From YouTube: OpenSSF TAC Meeting (June 28, 2022)
A: Yeah, you missed the toot of the train nearby.

G: Briefly, I exchanged chats with Ava this morning. They send their regrets; they're not gonna be able to make it today. We'll wait another minute to see the rest of the TAC hopefully show up here.

A: All right, so Vicky has posted the URL. If everyone can add their name, that would be awesome. Thank you.

I: Yeah, well, I personally don't count for quorum, but we are keeping track of... yes. Yes.

G: All right, so we're just coming up on four minutes after, so we will go ahead and get started. First on today's agenda is a presentation and quick discussion on Security Insights. There's an email sent to the TAC mailing list with some detail about some work that's been going on under the Identifying Security Threats working group. So, Luigi, I'll hand the floor over to you; aim for about 15 minutes if you can.
J: Thank you, hi. I can share the presentation with... one second. Security Insights is a project by the working group Identifying Security Threats in our OpenSSF project. We started to work on it some months ago now, and what is it? Security Insights wants to be a standard for projects, not just open source.

There is the security policy that you can add in GitHub. There are other organizations that prefer to add just a link, but we don't have a standard. Security Insights wants to try to be this standard, providing different information regarding the security of an open source project.

Why? Because we want to reduce the fragmentation of the information that is related to security in open source, and we want to offer... I mean, it's important to offer, probably to maintainers and developers, an easy way to provide information in a standard way, just to give an example, like security.txt.

We have seen that scanners sometimes can generate false positives; it's quite common, because it's difficult to have a standard, and this file can help to reduce false positives. Of course, it's something that maintainers can create, and everyone can.

In addition, this standard wants to be independent of the hosting platform. At the moment there are three or four big platforms to host open source projects, like GitHub, GitLab, but every platform has different APIs and different features, so even if they offer now more security features, it's not so easy to have a standard just using the platform API.

A similar YAML file can offer to scanners a sort of standard, to the community a sort of standard to provide security information. There are different use cases. Of course, there are the final users that can easily find information. This file can help them, so they can help CTOs, CISOs or just developers of open source to take decisions about a particular project, to implement, to use or not a particular third party package.

Scanner developers can add this source to the scanner, or they can create a database containing the information from this file. Security researchers can easily find information about the security policy, or the right way to report vulnerabilities, or bug bounty for the open source community, and at the same time also the maintainer can communicate better with the security or research community, for example giving them the right document or the right policy to help them to be focused on the right vulnerabilities that they want to receive.
J: I am not reading the chat actively, so if someone is writing in the chat, I'll read it after the presentation. Sorry. Of course, a similar file, like everything in security, can lead to some bad scenario or critical scenario. For example, a malicious maintainer can try to add false information in the repo. In the Security Insights repo you can find a threat model, but we have identified these main five malicious scenarios: supply chain...

If there is a link, the attacker can try to obtain this domain; this link, false information in the file, disclosure of private information, or a malicious pull request to edit these files. But all these risks seem to be quite uncheckable; we already have them in a lot of standards.

The main risk for this project, in my opinion... I mean, the main risk of failure for this project is related to poor adoption. I mean, technically we are proposing a new standard, so if the community doesn't adopt it, there is no value in this standard. We can have the best standard, but if no one uses it there is no value, and so we need to be sure that our OpenSSF projects start to adopt it. And the other risk of failure is related to the security concerns.

Convincing maintainers to adopt it is not easy. It can require time, but if the main open source projects start to use it, probably other maintainers of the open source community just follow the main projects, because it is quite common, and we can start to have a good way to collect information about open source from a security perspective.

So what I want to ask the TAC group... Well, I want to present this project and, at the same time, because a lot of chat...

Okay, at the same time, because the main risk that I see here for this project is poor adoption, and because at the moment OpenSSF seems to be quite influential, not only in the community but also for security people that work in companies, in the enterprise world, probably a good way to spread this standard can be adopting it in our repos, so in our organization. So my formal request is if we want to proceed with a similar project.

That can be a good idea, because it is just a sort of security.txt, but for open source projects, so with more information and in a format that is more machine readable than just the txt; we should adopt it in our organization.

This means that we should create a Security Insights file for the Scorecard repo or for other repos that we have, and at the same time we should communicate in the right way with the community that we would like to provide this new standard, just to try to aggregate information about project security, so that maintainers, developers, scanners, users can read it, analyze it and take decisions based on this information. And that is it, so if there are any questions, I don't know, please.
E: Thanks for this overview today. Just helping my colleague Arno, who's in a loud location; he's asking to refer to this as a specification, not a standard, just so we keep folks clear, and the Community Specification License would be a good thing to pivot to in terms of alignment.

I: I think I was going to echo Arno and just encourage more of a... if this is a community driven project that desires to one day be a standard, adopting the Community Spec framework would be a great first step, and I would be happy to help you get started with that process, Luigi, if you would like.

J: Oh yes, it would be great. I think yes, because I mean it's very... We know that the community is trying to find a way to share all the security information about the project, but it is not easy, and convincing people to follow the same specification, the same standard, the same approach, so that we can at the same time have a single way to read the information and collect information, it's not easy, so my concern is that people can...
G: The broader question here, I think, was one around, you know: does the TAC feel comfortable effectively making an ask of all projects within the OpenSSF to adopt this, as almost a dogfooding exercise, to not only demonstrate that we're willing to hold ourselves to our own standards that we're recommending for the broader set of ecosystems, but also to help to kind of see that flywheel effect that it looks like Luigi and the team are looking to drive here?

So maybe a call for any input from folks on whether that's a good idea, a bad idea.

K: So, you know, if the community was approached and said, would you adopt this standard, and if they were of the mind that yes, this is useful, would they like to implement this?

J: Okay, thank you. Sorry, there is a blackout in my city, so I am on mobile now and I don't know if someone has any question, because I was asking the TAC group if the project seems to be reasonable and good and if, in your opinion, we can try to proceed to implement this also in our organization repos, and what is the best way to communicate to the community.

About this, I mean, for example, I'm working on a command line tool to validate and create this file in an easy way, so we can offer also this tool to the community. And yes, I wanted just to know your opinion, and sorry for the interruption; it was not planned. Definitely.
D: I mean, you don't control blackouts, I assume. I'm not a member of the TAC; I'm in favor of using it on OpenSSF repos to dogfood. I did have a question. Have you got, like, contacts from companies like GitLab and GitHub, as well as security tool vendors, involved at this stage?

J: No, at the moment GitHub, GitLab are not directly involved. The team manager of the working group, Michael, is from Microsoft, so he knows GitHub quite well, but do you think it would be a good idea to talk directly with GitHub and GitLab and order a big bucket? Probably also... I don't know now what they are.

D: I guess, off the top of my head, I can't think that they would have objections or changes, but they might have feedback. But also, similarly, with security tool vendors, they might have particular fields that they want to look for that they find difficult to extract at the moment, so they might have feedback too. It looks pretty complete, but my background in, like, agile software consulting is: talk to the end user as much as you can.

J: Okay, two quick questions: I can contact... I mean, probably we have people directly in our OpenSSF Slack that work in these companies, so I can contact them using the OpenSSF Slack, or I can contact them as an OpenSSF member, just to try to receive feedback about this standard, for example.

Of course, it is this stuff... I say standard, but we can say specification. But of course, when we started to work on it, we had thoughts about the OpenSSF Scorecard, so technically Scorecard can support this file just scanning it, but also other scanners; I think Snyk or others can collect information from the same file. So technically it's not just for a single tool; it's something that can be used from every scanner, also from new scanners that the open source community can create.

So, but yes, I will... I'd appreciate it if people from GitHub, GitLab or similar companies can provide feedback. Definitely, so I'll try to contact them to continue to collect feedback, and I will provide a first tool to validate the YAML, and if there are no other objections, we can continue to work on it. For me it's perfect, and yes, definitely the communication will be an important key to the result of the project, probably.
G: Yeah, I think we have two other quick questions, one from Vicki first.

C: Hey, so again, not a TAC member, but I do have some feedback. I do think it's worthwhile to at least have a proof of concept within the OpenSSF bubble to see how this works, see whether it works for us and, most importantly, see what's required to implement it and how hard it is for people to do so. So I do encourage the TAC to support that, if only at first in a limited version and then perhaps rolling it out more.

I strongly encourage the switch, mental and otherwise, from standard to specification. I think that's rather important and I'm glad that Arno brought it up. I believe Arno brought it up; if not, apologies to whomever did. I think that's going to be very important as a mindset to make sure that going forward we can all kind of coalesce around that and help support it as a specification.

I think that's going to improve your messaging considerably when you're speaking with these other groups. So that's certainly worthwhile and, as Jacques mentioned, they should be run past some end users rather than simply the TAC, some of the groups that will be implementing... implement... implementating, no, implementing this, to make sure it is something that they can support, because that will gain adoption if you're able to get a GitHub, a GitLab to implementify. Thank you, Jerry.

If you're able to get them to get behind you on this and have blog posts and various things like "this is now a best practice," I think that will be very, very useful, but I want to call attention to something that Josh mentioned, or a question he had, which is how many people are maintaining this.
J: I mean, it is a good question, especially about how many people work on it. Technically, I am the person that for sure worked more on this project, but it was part of my working group. So every two weeks I collect feedback and there's help from my working group. If we want to spread it and be sure that people can adopt it, for sure we need to define some rules, for example how we should deploy a new version of the standard.

How we add new sections of properties in the schema, and so the specification would have a sort of group of people that can maintain it. I think that OpenSSF is the right group, especially because the idea is that this schema, this specification, should be easy to be maintained over time. We can just add or remove properties according to how the open source community and the security world continue to grow. So if there is a new standard over here, we can add the property for this standard.

For example, I don't know, a new markdown file that contains practical information, this SBOM file that now a lot of companies and projects are adding to their repo. And I think that this is a good question, because at the moment there is not a document... I hope you can hear me... and there is another document that formalized how we should improve it. But it's something that is on the roadmap and...
L: Okay, in case you can write, I don't have a question; I just have it. Okay, sorry, we're way out of time, and that was the first thing I was gonna say, and, like, this is neat, but I don't understand why we're necessarily having this discussion right now. I mean, this feels like something... make it a project, get it in use; like, you're already part of a working group. You know, like, just keep shepherding it along. That's how this is supposed to work.

Yes, I agree. I mean, yes, okay, I mean, that's it, like, we don't have magic powers; like, if you want to do this, like, do it, and you are, and that's great, but I think having a working group for it makes perfect sense, and I don't think there's a lot for the TAC to do outside of that at the moment.

G: Summarizing the feedback, I think, you know, we certainly are encouraging on the concept, and if there are places that we can drive awareness and outreach... I think Alpha-Omega was mentioned as a potential vehicle to get additional feedback to this. I think it makes sense to support the project in that way.

I think we need to make sure that you're not the only person here, and not just from a, you know, horsepower perspective, but also to make sure that we're pushing projects that have the correct level of health and diversity out, and when we do make recommendations that they meet that bar. So I think we can take the rest of this discussion offline, but in general, you know, it sounds like a great idea.

You know, still in its early stages, but, you know, as we see more and more adoption, I think it's appropriate to come back. If you have explicit asks of things that you need help with, we certainly encourage that. All right. Yes.

J: Okay, thank you. Yes, I wanted to present the project and ask OpenSSF to adopt it in the future, because, I mean, if we want to continue with this specification, I think that OpenSSF should adopt it for their own repos. Otherwise the community cannot follow us for sure.
G: Just a quick retrospective, you know, from all attendees that were able to join either in person or virtually to the OpenSSF Day last week. You know, I think in chatting with Brian and Jory afterwards, I think, you know, not to lead the witness, but...

In terms of content and flow and engagement... but I did want to have just a brief section here to call out, as we think about doing this more often. The next kind of event that would be triggered here would be the OSS Summit in Dublin coming up in September. Any quick feedback from folks on the call around things that we would like to see more of, things that we would like to not see repeated, or anything that could be any kind of... yeah. Can't talk to any...

Feedback that folks want to offer would be appreciated.

H: And really quick, we had 359 people attend in person at some point specifically to OpenSSF Day, because we were badging people in at the beginning of the day and through some other parts later, and had 498 people participate virtually just watching the live stream. We'll put up the streams on YouTube sometime in the next two weeks, and there's a Flickr stream of photos from the whole of the event here.
F: I think one of the things we should look at is who do we expect the audience to be in that room, and try to hit a more breadth of content to address more people who might be brand new to OpenSSF or those who are completely inside baseball, because I had some feedback from people that felt it was a little bit more challenged to bring content to clear points, because we don't quite know what we're doing in a lot of these spots; we're trying things, but we also need to balance that with how does this look?

If somebody is just showing up to say "what is going on here," it felt a little bit squishy to some of those people. For me, they're like, "do you all have a plan?" And I'm like, yes, yes, we're working on a plan. That's the plan. So I think we should try to tighten this up just a little bit, if we can, for content to address the audiences that we think we'll have, which of course is a random...

I: I was just going to say: one of the bits of analysis we want to do is to take that list of attendees, the folks we scanned in, and see, okay, how many of these folks are folks who've already been coming to our working group sessions, or, you know, they're in our Slack channel, they're in some way, shape or form already connected to the community, versus folks who were seeing us for the first time at the summit. And one of the hypotheses we had coming in was that we would see more of the latter, more people who weren't already familiar with us. Anecdotally, it didn't feel that way in the room on Monday. So looking at sort of the data and the demographics of the group is one of the things I think we'll do to really inform how we shift the content for next time, because, while I'm sure everyone here who was there was able to enjoy the sessions, it was probably not news for you old-timers in the community, and we want to make sure there are also useful materials for our community there, too.
G: Take that as a no. All right, thanks all. I'm going to switch the agenda items real quick, the last two here, just because I think it will just knock the short one out first and then go into the broader discussion. Just wanted to follow up on a couple of actions that we had from before. One is a continued call for reviews to the outstanding PRs that we have on the working branch for the proposed governance and project lifecycle models.

There's a couple that are open here that I think we're ready to get additional feedback on and then continue to make progress on there. So just a call for TAC members to go take an explicit look, and if others want to chime in, certainly welcome. And then lastly, I think, whether it was Jen or Jory, I don't quite recall, apologies for pointing this at the wrong person, but I believe somebody took an action item to set up a regular reporting cadence from both the projects and working groups into the TAC.

M: This is Jen. I don't have an update; I was out the week in between the two... the last call, but I will have an update for y'all shortly on that and can work on that this week.

G: Great. All right, thank you. So, Brian, I know you sent it out to the TAC around the mobilization plan thoughts. Do you want to...
H: Yeah, and I just dropped the link again in the chat here, and I know you all hate me dropping a link to a long document right during a call.

So I apologize for that, and I don't mean to, you know, take too much time here and kind of have a conversation over things that you haven't read, but in following up on the development of the mobilization plan, I knew it was pretty important to find an appropriate way to structure the follow-ups, putting together... to try to direct the offers of funding towards different targets that we set in the mobilization plan.

I've been cautious about this because I have seen open source projects ruined by money. The "mo money, more problems" kind of thing is very real, you know, when people conflate the governance of a technology project with the management of a budget to spend on things, and things get funded that don't meet the quality standards and that kind of thing. So it felt to me like one of the things that did work about the mobilization plan was the way we pulled together...

...small teams around each stream, kind of gave them the (apologies) independence to figure out the right approach, and, you know, kind of orthogonal to each other. And so what I've proposed here, and this is after lots of conversations with some of you, with governing board members, with others about the right way to structure this, is continuing that kind of per-stream small team structure, making it public.

This time... we were only kind of semi-public before, because we were trying to rush against a deadline, and I think we now have the affordance to be able to have these public, ongoing, kind of, you know, persistent... you know, as long as there's a plan, as long as there's streams and funding to pursue, I think we can structure this, and these small teams, these SIGs, would sit underneath a working group that would adopt them.

I proposed a set of mappings there between stream themes and working groups. That is a proposal; that's not an assignment!
H: Each working group should decide if that's what they'd like to take on in terms of oversight, and then that SIG would continue to evolve the stream and then identify opportunities for funding. Basically, "here's a proposal to, you know, hire a person as a devrel advocate for six months," or something like that, or "here's, you know, another group that'll write code," or to set up something larger, right, to work with an outside firm, to work with LFX Security, for example, for stream number two.

But it would be the stream that kind of teased these opportunities up and then turns to what would be created as a subcommittee of the governing board focused on the mobilization plan, bringing together those organizations that have pledged 30 million dollars against that, you know, to tee up these proposals on a kind of regular, once every either two-week or four-week kind of meeting, to say: okay, stream number three is proposing this chunk of work; they need 100k for it, or 500k.

For it... it could be big, small granularity. I would suggest starting small, as always, and then, you know, and then we kind of say, are we ready to fund this, and we move forward, and then the LF staff kind of help manage the collection of the payments and the dispersion of that out in some cases. In other cases, we might simply direct those funders directly to a third party like Austin or whatever.

So I know it's a long document; it's not that long, actually, lots of white space in it. The ten pages... I did try to anticipate or address many of the concerns people had shared with me in that. So that's why it's on the longish side. What I'm also... sharing?

Oh, I'm also sharing this with the governing board and we'll have some conversations with them as well about their comfort level with the approach, and does that give them the right degree of oversight. But, you know, repeatedly they say "we really depend upon the TAC to tell us whether these ideas are good ideas or not."

So what I'm trying to avoid is necessarily pushing everything through a small funnel, which is our once-every-two-weeks call here, and try to figure out the right balancing act between oversight and governance and simply agility. Anybody who's put together a funding plan for things and taken it that mile to getting people to actually write checks knows how sometimes delicate that process can be; operating in the public only makes it more delicate.

But I think what we've got here is a balance between all those factors. So, but certainly happy to take comment, and I'd love to see this be something the TAC, as an overall plan, felt comfortable enough with to endorse.

Not today, but at some point in the next couple meetings.
H: No, I think one open question that I cite towards the end are concerns about, you know, what's the right degree of bureaucracy to have in this. You know, having the SIGs parked into the working groups is my attempt to try to disaggregate or decentralize it without taking away anything from the TAC's ability to kind of provide that oversight, but arguably you could also have these things report directly to the TAC. I just... I feel like, with the one hour...

...every two weeks we have here is pretty precious, and so I wanted to just be efficient with that, and some working groups are more active than others are, so there might be good reason for perhaps a mix of some of these stream SIGs, as I'm calling them, reporting directly to the TAC versus others. But I think there's something really powerful and good about the fact that we have these working groups as, like, the main way to fan out and delegate out responsibility in the organization, and we put thematically related things together and domain experts together, and so this tries to take advantage of that.

Of staff time... so I address this in the proposal. I think it's very important to distinguish between volunteers, who, you know... every stream should be set up in such a way that the work happens publicly enough that it can tap into volunteers who can show up, opportunistically participate a lot or a little, you know, but in a way that we're not hinging critical things on them; distinguishing between that and committed resources, whether voluntary or maybe we have to pay partly for them.

Who could say: okay, for six months you'll be 20 hours a week on an essential project management kind of function here, or domain expert kind of function there, or you'll build this thing, right. That's more committed resources, and certainly, if organizations stepped up and said "we're willing to put this person 20 hours a week, 40 hours a week, whatever, on this task," that could be a part of the funding proposal. It might even be enough that you don't need any funding to get started on something, which would be awesome, right.

No one has to wait to make progress in that. Somebody doing that, though, should just work directly with... like, if it's funding for Sigstore, like, don't even worry about, like, a proposal around that; just go volunteer on Sigstore, right. But I would lean on the stream SIGs to come up with proposals that might be a mix of "we need some cash, we need some people," and we'll help them connect to the people who... organizations might have people to offer in those capacities, but it's delicate to do right.
G: I guess I'm next, so I guess the part that, I guess, gets fuzzy for me is exactly where the line is drawn between dedicated funds for the mobilization plan versus generic foundation funds that are available for delegation to the individual working groups on their normal operating basis, and what role the TAC fundamentally plays in one set of funding versus the other. So I guess trying to minimize bureaucracy, and I'm certainly a fan of that, but given the flexibility that fundamentally exists here, I think that's where it breeds a set of confusion.

H: Yeah, and I think one of the things that we haven't done enough of this past year, and I'll take some blame for that, is, you know, we have about a million and a half that has been earmarked from the current OpenSSF core budget for some of the kinds of work that we've done.

Funding the Scorecard work, funding further development of the educational materials like setting up SCORM connect, funding for other things that are more core, and I've always seen that as separate from the mobilization plan, but obviously it can be additive to OpenSSF efforts. In the same way the mobilization plan can be... I'm putting together an updated budget for the second half of the year to the governing board to update kind of levels and those commits based on the fact...

We have some more members now and we can spend some more money, and I see that potentially as being separate from these stream SIGs and from the funding process, being more about, say, the projects coming directly to working groups of the TAC going, "hey, we could use some funding for this or that." But I think I can get you a better answer on that, and I owe certainly the governing board a better answer on that and look at some funding.
F: Yeah, Mike, my question or general comment on this: as we bring in both the project level governance that's been being worked on by the TAC as well as this mobilization stream plan, and there's a question in the stream plan from Dan about SIG-ifying...

That's actually on me at the moment. I have offered a draft, or I have planned to offer a draft which I have not yet offered, so I will offer a draft in the next week and we will be able to talk through all of these different structures, but I want to be really careful that we're not adding structures and weird new ways to do work that make this more complicated, and we end up spending more time in the governance and surprising people in the project, as opposed to having a nice pattern and knowing how we do this.

So I just want us to keep an eye towards that, as opposed to rebuilding and building a whole new set of structures that are different from other Linux Foundation projects, etc. So we have some pretty common patterns; let's use them where we can.

H: I totally agree with that. That's why I opted... you know, tried to adopt the SIG structure under working groups as, like, the vehicle for, you know, developing the plans further and developing proposals. The one new committee that's created is a committee of the governing board, which is what a couple governing board members have asked for, which is one focused on the mobilization plan.

I had raised my hand just to respond to Sarah. Sarah, I had started a document to help internally the teams, legal, finance, project teams, kind of align on language about what is a SIG. I'd love to work with you and share that documentation with you, as you kind of consider how you want to define it externally.
H: I don't see any other questions, which again, I... it's bringing this document on you in real time, I understand, but hopefully we could have some more conversation about this over the next few weeks and a conversation at the next TAC call potentially about: are we close? Is it something that we're all comfortable with here, and in parallel as well with the governing board, kind of on the same time frame? So totally open to comments.

I will monitor #tac on Slack for comments on this as well, and yeah, I do think it's important for us to clarify kind of where we're thinking now, how this sits operationally, both back end and front end, related to the OpenSSF TAC and governing board. As a part of answering this question, I don't mean to overly kind of segment, but yeah, I feel like it's an important issue to also make progress on.

G: Hey, Brian, just one last rule for me in terms of the next step. So I know you said that you're going to take this to the GB meeting, which I believe is next Thursday, if I've got my calendar right in my head, so the question I have is: are you going to socialize that for feedback from the GB? Are you asking for an approval from the GB on this concept, to have this be the action plan?

H: So I will be posting this proposal to them as well for their feedback and comment on the same document, and hopefully, not... obviously not by next week, getting a consent from them or convergence, but hopefully over the next few weeks, on the same time frame as the TAC here getting agreement that this makes sense, and then the one action for them to take, if that makes sense, is setting up the committee for the mobilization plan, and that's really what Krobe was calling "shark tank," which I did not want to commit to paper, but is an interesting way of thinking about the structure for those meetings.

G: Got it, all right? Well, then, at our next TAC call in two weeks I'll commit to bringing back kind of a current state of the feedback that I've seen from the governing board members, and Brian, I'm sure, if you're here, you can certainly weigh in as well, just kind of give an update, but that certainly sounds good to me. All right.