►
From YouTube: OpenSSF TAC Meeting (June 28, 2022)
A
E
G
H
A
G
I
A
G
All
right
so
we're
just
coming
up
on
four
minutes
after
so
we
will
go
ahead
and
get
started
first
on
today's
agenda
is
a
presentation
and
quick
discussion
on
security
insights.
So
there
there's
an
email
sent
to
the
attack
mailing
list
with
some
detail
about
some
work.
That's
been
going
on
under
the
identifying
security
threats.
Working
group
so
luigi
I'll
hand
the
floor
over
to
you
aim
for
about
15
minutes.
If
you
can.
J
J
J
J
Why?
Because
we
want
to
reducing
the
fragmentation
of
the
information
that
we
are
related
to
the
security
in
the
open
source,
and
we
want
to
offer.
I
mean
it's
important
to
offer,
probably
to
maintainers
and
developers
an
easy
way
to
provide
information
in
a
standard
way
like
for
just
to
give
an
example
like
security.txt.
J
J
In
addition,
this
standard
want
to
be
independent
by
the
hosting
platform.
At
the
moment
there
are
three
or
I
mean
three
or
four
big
platform
to
to
host
open
source
project
like
github
gitlab,
but
every
platform
have
different
api
of
different
features,
so
even
if
they
offer
now
more
security
feature
is
not
so
easy
to
have
a
standard
just
using
the
platform
api.
J
A
similar
aml
file
can
offer
to
scan
a
sort
of
standard
to
the
community
sort
of
standard
to
provide
security
information.
There
are
different
use
cases.
Of
course,
there
are
the
final
user
that
can
find
easily
information.
They
can.
This
file
can
have
them,
so
they
can
help
ctr
cheese
or
just
developing
the
open
source
to
take
decision
about
a
particular
project
to
implement
to
use
or
not
a
particular
party
packages.
J
Scanner
developer
can
add
this
source
to
the
scanner
or
to
they
can
create
a
database
containing
the
information
by
this
file.
Security
researcher
can
easily
find
information
about
security
policy
or
the
right
way
to
report
the
vulnerabilities
or
back
bounty
for
the
open,
surpr
monty
and,
at
the
same
time
also
the
maintainer
can
communicate
better
with
a
security
or
such
a
community,
for
example,
giving
them
a
right
document
or
right
policy
to
help
them
to
be
focused
on
the
right
will,
obviously
that
they
want
to
receive.
J
I
am
not
reading,
that's
active,
so
if
someone
is
writing
the
chat,
I
read
after
the
presentation.
Sorry,
of
course,
a
similar
file
can
like
everything
in
security
can
lead
to
some
bad
scenario
or
critical
scenario.
For
example,
malicious
maintainer
can
try
to
add
false
information
in
the
repo
in
the
security
inside
sniper.
You
can
find
a
threat
model,
but
we
have
identified
this
main
five
malicious
scenario-based
scenario
so
supply
chain.
J
If
there
is
a
link,
the
malicious
the
attacker
can
have
tried
to
have
to
obtain
this
domain.
This
link
false
information
in
the
file
disclosure
of
private
information,
forever
malicious
pull
request
to
edit
these
files.
But
all
these
weeks
seems
to
be
quite
uncheckable.
They
we
already
have
them
in
a
lot
of
standard.
J
The
main
risk
for
this
project
is
my
opinion,
are
related.
I
mean
the
main
risk
of
failure,
for
this
project
is
related
to
the
poor
adoption
I
mean
we
are
technically,
we
are
proposing
a
new
standard,
so
if
the
community
don't
adopt
it,
there
is
no
value
in
this
standard.
We
can
have
the
best
standard,
but
if
no
one
use
it
there
is
no
value,
and
so
we
need
to
be
sure
that
our
pesos
project
is
start
to
adopt
it
and
the
other
risk
of
failure
is
related
to
the
security
concern.
J
J
Convince
maintainer
to
implement
to
adopt
it.
It's
not
easy.
It
can
require
time,
but
if
the
main
open
source
project
start
to
use
it,
probably
other
maintainers
of
the
open
source
community
just
follow
the
main
project,
because
it
is
quite
common
and
we
can
start
to
have
a
good
way
to
collect
information
about
open
source
from
a
security
perspective.
J
J
Okay,
at
the
same
time,
because
the
main
risk
that
I
see
here
from
for
this
project
is
that
the
poor
adoption
and
because
at
the
moment,
open
just
seems
to
be
quite
influential,
but
in
the
community,
but
also
for
security
people
that
work
in
the
company
in
the
enterprise
world,
probably
a
good
way
to
spread.
This
standard
can
be
adopting
our
repo.
So
in
our
organization.
So
my
formal
request
is
if
we
want
to
proceed
with
the
similar
project.
J
J
This
means
that
we
should
create
a
security
insights
file
for
the
scorecard
wrapper
or
for
other
repo
that
we
have
and
at
the
same
time,
we
should
communicate
in
the
right
way
with
the
community
that
we
would
like
to
provide
this
new
standard
just
to
try
to
aggregate
information
about
security,
about
project
security,
so
that
maintainers
developer
scanner,
user
can
read
them
analyze
them
and
take
decision.
Based
on
this
information-
and
that
is
so,
if
there
are
any
question-
I
don't
know-
please.
E
I
J
Oh
yes,
it
would
be
great.
I
think
yes,
because
I
mean
it's
very.
We
know
that
the
community
is
trying
to
find
a
way
to
yes
to
share
all
the
security
information
about
the
project,
but
it
is
not
easy
and
and
convincing
people
to
follow
the
same.
The
same
specification,
the
same
standard,
the
same
approach,
so
that
we
can
at
the
same
time,
have
a
single
way
to
read
the
information
and
collect
information.
It's
not
easy,
so
my
concern
is
that
people
can.
G
J
Okay,
thank
you.
Sorry.
There
is
a
blackout
in
my
in
my
city,
so
I
am
from
mobile
now
and
I
don't
know
if
someone
has
any
question,
because
I
was
asking
to
the
tag
group
if
the
project
seems
to
be
reasonable
and
good
and
if,
in
your
opinion,
we
can
try
to
proceed
to
implement
this
also
in
our
organization
repo
and
what
is
the
best
way
to
communicate
to
the
community.
J
D
J
No
at
the
moment,
github
gitlab
are
not
directly
involved.
The
team
manager
of
the
working
group,
michael,
is
by
microsoft,
so
he
know
quite
well
github,
but
do
you
think
it
would
be
a
good
idea
to
talk
directly
with
github
and
eat
lab
and
order
a
big
bucket?
Probably
also
I
don't
know
now.
What
are
they.
D
I
guess
off
the
top
of
my
head.
I
can't
think
that
they
would
have
objections
or
changes,
but
they
might
they
they
might
have
feedback,
but
also,
similarly,
with
security,
vendors
security
tool,
vendors,
they
might
have
particular
fields
that
they
want
to
look
for
that
they
find
difficult
to
extract
at
the
moment,
so
they
might
have
feedback
too.
It
looks
pretty
complete,
but
my
background
in,
like
agile
software,
consulting
is
talk,
talk
to
the
end
user
as
much
as
you
can.
J
J
Of
course
it
is
this
stuff,
it's
that
I
say
standard,
but
we
can
save
specification
or
but
of
course,
when
we
started
to
work
on
it,
we
have
thoughts
about
the
open,
ssf
scorecard,
so
technically
scorcan
can
be,
can
support
this
file
just
scanning
it,
but
also
other
scanner.
I
think
sneaker
order
can
collect
information
from
the
same
files.
So
technically
it's
not
just
for
a
single
tool,
it's
something
that
can
be
used
from
every
scanner,
also
from
new
scanners
that
open
the
community
can
create.
J
So,
but
yes,
I
will.
I
appreciate
if
people
from
github
gitlab
or
similar
company
can
provide
feedback.
Definitely
so
I
try
to
contact
them
to
continue
to
collect
feedback,
and
I
will
provide
to
a
first
tool
to
to
validate
the
the
yaml
and
if
there
are
no
other
objection-
and
I
can
continue-
we
can
continue
to
work
on
it.
For
me,
it's
perfect
and
yes,
and
definitely
the
communication
will
be
an
important
key
of
the
result
of
the
project.
Probably.
C
Hey
so
again
not
attack
member
so
but
I
do
have
some
feedback.
I
I
do
think
it's
worthwhile
to
at
least
have
a
proof
of
concept
within
the
open
ssf
bubble
to
see
how
this
works
see,
whether
it
works
for
us
and,
most
importantly,
see
what's
required
to
implement
it
and
how
hard
it
is
for
people
to
do
so.
So
I
do
encourage
the
tech
to
support
that,
if
only
in
at
first
a
limited
version
and
then
perhaps
rolling
it
out
more.
C
I
strongly
encourage
the
switch
mental
and
otherwise
from
standard
to
specification.
I
think
that's
rather
important
and
I'm
glad
that
arno
brought
it
up.
I
believe
arnold
brought
it
up.
If
not
apologies
to
whomever
did
I
I
think
that's
going
to
be
very
important
as
a
mindset
to
make
sure
that
going
forward,
we
can
all
kind
of
coalesce
around
that
and
help
support
it
as
a
specification.
C
I
think
that's
going
to
improve
your
messaging
considerably
when
you're
speaking
with
these
other
groups.
So
that's
certainly
worthwhile
and,
as
jacques
mentioned,
they
should
be
run
past
some
end
users
rather
than
simply
the
tech.
Some
of
the
groups
that
will
be
implementing
implement
implementating
no
implementing
this
to
make
sure
it
is
something
that
they
can
support,
because
that
will
gain
adoption
if
you're
able
to
get
a
github
a
git
lab
to
implementify.
Thank
you
jerry.
C
J
I
mean
it
is
a
good
question
and
especially
about
how
many
people
work
on
it.
Technically,
I
am
the
person
that
for
sure
worked
more
on
this
project,
but
it
was
part
of
my
work
group.
So
every
two
weeks
I
collect
feedback
and
there's
help
for
my
parking
group.
If
we
want
to
spread
and
be
sure
that
people
can
adopt
it
for
sure,
we
need
to
define
some
rules,
for
example,
how
we
should
deploy
a
new
version
of
the
standard.
J
How
we
add
the
new
section
of
properties
in
the
schema
and
so
specifications
would
have
a
sort
of
group
of
people
that
can
maintain
it.
I
think
that
openness
is
the
right
group,
especially
because
the
idea
is
that
this
schema.
This
specification
should
be
easy
to
be
maintained
over
time.
We
can
just
add
or
remove
properties
according
to
how
the
open
source
community
and
the
security
world
continue
to
grow.
So
if
there
are
a
new
standard
over
here,
we
can
add
the
property
for
this
standard.
J
For
example,
I
don't
know
a
new
file
markdown
that
contained
practical
information.
This
bomb
file
that
now
is
contained.
That's
a
lot
of
company
and
projects
are
adding
to
their
repo,
and
I
think
that
this
is
a
good
question,
because
at
the
moment
there
is
not
a
document.
I
hope
you
can
listen
to
me
and
there
is
another
document
that
formalized
how
we
should
improve
it.
But
it's
something
that
is
on
the
roadmap
and.
L
Okay,
in
case
you
can
write,
I
don't
have
a
question.
I
just
have
it.
Okay,
sorry
we're
way
out
of
time,
and
that
was
the
first
thing
I
was
gonna
say
and
like
this
is
neat,
but
I
don't
understand
why
we're
necessarily
having
this
discussion
right
now.
I
mean
this
feels
like
something
make
it
a
project,
get
it
in
use
like
you're,
already
part
of
a
working
group.
You
know
like
just
keep,
keep
shepherding
it
along.
That's
how
this
is
supposed
to
work.
L
Yes,
I
agree.
I
mean
yes,
okay,
I
mean
that's
it
like.
We
don't
have
magic
powers
like
if
you
want
to
do
this
like
do
it
and
you
are
and
that's
great,
but
I
think
having
a
working
group
for
it
makes
perfect
sense,
and
I
don't
I
don't
think,
there's
a
lot
for
the
tact
to
do
outside
of
that
at
the
moment,.
G
Summarizing
the
feedback-
I
think
you
know
we-
we
certainly
are
encouraging
on
the
concept
and
and
if
there
are
places
that
we
can
drive
awareness
and
outreach.
I
think
alpha
omega
was
mentioned
as
a
potential
vehicle
to
to
get
additional
feedback
to
this.
I
think
it
makes
sense
to
support
the
project
in
that
way.
G
I
think
we
need
to
make
sure
that
you're,
not
the
only
person
here
and
not
not
just
from
a
you
know,
a
horsepower
perspective,
but
also
to
make
sure
that
we're
pushing
projects
that
have
the
correct
level
of
health
and
diversity
out
and
when
we
do
make
recommendations
that
they
meet
that
bar.
So
I
think
we
can
take
the
rest
of
this
discussion
offline,
but
in
general
you
know
it
sounds
like
great
idea.
G
J
M
A
G
G
In
terms
of
content
and
flow
and
engagement,
but
I
didn't
want
to
have
just
a
brief
section
here
to
call
out,
as
we
think
about
doing
this
more
often
than
the
next
kind
of
event
that
would
be
triggered
here,
would
be
the
oss
summit
in
dublin
coming
up
in
september.
Any
quick
feedback
from
folks
on
on
the
call
around
things
that
we
would
like
to
see
more
of
things
that
we
would
like
to
not
see
repeated
or
anything
that
could
be
any
kind
of
under
yeah.
Can't
talk
to
any.
H
And
really
quick,
we
had
359
people
attend
in
person
at
some
point
specifically
to
open
ssf
day,
because
we
were
badging
people
in
at
the
beginning
of
the
day
and
and
through
some
other
sorry,
some
other
parts
later
and
had
498
people
participate
virtually
just
watching
the
live
stream.
We'll
put
up
the
the
streams
on
youtube
sometime,
the
next
two
weeks
and
there's
a
flicker
stream
of
photos
from
the
whole
of
the
event
here.
F
If
somebody
is
just
showing
up
to
say
what
is
going
on
here,
and
it
felt
so,
it
felt
a
little
bit
squishy
to
some
of
those
people.
For
me
and
they're
like
do
you
all
have
a
plan
and
I'm
like?
Yes,
yes,
we're
working
on
a
plan.
That's
that's
the
plan,
so
I
think
we
should
try
to
tighten
this
up
just
a
little
bit
if
we
can
for
content
to
address
the
audiences
that
we
think
we'll
have,
which
of
course
is
a
random.
I
I
It
didn't
feel
that
way
in
the
room
on
on
monday.
So
looking
at
sort
of
the
the
data
and
the
demographics
of
the
group
is
one
of
the
things.
What
I
think
we'll
do
to
really
inform
how
how
we
shift
the
content
for
next
time,
because,
while
I'm
sure
everyone
here
enjoyed
who
was
there
was,
was
able
to
enjoy
the
sessions
it
probably
much.
It
was
probably
not
new
news
for
for
you
for
you
old-timers
in
the
community,
and
we
want
to
make
sure,
there's
also
useful
materials
for
our
community.
There,
too,.
G
Take
that
as
a
no
all
right
thanks
all
I'm
going
to
switch
the
agenda
items
real,
quick,
the
last
two
here
just
because
I
think
it
will
just
knock
the
short
one
out
first
and
then
go
into
the
broader
discussion.
Just
wanted
to
follow
up
on
a
couple
next
couple:
actions
that
we
had
from
before
one
is
a
continued
call
for
reviews
to
the
outstanding
prs
that
we
have
on
the
working
branch
for
the
proposed
governance
and
project
lifecycle
models.
G
There's
a
couple
that
are
open
here
that
I
think
we're
ready
to
get
additional
feedback
and
then
continue
to
make
progress
on
there.
So
just
a
call
for
attack
members
to
go,
take
an
explicit
look
and
if
others
want
to
chime
in
certainly
welcome,
and
then
lastly,
I
think
whether
it
was
jen
or
joy.
I
don't
quite
recall
apologies
of
pointing
this
at
the
at
the
wrong
person,
but
believe
somebody
took
an
action
item
to
set
up
a
regular
reporting
cadence
from
both
the
projects
and
working
groups
into
the
attack.
M
G
H
I've
been
cautious
about
this
because
I
have
seen
open
source
projects
ruined
by
by
money.
The
the
mo
money
more
problems.
Kind
of
thing
is
very
real.
You
know
when
people
conflate
the
governance
of
a
technology
project
with
the
management
of
a
budget
to
spend
on
things
and
and
things
get
funded,
that
don't
meet
the
quality
standards
and
that
kind
of
thing.
So
it
felt
to
me
like
one
of
the
things
that
did
work
about
the
mobilization
plan
was
the
way
we
pulled
together.
H
Small
teams
around
each
stream
kind
of
gave
them
the
apologies
independence
to
figure
out
the
right
approach
and
you
know
kind
of
orthogonal
to
each
other,
and
so
what
I've
proposed
here-
and
this
is
after
lots
of
conversations
with
some
of
you
with
governing
board
members
with
others
about
the
right
way
to
structure.
This
is
continuing
that
kind
of
per-stream
small
team
structure,
making
it
public.
H
This
time
we
were,
I
only
kind
of
semi-public
before,
because
we
were
trying
to
rush
against
a
deadline
and
and-
and
I
think
we
now
have
the
affordance
to
be
able
to
have
these
public
ongoing
kind
of
you
know
kind
of
persistent.
You
know
as
long
as
there
there's
a
plan
as
long
as
there's
streams
and
and
funding
to
pursue.
I
think
we
can
structure
this
and
these
small
teams.
These
cigs
would
sit
underneath
a
working
group
that
would
adopt
them.
H
H
Each
working
group
should
decide
if
that's
what
they'd
like
to
take
on
in
terms
of
oversight
and
then
that
sig
would
continue
to
evolve
the
stream
and
then
identify
opportunities
for
funding.
Basically,
here's
a
proposal
to
you
know
hire
a
person
as
a
devrel
advocate
for
six
months
or
something
like
that
or
here's
a
you
know.
Another
group
that'll
write
code
or
or
to
set
up
something
larger
right
to
work
with
an
outside
firm
to
work
with
lfx
security,
for
example,
for
stream
number
two.
H
But
it
would
be
the
stream
that
kind
of
teased
these
opportunities
up
and
then
turns
to
what
would
be
created
as
a
subcommittee
of
the
governing
board
focused
on
the
mobilization
plan
bringing
together
those
organizations
that
have
pledged
30
million
dollars
against
that.
You
know
to
tee
up
these
proposals
on
a
kind
of
a
regular
once
every
either
two
week
or
four
week
kind
of
meeting
to
say:
okay
stream
number
three
is
proposing
this,
this
chunk
of
work.
They
need
100k
for
it
or
500k.
H
For
it
it
could
be
big
small
granularity.
I
would
suggest
starting
starting
small
as
as
always
and
then
they
they.
You
know,
and
then
we
kind
of
say,
are
we
ready
to
fund
this
and
and
we
move
forward
and
then
the
lf
staff
kind
of
helped
manage
the
collection
of
the
payments
and
the
dispersion
of
that
out
in
some
cases.
In
other
cases,
we
might
simply
direct
those
funders
directly
to
a
third
party
like
austin
or
whatever.
H
H
Oh
I'm,
also
sharing
this
with
the
governing
board
and
having
some
we'll
have
some
conversations
kind
of
with
them
as
well
about
their
comfort
level,
with
the
approach
and
and
does
that,
give
them
the
right
degree
of
oversight.
But
you
know
repeatedly
they
say
we
really
depend
upon
the
tech
to
tell
us
whether
these
ideas
are
are
good
ideas
or
not.
H
No,
I
think
one
one
one
open
question
that
I
cite
towards
the
end
are
concerns
about
you
know.
What's
the
right
degree
of
bureaucracy
to
have
in
this,
you
know
having
the
sigs
parked
into
the
working
groups.
Is
my
attempt
to
try
to
disaggregate
or
decentralize
it
without
taking
away
anything
from
the
tax
ability
to
kind
of
provide
that
oversight,
but
but
arguably
you
could
also
have
these
things
report
directly
to
the
attack.
I
just
I
feel
like
with
the
one
hour.
D
H
Of
staff
time,
so
I
address
this
in
the
proposal.
I
I
think
it's
very
important
to
distinguish
between
volunteers,
who
you
know
every
stream
should
be
set
up
in
such
a
way
that
the
work
happens
publicly
enough
that
it
can
tap
into
volunteers
who
can
show
up.
Opportunistically
participate
a
lot
a
little.
You
know,
but
in
a
way
that
we're
not
hinging
critical
things
on
them,
distinguishing
between
that
and
committed
resources,
whether
voluntary
or
maybe
we
have
to
pay
partly
for
them.
H
Who
could
say:
okay
for
six
months,
you'll
be
20
hours
a
week
on
an
essential
project,
management
kind
of
function
here
or
domain
expert
kind
of
function
there
or
you'll
build
this
thing
right.
That's
that's
more
committed
resources,
and
certainly,
if
organizations
stepped
up
and
said
we're
willing
to
put
this
person
20
hours
a
week,
40
hours
a
week
whatever
on
this
task,
that
could
be
a
part
of
the
funding
proposal.
It
might
even
be
enough
that
you
don't
need
any
funding
to
get
started
on
something
which
would
be
awesome
right.
H
No
one
has
to
wait
to
make
progress
in
that
somebody
doing.
That,
though,
should
just
work
directly
with
like
if
it's
funding
for
sig
store,
like
don't
even
worry
about,
like
a
proposal
around
that,
just
go
volunteer
on
zig
store
right,
but
but
I
would
lean
on
the
stream
sigs
to
come
up
with
proposals
that
might
be
a
mix
of.
We
need
some
cash.
G
I
guess
I'm
next,
so
I
guess
the
the
part
that
I'm,
I
guess
gets
fuzzy
for
me
is
exactly
where
the
the
line
is
drawn
between
dedicated
funds
for
the
mobilization
plan
versus
generic
foundation,
funds
that
are
available
to
delegation
to
the
individual
working
groups
on
their
normal
operating
basis
and
what
role
the
tax
fundamentally
plays
in
one
set
of
funding
versus
the
other.
So
I
guess
trying
to
minimize
bureaucracy-
and
I'm
certainly
a
fan
of
that,
but
given
the
flexibility
that
fundamentally
exists
here,
I
think
that's
where
it
breeds
a
set
of
confusion.
H
Funding
the
scorecard
work
funding,
further
development
of
the
educational
materials
like
setting
up
scorm
connect
funding
for
other
things
that
are
more
or
more
core,
and
I've
always
seen
a
separate
from
the
mobilization
plan,
but
obviously
can
be
additive
to
open,
ssf
efforts.
In
the
same
way,
the
mobilization
plan
can
be
I'm
putting
together
an
updated
budget
for
the
second
half
of
the
year
to
the
governing
board
to
update
kind
of
levels
and
those
commits
based
on
the
fact.
H
We
have
some
more
members
now
and
we
can
spend
some
more
money,
and
I
see
that
potentially
well
as
as
being
separate
from
these
stream
sigs
and
from
the
funding
process
being
more
about,
say
the
projects
coming
directly
to
working
groups
of
attack
going
hey.
We
could
use
some
funding
for
this
or
that,
but
I
I
I
think
I
get
I
can
get
you
a
better
answer
on
that
and-
and
I
owe
certainly
the
governing
board
a
better
answer
on
that
and
look
at
some
funding.
G
F
H
I
totally
agree
with
that.
That's
why
I
opted
you
know
tried
to
adopt
the
the
sig
structure
under
working
groups
as
like
the
the
vehicle
for,
for
you
know,
developing
the
plans
further
and
developing
proposals.
The
one
new
committee
that's
created
is
as
a
committee
of
the
governing
board,
which
is
what
a
couple
governing
board
members
have
asked
for,
which
is
one
focus
on
the
mobilization
plan.
I
I
had
raised
my
hand
just
to
respond
to
sarah
sarah.
I
had
started
a
document
to
help
internally
the
teams,
legal
finance
project
teams,
kind
of
align
on
language
about
what
is
a
sif
I'd
love
to
work
with
you
and
share
share
that
documentation
with
you,
as
you
kind
of
consider
how
you
want
to
define
it
externally.
I
F
H
I
don't
see
any
other
questions
which
again
I
it's
bringing
this
document
on
you
in
real
time.
I
I
understand,
but
hopefully
we
could
have
some
more
conversation
about
this
over
the
next
few
weeks
and
a
conversation
at
the
next
tack
call
potentially
about.
Are
we
close?
Is
it?
Is
it
something
that
we're
all
comfortable
with
here
and
in
parallel,
as
well,
with
the
governing
board
kind
of
on
the
same
time
frame
so
totally
open
to
comments?
H
I
will
monitor
the
hashtag
tack
on
slack
for
for
comments
on
this
as
well
and
and
yeah,
and
I
do
think
it's
important
for
us
to
clarify
kind
of
where
we're
thinking
now
that
how
this
sits
operationally
both
back
end
and
front
end
relate
to
the
open,
ssf
attack
and
governing
board.
As
a
part
of
answering
this
question,
I
don't
mean
to
overly
kind
of
segment,
but
but
yeah.
I
feel
like
it's
an
important
issue
to
also
make
progress
on.
G
Hey
brian
just
one
last
rule
for
me
in
terms
of
the
next
step,
so
I
know
you
said
that
you're
going
to
take
this
to
the
gb
meeting,
which
I
believe
is
next
thursday.
If
I've
got
my
calendar
right
in
my
head,
so
the
question
I
have
is:
are
you
going
to
socialize
that
for
feedback
from
the
gb?
Are
you
asking
for
an
approval
from
the
gb
on
on
this
concept?
To
have
this
be
the
action
plan?
H
G
Got
it
all
right?
Well,
then,
at
our
next
tac
call
in
two
weeks
I'll
commit
to
bringing
back
kind
of
a
current
state
of
the
feedback
that
I've
seen
from
the
governing
board
members
and
brian
I'm
sure.
If
you're
here,
you
can
certainly
weigh
in
as
well
just
kind
of
give
an
update,
but
that
certainly
sounds
good
to
me
all
right.