From YouTube: OpenSSF TAC Meeting (May 18, 2021)
A
A
All
right
we're
just
waiting
for
for
keita
to
join
so
for
the
agenda
today
that
we
had,
I
hope,
hopefully
folks,
saw
the
email
step.
One
is
kay
was
going
to
talk
about
the
recently
signed
executive
order
from
the
white
house,
and
then
dan
milton
is
going
to
give
a
presentation
on
dci,
and
then
we
thought
we'd
wrap
up
with
continuing
the
conversation
around
our
wish
list.
A
Slash
backlog,
slash
whatever
it
is,
we're
calling
it
and
then
just
kind
of
continue
on
from
there,
but
kind
of
need
k
here
to
kick
us
off.
A
Okay
I'll
see,
if
she's
on
her
way,
if
not,
we
could
give
it
a
805
and
if
she's
not
able
to
join
by
then
we'll
we'll
have
dan
go
ahead
and
get
started
and
then
we'll
swap
in
when
she
gets
here.
A
B
Right
but
there's
actually
risks
as
well
as
opportunities
here,
how's
it
since
we're
waiting
for
kay.
Just
let
me
let
me
try
to
pitch
to
the
attack
folks
that
we
need
to
move
a
whole
lot
faster.
We
need
to
get
like
here.
Are
the
projects
we're
working
on
right
now
and
if
we
don't,
we,
the
the
train,
is
going
to
leave
the
station
and
go
somewhere
else,
and
I
think
that
would
be
sad.
B
A
Yeah,
I
totally
agree
with
you.
Actually
that's.
I
would
think
about
that
too,
when
I
was
reviewing
last
night,
the
the
wishlist
document.
One
of
the
comments
I
put
in
there
too
is:
can
we
look
at
some
of
this
stuff
through
the
left
of
the
executive
order
and
start
pulling
things
out
that
we
can?
You
know
discreetly
grab
his
chunks
and
and
have
people
actually
start
going
to
work
on,
so
we
can
show
some
momentum
of
like
hey.
A
We
see
this
thing,
we're
going
to
go,
tackle
it
and
drive
towards
it,
and
but
we
can
have
that
discussion
at
the
end
and
I
see
kate
has
joined
us.
C
I
have
I'm
very
sorry
about
that.
I
was
I
I've
been
a
little
swamped
with
things
things
executive
order
lately,
so
anyway,
yeah-
and
maybe
that's-
is
that
what
we
want
to
kick
off
with.
A
C
Sure
let
me
share
my
screen.
I
had
put
together
a
document
earlier
that.
C
I
think
it's
a
good
framework
for
this,
and
so
this
is
what
I
did
the
night
that
the
executive
order
came
out,
which
is
I
sat
down
with
it
and
you
know,
took
all
of
the
so
the
executive
order
is
is
broad.
It
covers
more
than
just
software
supply
chain
security.
C
There
are
many
subsections
where
there
are
time
frames
for
so
a
lot
of
the
executive
order
describes
what
needs
to
be
done
or
really
what
what
information
needs
to
be
provided
or
what
action
needs
to
be
taken
within
what
time
frame.
C
So
I
took
the
subsections
I
converted,
just
for
you
know
in
my
own
head
to
a
calendar
date
for
the
days
of
the
requirement,
and
then
I
listed
the
the
initiatives
in
openssf
or
related
often
their
linux
foundation,
initiatives
that
we
that
apply
to
those
sections.
C
So
I
I
don't
we're
not
gonna
have
time
to
go
through
all
of
these
today
and
we
have
other
important
topics.
So
I
won't
describe
all
of
the
sections,
but
I
think
it
will
be
interesting
for
us,
and
this
might
have
been
what
you
were
discussing
before.
C
I
came
on
to
identify
our
working
groups,
who
have
who,
who
are
doing
work
or
creating
guidelines
or
best
practices
that
fit
within
these
different
sections
and
then
have
those
working
groups
participate
in
providing
feedback
on
behalf
of
the
this
is
something
david
wheeler
and
mike
dolan,
and
I
have
been
discussing
offline.
C
We
think
we
might
want
to
have
there
be
an
linux
foundation
response.
You
know
that
crosses
all
linx
foundation
members
and
then
in
the
open,
ssf
we'll
provide
input
to
that
broader
linux
foundation
response
so-
and
this
is
this-
is
we're
still
working
through
the
details
of
this
so
we'll
provide
more
information.
You
know
back
to
the
tech
and
to
the
working
groups
as
we
think
about
how
we
want
to
organize
and
coordinate
the.
I
guess
the
last
thing
I'll
say,
and
then
let
me
open
for
discussion.
C
The
I
think
the
primary
of
our
working
groups
that
will
be
involved
are
best
practices.
There
are
several
places
where
they
talk
about
best
practices,
so
they'll
be
best
practice.
Actually,
I
think
all
of
our
working
groups
are
involved
at
some
point
in
here.
C
I
went
through
and
identified
some
I
said,
maybe
best
practices
for
this
first
part
about
best
practices,
security,
metrics
might
fit
in
here
as
well.
There's
one
of
our
this
one,
I
also
said,
was
best
practices.
I
think
the
entoto
project
will
be
interesting
to
provide
feedback
and
be
involved
in
these
as
well
as
spdx.
C
There
was
there's
one
of
these
that
deals
specifically
with
identifying
the
most
critical
software,
and
then
the
requirements
that
are
developed
will
apply
to
the
most
critical
software
first,
and
so
that's
an
area
where
our
securing
critical
projects
working
group
can
be
involved
and,
let's
see,
there's
another
one
where
we
talk
about
what
the
levels
for
the
you
know.
C
I'm
forgetting
the
details
of
this,
so
I
won't
go
into
it
anyway,
so
so
that's
kind
of
how
it
how
it
looks.
I
can
drop
this
document
into
the
chat
window.
Folks
can
look
at
it.
We
can,
you
know,
use
it
as
a
reference,
and
we
can
you
know
as
we
go
forward,
we
can
identify
exactly
which
working
groups
are
working
on
which
things
so
so
that's
what
I
have
right
now
on
the
white
house
executive
order.
I
think
it's.
C
I
think
it's
super
exciting
for
us,
as
the
open
ssf
to
think
about
participating
in
this
driving
it
and
as
the
requirements
are
defined,
creating
new
projects
inside
of
the
open,
ssf
or
having
our
communities
inside
of
the
open.
Ssf
drive
some
of
the
requirements
forward
so
that
we
have
a
sort
of
a
consistent
we're
providing
feedback
and
we're
you
know
taking
the
requirements
that
are
that
become
defined
and
we're
moving
the
the
open
source
ecosystem
forward
on
those
requirements.
C
I
I
think
that
those
right
I
was
just
saying
you
know,
as
I
was
looking
through
these,
I
was
just
identifying.
You
know
where,
in
the
really
the
brighter
linux
foundation,
ecosystem,
yeah.
B
C
D
C
Yeah,
don't
please
don't
take
anything.
I
wrote
this
like
set
in
stone.
I
I
I
was
just
you
know.
This
was
me
on
the
night
of
the
executive
order,
saying,
okay,
you
know
of
the
initiatives
that
I
know
of
you
know,
which
ones
do
I
think
are
you
know
play
in
here
so.
A
That
out,
I
think,
is
definitely
a
useful
exercise,
and
I
I
think
this
is
great
and
it
aligned
kind
of
like
what
we
were
talking
about
right
before
you
come
on
k
was
that
when
we
get
to
the
discussion
around
roadmap
and
all
that
stuff
pulling
out
the
new
ideas
that
we
have
as
it
might
pertain
to
the
executive
order
and
areas
of
work
that
we
should
go
focus
on
would
dovetail
nicely
with
this
document
that
you've
created.
So
I
think
that
would
be
a
worthwhile
exercise.
C
I
I
agree
with
that
ryan.
I
I
feel
like
the
executive
order,
can
be
a
great
forcing
function
for
us,
because
there
are
a
bunch
of
dates.
You
know
in
timelines
and
we
can.
We
can
organize
ourselves
around
that
and
that's
that's
good
for
us.
It's
focusing
inside
of
open
ssf,
and
it's
also,
you
know
good
for
the
community
as
a
whole,
especially
when
we
talk
about
supply
chain
security,
we
need
everyone
moving
in
the
same
direction.
C
It's
really
quite
a
challenge
and
if
we're
we're
supporting
government
requirements
and
we're
using
that
to
drive
new
work
internally,
you
know
it's
really
a
a
win-win
situation.
I
believe
yep.
A
Definitely
agree
now
I
kind
of
wish
we'd
save
this
and
done
it
right
before
we're
gonna
talk
about
the
the
road
map,
but,
okay,
everybody
push
push
pause.
A
D
E
E
My
mute,
yep,
okay,
yep
cool,
all
right,
so
ryan,
and
I
were
talking
about
diversity
and
inclusion
and
talking
about
it
from
the
perspective
of
open
source
governance.
So
what
what
I
wanted
to
talk
about
today?
What
we
wanted
to
talk
about
today
was
was
less
about,
like
here's
a
talk
about
why
dni
is
good
or
here's,
some
individual
best
practices
and
more
about
from
the
perspective
of
us
as
a
governance
organization
for
open
source.
E
What
are
approaches
that
we
should
do
with
within
the
the
practices
that
we
have
and,
of
course
the
the
the
overall
goal
of
this
is
that
we
build
a
vibrant
and
and
strong
community,
which
is
really
the
strength
of
any
open
source
project
and
the
way
that
I
like
to
think
about
diversity
and
inclusion
is
kind
of
the
same
with
security
that
a
lot
of
the
things
like
the
good
hygiene
that
you
do
to
arrive
at
a
secure
project
by
like
having
good
quality
assurance,
good
review
practices,
all
those
things
that
don't
directly
go
to
security,
end
up
arriving
at
a
more
secure
project.
E
We
hear,
I
think,
dni
a
lot
with
within
companies,
I'm
starting
to
hear
diversity,
equity
and
inclusion
more
often
too.
So.
I've
got
civility
on
here,
because
that's
the
term
that
I
learned
in
open
source
and
that
just
purely
stems
from
the
kind
of
behaviors
they're
a
little
different
in
an
online
community
versus
what
we
might
experience
within
our
companies,
so
it's
kind
of
necessary
to
highlight
that
that
human
interaction
portion
of
it
that
that
behaves
a
little
differently,
sometimes
in
online
communities.
E
The
idea
of
this,
of
course,
is
that
you
know
somebody
you
can
you
can
kind
of
jump
in
on
this
this
cycle
at
any
point.
So
if
somebody
were
to
show
up
in
one
of
our
working
group
meetings
or
to
show
up
in
a
project
to
make
a
pr
or
even
show
up
in
this
meeting
if
they
feel
like
it's
an
inclusive
environment,
they're
more
likely
to
hang
around
if
they
hang
around-
that
in
turn
improves
the
diversity
of
our
organization
and
then
just
the
way
that
humans
behave.
E
If
you
show
up-
and
you
see
that
there's
a
lot
of
different
kinds
of
people
around-
you
you're-
actually
sort
of
more
inclined
to
behave
in
a
professional
way,
so
you're
going
to
behave
more
civilly
and
then
so
when
the
next
person
shows
up-
and
they
see
that
all
right
everybody
is-
is
being
respectful
of
each
other's
ideas.
E
Then
they
hang
around
and
we
kind
of
go
back
around
the
circle
again
so
from
an
open
source
perspective.
We
want
to.
We
want
this,
this
good
virtuous
cycle
so
that
we
grow
the
community
but
again
from
a
like
a
governance
body
perspective.
What
do
we
do
about
that
and
I
think
in
any
open
source
problem,
one
of
the
best
things
to
do
is
to
go
and
see
what
we
can
steal
from
other
open
source
projects
or
fork
from
other
open
source
projects,
depending
on
which
words
you
like.
E
So
this
is
an
eye
chart
this.
This
one
isn't
meant
to
be
read
through
during
the
meeting.
I've
got
a
slide
after
this
well
I'll
make
some
generalizations,
but
the
idea
of
of
some
of
the
notes
that
I
started
to
take
on
this
slide
were:
let's
go,
look
at
other
successful,
open
source
organizations
and
see
what
they're
doing
for
diversity
and
inclusion
and
see
if
there's
things
or
themes
or
best
practices
that
we
could
bring
into
the
open
ssf.
E
The
ones
that
I
will
pull
out
from
here
that
are
a
little
bit
different.
Are
we've
got
these
sister
organizations
at
the
linux
foundation
so
at
the
foundation
level
itself,
the
the
lf
has
some
well-established
best
practices
like
when,
when,
when
you
run
a
conference
through
the
linux
foundation,
there's
a
lot
of
infrastructure
that
the
lf
brings
to
get
that
going,
including
how
to
get
diverse
speakers.
Good
representation
within
the
conference.
E
A
lot
of
good
practices
around
that
and
then
there's
also
trainings,
that
we
might
want
to
harvest
and
make
use
of
and
more
about
that
in
a
little
bit.
E
The
chaos
project
has
come
up
recently
in
at
least
chatter
and
or
has
the
chat
or
the
mailing
list,
but
that
project
overall
looks
at
metrics
for
open
source
and
one
of
the
first
areas
of
metrics
that
they
looked
at
was
diversity
and
inclusion.
E
So
there's
things
to
be
learned
from
from
what
they
have
researched
and
their
ongoing
practice
of
trying
to
figure
out
how
to
do
some
of
those
metrics
and
that
maybe
is
even
more
important
to
to
intersect
with
them.
Given
this,
this
potential
overlap
with
the
risk
assessments
that
they're
doing
now
that
that
kind
of
overlap
with
with
our
metrics
projects
and
then
at
the
beginning
of
this
year
there
was
a
project
created
called
sddi,
which
I
internalized
as
a
sort
of
a
parent
organization
over
other
dni
efforts
at
the
lf.
E
It's
a
relatively
new
organization
and
when
I
checked
in
with
them
gosh
it's
been
maybe
a
month
now,
they're
still
sort
of
getting
their
legs
underneath
them,
but
I
think
going
forward
that
that,
like
the
chaos
project,
might
be
one
to
intersect
with
to
to
learn
from
and
exchange
ideas
with
now,
if
we
move
along
to
a
subset
of
some
of
those
projects
that
I
had
listed
and
we
look
across
them,
you
know
what
are
what
are
themes
that
we
we
could
apply
in
governance
on
the
left
side
of
the
slide.
E
There
there's
kinds
of
project
kinds
of
projects
that
are
really
governed
by
a
corporation
of
sorts.
You
know
there's
some
sort
of
business
that
can
operate
like
the
hr
bodies
that
we
have
in
in
in
the
companies
that
we
work
for
so
they
can
do
direct
action
on
on
hiring
and
other
processes
and
then,
as
sort
of
a
second
degree
of
that
they've
got
the
the
community
policies
and
then
more
horizontally,
going
through
hyper
ledger
and
cloud
foundry
out
to
python.
E
You've
got
different
degrees
of
more
community
oriented
projects
that
don't
necessarily
have
that
direct
direct
governance
of
a
corporation
behind
them,
and
the
generalization
that
I
make
there
for
us
to
think
about
is
that
on
the
left
side
of
that
you've
got
projects
that
have
sort
of
outsourced.
The
dna
effort
into
a
working
group,
so
you've
got
people
whose
day
job
so
to
speak,
is
to
think
about
what
do
we
do
for
diversity
and
inclusion
in
this
organization
and
the
rest
of
the
open
source
organization
and
out
towards
the
right
side
of
the
spectrum.
E
They've
made
a
different
decision,
which
is
to
say,
like
well
there's
some
portion
of
dni
that
fits
into
every
part
of
the
structure
that
we've
built
and
the
trade-offs
there
are
on
the
positive
side
of
having
a
like
a
working
group
focused
on
it
is
you
have
people
who
are
responsible
for
it?
E
They
feel
like
that's
their
charter,
so
there's
always
somebody
working
on
it
on
the
downside
of
that
is
it
can
be
sort
of
pigeon
holed,
so
it's
happening
over
in
some
other
part
of
the
organization
and
that's
not
well
integrated
with
the
rest
of
what's
going
on
and
then
sort
of
the
opposite.
That
is
true
for
the
other
way
around.
So
it's
good
if
it's
integrated
everywhere,
but
if
it's
nobody's
day
job
then
sometimes
it's
nobody's
job
at
all.
E
If
we
look
at
what
would
that
look
like
what
would
any
of
those
approaches?
Look
like
for
the
openssf,
so
here's
sort
of
a
sketch
of
of
what
we
look
like
so
we've
got
the
tac.
We've
got
the
governing
board,
we've
got
working
groups
and
projects,
and
then
member
companies
kind
of
off
to
the
side.
There
aren't
a
formal
part
of
the
governance
directly,
but
they
you
know
they
plug
into
the
governing
board.
They
plug
into
the
tac.
They
plug
into
the
projects
and
working
groups.
E
Traditional
roles
that
you
would
ascribe
to
each
one
of
those
structures
are
that
the
the
governing
board-
perhaps
most
importantly,
would
be
the
one
responsible
for
for
having
some
sort
of
mandate,
and
this
is
a
good
best
practice
in
in
even
corporate
organizations
that,
if
you've
got
a
top-down,
a
top-down
mandate
for
diversity
and
inclusion,
that's
a
lot
more
likely
to
be
successful
than
sort
of
a
bottoms-up
approach,
and
even
though
I
think
in
our
own
experiences
in
our
companies,
we
know
that
if
we
get
some
edict
that
comes
down
from
on
top
we're
not
necessarily
going
to
we're,
not
necessarily
going
to
do
that.
E
I
think
you
can
still
imagine
that
when,
when
the
leadership
of
an
organization
says
something's
important,
that's
more
likely
to
be
effective
than
otherwise
so
for
our
role
as
the
tech.
Typically,
it's
it's
about
chartering
things
setting
up
certain
evolutionary
rules
for
the
for
the
life
cycle.
You
know
something
we've
already
done.
E
The
the
working
groups
might
be
one
of
the
first
places
that
people
encounter
what
we
do
and
so
for
them
to
be
welcoming
and
inclusive.
That's
sort
of
like
the
the
first
entry
point,
the
first
point
where
something
could
go
good
or
could
go
bad
and
then
the
the
projects
you
know
typical
for
the
projects
is
just
hey.
E
Then
again,
kind
of
off
to
the
side
are
the
member
companies,
and
so
each
of
us
probably
comes
from
a
company,
whether
it's
it's
formerly
a
member
company
or
not,
and
we
bring
in
resources
so
we're
bringing
our
own
time
as
contributors
we're
bringing
our
our
colleagues
over.
So
you
know,
headcount
is
probably
the
most
valuable
resource,
so
thinking
about
what
is
it
that
we
do
for
our
own
companies
for
dni?
What
does
that
bring
into
openssf?
What
are
the
opportunities
there.
E
So,
since
you
know
we
are
the
tack
here,
we
probably
want
to
zoom
in
on
on
that
tack
bubble.
We
want
to
be
cognizant
of
what
what
the
other
things
do.
So
we
we
influence
the
working
groups
and
the
projects
and
there's
there's
some
sort
of
interaction,
then,
with
the
governing
board,
but
zooming
in
on
on
our
role
in
attack.
It's
mostly
about
what
can
we
do
with
the
working
groups
and
the
projects,
and
so
when
I
was
thinking
about
this,
I
think
of
governance.
E
As
as
a
particularly
from
attack
perspective
is
we
maybe
have
three
kinds
of
tools
we
can
make
requirements
of
the
projects?
Hey.
You
have
to
do
this.
This
is
a
policy
we
can
make
recommendations,
so
you
know
pick
one
of
these
things.
Here's
something
that
we
think
is
good
for
you
to
adopt,
or
we
can
provide
resources
to
them.
You
know
here's
funding
to
do
something.
Here's
a
training
course
which
you
can
get
for
free
and
so
on
and
so
forth.
E
E
I
think
the
spirit
of
most
open
source
organizations
and
what
we've
been
doing
so
far,
is
that
we
want
to
be
very
light-handed
on
the
requirements
and,
to
the
degree
possible,
do
facilitation.
So
we
want
to
enable
the
projects
to
be
successful.
The
working
groups
to
be
successful,
so
what
kind
of
resources
can
we
bring
to
them?
E
So
as
we're
thinking
about
what
kind
of
things
that
we
can
bring,
maybe
we
want
to
think
a
little
bit
more
lopsided
on
what
resources
we
provide
versus
what
kind
of
requirements
that
we
want
to
enforce.
E
Okay,
so
it's
been
so.
I
set
this
project
this
presentation
up
for
giving
a
couple
weeks
ago
and
at
that
time,
when
I
went
and
looked
at
the
the
the
code
of
conduct
situation,
these
were
the
some
of
the
observations
that
I
had
made,
but
this
less
about
the
coc
and
more
about
here's
just
some
examples
to
get
us
going.
E
So
we
probably
want
to
require
a
code
of
conduct.
I'm
not
100
sure
if
that
is
something
that
we
require
right
now
of
of
the
projects,
it's
in
the
template
that
we
were
kind
of
using
and
kind
of,
not
using
if
we
were
going
to
require
one
or
if
we
were
going
to
recommend
one.
This
contributor
covenant
2.0
is
pretty
common.
I
found
across
the
the
different
open
source
projects
that
I
surveyed
and
then
an
example
of
a
resource
that
we
would
offer
to
facilitate.
E
That
is
usually
these
code
of
conducts
have
have
some
sort
of
reporting
channel
behind
them.
So
the
main
goal
of
the
coc
is
people
show
up
and
they
say
oh
there's
rules
to
behave
here.
I
need
to
behave
like
a
decent
human
and
then
things
generally
go
well,
but
when
things
don't
go
well,
one
of
the
enforcement
mechanisms
that
you
have
in
a
code
of
conduct
is
that
there
is
some
sort
of
reporting
or
escalation
channel.
E
When
I
looked
at
what
the
projects
had
and
this
again
this
was
two
or
three
weeks
ago.
I
didn't
see
a
way
to
actually
get
help
if
you
needed
help.
So
the
the
like
the
enter
email
address
here
thing
was
was
not
filled
in
for
for
any
of
the
projects
or
working
groups.
C
Hey
dan
yeah,
so
we
did
do
and
you
might
be
aware
of
this.
So
at
the
open
ssf
level
we
did
adopt
a
code
of
conduct
which
is
based
on
the
contributor
covenant
to
version
two
and
we
do
have
for
openssf.
C
C
Yeah
yeah,
so
we
did
and
we
at
the
governing
board
level.
We
voted
on
the
code
of
conduct
and
and
set
these
things
in
place,
but
fairly
recently.
We
just,
I
think
we
just
formalized
it
at
the
end
of
april,
so
so
so
we
have
that
that
we
can
have
the
you
know.
If
we
want
to
do
it
that
way,
we
can
have
recommend
or
require.
C
However,
we
want
to
do
that
that
the
working
groups
adopt
the
community
code
of
conduct
and
follow
what's
listed
there
for
escalations
great.
F
E
And
then
another
follow-on
action,
then
for
the
the
working
groups
or
the
projects
are
to
either
include
that
directly
in
their
repos,
we're
to
provide
a
link.
If
this
is
listed
out
on,
like
our
web
page
or
wherever
it's
listed.
E
But
so
again,
the
main
reason
I
have
this
listed
here
is
just
here's
some
examples
of
how
to
think
about
requirements,
recommendations
and
resources.
So
I
thought
we
could
do
a
little
bit
of
brainstorming
here.
You
know
what
are
some
other
things
that
we
would
want
to
be
able
to
facilitate
for
the
working
groups
and
projects.
A
Maybe
so
I
actually
was
going
to
ask
real
quick,
so
this
conversation
I
thought
was-
is
very
interesting.
First
off,
thank
you
for
putting
this
together
and
then
just
kind
of
going
through
this,
and
you
obviously
like
were
looking
for
this
and
didn't
find
it
and
then
kate
chimes
in
and
says.
Oh,
we
have
this
already.
It's
like!
Okay,
great!
A
So
if
you
know
let's
say
there,
we
do
have
somebody
that's
participating
in
a
working
group
and
that
there
is
a
concern
like
how
do
we
get
this
information
to
them
so
that
it's
obvious
like?
Are
we
gonna,
go
make
them
read
the
charters
and
all
you
know
wherever
to
go
find
this.
I
think,
maybe
step.
One
here
is
to
just
define
common
ways
that
each
repo
each
working
group,
each
whatever
has
this
information
in
a
in
a
common
area.
A
B
I
I
will
quickly
note
that
ci
best
practices
badge
which
does
predate
this
group
does
have
a
code
of
contact
and
it
describes
how
to
ra
how
to
raise
up
issues
if
they
are
if
they
need
to
be
raised.
So
there's
at
least
one
project
that
has
one
that's
great.
We're.
E
So
what
I've
seen
conventionally
is
that
when
you
go
to
most
repos
they've
got
they've
got
a
readme.
They've
got
a
code
of
conduct,
they
might
have
like
a
contributing.md,
but
but
usually
either
within
the
contributing
or
the
or
separately.
There's
a
code
of
conduct
listed
and
then
within
that
code
of
conduct
file
is
the.
E
So
either
either
more
along
those
lines
with
with
the
code
of
conduct
or,
if
you
think,
about
other
open
source
organizations
that
you
participate
in.
You
know
what
are
some
of
the
things
that
have
been
structured
for
you.
It
might
be
something
hey
we
had
to
do
this
in
another
project.
It
was
useful
or
hey.
We
got
access
to
this
kind
of
resource.
We
don't
have
that
in
openssf,
and
that
would
be.
C
C
Yeah,
I
I
think
it
makes
it
a
ton
of
sense
to
maybe
think
about
two
places
where
we
re
request
this
of
the
working
groups
or
projects
inside
of
openssf.
C
One
is,
I
think
it
wouldn't
hurt
to
have
it
be
part
of
our
readme
template,
so
that
it's
right
there
front
and
center
on
the
kind
of
the
landing
page
for
project
center
for
working
groups
and
projects,
and
then,
like
you
were
just
saying
dan,
you
know,
require
certain
documents
be
in
the
repository.
E
E
It's
just
a
little
hint,
so
we'll
just
be
more
overt.
It's
it's
hard
to
think
of
these
things
on
the
spot
and
part
of
the
point
of
this
meeting
is
to
start
thinking
outside
of
outside
of
this
particular
meeting.
As
we
go
out
into
you
know,
back
back
into
what
we're
doing
in
the
projects
be,
you
know
just
sort
of
start
thinking
about
in
the
other
areas
where
you're
working.
What
are
what
other
other
good
things?
Can
you
harvest
from
those
experiences?
E
So
something
else
that
we've
got
noted
here
is
the
the
linux
foundation
has
an
inclusive
speaker
course.
They
also
have
a
inclusive,
open
source.
It's
like
intro
to
inclusive,
open
source.
I've
got
the
exact
title
on
on
one
of
the
following
slides,
but
those
are
just
good
trainings
to
that.
I
think
everybody
benefits
from
to
be
aware
of
oh
hey
when,
when
a
pull
request
comes
in,
there's
actually
been
shown
to
be
a
bias
for
a
look
at
somebody
who
has
a
male
name
instead
of
a
female
name.
E
So
there's
a
lot
of
good
practices
there
that
we
can
get
from
the
training
that's
already
out
there.
So
at
the
cncf
they
require
this
of
certain
positions
same
for
the
ccc,
the
the
confidential
compute
consortium.
Anybody
who's
on
the
board.
Boarder
has
sort
of
an
officer
position
there.
They
they
require
those
trainings.
E
I
would
think
for
for
our
contributors
that
are
part
of
our
community.
It
might
feel
kind
of
heavy-handed
to
require
that
they
take
this
free
training,
but
we
could
think
about.
Do
we
want
to
have
the
leaders
of
our
working
groups
represent
this
behavior?
Do
we
just
want
to
make
them
aware
of
it?
Like
hey?
Here's,
a
link
to
some
training
do
with
it,
as
as
you
will.
C
I
at
least
at
the
governing
board
level,
I
would
say
I
think,
requiring
some
training
is
not
a
is
not
a
bad
thing
and
I
would
I'm
not
on
the
tax.
So
I'm
not
speaking
for
the
tax,
but
you
know
just
as
a
member
of
the
community.
I
I
like
the
idea
of
having
there
be
some
requirements
around
training
for
our
leadership
roles
and
then
recommendations
for,
for
others.
A
Yeah,
I'm
not
opposed
to
that
either.
I
I
can
definitely
see
the
the
use
of
it
for
particularly
for
folks
in
in
a
leadership
role
like
either
the
attack
or
the
governing
board
right.
So
at
least
because
if
we
have
these
escalation
paths,
I
would
hope
that
we're
escalating
to
people
that
know
how
to
properly
handle
it.
E
And
I
think
what
I've
come
across
in
general
is:
most
people
want
to
help
help
with
with
diversity
and
inclusion,
they're
just
kind
of
looking
for
ways,
so
the
more
that
we
can
provide
them
with
hey
here's
things
that
you
can
do
that's
a
lot,
what
better
way
to
empower
them
to
do
what
they
already
want
to
do
as
opposed
to
saying
hey,
you
have
to
do
this
and
then
it's
sort
of
it.
E
So
I've
got
a
bunch
of
other
things
listed
that
I'll
circulate
these
slides
so
that
you
have
them
offline.
I
want
to
read
through
all
of
these,
but
when
it
comes
to
being
somebody
who's,
who's
involved
in
a
project
or
or
to
some
degree
with
a
working
group,
there's
a
lot
of
just
sort
of
this.
Is
this
good
hygiene
about
running
a
project
that
I
let
off
with
it?
So
when
somebody
shows
up
for
the
first
time,
do
they
feel
welcome
they
submitted
a
pr?
E
Are
we
deciding
things
in
in
sort
of
cloistered
environments,
so,
like
dan
lawrence
had
commented
on
the
the
private
tax
list
versus
the
public
tax
list?
So
there's
there's
just
a
list
of
things
here.
This
is
not
a
complete
list,
but
it's
it's
probably
more
than
enough
to
to
chew
on
over
over
a
day
and
then
also
here's
just
a
list
of
of
other
resources.
So
thinking
again
about
those
three
places
where
we
could
require
things
or
recommend
them
or
offer
resources,
here's
just
a
list
of
stuff.
E
So
there's
the
two
training
classes
listed
at
the
top,
something
that
we
didn't
talk
about
yet
is
if
we
have
guest
speakers,
come
in
the
two
examples
that
I
have
listed
there
happen
to
actually
be
guest
speakers
that
focused
on
diversity
topics,
so
we
could
definitely
have
those
come
into
the
attack
or
into
a
working
group
as
appropriate,
but
I
think
there's
also
been
an
interest
in
the
past
about
hey.
E
Can
we
get
a
technical
speaker
on
some
new
topic,
so
david
had
facilitated
in
the
past
discussion
about
securing
the
the
supply
chain,
some
of
the
the
technical
approaches
to
that.
So,
if
we
had
other
technical
speakers
come
in,
can
we
source
people
that
are
representative
of
the
full
diversity
of
the
technical
community?
E
It's
a
way
to
kind
of
you
know,
kill
two
birds
with
one
stone.
E
Other
things
to
think
about
most
a
lot
of
our
companies,
so
you
know
we've
got
great
representation
here
from
microsoft
and
google.
You
both
have
these
inclusive
writing
guides.
I
think
most
projects
have
moved
away
from
having.
E
Like
a
master
branch
to
a
main
branch,
moved
away
from
having
blacklist
whitelist
to
allow
and
deny
lists,
so
those
are
all
good
things
to
do,
and
and
there's
already
guidance
out
there
in
the
community
about
different
ways
to
adopt
those-
and
I
won't
read
the
through
the
the
rest
of
these,
but
again
more
more
resources
for
you
to
to
chew
about
or
to
chew,
on
digest,
running
out
of
useful
words,
and
then
we
can
kind
of
wind
up
on
this
slide.
E
E
Do
we
want
to
set
up
a
separate
set
of
enthusiasts
in
a
working
group
to
do
that?
So
we
could
just
have
maybe
a
couple
minutes
of
discussion
now
with
people's
first
reactions
to
how
we
would
like
to
move
forward
with
with
dni.
A
Yeah
so
I'll
say
first
off
again,
you
know,
thank
you
so
much
for
doing
this,
I'm
just
kind
of
looking
at
the
clock,
real,
quick
and
so
we've
only
got
15
minutes
left.
We
do
have
another
big
topic,
but
I
don't
want
to
cut
this
short.
So
I
think
maybe
what
the
next
step
would
be
is
what
do
folks
think
of
like.
A
Could
we
create
an
issue
on
on
the
repo
that
we
can
actually
have
a
discussion
on
there
that
we
could
then
use
to
then
facilitate
talking
about
this
again
in
the
next
meeting,
because
I
think
there's
some
great
ideas
here
and
I
think
there's
a
lot
of
opportunity
for
us
to
to
do
things
at
the
governing
board
level
at
the
tac
level
and
at
the
working
group
level,
and
how
do
we
want
to
do?
That
was
like
what
you
were
just
saying.
A
If
we
can
kind
of
work
on
those
things
offline
and
then
we
can
come
back
and
discuss
them
and
people
can
present
their
ideas.
I
think
that
might
be
a
efficient
way
for
us
to
help
drive
this
forward,
because
I
do
think
that
this
is
very,
very
important
to
do
so.
C
It
just
quickly
I'll
I'll
agree
and
at
the
governing
board
level
we
had
also
talked
about
maybe
having
a
committee
that
was
focused
on
these
same
things.
So
you
know
and
I'm
not
sure
that
it
matters
whether
it's
the
committees
at
the
tax
level
or
the
gp
level
or
a
joint
committee
with
all
those,
but
that
I
think
it's
interesting
and
I
personally
would
be
happy
to
be
involved.
So.
A
Yeah,
I
agree
that
I
think
that
there
are
different
slices
of
this
across
depending
on
the
governing
border
attack.
It
should,
I
don't
think
it's
one
or
the
other
there's
different
perspectives,
but
yeah
coordinating
across
everything,
I
think,
will
be
key
to
making
this
successful,
but
before
we
wrap
up
and
again
dan,
I
apologize
that
we're
running
tight
on
time.
A
E
Okay,
cool
well
thanks
for
everybody's
attention
on
that,
and
I
think
we
we
did
fit
into
the
30
minutes
that
I
asked
for
so
I
think
we're
doing
good.
A
So
dan,
do
you
want
to
create
a
issue
on
the
on
our
tack,
repo,
just
to
start
a
discussion?
As
you
know,
what
our
ideas
incorporate
within
openssf
or
dci.
E
Yeah,
let
me
think
about
what's
because
there's
there's
there's
multiple
open-ended
questions
in
what
I
had
there.
So
let
me
think
about
what
can
what
makes
sense
to
put
into
an
individual
issue.
A
A
B
But
okay
how's
this:
why
don't
you
try
fight
the
computer
and
and
I'll
I'll
talk
to
and
try
to
stall
for
you?
Okay.
Thank
you.
Thank.
F
B
So I mean, we've already said that we would start working on this, but between then and now the EO came out. I'm getting a lot of pressure that we really, that basically we need, we, OpenSSF, need to hurry up, make decisions, declare what specific projects we're going to work on soon, because the train is leaving the station, and if the OpenSSF does not declare a whole bunch more projects soon, no one will care, that's gone. So I think this needs...

B
You know, this is starting to become existential, where we need to move a number of projects that we have before a number of working groups right now. I totally get it, they're working, kind of, you know, getting moving and started, but I think, you know, the OpenSSF membership decides what it's going to do, but I'm getting a lot of indications that the decisions need to be made.

B
So that's, have I stalled adequately for you? But although it's still, although I stalled, I think this is important. If we want to get stuff done, we've got to declare, and Dan made the very good point about, hey, what about funding and so on, and we need people, all agreed. I think there's actually opportunity for some funding if there was some declaration that, hey, this is really important, we need to start this now, but without an identification of what's important and a request, nothing happens.

C
And to add on to what David said, in our budget committee, we are, what we need. So, you know, a key outcome of this discussion is we want the projects we identify to go back to our budget committee, and then that becomes what we position to our community as: we want you to contribute funds to OpenSSF, and here's what your money will go towards.

B
You know what, I'm looking at the time: there's only 10 minutes, okay, so we've run out of time to do any serious work on this. Ryan, can I, you guys need to decide what you're going to do, but I would propose that you kick off another meeting much sooner. I mean, basically, the decisions and so on, and raising up and proposing that these final calls need to happen at least, well, final, these initial set needs to happen pretty fast.

B
If we wait for further TAC meetings and kick this can down the road, there will be no can.
A
Yeah, I agree with you, actually, because we started this, or restarted this, I should say, over a month ago now, you know, and having these every two weeks, you know, useful for some things, but I agree, in this sense it's a little bit more urgent. So I think what I'd like to do is get agreement right now about how best to proceed on this that folks are comfortable with, and then, yes, let's reschedule another meeting to explicitly go over it.

A
What I was thinking, you know, I mentioned earlier as a comment in this document I put: can we look at this wish list through the lens of the executive order and start pulling things out related to the EO and supply chain security in general, and really start putting those into a table of some sort? I don't know if we want to do that in this document, just to keep it all together, like put that table at the top.

A
That then links down to the specific details, and we kind of use that to facilitate the discussion. What are folks' preferences as far as, you know, how we want to actually...

B
C
I was going to volunteer a time that we could use for ongoing meetings. I do have a planning committee meeting that runs every Monday at 10 a.m., and so, and this is, you know, the kind of thing that I had thought we might discuss there. So I'd be happy to use that time for it. But, you know, just an opportunity. Back to you, David.

B
I was just going to say that, so every Monday, yeah. I would suggest not making a separate table, because I think this document's going to keep getting edited, so I want to just add as comments or write in the document itself, and that way, as you edit it, because if we have a separate table and this, they're gonna go out of sync, we don't have time for that.
A
B
Well, I think the correct, the document's a working document, the correct result would be: here's the new document, here's a list of five things we're going to do, or whatever the number is, and then you can link that to the EO and so on. But I think the purpose of this document is much more the helping people make decisions, and then, when you make a decision, you can make a nice clean doc, but we need decisions soon.

B
If you're willing to do it, awesome, but I would suggest that, given limited time, I mean seriously, I think we're, you know, how many days is it before we have decisions and announce it and go on? I mean, this is gonna run off, and very, very soon they're gonna decide what they're gonna do, who's gonna do it, and what things will be excluded, yeah? No, that's, it's a really excellent point. So they're going to unintentionally exclude a lot of things if we don't declare and make it clear to them.

F
Specific, like what decisions you think we need to make, is it funding, or is it people, or what is it? We can't do things, so I agree. It's a fundamental problem to me. Well...

B
That's right, yeah! Well, it's all, here's a project that we intend to do if you can get some funding for us, but we need funding here. I think there is. I mean, I can't speak for the governing board, and although I work for the Linux Foundation, I can't speak for their funding, but I think there is at least some interest.

F
So Amir's here. Amir has submitted a proposal repeatedly over the last several months. Can I suggest we start with him? Yeah.
G
I, thank you so much, Dan. I was hoping to just pop in for a couple minutes, and first off, thank you all for mentioning the program at the town hall, and, you know, the awareness is such a key factor, but I just thought I would check in with everyone and see what's going on in terms of, if there are any updates on how that's going, I'd love to share just a couple of things that we've been doing.

G
We've been doing a lot of advocating regarding funding this program and telling other organizations we've worked with in the past about it and trying to get them to join OpenSSF to get on board with this program, as well as reaching out directly to some folks, but I think going through, I mean, the TAC and governing board really makes the most sense. So I'm curious if there's any updates for me on that, if there's anything I can do or any questions I can answer to help make the audit program happen.

A
I think the big question after the last, after your presentation, which I think we all liked, was, everybody supported it. It was now a question of funding, right, okay, and so, and then I see Kay just had to drop, but I think she's the right person, she's working on the part of the, excuse me, the budgeting committee from the governing board.

A
So once that gets more solid, then I think we can have that next conversation about how to fund it and how much and what, and, you know, that kind of thing, but I think that's universal, right. It's not just your program that's waiting on that, like, oh, they're waiting for that right now, but I think in my mind that's the next step, and that's exactly, I think, you know, like what David's saying, and to Dan's point as well.

A
I think if we go through this document and we identify all these initiatives, and yours is definitely one of those as well, right, and then we put those funding requests in there and we kind of do it, you know, holistically, altogether. I think that's sort of our next steps, and yours is absolutely included in that, in my mind. Let's see, yeah.

B
I was at the last budgeting committee and they had, they pulled out a, you know: hey, we've got to start with the budget, so they pulled a very generic budget of, hey, marketing this and that, but they don't have the list yet of what projects are going to get funded, and I don't miss being security audits, I mean, in general, yeah.

A
B
That's what I mean? That's not quite true, they do have some, but there aren't many. You know, the SKF and Best and badging has made some small requests. Some others have made some small requests, but we don't have a: here are the new projects we want to start up, and that...

B
...to hurry up, because, you know, very, very soon people are going to create projects and they will compete and take the air out of whatever you might have done. This...
H
Is my Linux Foundation, if you're thinking about things like, you know, putting fingers on keyboards to address issues in a top 100 list of open source projects, and we need to hire 50 contractors to go do that type of work, or we need 12 contractors to go help open source projects that everybody's dependent upon and reusing create their own SBOMs, so that all the vendors and downstream participants can take that SBOM and put it into what they need to deliver in their solutions. You know, things like that.

H
If there's budget requirements attached to that, we'll go out and try to figure out how to fundraise and get the money for that, but right now what we need to know is, what are the most important things that would help move the needle in terms of improving the state of the situation.

F
Yep, so put together a very detailed proposal on, like, 50 projects or something like this, and we're just kind of stuck at this point, so we can keep putting more of those together, but I don't think that's gonna help get things unstuck. I think Amir's asked for more money than we have completely, so without knowing what the next steps are for the proposals we already have, I'm hesitant to start throwing more proposals onto the fire.

A
Well, I would disagree, I believe we do know the next steps, right. The budgeting committee is working on that, and once they have the budget like that, those are the next steps, right, and then they can put a formal request in, and then some amount will get allocated, just like all the other projects.
A
B
We're running out of time. Kay had, I had asked if you want to use the Monday planning committee time to move forward more quickly. I can't vote, but I guess I can propose. I make a motion. Why don't we continue that discussion at that planning committee? Dan, your point about, your point's well taken, but I think right now what's needed is: here's that prioritized list.

B
Okay, there's no funding, great. What do you want? Bring that to people who can at least say yes or no. Right now no one who has money has anything to fund against. There is no list as far as they're concerned. You have a list, Amir has a list, no one who controls money has seen the list, as far as I know.

B
I think that's a discussion from, I think, basically it gets to the budget committee and then up through the governing board, maybe, but, and then, you know, but that, we're kind of stuck in there. I think there's interest, but we need to move forward. Let's see here.

G
We'll start by sharing the public list. Anyone can access that document, okay, so feel free to share that with anyone who needs it to be shared with, and I'm more than happy to do any kind of speaking or presenting in any way to talk more, to, you know, if someone needs help with, like, well, where is this money going? What is it going to do?

G
I'd be happy to help go through that with folks so that their member organizations feel comfortable with participating in the program. Okay.

B
Can I propose that we continue this discussion on the Monday planning meeting, since it looks like Kay's open to that?

A
Yes, yeah. I was going to suggest that as well, so if people want to participate in that, please email myself or David or Kay and we'll make sure that you get the invite to that, and then, if we feel like there's even more urgency, David, we can try to schedule something even later this week, if folks are available. I know times are hard, but in the meantime, yeah, let's plan on Monday and we'll continue this conversation there, continue to do the read-throughs on these.