's also one of those areas, at least a stable specification that people can build against. I'm going to call out briefly GUAC; as many of you know, GUAC applied to join the OpenSSF, and, in our hopes, to join the SCI working group. I think it'll be a great fit, and we discussed that at our most recent meeting.

No objections in the group. I sent out a formal call for comments on the mailing list to see if there's any more opinions or objections out there, but, absent objections, I would love to welcome GUAC into the working group. And then FRSCA we'll talk a little bit more about later, but the TL;DR there is that, you know, it's pretty much stalling. I think its most viable future is coalescence with, I think, the Sterling Toolchain or Sterling Toolbelt, whatever that thing is called now, but I think that there's sufficient overlap in the set of concerns and the thinking there that I think perhaps merging these two efforts gives FRSCA a viable future. In terms of the mission itself, I think, you know, again, the right-hand side of the slide is where to direct your attention.

This statement here, "scalable, standardized, attestable practices for supply chain security", I think is, you know, how we think about the SCI working group's mission. SLSA is one of these frameworks: it's scalable, it's standardized, it's attestable, and it's a set of practices. It's a pledge and security... S2C2F, similarly, we don't have an attestation format yet, but the direction is very much on mission. And then in terms of the vision here, we're looking for, you know, a pragmatic supply chain security framework covering key functional areas. So if you think of SLSA today, you know, the 1.0 covers build and provenance. There's other areas of concern that we can expand SLSA to, or expand other frameworks in the SCI working group to cover. We would like to get these security practices evaluable by downstream automation.

Adoption upstream, and so yes, it's about, SLSA is a set of practices at the end of the day, but a key part of SLSA is a standard attestation format which can be trusted by downstream actors when they're looking to actuate policy downstream. And then obviously, you know, we'd love to drive ubiquity of this framework in open source, and my feeling is that driving ubiquity in open source makes, you know, this framework an inevitability for almost everywhere else in the software industry, including enterprise. And I think enterprise adoption of the framework will be demand driven and through necessity of working with the open source ecosystem.

In picture form, you know, we've been thinking a little bit about this idea of the supply chain control plane, you know, this metadata and attestation fabric spanning the SDLC, and so you'll see here this kind of schematic, this concept diagram of, you know, an SDLC from left to right. You've got upstream supply entering your operational domain. You've got some policy, and I think a key part here is that, you know, we see policy as, you know, evaluated and actuated at every step of the SDLC.

There's a lot of focus today on admission time, obviously, admission control policy towards the right-hand side of this diagram. I think that, you know, we have a broader conceptualization of policy, where actually you want to implement policy when you first establish a dependency from upstream, and you want to establish policy when you're doing a build. Does this, you know, the materials, meet the right set of checks when it comes to source management practices and so on? And then, you know, the ability for each step in the SDLC to publish, you know, into this supply chain control plane metadata and attestations to enable downstream evaluation. And what this looks like, as an example here, is that, you know, if a build produces signed SLSA provenance, that provenance can then be verified and evaluated at admission control time here.

And similarly, if, you know, there's parts of your upstream which produce SLSA provenance, you can verify and evaluate this further left here, when you establish those dependencies. And I think that there's connections that we want to make and allow this control plane to be a source of canonical metadata about upstream practices, upstream artifacts, and, you know, is evaluable by policy left to right through the SDLC. And this is an emerging kind of set of thinking and concepts, but it gives you a sense of how these things fit together and where the groups go, directionally. I'm going to pause here. I'm about eight minutes in, and I've got slides per work stream, but I wonder if there's any areas that we can focus on, or whether I should just take questions and I'll have offline review of the rest of the deck.

K
Of the charter document, provided some comments in that, and that was awesome. It would just be, I'm renewing and reacting my desire and request for the TAC to take a look at this thing, give any comments. We would like to have confidence that we're moving in the right direction as a working group, and I think internally we have that confidence. We look at this as external validation, really, and so, I mean, anything the TAC can do along those lines would be great.

I think, you know, again, maybe not a topic for right now, but in general it would be great to have some work between FRSCA and Sterling Toolchain looking at what is the possible synergy with those two groups. Is there an opportunity to merge the two sets of concerns? You got it, Chris? You've got the action there, and investigate more in terms of, and, you know, is there work that we can leverage forward from FRSCA into the Sterling Toolchain effort? My suspicion is that there is, but I would love to have that look more closely at that as well.

And then this third one, super technical, and we had some of these questions arrive when we added S2C2F to the working group: that there was a general lack of consensus on exactly what the process is for adding anything to a working group, and what that thing is called when it's added. Is it a SIG? Is it a project? Is it, or whatever, and how the process varies per the nature of the things being added. We're gonna feel our way through with GUAC again, and I don't think that we're going to get terribly stuck, but I would point to, generally, I've not been able to find any clearly documented process for what this looks like: anything comes to OpenSSF, has a desire to land in a working group, what does that look like end to end? We're feeling our way through; we'll get there. The wheels aren't falling off by any means, but if there were TAC cycles to look at documenting that process and getting agreement on it, that would be kind of awesome. That.

K
Guidance, in terms of, like, in terms of landing in the SCI working group specifically, versus any other working group? I mean, like, I think what you've described, yes, in terms of how something gets added to OpenSSF. But how does it land in a specific working group? Is there guidance there?

B
And that is some of the work that Zach is helping work, specific to SIGs, and I know that Omkar, as he and the staff go through and do a foundation audit, they're looking to identify gaps like this, where we need a little bit more guidance for folks, yeah.

K
And again, like, I'm not pointing to anything that's on fire or the wheels are falling off. We're going to get this done, with, you know, I think for people who follow in our footsteps, more documentation would be super helpful, and maybe we can produce it as part of this process. Who knows.

C
David, yeah, just real quick. As far as, you know, staff process mentioned, fundamentally it's intellectual rights kinds of things. We don't require copyright assignments, but we need to make sure the licenses are okay, and, you know, if there's any domain names or trademarks or patents involved, then there needs to be additional discussions. As far as accepting into the working groups, at least historically, it's been basically within the working group: they vote.

B
It depends on what your community accepts; each working group's a little different.

K
Will go back and double check our governance and see exactly what's going on, but I appreciate.

K
You review offline the stuff that I talked about here, hit me up in Slack or come to the working group, really glad to have engagements.

B
So, and mention to the FRSCA folks that the toolbelt meets weekly, in 30 minutes from now. We would love to.

B
You all right, if you have additional questions or comments for the SCI group, if we can get a link to that presentation, Isaac, that'd be groovy, so we can review that. Please route them to Isaac or show up to a supply chain call. Sounds like some exciting progress in both there and the tooling group. Thank you both groups for sharing today. Absolutely.

K
And if I send you a link to that, can you distribute or pop in the notes or something? Yes, please, I can do that. You got it, perfect. Thank you.

B
Let us move on to TAC issue 175. Nigel is back to talk about the proposed AI/ML working group. We had some conversation back and forth in the issue, and they have gotten us a new document to talk about some of the nuanced differences between their proposal and existing art. So, Nigel, why don't you take away; we'll give you up to 15 minutes to have this conversation.

L
Yeah, sure. I think you said most of it there, actually. We have this proposed... hopefully you can see my screen now. We have this proposed AI/ML working group and it's very popular, they're.

L
Yeah, no, it's not, it's not growing, so yeah! So we have regular meetings, weekly meetings, there's an average of 12 people. We've got a mission statement that's been posted, and we brought this to the TAC two weeks ago for approval, and the objection to it was that there was potential for gaps and overlaps with other groups.

So we went away, and several of the members wrote a gap document here, a gap analysis document. I've linked this in the meeting notes, and yeah, and the main things that were mentioned were the Linux Foundation. There's a Linux Foundation AI/ML working group; there's OWASP as well.

These are, this is less relevant, but a cell purpose in, well, she says, is less relevant, and we've got some research groups which, again, they're not really focused on open source. So the other, the analysis is here, I mean there's certainly some of that. But the group, we spent a little long time discussing this in meetings, and we just feel that we're different enough. We've discussed being SIGs.

We've discussed being working groups, we've discussed just going to the LF AI group there, but internally with the group, we think we're different enough. So the proposal this week is, in the light of this document, does the TAC want to (a) give us the approval to carry on, or (b) give us another direction they'd like to take and see it's?

B
So, Ava, you're first, but other folks, if you have questions or comments, please get in queue either.

G
Nigel, would you pull up that first slide you showed again?

L
The first slide: it's, yeah, there's only one slide, there's basically.

G
This, whether, whatever the opening, the first thing you showed, that's this one. Yes, thank you. I'd like to point out that the TAC process does require vendor diversity. This is specifically in regards to companies that are committing to support work. Mere attendance at a meeting does not equate vendor support. Microsoft is not supporting this, so please remove our name from that list.

L
Oh, okay, that was just a list of the people who, yeah, I mean, yes.

G
That's also a fair comment, Michael. I can't speak for any of the other vendors here, but I think it is a general thing that it is misrepresenting the attendance of meetings to assert that all these vendors are interested in supporting the work.

J
Yeah, so on the other document, there's still gaps that we could discuss. There's, like, LLMs that I haven't covered. There's, I mean, the SBOM stuff, there's a lot of work on that we haven't covered. There's a lot of good work out there. I keep coming back to the reason: I don't care where this lives and I don't care what it's called. I don't care, don't care.

We really, really are lacking very specifically clear communication that is agnostic to product on AI security posture, and that is definitionally what OpenSSF, to me as its end user, does.

That's why I'm still arguing for this position. Again, if this ends up a security thing instead of LF AI? Don't care, I don't care, but getting this group of people together and understanding that that's the scope that I think that this is moving on, I think is important, because it's a technical scope. That's it.

H
So if I misspoke, speak up. I mean, I, you know, I in part provoked this, I suppose, because I raised the issue earlier of the positioning, and so I appreciate the effort that was put into putting in writing a little bit how this gets positioned. I think it would be good to, you know, see at a high level... You know, my reading of this was kind of, I put that in a GitHub comment earlier, you know, I see this as being essentially, at a high level, this is meant to be primarily focusing on developers, as opposed to users, which maybe is more of the focus of the LF AI security committee, for instance, and I think that's a valid differentiator. That's really what it is. I think this, you know, I hope the group doesn't see this as just, you know, mere administrative annoyance from the TAC, because I do think this exercise is useful. And IBM, you know, I have to follow up on what was being said earlier.

I also don't know that IBM really supports this at this point, but of course we did participate to a certain extent. We could, because we also want to know what this is going to be about. We are involved in other efforts and we want to know, is it worth our resources, right? There's only so many resources we can throw at all these initiatives, and, you know, one point that was made by Nigel on the GitHub was, you know, let's do this; if it's competing with anybody else's, ultimately working in the same space, we're just wasting everybody's time. So I think we have to be careful and, again, make sure that we have a focus area which is understood by us, but also we can communicate to others, so that people say, hey, OpenSSF is looking into this problem, what are they focusing on? It should be very clear to them: oh yeah, they are doing this because it's different from what's going on elsewhere. Thank you.

B
We have David and then Brian.

I
Yeah, I just wanted to reiterate exactly what Arnaud said, and to sort of encourage Sal and Nigel that that's exactly what we discussed at the meeting, which was the differentiation between developers and users. I think that's the key message that would be much more effective for you to communicate to the TAC and everyone else. That's the message. Not "we need this somewhere", and not "we don't care what the name is", not that; we have users versus developers.

M
Focusing less on the merits and more on the process. One of the things that this process has smoke tested out is the SIG, I'm sorry, the working group proposal process. We're pretty clear what happens after something's voted in as an incubating working group, but not on this pre-incubation phase. What kind of support can it expect from LF staff and from the OpenSSF staff and infrastructure? But part of it as well, sounds like an emerging requirement for kind of an explicit vote by this, you know, still pre-incubation working group of either individuals willing to attach their name to a proposal, or vendors, you know, say, you know, does Microsoft support this or not. And so I just want to flag that as part of, I don't know if it's Zach's work related to SIGs or the audit work, but somewhere we might need to improve the workflow document and the process documentation to articulate exactly what the expectations are at the start, you know, before something can enter incubation. Because I feel like Nigel's done a brilliant job kind of navigating things, as amorphous as they are, but I hear a plea for some clear process on this.

B
Yeah, and thank you for highlighting that. I'm sorry that it is not as smooth and frictionless an experience as we would desire. So that's feedback we'll take back. So we have Sal with comments and then Ava.

J
Yeah, my last comment: I mean, we are kind of, it's a vendor block, it's not an individual block that we're at right now, but the problem is this is open source and the vendor block means that, like, it's a one-to-one, the vendor is represented by an expert. There are certain experts that I cannot get in the room until this is legitimized, and if it's not legitimized, we have to go.
G
Just
a
minor
comment
on
the
on
the
process:
discussion,
I,
I,
love
the
feedback
here
and
I
hope
that
everyone's
able
to
learn
from
and
capture
some
of
this
in
our
process,
docs
I
know
we
have
multiple
efforts
to
improve
them
underway.
Right
now,
in
the
past,
when
I've
seen
working
groups
reach
the
sort
of
a
critical
mass,
it
was
pretty
clear
that
there
was
a
commitment
from
a
number
of
people
to
sponsor
the
working
group.
G
I
think
seeing
no
hands
go
up
in
the
last
meeting
or
this
one
from
the
TAC
to
sponsor
it
and
and
the
general
hesitation
to
to
to
commit
to
starting
this.
After
some
really
excellent
work
has
been
done
to
explore
the
space
to
write
up
these
sort
of
comparisons.
That
might
be
a
useful
signal.
G
It
does
stand
in
contrast
to
previous
working
group
formations
that
immediately
had
reached
that
critical,
mass
and
signaled
to
the
attack
to
move
forward,
but
we
don't
have
a
process
to
say
no,
we
don't
like
I'm,
not
saying
no
right
now,
I'm
just
pointing
out
that
we've
never
had
to
have
that
discussion
of
how
do
we?
How
do
we
Define
that
process
before.
B
Yeah
yeah,
thank
you
for
that
feedback
and
comment.
Ava
I
will
say
personally
irregardless
of
what
my
feelings
may
or
may
not
be
about
the
effort.
I
donate
10
to
20
plus
hours
a
week
to
the
foundation.
I
cannot
take
on
something
else.
So
I
would
ask
my
other
friends
in
the
tack
if
they
are
interested
and
able
to
consider
working
with
this
group
of
individuals.
E
E
Yeah
and
we've
been
talking
a
lot
about
process
and
then
reviewing
the
process.
It
looks
like
there's,
there's
sort
of
two
votes
that
take
place.
One
is
for
a.
We
don't
really
have
a
word
for
it,
but
but
proposed
or
forming
working
group
to
become
incubating,
which
includes
a
tech
sponsor
and
a
tech
vote,
and
then
once
incubating
for
the
working
group
to
become
active,
there's
another
Attack
Mode
and
that's
that
is
the
process
as
I
understand
it.
Today,.
B
Thank
you
Michael
and
then
Jay
just.
F
A
question
on
on
process
the
the
tax
sponsored
is
that
a
ongoing
commitment
to
doing
anything
in
particular
because
there's
no
tax
sponsor
for
identifying
security
threats,
or
is
it
just
a
kick
off
and
like
make
sure
that
the
working
group
doesn't
completely
go
sideways?.
G
B
Okay,
so
as
a
for
example,
the
end
user
working
group
cornered
me
and
made
me
commit
to
be
their
big
brother
and
help
them
out.
So
I
helped
coach
them
through
things,
so
we
would
and
I
participate
there.
So
that's
the
intention
is
we
have
somebody
from
the
TAC
that
is
active
in
that
community
on
some
level.
B
O
So
I,
you
know
listening
to
this
and
being
heavily
involved
like
I,
am
with
it.
Of
course.
My
Views
here
are
a
very
individual
in
nature,
I'm
interested
in
the
topic
area
and
I'm
involved
with
the
group.
O
You
know
understanding
what
this
groups
first
of
all
the
open
ssfs
mission,
how
this
group
supports
that
mission,
that's
first
and
I
and
I,
and
every
time
we
get
into
these
meetings,
we
discuss
this
Sal
put
together
this
list.
We
formatted
it
so
that
we
could
better
understand
what
other
groups
are
doing,
how
we
differ
from
them
and
then
our
partnership
opportunities.
What
I
guess
what
what
we
would
like
to
know
from
that
point?
O
You
know
whether
or
not
the
work
should
be
done.
We
could
debate
that
all
day,
but
if
the
work
can
be
done,
are
we
headed
in
the
right
direction
towards
supporting
the
openness
success
Mission
and
this
work
in
general
across
the
supply
chain
across
supply
chain
across
open
source
security
supply
chain
security?
Are
we
headed
in
the
right
direction,
so
we
can
continue
to
focus
our
efforts.
O
We
don't
need
to
be,
and
I'm
and
I'm
going
to
say
this
now
and
I
said
this
in
the
working
group
mean,
and
a
few
of
us
have
said
the
same
thing
we
can
do
the
work
you
don't
have
to
be.
We
could
be
a
commit,
a
committee
level,
doing
the
work
and
then
showing
something
later
on
and
proving
our
work
right.
We
can
have
a
proof
of
concept.
O
B
I
need
to
table
this
excellent
conversation.
Zach
is
committed
to
go
to
a
future
call
to
kind
of
get
a
feel
for
things
and
he'll
share
his
feedback,
both
in
the
issue
and
with
the
tack,
and
we
will
hopefully
have
enough
information
for
our
next
call
to
be
able
to
make
a
decision.
Does
that
sound,
fair
folks.
L
B
All
right
so
Nigel
we
will
get
back
with
you
and
you'll
see
Zach
at
a
future.
Call
and
I
would
encourage
anybody
else
to
from
the
tech
to
participate
and
kind
of
help
provide
their
feedback
on
the
merits.
Moving
forward
and
I
I
do
I
think
this
is
something
that
deserves.
She
deserves
our
time
to
help
evaluate
and
provide
good
feedback
too.
B
N
Can
limit
me
to
one
minute?
Basically,
this
is
an
informational
item.
The
end
users
working
group
has
adopted
and
is
continuing
to
iterate
on
a
consumer's
Manifesto,
something
that
folks
can
sign
up
to
say.
We
believe
in
these
principles
and
we
believe
in
these
actions
from
a
mostly
consumption
point
of
view,
we
don't
need
any
action
from
the
tech
other
than
to
inform
you.
We
may
further
down
the
line,
ask
or
inform
you
that
we're
heading
towards
a
blog
post
through
to
talk
about
it,
but
that's
it!
N
That's
all
I
got
the
link
is
in
the
issue.
If
you're
curious,
let
us
know
what
you
think:
that's
it.
B
Any
questions
or
comments
for
Jacques
or
the
end
users.
B
Thanks
all
and
I
will
yield
the
floor
to
Ava
who
had
a
topic
they
wanted
to
talk
about
today.
G
Thank
you
sirab
everybody,
a
little
announcement
to
make
this
is
my
last
week
at
Microsoft
and
so
I'm
going
to
be
taking
a
break
for
a
little
while
you
will
still
see
me
around
security
and
open
source
once
I'm
back
and
so
in
the
interim
I'm
going
to
hand
my
tax
seat
to
Jay,
to
step
in
I.
Think
you
all
know.
G
B
Excellent
well
Ava
I
want
to
say
personally
and
professionally.
Thank
you
for
your
partnership.
It's
been
a
great
couple
years,
collaborating
with
you.
G
And
to
Brian's
comment
here
there
is,
there
is
no
process.
This
is
not
defined
in
our
Charters,
so
I
guess
if
there
is
a,
if
there's
any
objection
from
the
attack,
I'm,
not
sure
what
to
do,
there's
no
process
for
that
either.
Perhaps
the
board
can
discuss
this
in
the
next
board
meeting,
but
rather
than
deprive
the
attack
of
a
seat,
I
would
like
Jay
to
step
in,
in
my
spot.
M
Let's
discuss
and
consider
what
their
options
are:
fair
enough
and
congrats
yeah.
G
I
mean
I,
guess
I
could
just
say
I'm
taking
a
vacation
and
leave
the
seat
empty
for
a
while.
But
that
seems
rude
to
the
all
of
my
peers
and
attack
to
deprive
you
of
of
any
engagement
in
this
role.
So.
B
Yeah
we
will
chat
with
Brian
and
omkar,
and
you
and
Jay,
and
see
what
we
need
to
do
for
the
bylaws
and
what?
If
there's
any?
If
this
is
okay
or
it
is
not.
G
F
I
had
one
just
from
the
I
post,
something
to
the
TAC
mailing
list,
and
you
got
back
so
I
figured
since
we
have
a
few
minutes
on
the
AO
side.
We
would
like
to
have
substantive
discussions
over
Direction
and
thoughts
and
where
we
should
focus-
and
you
know
not
a
status
update
but
more
of
a
you
know.
What
is
what
is
taxi
like?
F
What
are
you
guys,
thinking
like
for
reals
and
we'd
like
this
to
be
someone
regular,
so
10
minutes
not
enough
time
if
an
hour
can't
do
I'll,
take
30
minutes,
but
I
think
you
know
having
this
kind
of
deeper
engagement
and
building
a
little
bit
more
connective
tissue
between
Tac
and
AO
is
good.
F
I
would
posit
that
that
would
also
be
valuable
for
any
of
the
other
Associated
projects,
so
I'm
putting
it
out
there
I'm
on
vacation
for
a
couple
of
weeks,
but
certainly
in
August
and
into
September
I.
Think
as
folks
are
not
on
vacation
as
much
timing
should
work
so
and.
B
B
The
audit
complete
will
have
his
prioritization
PR
finalized
by
the
end
of
this
month,
so
hopefully
we'll
have
a
little
bit
firmer
Direction
on
where
we
will
be
heading
and
I
think
after
that
would
be
a
good
time
to
start
this
more
engaged,
dialogue
and
I
agree
that
this
is
probably
something
we
need
to
implement
for
efforts
of
certain
stature
to
make
sure
that
we
are
directionally
aligned
and
focusing
in
on
the
right
things
periodically.
So.
J
Yeah,
it's
a
note
on
AO
because
you
all
might
be
going
on
vacation,
but
you
know
who's,
not
the
AO
interns
for
the
summer
yeah
they're
around
and
if
you
haven't
been
interacting
with
them,
go,
do
it!
It's
like
the
most
wholesome
thing
in
openssf
right
now,
there's
like
video
office
hours,
you
can
go
and
they
just
want
to
like
learn
about
Security
in,
like
the
broadest
sense,
just
go
and
have
some
fun
and
teach
them
something.
Maybe
they
might
teach
you
something
they're
very
good.
F
They
are
very
good,
I'm,
yeah
and
also
I
mean
we
do
have
like
regular
meetings
and
things.
So
you
know
show
up
chat
if
you
want
to
learn
more
or
just
you
know
whatever
like
come
chat
with
us,
find
us
on
Slack
wherever
just
engage.