From YouTube: OpenSSF TAC Meeting (March 8, 2022)
A
A
B
All right, we'll just wait another minute or so for quorum and then we'll get started.
D
B
All right, I guess we will go ahead and kick off here. So welcome to today's meeting. Got a few bullets in the agenda for today. If folks have any other topics, feel free to add them to the top of the section right ahead of the meeting and we'll add them in if we have time. Just looking at the attendance, it looks like we have quorum from all TAC members present, so I think we're okay to move on to the first item on the agenda.
B
B
Ava to serve as vice chair or whoever.
D
B
Totally welcome. All right, next on the agenda, we got Krobe with a question around grooming the issues on the attack repo, so cro over yeah. I.
A
Had stumbled across the issue tracker. I was looking up the election issue and I noticed we had a lot of outstanding issues, and would that be of interest to the TAC to go through and groom those at some point, so we can start fresh, either add items to the future agenda or close things out that are done? Like, I had one for my working groups that was closed out months ago, but still open as an issue.
B
D
A
There are 25 issues and seven of us, maybe each TAC member takes seven things, tries to figure out what the state of it is and either closes it or adds it in as part of our docket of stuff to address. That be acceptable to kind of ease the burden?
G
Probably be easier for just to one to blitz through it, I'd recommend. Just in your in your copy cache, just have a message saying: hey, this issue, let's say issues that are more than three months old, sort by greater than three months, and then just paste in: there's been no activity on this issue recently, if you're still interested in keeping this open, please reply. If not, I will close by lazy consensus in seven days. Something like that.
H
Brian wrote in the chat: I would suggest all TAC members make sure you are getting notifications and following this repo. As a new tech member, I'm going to go double check that I have that turned on right now.
B
H
F
B
All right, any other comments on the approach there to quickly triage things? I think, just on a very quick scan, it looks like some of the issues, I think in terms of election process and whatnot, maybe moot, but yeah, to go through, and I would say if there's an issue that somebody on the attack feels particularly passionate about that they would like to step up and like to drive to closure, then feel free to to jump in and get engaged on on those issues and we'll just try to stay.
B
All right, on the next topic, I know in prior meetings, kind of the status of, you know, formalizing the project donation and kind of the progression and life cycle around specific projects, as well as working groups, has been previously discussed. I'd like to kick it over to Ava to give a brief update, but with the following preface of I'd rather not use this form as a working session to try to solve those issues, but more just to try to understand.
B
Are we making progress? If there are any blockers that we need to bring to folks' attention, this would be a great forum for that, but we're not looking to solve and ratify anything today on this particular topic.
H
Thank you for the context, Bob. The quick update is Anna and I have been chatting, taking a look at what worked for us and other foundations in the past. Don't have anything, you know, shiny and new to share here, and some of our discussion has also had to sort of partition off talking about Alpha Omega and, I'm anticipating, other projects. I see persia on the agenda today as well.
H
You know, as other projects are coming in or recently added, but it's unclear what to do with them in terms of structuring the relationships between governing board, tack and project. Those discussions are all kind of happening in parallel, so part of this is also is unmuddying the high level: how do we want to look at existing projects or working groups that have been here for a year or two versus new projects?
H
There is some discussion happening on GitHub issue number 83. I added a comment just last night. I see three more comments since then I haven't seen this morning. So I'd love to point folks towards that issue. I will copy it into the chat here for feedback and discussion there, and if you have other examples that that has have worked well or you've seen work well, please link them there. Love more input.
C
I'll just make a quick comment, so this is Steve Chan and I'm also one of the folks working on the bursia project. So we are we're interested to have a good process and way of doing intake of projects.
C
I I'd also mentioned that it'd be great to talk about the project and what we're doing on it, and followed up and said that, you know, obviously, if there's time we're happy to do it, but it might make sense to wait until the the project process is a little bit more formalized as well. So.
H
B
B
I think it's just a matter of sequencing to make sure that we do the right thing to write down what our intended process to be, get socialize that, get feedback on that and then, ultimately, assuming that we can drive the consensus around ratifying that. I think then it's I'd love to have your your input and perspective, Stephen and others, around that as we try to actually ratify the the intended donation.
C
Yeah, that sounds good, we'll contribute to the issue that that Eva mentions, and, I think, have some experience from doing donations to other foundations, where I think we can, we can give some insights into things which have worked or best practices we've seen.
B
B
All right, if not we'll, I think, kind of a segue over to con topics that I think believe Jory added around kind of a playbook or support re resources. Not me not specifically around project.
B
But for working groups and specific initiative funds, so Jory, over to you.
E
Jory's not here right now, so I'll I'll take it on her behalf, because we talked about it recently. So we'd like to try to find a way to bring a little bit more reproducibility, process, consistency across the way that the working groups work, and part of it is purely operational, from scheduling and calendaring and that kind of thing to thinking about how they they kind of conduct meetings, but also how they report up to the TAC and how they manage their their processes.
E
So we thought one of the really most constructive ways to go about this, really this is story's idea, was to to work with the working group leads, and anybody for here in the tech interested, on a playbook to kind of describe current practices, and I kind of look for opportunities to at least harmonize across what most people are doing and then from there think about ways to to to build on that and and do more and and so it was really just to kind of float.
E
The idea, I'm not sure if Jerry had a specific like next step other than she, I think, or has already reached, either already sent a mail or about to send them out to the working group leads suggesting this.
E
H
Brian, have you seen my comment on issue 83 that I was just talking about?
H
The I added it yesterday, so I asked because what you just described sounds very similar. When I mentioned a few minutes ago working on the project progression, I'm I should have been more precise. I meant taking a look at all technical initiatives, using the terminology from our charter, which includes working groups and SIFs, and I proposed in there that we attack approaches the the same.
H
Task you just described by creating a set of questions for each technical initiative, working group or project to complete, since I I couldn't find documentation on even who the points of contact for all the working groups are in GitHub right now. So that's one of the many starting points, is just who are the points of contact, then getting a status report back from them, collecting all the responses up, putting that in GitHub, I would propose.
H
E
Sounds great, no regular reporting to the tech and is, is, I think, a key element of what I've seen work at other other projects. So yeah, sounds good. Did you have a draft of those kinds of questions already started in that?
H
I I laid out the sort of proposed approach in that issue and I'd love to gather more questions in that issue before maybe, you know, two weeks from now, the next TAC meeting, we can as a group review that set of questions, finalize it and then send it off to all the technical initiatives for getting answers back.
E
I see Jory has joined. Jerry, I just introduced the idea that we talked about yesterday and and and set up a conversation. Ava suggests the first step being a kind of, I guess, a survey of the, you know, the working group leads and answering some some basic questions just to get started on that, understanding what we have and and where there's opportunities to to do more.
I
Great, sorry for being a little late, I was like in the zone and my calendar didn't notify me that it was afternoon. So so I did send an email out to the WG leads list yesterday. If you aren't on that list and you think you ought to be, please let me know so I can add you. Ava, I think I need to add you and Bob.
I
B
And I guess the, sorry sorry, I did see your email. I guess that what I took away from it was more of a, and, if I'm mischaracterizing it, please correct me, more of an operational consistency of: let's use the same Zoom tooling, let's have meeting notes put in the same spot, let's follow the same Slack channel constructs, versus, and I think it's certainly related in how I interpret it, but also to how does that extend into the overall working group structure and and.
G
B
B
If, for somebody to come along and say, I want to create a new project or I want to donate this project, or I want to create a new working group, to show up to attack and give that update is is awesome, but I think to what you were describing it's that support from the OpenSSF that I ultimately get as part of doing doing that, so kind of teasing out: what are what are the support constructs and the consistency in leveraging those? What benefits does that bring to a working group rate project versus, you know?
B
I
I I think that's a great kind of disambiguation of like the two concerns. Definitely.
I
My message yesterday was focused on that operational piece, because we were talking about those little paper cuts, so to speak, of what happens when a new person kind of comes to the community and they, oh, you know, that meeting was cancelled and they didn't know, or they had an out of date Zoom link, or, you know, things like that, which are things that we should be caretaking so that we make like onboarding into this community like a dream experience, which is something that I'd like for us to have and working with.
I
And how we want that to feel, that should come from you all, and you know you you, you tell you tell me, so to speak, what what best looks like, best in class looks like, and and then let's then me and Jen and OpenSSF staff will, will work really hard to make that reality.
B
H
Yeah, I think one of the things to start from is defining and writing down in our GitHub docs, or docs on GitHub, the difference between working group, committee, project, SIG or SIF, special interest group, special interest fund.
H
I encountered the term sith yesterday. I think Joy might correct me on what that means. SIG is the terminology in other foundations for a special interest group and so, for example, in the CNCF and CCC each of these three different types of entities.
H
Committee, working group and SIG have different life cycles, different goals, different gives and gets, to Bob's term, and in Kubernetes there is no project because Kubernetes is a project, so CNCF has projects. So all these definitions, we all need to write them down and agree on them. I'm happy to take a first pass. If note, would anybody be concerned if I wholesale copy the definitions of those four terms from the CNCF, make a PR with that, and then we can discuss nuances that might need to change here, but is that a good starting point?
C
Yeah, actually I like that as a starting point, just because it also makes it easier for folks coming in to potentially have a model that's more aligned with other foundations they're also participating in.
H
Great, then I will take that action item to copy that, open a PR with those base definitions, and we can, you know, debate the final points from there.
H
B
The chat comments, yeah, we should open source it. We should reuse and try to be as consistent as possible, and if it makes sense to to deviate, we should deviate, but in general I don't. I think, for that onboarding experience and being very clear and upfront around when we say project, what do we mean, when we say working group, what do we mean it?
B
It may sound trivial and we all have our our own definitions, our head around it, but it's really important for for folks who are engaging in the community for the first time to really understand the structure, and so I think this is a, you know, a great, a great effort to try to bring bring the house in order.
J
J
Yeah, there was a fun conversation earlier this week between two groups, where we just didn't have the same expectations of even the meeting, and it went sideways. It's like, that's a waste of a half hour. So let's get the terms right.
B
All right, next item on the agenda I added in and just marked it as all. It was more of just a chance. I know there was a, obviously, always working group meetings going on, but one topic in particular was that the proposed package manager, I forget the official name, shock, you'll have to correct me on that. But we had our first meeting post the last hack discussion. So I don't know if you wanted to share any update on that here, or any other, just quick updates.
K
I can give a quick update. Very preliminary meeting. The topics that have come up so far have been comparing some of the work that's been done in RubyGems and is being done in Python, or python, I guess is American pronunciation.
K
K
The other thing is outreach, making sure that we're not sort of completely inside our own little bubble of just a few different ecosystems, but ensuring that ecosystems in general who want to participate can participate.
K
The final thing that's happening is that Bob and I are collaborating on defining the goals for that group, or defining a goals document, based on discussions that have already happened and feedback we've already heard from folks. I think it's coming together pretty well. To give you some idea of this, this originally started as a casual conversation between two of us working on RubyGems and three people working in Python.
K
So there was five in the original invite, 18 people showed up, and the last one I think's had something like 30 people when when we were sort of looking at us as, you know, coming in under the OpenSSF, so it's it's growing fast. There's a lot of interest.
L
B
From vulnerability groups, I know there was that came up in the last discussion around around the OSV project. I didn't know if there's anything you want to.
A
So I think there's definitely collaboration opportunities there between the volume disclosure group and the OSV group, and I think that they are potentially looking to donate certain parts of their project or infrastructure to the foundation. So we want to wait. We have a repeatable process to kind of introduce them to that, and then we picked up our next project for the vault disclosures working group.
H
I hope you, you scared me briefly. I didn't think I volunteered for something yesterday, no.
A
G
A
B
B
If not, I don't see anything else added to the agenda. So Stephen, I don't know if you're in a spot where you wanted to give a brief update on persia for the email discussion.
C
Yeah, so I I mean I think given given where we are on the process for for project ingestion, it's probably easier to digest for the attack if, if we wait until that's farther along and then I can go over the project in detail, but I mean just in a few words, I think we, you know, in general we're trying to solve the distribution issue for for secure open source software.
G
C
Public repo in GitHub, in a collaboration with several companies, including several OpenSSF members. I I think we've also been trying to keep an open process. So we have community meetings, architecture meetings and other public meetings on the calendar and I'm getting good participation in those, again from for multiple companies and OpenSSF members, and even some community members and interested parties have come in through there, which is great, and I'd be happy to go into more detail at a future call once we have the project process more more fleshed out.
B
I
We have one general member representative for every 10 seats, so that means we're going to be kicking off an election soon for two new general members, and be thinking if there are folks from your, if your member company, if there's folks from your organization that would make a great candidate for that spot, encourage them to nominate by emailing us at operations.openssf.org. I'll send all of this information to the general member's email list, and that goes out to your orgs and voting and technical representatives.
I
So so you have that coverage, but be on the lookout for that very soon. If, if that's, if that's you, and congrats, because that's awesome to grow 20 plus members in two months, three months, it's wild.
B
Yeah, awesome. An apology, I just looked over and realized I had missed a couple hands in the in the Zoom chat. So again, my apologies. I don't know whether folks are clapping or looking to make comments. So I'll just pause here.
K
I can I can give a late update on securing critical projects. I I know you've already missed my voice in the last few minutes. Yeah, so generally, I think two things that are emerging in securing critical projects at the moment is, first of all, working out how to rank different projects in terms of the risk they represent that we're trying to retire and, second of all, how to create outreach to experts we need to help perform that ranking. Those have been the two major topics that we've been pursuing. Julia, her last name.
K
Excuse me, just in a second, sorry, from Twitter has been working on average and I worked a bit on the ranking question. So that's still a work in progress, but a really promising. Yes, thank you. Thank you, Sarah.
K
So that's that's currently ongoing.
B
Awesome, all right, with that we were at the end of the list of items on the agenda. I guess I'll make one call for any other topics folks want to discuss.