From YouTube: OpenSSF TAC Meeting (October 19, 2021)
A
D
D
A
Okay, well, I think we've got quite a few folks now, most of the actual TAC reps are here, so, and I see Brian is here as well. So let's go ahead and get started. So two agenda items today. So Brian, I'm not even gonna attempt your last name this early in the morning and butcher it, so I'll let you introduce yourself. For those that don't know, Brian has, you know, recently come on as our, is the title executive director? Is that the correct?
E
A
Well, with that, why don't you go ahead and introduce yourself, and then Brian is going to discuss the upcoming governing board in-person meeting that's happening on November 5th, when all these new fun changes are going to start happening for us. So great, and I think I've met
E
Everyone here, although possibly not. I'm Brian Behlendorf, you can say Bellandorf, I, I'm fine with that, lena selena's, that's that kind of thing. And I've been with the Linux Foundation for five years today, leading something called Hyperledger, along with something else called the Linux Foundation Public Health. And I, when Jim Zemlin said, there's this new thing forming here that, you know, we're pulling together some new resources around it, I said, great, how can I help? And so that's why
E
I'm here. All right, and we, thanks to the hard work of many of you out there, I've pulled together an amazing set of sponsoring members now for OpenSSF, which I will change a little bit kind of how we operate and and and take advantage of a bunch of new financial resources that have come in, about 4.4 million in membership revenues, which we'll be able to spend on a core budget to go out and and support
E
Many of the projects that have been started to date, as well as things that we haven't had budgets before, like marketing and having a presence at events and and and those sorts of things. And in addition to that, we've also, thanks to Google and Microsoft, raised five million specifically around Alpha-Omega, and we'll continue raising some more for that. And, as many of you have been involved in that process, that that is starting to come together around a picture of how we appropriately resource the project and direct those those funds to have an impact as anticipated in that paper. I'm committed absolutely, as you've
E
Perhaps, hopefully, all heard me said, to everything that this project does from a technical basis being vetted publicly. I don't believe in a whole lot of private meetings. I don't believe in kind of heroes, you know, with with the one right idea that, you know, there's, I'm I'm not the chief architect, I'm not the CTO.
E
In fact, we at the Linux Foundation here are really just here to channel, to to think of it as air traffic control, but even that sounds terribly top-down compared to what I hope really is is the the expertise of all of you on the TAC coming in to bear on on everything that we do. So I want to make sure we're also spending the money that we've raised as efficiently and impactfully as possible. And so what we're doing, so, let me just play the next few months for folks. So the Linux Foundation runs on kind of yearly budget cycles, and we seek from our governing board approval of a budget every, in our, typically in the December meeting for the following year, based only on the money
E
That's been raised to date, so that 4.4 million, and this is separate from Alpha-Omega, but but that's where we will be getting approval from the governing board, is in a meeting that happens on December 5th. But the next governing board meeting is actually on November 4th, and in that meeting, I'd like to preview the a draft of a budget for this new governing board that is stepping
F
E
And also, by the way, the existing governing board will be at that that that meeting in November, and that'll be an opportunity to really help share with the new governing board: here's what we've accomplished as a community today, here's what our objectives are, here's what we think success looks like over the next year. Sorry if that terribly sounds like consultancy kind of speak, but really this new governing board,
E
They were the one, the ones who prove a budget and, in effect, kind of approve kind of the broad brushes, the priorities that, you know, Jory, David and myself will go through as we as we spend through 2022.
E
So what I'd like to seek from all of you is guidance on that budget request, and I'm not saying specifically like 100 grand for this, 500 grand for that. I'm I'm saying both at a TAC level and then working group by working group level, because we'll go to those, I'd really love a sense from from that that we can share during the governing board call of what's the most important things going on today, what what really can we accomplish in 2022, and then just some way of communicating
E
What would be the kind of resources desired to be able to tackle that in 2022. And it could be funding on specific projects. It could simply be, we'll just make sure Alpha-Omega works well, and then, you know, we'll be successful. It could be, you know, specifically writing some code. It could be a number of things, but we'd like to harness that together.
E
You know, that and and put it into a deck for the November fifth meeting, which means we kind of have this week and next to get that picture together. We'll, we will be going to each of the working groups, showing up.
E
I know Jory was on the vulnerability working group call yesterday and shared this, and we'll, you know, rely on us to kind of do the final assemblage into into a deck and to try to organize it and make sense, but before then we're going to seek for that from each of the working groups.
E
We'd like to also understand if the TAC itself separately has a desire to have either, you know, some sort of, I don't say budget, but some some activities of its own, or if really focusing the activities on the working groups and trying to to just make sure those are as effective as possible is the is the right thing to do. So I come with a little bit with kind of an open picture, a brain dump, and hope that that can generate some conversation.
E
A
Thank you, Brian. That was awesome. So a couple questions. So yeah, traditionally the way that we've been kind of running this is that it's very working-group focused, and so a lot of the, I think the aspect that what you just said, where we would kind of delegate to the working groups. But I definitely hear what you're saying, like, is there a need on the TAC side that we want to drive something, so from the overarching kind of technical vision that we put together?
A
E
For one thing, I think it's wise to to, in the budget that we seek to get approval for in December, keep a little bit in reserve for opportunities that emerge in 2022, right? And so, and that would be based on the TAC maybe approving a proposal for a new working group or something like that, right?
E
So you could consider that a little bit of dry powder kept on behalf of the TAC to be able to say, that's an interesting effort, and we know it's going to take some resources to do well, so so we can take that on and spend into that budget. So, you know, as a hand wave, 50 or 100k, or something like that, you know, is is one thing that we could we could put on the table. Just brainstorming here. It feels about right.
E
The second would be, and I know it's always awkward to ask parents which of their children do they like the most, which are the ones that they want to actually send off to college and which are the others to bricklayer school or something like that.
E
I don't even know if there is a breakthrough, but you know what I'm talking about. But like, if there's some way of conferring, yes, this is something that we, as the TAC, feel should be doubled down on in 2022, perhaps even beyond what the working group asked for or in addition to that, would be helpful as well. I don't have to get the ask for the opposite of that, which is, no, that's, that's something that should stay volunteer-driven or stay,
E
You know, self-sufficient. By the way, I don't mean volunteer-driven as opposed to to funded. We will definitely need volunteers at every level continuing on this. In fact, that's one of my big fears about this process a little bit, is if we say, oh, there's money to spend, we'll we'll kind of shut down some of the volunteer energy.
E
So we, I just want to put that on the table and say, let's, let's make sure we don't do anything to inadvertently cause folks to feel like they don't have to volunteer or there's no role for volunteerism and what we do. But rewinding back, at the TAC level, just wondering if there's a desire for, say, a reserve to spend opportunistically when things pop up, or it's some sort of expression of where they think we should be putting more resources from the, from what the working groups ask for.
A
Yeah, I'd be curious to hear from other TAC reps if they have opinions on this. I know certainly there are some new things coming in that we've discussed around supply chain security and new working groups. But again, I think we would sort of spin those up as working groups and fund them as working groups, not necessarily TAC resources. But does anybody else have, like, thoughts around TAC-specific things that that we might need budget for?
G
E
So so travel budgets and travel stipends for, especially for folks who don't otherwise have those kinds of resources.
E
It's something lots of Linux Foundation projects do, something that, if you felt was was, I mean, yeah, that's exactly the kind of thing that that I I I would look to to you all to come up with. So travel budget for speakers at events, and I will say we do anticipate asking for a budget for a presence at events where we'd be able to bring our volunteers and and some of our members, right, perhaps even have like an OpenSSF-branded booth at a place like Black Hat, just kind of throwing it out there.
E
Although the Black Hat's probably too soon to be able to do that, because it's February, right? February, March.
E
So yeah, might be able to do that kind of thing, but but regardless, travel budgets even to, like, unaffiliated events we don't even have a presence at, for folks from the community who might otherwise not otherwise be able to attend, would be really cool, and I think that would also help with representation, with diversity as well.
D
There may be projects that we would want to seed, and this is not something we need to necessarily do immediately, but I guess it's worth kind of thinking about, as we think about the the role and structure of different organizations within OpenSSF, including the role of the TAC. So we have the technical vision and technical wish list documents where we talked about some of the big picture, like, how do we actually secure the open source ecosystem?
D
What does this look like? And this is broader, but certainly some of this is composed of the kind of bottom-up working groups that we have that have started some of these initiatives. But I think, if you look at the the constellation of working groups, it doesn't cover yet the full space of the things we might want to do. So, given that there will be more resources now than we've certainly had before, we may wish to, as a TAC, and I I would,
D
I would obviously defer to your view on this, Brian, but we may wish to, as a TAC, prioritize a few things that are not currently covered by, like, extant working groups and perhaps to see those efforts if we can find either sufficient volunteers and/or wanted to fund specific, like, staff members or contractors to develop some of those things.
D
I'd have to go through the wish list and think about it, but I know that the the space of the things that we would ideally, kind of wave magic wand, want to do to secure open source, we probably haven't fully covered that space, I guess, is what I was saying.
A
D
Yeah, I guess all of these things have an origin, but yeah, good point.
D
The idea came from somewhere, so it might, it might come from the TAC given, I guess, like, I view the TAC as having a kind of overview role, right, that connects big picture kind of vision and and ideas and understanding of the search space to practical things on the ground. So I just view the TAC as kind of playing that mapping and prioritization function to some degree. But again, this is probably a pedantic thing to talk about, so.
E
One time, right, yeah, absolutely. One thing that we anticipate identifying funds for in the general fund is, you know, writing documents is hard. You know, you can take all the great ideas out of all of our heads and the sketches that we create, but turning that into content that's easy for audiences well beyond the self-selected folks you show up to consume is really a challenge. You guys have done an amazing job.
E
The the the presentations at last week's KubeCon, the the stuff I've been able to benefit from already done, has been really really good, but I also know there's probably more, I imagine there's more you'd like to be able to do that having a professional writer could help with, having some more graphic design work.
E
You know, those, like, I'd love to get a certain degree of polish on the stuff that we get out there so that it it gets to audiences we might not otherwise reach yet. And so I think, aside from other asks that we can talk about here, I'd like to just let you know, I anticipate having having some help on, call it marketing,
E
If you will. I mean, I'll, probably even be under a marketing budget, right, but but content development is is something I think is pretty important for for us to resource, and
H
D
That makes a ton of sense. I guess a natural question might be, what what kinds of content are you imagining, especially, like, in this first year of of this new wave of OpenSSF? Is there a specific, like, white paper or presentation or kind of base deck, or what specifically are you thinking would be the most useful things to do in this near term? Yes.
E
And presentation, like standard presentations that any of us, but but more importantly, like, hopefully an army of advocates, can go out and, like, present around, especially for internal presentation decks. I found that a lot of our members on Hyperledger, like, wanted to have great overview, but then also, like, specific example slides to make the internal case at their own companies for why their own companies need to invest in this stuff, and the more polished that looks, the more, the better
E
The the actual examples in that, like, the easier it was for them to make the internal case. So I I know it sounds silly to spend open source project money on slideware, but, like, I think it actually would help us grow the community.
E
I think every great open source community does also need, like, a white paper that more or less defines, like, the big picture, that of everything trying to come together, and and and there'll be lots of other stuff to hang off that, but that's something, and keeping that up to date as as new working groups emerge and and and things get better and better.
E
So so those two things are pretty clear. We will have, I'd like to at least make sure we have a good stream of content in a blog that helps keep an audience beyond those who can be on the working group calls or be on the mailing list even up to date on what's going on, and then that becomes leverageable through Twitter and LinkedIn and those kinds of things, right? And and beyond that, I mean, I, we've toyed with the idea of a podcast.
E
I know there's a ton of cybersecurity podcasts out there already. I I I raise that and say, maybe it's worth our while. It's expensive to do that, expensive both in money to have something polished as well as time to be able to lead that. But we've got an awful lot of voices in our community that might be a good way to elevate up, and it's it's again a way to reach out beyond the core group.
E
So I, that's that's just on my mind, is like things to to, you know, and rough priorities of of kind of content to create, but but also, I think we should, we should really listen to when somebody from the community says, you know, I'm I'm not a great writer, I'm not a great, you know, podcaster or whatever, but I've got some ideas. Like, we should be able to jump in and help elevate that voice in some way, so stay agile.
A
Yeah, I actually really like the idea of a podcast, that, a long time ago, at the, in the beginnings of this organization, there was discussions around having, like, panels of a TAC, you know, at various conferences and things, but a podcast would be a really great way to sort of amplify that and bring in other voices from the community that could discuss things and bring some relevance to OpenSSF and some of the things that we're working on, bring some visibility and stuff like that. Yeah, I think that's a really awesome idea. Okay.
D
We could even consider having, like, a one-day workshop that focuses specifically on, like, the wreaths, like, I guess we'd have to frame it appropriately to not have it be too generic, but we could, for example, do, like, I guess this is a little more academic-feeling, so not quite this, but like the Dagstuhl seminars in Germany, where they bring together, you know, a workshop of 30 people or whatever to focus on a very well-defined problem scope.
E
Yeah, let me, let's, let's talk a little bit about what the TAC feels like might be a good strategy for events for the organization, because I I I think, you know, just like with podcasts, there's an awful lot of security events out there, right, very different in tone, very different in audience, and I think we want to try to reach a lot of those, and I think it'd be worth looking at
E
How do we have a presence, whether it's like a branded booth or it's like a track with some of our speakers or even just a few sessions that we coordinate and really try to get our our community speakers at, but embed ourselves inside the existing set of of events, rather than doing our own KubeCon kind of thing? Now, I I think we could do developer get-togethers, you know, kind of hackathons or or or hack fest, not competitions.
E
I'm not a huge fan of the competition kind of thing, though if one of those popped up and asked for a support or something like that, maybe, but but kind of smaller focused events bringing together our core community or or some sort of, like, or supporting regional meetups in in some way, I mean, those those are interesting, but just kind of staying away for now, at least at least for this first year, from the idea of, like, you know, a major KubeCon-style event, just because those are so expensive and I think we're still still at the beginnings of what we're doing. But I don't have any more fleshed out than that.
E
I think we talked about what, like, a budget for that kind of thing, to have a presence at, you know, four or five major events over the course of the year, presuming we all do get back to, like, at least hybrid events. It's probably a budget in the in the 400,000 range, and that's to be able to sponsor some of these things, which you kind of need sometimes to get sessions in, but also to have somebody actively
E
Looking for opportunities for us to to to get speakers, you know, to write pitch pitches for for speakers from our community to go and give talks, you know, to run almost like a speaker bureau kind of service, uncompensated, but but wherever we can, we get travel, you know, paid for by the host and that kind of thing. Anyways, does that strategy sound about right, or does anyone have strong opinions on perhaps a different place that we should focus?
G
D
I think we can be really thoughtful as well about our audience. So CRob and I had done a talk at Black Hat USA in the summer, because we were really interested in drawing the attention of security researchers to OpenSSF to contribute to the various groups and stuff. We may wish to think about doing some more developer-oriented outreach that perhaps leverages some of what David has in his edX course to offer some of the secure development basics and things like that.
E
See CRob's comments about both working groups that he's a part of having open items to figure out how to get people to conferences to evangelize the work. Okay, yeah, absolutely, supporting advocacy and supporting travel budgets, you know, when necessary, but also content development and and just pitching, you know, I mean, there's so many events, I think having somebody on our on our side
E
Who can be, look, you know, keeping a calendar of upcoming security events, and with your help and maintaining that, and just understanding, here's our pool of people who want to speak about this stuff, here's somebody local to the event, you know, we can, you know, perhaps pitch this person to talk on this thing, you know, having a couple standard pitches. I think that would really help get our brand out there in a very cost-effective way, and
A
E
A
Yeah, I think the TAC is, is a great source for that too, right, to have us coordinate and know which ones are going on, and and then that way, CRob and his team doesn't always have to try to track every little thing. We'd be like, hey, there's a conference coming up and I think it's relevant for you guys, do you have somebody that wants to go, and whatever we're wanting to highlight at the time. Different working groups could have different influences, and the TAC could definitely help drive that.
C
E
And and a half-day workshop, you could even potentially charge for it as a way to make it self-sufficient, you know, especially if there's some form of certification or credit accreditation to it, which, you know, we have a training department at the LF. I know we've got the edX courses up. I think maybe that's that's something we could look at doing as well, as a way to make those, you know, so funding and do more of them, right?
E
Let me also ask one more in one different direction, which is, you know, having a great relationship with the research community is something I'd like to do. We could easily spend all of our budget in a day funding research projects, so I I I, at different
E
You know, university teams, and that kind of thing, and I don't think that that is necessarily so high leverage, but are there ways that we could apply a little bit of funding to help incentivize or recognize, even just, or reward or something, greater connections with researchers in the field, particularly at the university level, particularly as a way to help encourage people down a, you know, a career path in this domain, particularly as a, so as a a way to increase the diversity in the space.
E
D
We could do something kind of like what Google does with Summer of Code, where they offer sponsored studentships for summer to work on open source related things. We could potentially do, like, a sponsored research studentship or something to work on OpenSSF-related projects.
D
I imagine the success of that would depend a lot on having some well-defined deliverables and good mentorship, but one one thing I would add when we're thinking about research is, especially from a security perspective, the idea of academic research, academic security research, and traditional vulnerability research.
D
There is quite a chasm between those two things, and I think that, especially when we're thinking about zero days in open source, we might wanna also think very carefully about how we wish to engage with the traditional, like, vulnerability research community, because if we only think of research as academic research, we're probably going to not get a lot of bones found or build a lot of relationship there.
D
E
Yeah, and on the internship side, I know CNCF has run this, on Hyperledger we've run this, where we allocated 125k a year to to basically a set of summer projects that are five thousand dollars each, so not as compelling to to folks in the US, but lots and lots of applicants from India and China. One of the biggest kind of limiting factors on that is both projects and the mentors willing to oversee that work, right, willing to oversee the the the mentee, and and that's that's where I don't know yet what capacity we have in the community for that kind of thing, that, but we could certainly identify some some some money to get started on that next year and have a, start with a modest program, and, you know, if, if we sign up a few more members and and it turns out we have a bumper crop of of ideas for projects and willing mentors,
E
Then, you know, expanding that program on a dime isn't that hard to do, it's just you want to time it for the summer break if you can. So yeah, but it's, it was moderately successful. I wouldn't, it's hard for me to say, hey, we got an amazing amount of output for the 125, 150k we spent each year. There were individual stories that were really good and compelling. On net, it's it's, it really comes down to the quality of the projects and how motivated the mentors are.
E
So if that's there, then I do, I'll I'll put some in the budget for that, but that, if we'd want to do that, that's gonna take a lot of work.
E
I so obviously mentioned foundation grants and scholarships. Do you mean go and apply for grants from other foundations for our work and think about ways to to channel that into, to research projects?
H
No, so I do a substantial amount of work with (ISC)², the CISSP people, and I'm actually a judge for several scholarships they offer. So every year they offer a scholarship for undergraduate students, for graduate students, and then they, a couple years ago, added one for women in cyber security, and I see they've added a couple other categories for more diverse things.
H
So basically the OpenSSF theoretically could set aside some money and have a contest and, for, have applicants submit their project ideas or, you know, what the area of research they're going to study to further open source security, and we could have a panel of luminaries review that and try to find some research. Now, that's been very successful in kind of the (ISC)² world, and it might be something we can consider here.
E
Yeah, I'm particularly fond of the idea of looking at this as a way to to look at enhancing the diversity of our environment. There's Cisco recently, in fact, I'll drop a link here, said they'll they'll dedicate 150 million towards cybersecurity academic work in the HBCUs, historically Black colleges and universities. Tremendous gift, and and they should get some recognition for that, and I wonder if there's ways to support those kinds of efforts,
E
You know, and and and look for folks in that who might focus specifically on supply chain kinds of questions and and, you know, trusting trust kinds of kinds of research, or even just, you know, student projects, you know, student-led projects that are kind of, you know, very close to kind of the idea of intern, of the mentorship kind of work, but might be more, you know, during
E
Year or tied to their their their school assignments or something. We, at Hyperledger, we tried some direct outreach to folks like Howard University and others, and it was, and that might have been that the topic of blockchain technology was still either esoteric or very driven by the cryptocurrency kind of nuts. So it was sometimes, like, hard to find the message that wove through those kind of two too big kind of problems, and it could be that this would be much easier to to engage with folks like that.
F
E
I, maybe that's, maybe that's the right thing to kind of put some resources towards, is relationships with that or women in cyber security or or, you know, their other similar efforts, and and and outside of the United States and Europe too, supporting sporting initiatives. I'm really intent to see this project be a global effort.
A
So I think we've we've hit on some really interesting ideas here. I think yes, so my next question is, so what what should be the next steps here? Certainly we, the TAC, has a has a a task at hand very soon to come up with this list for the governing board, but all these other great ideas, like, how do we want to keep moving this momentum forward? Should we, well, I know the time or
E
Something, I know the time is pretty short, and and this is not to short-circuit other processes that I expect to happen over 2022 where it comes to saying, you know, how do we identify and reward promising ideas and other types of prioritization. This is not the only opportunity to express, you know, here's a place that could use some resources. I'm just trying to get in place for for the December approval and for 2022 rough parameters,
E
You know, big size, the breadbox kinds of things. And so I would say for this group, I mean, we've collected a lot of good ideas here. If something occurs to you over the next week or two, say by the end of next week, as something that you think should be should be highlighted or resourced beyond what you think we would otherwise hear about,
E
Let us know. We are going to take, just between David and Jory and myself, just our swig at what we think represents the best balance of interest across all this. Won't be able to cover everybody's wish list and probably not even most people's, you know, top three priorities or that kind of thing, but we'll do our best, and we'll, like I said, we're going to the individual working groups as well. I think the other,
E
The other thing that we could use would be a sense from from the TAC, and that could be from you individually to us, of what does success look like by the end of 2022, because one of the things we'll develop with the governing board is, what are we, what are our goals for 2022? What do we want to look back and say, as I've said, with the wind at our back, with enough resources, and with, you know, the White House saying this is an important thing,
E
What will we look back on and at the end of 2022 and go, yeah, we we appropriately took advantage of the opportunity, we didn't, we didn't whiff the ball on that, not and and not to say we're gonna solve all, you know, exploits or anything like that, but, like, what can we be proud of? And the sense from the TAC on that as a big picture thing, I think, would be really helpful.
E
As we as we as we work on this. So, and that, I mean, the sooner you can get that to us, the better. Individually to us, doesn't have to represent the collective vision of the TAC, but that, the sooner the better, because we have to kind of ship this deck, you know, if not end of next week, beginning of the week after. So that's going to be something, the earlier we can get that, the better. Okay, cool, yeah. That sounds great, but this has been extraordinarily helpful.
A
No, thank you for for coming and giving all the background and sharing your vision. I know a lot of us are very excited to have you on board and and have this more concrete direction. I'm very excited to see, you know, how OpenSSF is going to progress, you know, from here on out. So do folks have any other comments, concerns, questions before we move on to our next topic?
A
F
F
Of you are familiar with sigstore. If not, I could always field some questions afterwards. Most of you are experts already in supply chain security, so I don't need to tell you about the big scary stuff that, we had this Sonatype 650
F
That came out, it's very useful, coming out just before KubeCon. Okay, and sigstore, if we had to encapsulate what we do, okay, what's our kind of our vision or call to action, we've sort of borrowed from a good idea of Let's Encrypt here. So there was a time where HTTP was the standard setup for most web websites and so forth, and getting a certificate was a kind of a bit of a cumbersome process.
F
You had to kind of contact a provider, credit card, prove your identity, get some sort of a CA bundle back, work out how to get it to work on your web server, and then Let's Encrypt came along and they disrupted that whole space. Okay, and they made it so that HTTPS became the common deployment model. So TLS was was widely available on most sites because they provide simple-to-use tools and they provided a free service, and the paradigms are quite similar with software.
F
At the moment, the amount of software that's packaged that is unsigned is predominantly the larger model that's out there. So we want to disrupt that space so that artifacts that are part of the supply chain, the, the common go-to model is that it's, it's signed, there's provenance, there's non-repudiation, you can perform an attestation around the source and so forth. So that's our kind of, our kind of core vision within sigstore. The project started, I guess, just about a year and a half ago. We're in the Linux Foundation.
F
F
So our contribution graphs have gone through the roof. We've got 20 different organizations that are involved and actively use, utilizing sigstore, and they plan to use this in an enterprise context. And, and we also have ourselves our public service as well. We, we're running a, a kind of like a soft launch at the moment, so we have a transparency log, and that's, I think it's just getting up to 800,000 log entries that are in there now, and people are putting all sorts of stuff in there.
F
There's lots of container signatures in there, there's other ecosystems that try and stuff out, such as Ruby and, and some of the Rust communities starting to look at sigstore. So the community's blown up and we've got a really lovely community now. We've got a Slack channel with, I think, about 800 people in there at the moment, and so it's really caught fire over the past year. A bit hand-wavy, this one, but essentially what we do is we provide free, short-lived certificates.
F
F
Signing system, we've got Rekor, which is our transparency log, and then we have multiple tools, but one of our sort of killer application tools so far is cosign, which has really helped rocket off our ability to sign containers and utilize OCI registries. And really this whole sort of ecosystem allows you to cryptographically verify provenance of any particular artifact. Okay, you can, you, you have this captured in an immutable, append-only transparency log that's backed by a CA authority, and the CA authority was actually bootstrapped in the open.
F
So it's a group of people, it's a mix of academia and corporate. So we had Marina Moore from NYU, Santiago, who some of you know from Purdue and in-toto, and then there was some of us folks from Google and Red Hat. So it's a nice mix of people that, that bootstrapped our sort of root of trust, essentially. And again, I'm going to kind of skip over this.
F
This is kind of getting into our sort of keyless technology, but what we do in, in sigstore, we can cater to everybody. So you might have somebody that has their YubiKey or a HSM, they want to manage their own key, they can use sigstore. You might have somebody that has a key management service, so we support Azure, AWS, GCP KMS, okay, so your kind of enterprise customer, they might want to use, like, utilize that. Somebody that just doesn't want to manage keys, which is predominantly the largest group in open source.
F
At the moment, people are just, the adoption is incredibly poor around people generating and maintaining their own keys. We have this keyless technology, which is where we have these short-lived keys, and we utilize the transparency log to, to snap a moment in time around the, the sort of trust delegations that are at play there.
F
So again, I'm going to skip over this a little bit more in the interest of time. We're getting a bit more hand wave into the technology here. Cosign, as I said, this is our container signing tool. This has started to be leveraged a lot in Kubernetes, and many projects starting to leverage this as well as part of their, creating their own release container images. And again, we utilize either KMS or we have our certificate authority,
F
Fulcio, and all of the trust is immutably pinned to our transparency log, and this is all run in public at the moment, so you can use this, this service. So kind of what we're looking at doing next is we're expanding on our container signing. We're looking to onboard several communities, so we're working with RubyGems, the Python foundation, starting to speak to the Wasm folks, starting to speak to the Rust community, because at the moment Rust are putting everything in untrusted.
F
There's a lots and lots, it's, I can't keep up with the stuff that's happening around SBOM. There's a lot of tools that generate SBOM that are starting to integrate with sigstore. We have, we can do in total estimations, sorry, I was a problem saying that, in-toto attestations, SPDX types. There's many, there's a lot, there's a whole hive of activity
F
that's happening around s1 at the moment with these policy bundles, so we can do sort of offline type verification as well. So we're looking to improve the UX as well around verification, okay, and there's people that are starting to leverage policy engines. So there's admission controllers that are being built on top of the sigstore infrastructure, for Tekton and various other sort of CI type systems. GitHub is a really interesting one.
F
We can do this really cool unattended signing within GitHub Actions now, which is really exciting, and yeah, we're starting to sort of improve the whole UX now, because we have the infrastructure starting to really mature. Now it's starting to hit a lot of 1.0 releases. So, as you see, Rekor GA, Fulcio GA, so Rekor's at 1.0 now, we're starting to notch Fulcio towards 1.0, one of our main clients,
F
cosign is 1.0, okay, and we can also provide a trust root for our projects, which is an interesting thing. And Purdue University is starting to work on some monitors that will perform a kind of a cryptographic audit of the structure of our transparency logs, so that they can be sure that there's no untoward behavior, any sort of manipulation of the log that's happened. So with a transparency log, it's, anybody that's interested, it's a Merkle tree, and with a Merkle tree you can do something like it,
F
That's called an inclusion proof, so you can calculate the structural integrity of the tree and then look for a particular part of that tree, which maps to perhaps an artifact, and then compute an inclusion proof to make sure that nobody's tampered with it.
F
So that's what's coming up next, and around the, the public service. So, so in sigstore we have the community who are working on the code. Those are the folks that are maintaining the code and, and getting in touch with different communities to look to onboard those communities. But then we also have the public service, okay, and the plan is that this will be run under the Linux Foundation.
F
Okay, just a few, sort of, you know, a few people that have said some nice things about us. So Josh, we spoke to him quite early, from Let's Encrypt, he's always been a big fan of what we're doing, and, and various other people, Chris Wright, Wired magazine covered us, which was really nice. And, but anyhow, the, and KubeCon. So we recently had KubeCon, again, there was a lot of really nice attention that we got there.
F
So at the moment we're, we're looking to, to launch the public service, because, as I said, at the moment we're under a soft launch. So we have two phases that we have here. So phase one is what we're in at the moment, okay, and people are starting to fund us for this, and this will be where we have a developer relations engineer.
F
It will help manage the onboarding of communities, okay, and we, we need a security audit, so a secure, security audit will be performed against our threat analysis, against our architecture and our code, okay, and a marketing budget, and that's where we are at the moment. So, so that's funding that's actively happening as we speak. Phase two is where we are fully GA, will provide a full guaranteed operational service, which is what we'll be moving into next, and this is anticipated to be early 2022.
F
So this is where we provide guarantees. We have site reliability engineers, so there's a service outage, somebody's got a pager, and then we have hosting costs. And again, we've been able to benefit from the experience of Let's Encrypt here, we run a similar sort of operation. So you might be interested in, why are we talking to the OpenSSF? Obviously you know myself and Dan through the TAC.
F
Essentially, what we're looking to do is look at how we can either, two possible routes, closely more aligned with the OpenSSF or in some way bring sigstore into the OpenSSF, because it's one of the things that we heard during the phase one, was a lot of folks said: love sigstore, really support it, you know, have you thought about being in the OpenSSF? It's a common thing that comes up quite a lot, and originally when we started sigstore
F
F
So it now seems that the sort of the good juncture to start to make folks aware of, of what we're thinking, and we've been starting to discuss this with Brian as well, who's, he seems quite excited about sigstore, that's fair to say, right? And yes, it's really to sort of, I know time is ticking on, so I'll conclude to allow you to ask some questions.
A
Thank you, Luke. That was really awesome. Yeah, I can certainly say I'm excited about sigstore, I'd love to see it in OpenSSF as well. I think there's a lot of compatibility there as we keep talking about supply chain and these new initiatives, and seeing those two work together would be really, really cool. Curious, wanna hear others' opinions as well, concerns about that, I mean, anything at all.
I
I mean, Luke, you kind of hinted at this already, but, you know, I know a lot of us wrote big checks for OpenSSF right now, and so, you know, I'd certainly love to see if we can find a way to, you know, leverage the funding we've got in OpenSSF to make sigstore work.
I
You know, having that as a separate project, I think, made sense at the time. We should really evaluate whether it continues to make sense going forward, because, you know, I think, as I, I think most of the companies on the call would love to have this be part of our major supply chain attack mitigation.
I
F
A
So in regards to that, I mean, I think that's a very valid point as well, like, there's a lot of money flowing into OpenSSF already. Luke, have you guys performed the task of estimating budget requirements of what you might need? Make the assumption that you're in OpenSSF, what would that ask look like, as far as operational budget?
F
F
Clouds, yeah, it was a while ago that we worked on this, so, and there, there is room to, you know, I don't want to sort of put that out there as a definite figure.
A
E
Sure, yeah, right, and that, this is a, this is a hard thing to answer, because, I mean, it is, it is largely not cloud costs or things that are easy to get for free, potentially, or donated from other resources. It does come down to having a tier one, you know, a set of site reliability engineers, essentially, folks who can dive in and fix a problem.
E
E
The problem is, when you need them, you need them now, and it, I don't know if there's some opportunity to look at the architecture to go, to make it resilient in the face of central services being down or something like that. Like, maybe there's something to think about there to make it a little more cooperative in terms of the infrastructure or less, less dependent upon, you know,
E
If it can handle a six-hour outage without people, you know, freaking out and the world coming to an end, then, then maybe the pricing can be different too.
E
I think, I think, if, if the TAC agrees that this is something that they like, something that's important to support, the next step for, on our side would be talk to Josh as, and the folks at ISRG to figure out what does something like this look like, but it being an iterative process to try to come up with something that both is a, a reasonable number and a reasonable set of compromises on the service,
E
You know, to fit, have something that can fit within, within a budget, right? And I don't know what that looks like yet, but before we went too far down that path, I think getting, getting the nod from the TAC, and, is an important thing to do. In terms of budgeting for December, you know, Luke and I, and, and everyone should talk a little bit more about this, we could probably earmark a bit. I know Luke has also gotten some independent funding for this.
E
It started to, at least. So I think, I think there's enough there to do something impactful. Getting a million is, is a big chunk at least of what we've got committed already, but if we tied it to some fundraising for this, maybe even there's a way to have, you know, some of the recipients of the, of the, the signatures do a tip jar kind of thing or, or some other type of model to help, help support the funding of this. I don't know, but I.
F
F
Will be a critical service, so, you know, it does require, I mean, one of the things that we've, for our 1.0 with the transparency log.
B
A
E
And I think there could be a separation between voting to have the code and the brand in OpenSSF, with still some unresolved questions about how the service is deployed.
E
I, I, you know, kind of splitting it out that way might be, might be one way.
F
E
For the TAC express it's kind of governance over the technical, what goes on technically in the project, right, and it's really more down to the code and, and the idea.
A
So perhaps next steps in about, we create an issue, as we've done in the past, for comments and voting within, on GitHub, and then we can kind of brainstorm on there and people can show their support, and then we can kind of move on from that. Does that seem reasonable?
A
So, unfortunately, we're out of time. I know there was one more mention in the, in the agenda around the voting process. I'm working with Jory and Brian on that, we'll send out details once we have more to explore there, but the goal is to have that process figured out by the November 5th governing board meeting as well.
A
If folks have questions, concerns or advice, please feel free to reach out, and I think that is it. So with that, you know, channels are open, so we'll, but otherwise we'll see you guys in two weeks, and thank you, everyone. Great meeting today.