From YouTube: OpenSSF TAC (November 1, 2022)
A: Sorry about the late start. I see a few people joining now, and I see Bob just entered the room. Maybe we can do a quick check of quorum for the TAC and begin.
B: Yeah, sure thing. I see Bob, Eva, probe, Josh, Luke, which means we're missing object and Dan, but that five is sufficient for quorum, and given that we're late, let's go ahead and get started. We've got a packed agenda today, all right. First up we have an update from the Securing Critical Projects working group, and I see Amir on. I don't know whether, Amir, I guess you're taking the lead, or Jeff; I don't know which one of you is taking the mic, but either one of you, go ahead, please.
C: Awesome, thank you, Bob. Yeah, I believe Jeff is going to share a slide that has our updates.
D: Great, yeah, so I'll try to keep this short and sweet, less than five minutes, unless there's questions; happy to answer questions. So our main effort: identify the set of about 100 most critical projects, and we have "about 100" there in air quotes, because it's not a magic number, it's just an order of magnitude. So a lot of times people get hung up on the number, like how much we're going for, but that's about the size that we're going for with this process.

That's somewhat manual, so we can't do, like, thousands, and we can do more than, like, 10. So let's do around there. So we have a process for coming up with a new list that the community has decided on, or that the working group has decided on, and this is a little bit different than our previous method, in that we're going to be trying to get more and more suggestions from outside the working group for, you know, packages or projects that we want to consider, and in order to handle all these suggestions, we're going to build a little bit of automation.

So instead of, like, a Google Form, we're going to actually use a GitHub PR, and then an action is going to run when that's merged, which will automate the data collection so that we can end up with a big, essentially, spreadsheet or CSV that shows all of the data that, as a working group, we're going to want to look at when we want to make the determination as humans.

When we look at the data, we know kind of the nuances there, like we don't put our full determination on criticality score versus download count. We want to be able to see it and make a determination as a working group on whether we think that project is critical or not, and it gets included into the set.

So this is the main process right now. The status is we're kind of blocked on getting this automation done. So this is something that kind of came up, you know, maybe in the late summer, that we wanted to use.

So that's being worked on. The criticality score tool itself, under the other efforts, needed to be updated to be run as a one-off instead of being run as a cron job on a large set. So on the status on the identify, we're working on automation.

Once it's ready we're going to be able to open it up and start getting these suggestions. Again, the criticality score has a brand new algorithm that already is in, and then more recently it's been updated to be integrated into the automation. And another project that has had updates is Allstar.

Currently we're working on getting a blog out, but we've talked to some of our users and have found the one that we're going to talk to, to be a co-author on a blog. So those are kind of the main updates on the working group. Amir, do you have anything you want to add first, or do you want to open up to questions?
C: I would just throw in one quick little tidbit. I definitely plan on going into it in more detail with the TAC and OpenSSF. We went ahead and, using that first round, that first iteration of identifying projects, we at OSTIF went through that and basically created a short list of around 50 projects that we would recommend for security audit, because they have never been audited, and factoring in, you know, all the things that we've been working on as a work group, just to serve as another data point for, you know, helping kind of hone in on the focus on certain projects that need help. So I definitely do plan on having more information on that soon for everyone, but just wanted to give a little preview on that, that there is another data point there of projects that we are recommending for security audit moving forward.

But besides that, I don't have any other updates and would love to take... I think we have a couple of minutes for questions if there are any.
B: Great, thanks. Well, over to you: any questions for Amir or Jeff?
D: So we'll take the dependency count data information from the Harvard census results as well, so I think we're looking at how to get that on at scale for the suggestions, but otherwise it'll be more of a need to, like, manually look at it as well.
E: Two questions. I'll start with one closest to what Josh said, for the criticality score: maybe I missed it, and I'm sorry if I did, I had to deal with the contractor real quick. Could you give a quick idea, a quick summary of what's different in the updated algorithm? Then the second question: you mentioned reaching out to other communities.
D: Sorry, I'm gonna kind of punt on both of those, but I will get the link. The criticality score algorithm update is pretty long, but I'll post the link in the notes. And for the reaching out, Jacques Chester is mostly kind of spearheading that, and he's not here. Do you have any answers there, Amir?
C: No, I just know that the criticality score definitely has undergone some updates, and Caleb and everyone there has done a fine job kind of fine-tuning and updating it. But I don't know exactly what the changes are. And then, regarding the second question, yeah, Jacques has definitely been helping with that, and we're just trying to leverage the work group to engage, you know, the greater open source community and folks who are interested in collaborating.
B: Awesome, all right, great. If there are no other questions, thank you both. Next on the agenda, we have Michael Scovetta with the discussion around Alpha-Omega, like how the year-end report and some specific questions you have for the TAC, so that might help you.
F: Can you hear me? I am having problems. This is Michael Winser here, but I don't hear Michael Scovetta yet, so there you go.

Hi everyone, we're Michael and Michael; we've been partnering on the Alpha-Omega project, pretty excited about today's sort of news and non-news, if you will. So Michael, why don't you move us forward and figure out what slides you put together. Right, exactly, so we had planned to be sharing the annual report with the broader audience today, but we had the delay; there's a few things that we're still putting together. I believe all the members of the TAC should have a copy of that, and we'd love to hear any feedback you have on it.

We will be pushing out the annual report once a few sort of checks have cleared and signatures have been achieved and certain things we're working on, so it should be soon; we'll give you an update. Next slide. Oh, this is the best news, Michael, you should take this one.
H: Yeah, so, so 14, so we've been trying to hire for quite a while. I'm super happy to announce that we got an accept for the security engineer. I am keeping my fingers crossed that we'll also have an accept soon for the security researcher. The engineer should start mid-November-ish, which means, particularly on the Omega side, we'll be able to move faster.

What this means is, you know, core engineering and security research to find critical vulnerabilities in critical open source at scale.

So, on the Alpha side, you know, we have five engagements with five different organizations. All these are public now. So Node has been going on for a while. Rust got their money, you know, August, I think; they've had their money for a bit. Eclipse, PSF and jQuery are all awaiting the funds, that is, I mean, while we've announced publicly that we're doing it.

The thing is PSF is just waiting on final contract signatures, but what this really means is that by the end of the calendar year, we will have spent roughly 2 million on these Alpha engagements, so I'm pretty happy, and we're really optimistic to see the results of that start to trickle in month by month, with annual reports from each of these organizations. Node's been doing it since May, I believe, and Eclipse made some early progress.

On the Omega side, I talked about this last time, but we released the toolchain. We found, I think, 11 vulnerabilities so far; I think eight of them are fixed already. We want that to be an order of magnitude or more larger once the engineer and researcher are on board. So.
F: And I think with the toolchain being released, it's open source, it's in the repo. We would love to see people (a) trying it out and then (b) contributing to it, if you have other thoughts and things. Like, you know, it's very much intended to be an open source thing, and, you know, we would like to see the toolchain start getting used in more places, even sort of as a pre-check or whatever, to see how things happen. So anyway, we're keen to have people taking a look at it.
H: Okay, so we made some process improvements, or we're planning to make some process improvements, and pretty much the rest of the deck is about, like, our future leaning, what we want to do. So real quick on the... and this is specifically about how Alpha projects are chosen, because we realize it's a little bit opaque and there's not a lot of connective tissue between the TAC and us. So we're making four, let's say, process changes here.

First, we're going to be super explicit about no self-dealing. We're not going to invest... we're not going to do VS Code, we're not going to do TensorFlow, we're not going to do any project that is essentially governed, or has a strong perception of governance, by a funder of Alpha-Omega. I think it could be obvious that that has been our intention all along. We haven't done it, but we're going to make that crystal clear. Second, we are going to inform the TAC a few weeks before any Alpha engagements going forward.

So that way we don't... we don't want you to be surprised, to learn about it, yeah.

We also want to have strategic discussions with y'all to see what's on your mind, in terms of, you know, if IoT was, like, super important to you guys, or you were seeing trends or whatever that would suggest that we should be thinking about IoT as part of Alpha.

In particular, we would like to have that in a, you know, more in a less ad hoc... And then finally, transparency on funding rationale, like when we invest in, you know... So of all the investments that we've had, you know, so Rust, Eclipse, PSF are kind of in the same bucket.

Node is kind of its own bucket, and then jQuery is definitely a different bucket, in terms of, like, a web framework as opposed to, like, a platformy kind of thing, and we think there would be value in being more transparent in why we chose those: number one, to hold us accountable, so that we're not making really silly investments, but also to explain that there is somewhat of a method to the madness in the types of projects that we choose.
F: Over to you. Perfect, yeah, so one of the things that's been great about the process so far is we've been, you know, making interesting mistakes, learning along the way and starting to figure out what works and what can work better, and, you know, we started out very much ad hoc, and I've learned that we need to operationalize things again.

Kudos and thanks to Anna from City, who's been a tremendous aid sort of operationalizing our processes around how we give money, how we accept money, how we report it, and so we really want to go from doing this by hand to having a little bit more process in place around how we do it, and to document that process for ourselves, again so that what we do can scale without sort of hand-to-hand combat at every stage. And so that's normal, I think, going from sort of, you know, early-stage startup mindset to slightly more operationalized; pretty normal stuff.

The other thing is that we're sort of thinking about, you know, as we're entering into sort of a second year, like, well, what does it mean when we fund a particular organization towards a security outcome? And we really wanted it to be sort of a process of seeding security culture, security priorities within an organization, helping it grow, and then helping it become a part of the normal business operations, right? If you think about it, a lot of these organizations have historically had... so.

So it's not that we don't want to keep sort of bootstrapping and starting these things, but at this point we're not thinking that AO becomes a sort of permanent endowment of security work across all these foundations; we think of this as sort of helping bootstrap culture change and process change and security change across the organization.
B: Yeah, I guess looking for maybe a little projection, and not trying to hold you to any certain duration here, but, like, when we say, like, shifting that over time, how long do you anticipate that being, like? Are we talking a year, two years, five years? Like, have you, in your conversations with the various foundations... I'm just kind of curious as to what their... when do they need to see value and ultimately raise that priority in terms of their overall...
F: About the timelines, I don't think we know. I mean, like, we're still at the stage of, like, we should do something like that, let's see how it goes. We certainly haven't had any of those sort of deeper conversations; we're just being very open with how we think about it.

I imagine that, you know, it's probably measured in years, but not five. You know, like, you know, I'm gonna be, like, again, I don't want to hold anybody to any sort of expectations here, for ourselves or the other organizations who we're about to go, you know, talk to, but, like, you know, year one we come in with seed capital. It basically makes it possible to even start doing things in security. Like that, year two we're here again supporting it, but we're hoping that other, you know...

Other organizations that have a vested interest in the outcome of the... I think the funding sources they already rely on are like, yep, we should help that too, and essentially more of a matching model, and then possibly layer three we'd love to reach a state of independence, but maybe it takes longer than that. So really that's about as far as we've thought through, and I want to emphasize to everybody who we are working with today and will work with in the future, we're very much open-minded here.

We want to try and figure out what the right model is, and it may well be that that's not the right model. Maybe that AO is the right funding channel for these types of things. I don't think it is.

No, but we'll see. So again, the spirit of experimentation, which is: see which works, let's see how we can effectively create, you know, more secure, you know, projects and foundations and processes across the thing through money. So that's what we're trying to do. Yeah.
H: I think, just to add to that, you know, I think the goal for this in next year is, like, show value, show the impact. Like, if we're not having the outcomes that we really desire, then it doesn't matter who's paying for it. It's the wrong approach, right? If you are having amazing results, then... and...
B: I guess the reason why I'm asking the question kind of gets back to the conversation around identity of the foundation, value proposition of what we offer to various other entities within the broader ecosystem, and, you know, kind of distilling your work after maybe next year and kind of saying, like, these are the patterns that we've seen work really well, and these are the ones that we've seen fail, and net that out. I think would be, you know, definitely of interest when we get to, you know...
F: We've talked about this in some other contexts too. It's like, you know, is this a franchisable model, right? Can we work with other industry vertical sections and... since foundations and organizations, and say: here's, you know, you may have a community of things that you care about, here's a pattern for, you know, starting from nothing, bringing some money into the conversation and then bootstrapping up across a different set of stakeholders, you know, to achieve that security outcome. So, you know, like we said, experiments; we'll see what happens. Thank you, Michael. You want to grab...
H: Your tunnel, so, so other things that are top of mind, particularly more on the Omega side, at least some of these, you know. So there are commercial tools and vendors out there that do really good work, and, you know, we should leverage those as well, where possible.

So, you know, obviously we're using CodeQL, thank you to GitHub; we're using Snyk, thank you to Snyk. You know, we want to, and we leverage OpenRefactory. We want to kind of make that more operationalized and have a playbook there that works. It's going to take a little while, because we actually need to get the folks, you know, on the ground to be doing this stuff kind of day to day, but we think there's opportunity there. Assertions for validation activities: so somebody mentioned in the chat, like, you know, where are we posting the vulnerabilities we find? Well, the vulnerabilities we find are just one end of the value, I think, that we provide.

The problem of security reviews themselves: they aren't... they're human readable, not really machine readable. Too much... we want to play around with the space and see what makes sense to provide, and we think, like, the assertion model might work, where someone can just pick up and say, what do you know about component X?

If we wanted to go after a single-developer project which was really critical to the community, what does that even look like? We can't just show up with a bag of money and say, go hire somebody. It probably wouldn't work, yeah.
F: So, like, we're super happy that the SOS.dev project has become part of the Alpha-Omega family, but we've been very light touch right now; it's really operating the same as it was before. But I think to Michael's previous question about how can we engage effectively with tiny projects: SOS.dev is doing that today. It's allowing individuals to come in and connect to any particular project they want to make a performance on, either finding and/or fixing vulnerabilities.

We want to do more of that, so we'll work with the current SOS.dev stakeholders to really bring them into the family and then see how we can sort of expand that impact and even just increase the awareness. It's not something that very many people are aware of right now. Yeah.
H: So question for the TAC: what's on top of your minds? And not putting anybody on the spot, we probably don't have time to have a big discussion on this, but we do want... we would like an answer to this question, like what are the things that you're worried about, what areas, what things are we not looking at that we should, et cetera, et cetera, okay.

So, coming soon: so the annual report will be out as soon as it's out; we're hoping sooner rather than later. We are starting to think about our 2023 plan, we're going to continue to experiment, and we have a community meeting tomorrow. Michael, we have a community meeting tomorrow morning. We welcome you there; we'll be chatting more about this stuff, and thanks everybody for the time. Any...
B: Right, thanks, Eva, all right. Next on the agenda, we have a discussion around a proposal coming from the Securing Software Repositories working group around potentially making a recommendation to the governing board to fund a help desk for MFA resets, and we have Ashley Ellis Pierce from Shopify who's going to be giving a presentation on this, so Ashley, over to you.
I: So sorry, let me go back. So I sent out an email last week with a proposal doc that has the full details for this proposal. But here I'll summarize the proposal for you, and I've also included some extra details in the presentation to address some of the feedback and questions that were raised on this proposal. And this is an initiative that Jacques Chester, who many of you may know, has been working on, and it was worked through and approved by the Securing Software Repositories working group.

But since Jacques is out of office for the next month, getting married, I'm presenting this instead. As I said, my name is Ashley Pierce, I'm a Staff Developer at Shopify on the Ruby dependency security team, where I work with Jacques on things like increasing MFA adoption in Ruby dependencies, and I'm also a maintainer of RubyGems, Ruby's software repository.

So to start out, I want to give you a little background on the why. What problem are we trying to solve? Well, I believe David Wheeler actually sent out the most recent Sonatype State of the Software Supply Chain report to the mailing list last week, where Sonatype mentions that over the last few years, the rate of attacks on software supply chains has been increasing on average 742 percent year over year, and it calls the recent addition of MFA to some of these repositories a key improvement in this area. So MFA is essential to software repository security. npm, PyPI and RubyGems have all recently made MFA mandatory for small cohorts of package authors, but MFA requires complex and risky account reset support. This is a choke point for expanding MFA policy coverage. If we require all maintainers of all packages to have MFA enabled, then we'll be increasing the number of support requests on an already overworked small group of volunteers who maintain these software repositories.

There would, of course, be some risks with creating a shared help desk. It would need to be well defended and carefully staffed. With MFA in general, social engineering of account resets is a key risk. Currently, each ecosystem has their own processes for dealing with this, with varying levels of formality.

So, with a full-time professional on board, we can invest in formalizing the reset process, with higher-effort checks, the ability to make sure it's robust for every ecosystem. And then just the fact that this help desk person has access to multiple systems would, of course, make them a high-value target for attack. We can mitigate this by making their access extremely limited, requiring MFA on their account, restricting access to particular hardware, audit logs and other countermeasures to ensure that their access is not abused.

I believe that, given the countermeasures I've just listed and the added security of having one firmly, highly vetted reset policy, as opposed to different ecosystems having their own informal, possibly less secure policies, that it is possible to do a shared help desk securely. For instance, by limiting the access of the help desk staff, it could limit the impact of a compromised help desk to just the help desk itself not being able to reset passwords, in which case we'd fall back to the same system we use now: repository volunteers would step up and resume their roles during the outage. So there are more details on the security risks and considerations within the doc. I know, based on the conversations already happening there, that how best to secure the help desk will be a topic of a lot of discussion. But I want to focus here on the fact that at this stage, we're discussing whether creating the help desk would be beneficial and should be funded, not necessarily unpacking all the details on how best to implement it.

So I mentioned funding, so let's get into some of the numbers. For consistency, these numbers were generated using the same figures that some other working groups have used when deciding how much it costs OpenSSF to hire one person. I think it's very likely that a support person will not actually have a 300K salary, but we thought it best to be consistent with other similar budget proposals. We also included some overhead and salary increases here, and the budget is done for four years.

Since those salary numbers are for one person, we then need to consider when we might need to hire more people. The two factors that would determine that are: how many requests can one person handle each week or each month, and how much will the rate of requests grow as MFA requirements are increased? Since I don't have a crystal ball, I can't know anything for sure, but I've used information from Shopify and RubyGems to get some ballpark estimates. I reached out to Shopify's account. Neither of these ecosystems currently requires all of their users to have MFA enabled, so costs will grow as they increase their MFA requirements. For RubyGems, about 15% of the user base currently has MFA enabled; if one day 50% were required to have MFA enabled, and the number of support tickets grew linearly with the number of users with MFA enabled, that would be about 70 requests per month.

If we apply that same logic to PyPI, then at 50% of accounts enabled we might expect 140 requests per month, and then you can see those numbers for 100% as well. So what we can take away from this is, at current state, we have a lot of room to add additional ecosystems or increase MFA requirements without increasing costs. If we want to both add ecosystems and up MFA requirements, we'll need to be aware that our costs will increase, as well as we might need to add additional help desk support. Again, these numbers are estimates based on the limited data that I have available, so we can't say for sure, but the takeaway here is that to keep our costs stable, we just need to take those two factors into account, ecosystem size and MFA requirements, before determining if we have room in the budget to add another ecosystem.

All right, so that was the personnel cost, and now on to the project costs. There are costs for the contract to create the help desk and then to get each ecosystem onboarded. This would vary depending on the ecosystem, as they're all going to have different difficulty levels depending on their APIs, what tools they use, etc., but these are some of the rough costs.

So if we add up the projected personnel costs and then the max estimate for onboarding five different software repositories, that will give us a total of 2.1 million to be spent over four years. And so to summarize, we're hoping to create a shared help desk to be able to unlock an increase in MFA adoption for software ecosystems, which is a necessary step to increasing the security of the software supply chain.

So with that lens, are there any questions or feedback we want to discuss? I'll open it up.
B: Yeah, there's been several comments in the chat, but before we jump into there, just one note that if we do get to the point of a vote, we have had two TAC members drop off, so Dan and chrome have had to leave. So with that, any folks that want to ask a live question? Otherwise, actually, I guess I would point you at some of the chat dialogue, maybe, to start.
E: I guess my precursor question will be: where's the best place to take the longer discussion that this chat suggests we're likely to need?
I: That's a good question. I think the Securing Software Repositories working group is a good place to take them, and then we can also, you know, follow up over email as well, if that works. Great.
I: Jumping in, I'm just gonna go through some of the questions that I see in chat. So one of the most recent ones: how is this done today? What does RubyGems do to verify that I'm not Evil Mike when I try to reset my MFA? And I believe I've seen some other questions about, yeah, how we do the resets without requiring, like, government data and stuff like that. I know every ecosystem is going to require something different.

Some of the checks that RubyGems does are a lot of making sure that they have access to certain types of accounts, like emails, GitHub accounts; some of them may have their API keys for their RubyGems account still stored on their local machines. So it is not checking a government ID. It's not how it's done currently.
F: I think my hand is up, and nobody else seems to be ahead of me, so I'll just jump in. I'm very supportive of the goal here and the intent. I think there's a real problem of operational security done in a sort of artisanal way that doesn't scale well.

I feel like trying to do this with one person on one dimension of the problem is a great way to start, but it's going to be really, like, it's not enough in some ways. I think that I would actually encourage you to think about this from a sort of slightly bigger perspective, because the overhead of having people... you need to get to more people, then there's more stuff to do, great. But actually you need an operation here.

It's not a... I don't think it'd be great to have a single person doing this. I think it needs to be part of an operation, and then there's a whole bunch of process, and, you know, like, that person's security needs to be well managed and so forth. So there's a whole bunch of stuff to fence out from here, that you can look at how, you know, large organizations like Google manage their identity and their two-factor, all the multi-factor auth, and even their onboarding of a new person with identity, and those are all important jobs, and I feel like that's sort of all the under-the-water stuff that you're talking about on this very large iceberg of a problem. So.
I: Yeah, I think that's a really good call out, Michael. Yeah, as I mentioned a bit with, like, the contract budgets as well, a large part of this project is going to be creating a process, a system for how to manage these, and again making that a secure system that takes into account how best to secure these repositories, as opposed to, you know, each one doing their own one-off. So I definitely agree that it needs to be a full operation, a system, as opposed to just, like, giving the work to one person and saying go for it. We definitely need, like, operations and playbooks that will guide that person's work.

I think that also addresses a bit of some of the questions as well about if that person goes on, like, holiday leave and things like that, that I've seen in the chat. I'm not sure, you know, how it'll work with having a backup person on the help desk, but we can definitely say for sure that we won't be relying on one person's knowledge; the knowledge would be operationalized.
A
Yeah
two
big
questions
on
this
or
or
comments.
First
is
I
I.
You
know
I'm
a
bit
naive
on
kind
of
reset
processes,
I'll
admit,
but
I'm
really
Keen
to
see
how
much
can
be
automated
as
possible
as
a
way
to
drive
down
kind
of
this,
both
the
sport
burden
and
and
costs
and
everything.
A
You know, the way that Let's Encrypt automated the validation, you know, at perhaps a lower bar than other processes, but automated the validation of ownership of domains to the degree that it became acceptable for everyone to accept their certificates. It was truly remarkable, right. They brought the cost of issuing a certificate basically down to zero, so I would be really keen to see: are there process ways to validate identity, or to, you know, have folks pre-register a third factor auth?
A
You know, which I see happen in some places where MFA tokens are used, and with that investment then of, you know, a million and a half over four years, be perhaps better spent on tools to help that automation, that could then be pushed to all the repos to run in a more decentralized way, rather than depending upon, you know, kind of a fragile set of humans at the center. And my second comment is, as the GM for OpenSSF, is the person who'd be responsible for hiring and then delivering a service like this?
A
It makes me nervous, right. I feel like I'd rather structure this, rather than looking at this as somebody that we hire, or two people we hire, one to be support and one to be backup or working on tools or whatever, I'd really like to find a, you know, a contractor who would deliver to a set of expectations, or a set of objectives, a set of deliverables.
A
You know, even on an ongoing basis, which is kind of like what Let's Encrypt has with ISRG, right, ISRG, the group that manages the Let's Encrypt service, who Sigstore is talking about managing the key server. You know, those sorts of things that are perhaps better to sub out to an organization that has an ops team and an operational, you know, kind of muscle and operational kind of setup, in a way that, you know, we just don't have out of the box, that the team at OpenSSF.
B
So I think, as Brian and Michael both indicated, I'm supportive of getting the resets done so that we see communities able to adopt more of this, whether it's a single person to be hired on OpenSSF staff versus funding that could flow to the requisite kind of parent foundations. I guess my questions are more in the.
B
How, rather than the, like, does this make sense for the OpenSSF to support in some way. So I think the governing board, in my guess, and I would look to any other GB members that are on the line here to comment here as well, I suspect that the GB would want to have a little bit more detail on alternatives.
B
Say, in my view, if we can get a concrete list of questions both from this chat, as in this discussion, as well as from a set of, you know, follow-up discussions to be had, I think trying to drive that list of alternatives back to the governing board so that we have a preferred option.
B
But we consider these other alternatives, I think, probably is the most expeditious way forward, but looking at Brian Fox or Brian Behlendorf, or apologies for any other GB members from not seeing on the line here as I scan through quickly.
I
Okay, great, yeah, I think that makes sense for me. We'll take some of these questions about more specifics on how we can get this implemented, possibly either with one person or with a more operationalized approach, and we'll take that back to the working group and follow up with that, right.
B
All right, last on the agenda today is, as you guys, all the folks, are hopefully aware, we have an upcoming meeting next Friday in person at the LF, at the end of the LF Member Summit, a joint meeting between the TAC and the governing board.
B
We have Sam Ramji, who's on the line with us today, who I asked if he would be willing to maybe give kind of some framing thoughts as we kind of prepare for that discussion, to help us all kind of orient ourselves in terms of what the objectives are, as well as things that are in scope or out of scope. A meeting with, as I'm sure he will say, a meeting with that many people in it is probably not really even a meeting.
J
Great, thank you. Can you see these slides? Yep. My computer seems to be having something of a conniption on the video, so I'm gonna try to get the video functioning, but I don't wanna use that as a blocker for communicating. Okay, there we go, ha. These days means having two video cameras, so this is my backup camera. Happy Tuesday everybody, as some of you may celebrate, it's the first day of the month, so happy rabbit.
J
If you do that, we have a strategy coming up on November 11th, so it's two Fridays from now, so T minus ten. That's kind of exciting and kind of terrifying, but I think it could be really great for all of us, because we have huge ambitions. I've had the opportunity to interview some TAC members, some GB members; I'm making my way through several more this week.
J
If you have an email thread open with me, be convinced that I will get back to you by about 11 o'clock this morning to get your voice as a stakeholder into our pre-reads and into the agenda. But more broadly, what are we going to do? We're going to have a bunch of decisions, we're going to try to think together, and we're going to try to come through this with a lot of convergence, so that 2023 looks good. I'll let you read this slide, but to define what we're trying to do on strategy day.
J
We are going to collectively make decisions that make success in the mission likely, and we're going to collectively defer the decisions that we don't absolutely need to make yet. So hopefully these bullets are relatively clear. We want to make sure we have clear agreement on strategic intent for 2023, clear priorities for execution in 2023. We have a lot of things that we can do, and I think everybody I have spoken with is excited and also a little bit nervous about our ability to execute everything that all of us have imagined over the last couple years.
J
So priority for '23 will let us build the right organization to make sure that this all happens. So what are our non-priorities and non-goals for 2023? Again, some things we may have to explicitly defer and say: let's get those done in '24. It's going to be really helpful for people in this group; you have the expertise of what this work actually takes. The TAC is close to the metal, as opposed to close to the management, by design.
J
So what is a rough scope and scale of effort required from OpenSSF staff needed to support in 2023? Great example from Michael's earlier: it's taken months to hire high quality security program managers; researchers still TBD. This is hopefully going to be easier with the current macro environment and with companies bringing up staff, putting them back on the market. We may have a good opportunity to do some hiring, but this is going to be very challenging.
J
We want to make sure that we're designing a great organization that supports everybody here, no matter who leaves and joins their job in the member companies. What is it the OpenSSF needs to have at the core? And then, finally, by the end of the day on November 11th, we want to know that, where more detailed plans are needed to approve 2023 budget, there's a committed owner for each plan. So deferring, I think, is probably fairly self-explanatory, but that's going to be a lot of the discipline in order to make progress.
J
Second topic: I've had the privilege to do a lot of work with large groups and, as Bob said, you know, a lot of people looks more like a mob than it does look like a great brain, so to create distributed cognition you need to decide on a decision style. So for those of you who are attending, or for those of you who are preparing other folks who are going to be in attendance.
J
Please take a moment to kind of settle on this and we'll send the slides out; I'll link them in the doc. Collective cognition is difficult, just like a distributed database is difficult. It lives and dies on the protocol that you use to come to agreement. In distributed computing we would call it consensus, but in cognitive decision styles consensus is absolutely the worst form of agreement. So generally there's a continuum where teams either work in Tell: a single, authoritative decision maker stating their decision and all people follow.
J
This is also seen as dictatorship, not great for collaboration but good if you need to have a fast motion. Consult: one authoritative decision maker consults with three or four experts to make a great decision. This is generally a really powerful place, and you'll see most high performing organizations function primarily around Consult. Delegate, which is kind of recursive.
J
It kicks this whole continuum off to somebody else to make their decision about how they're going to do this. Consent: something along the lines of a majority rule, but with room for not having the tyranny of the majority, but being able to have committed people say, like, you know, I absolutely can't agree with this. So the bar for withholding consent generally should be high. Consent is withholdable, but if we don't withhold our consent, we act as if we absolutely vehemently agreed with the decision.
J
So one of the conditions of consent is, if you are part of a consent decision, you will not be the cause of failure; you will act as a driver of successful decision. And finally, consensus, and again, sorry, I see that Dan Appelquist disagrees with the family. It's fine, right, you can put in different words that point at the same meaning vector, but the framing here of the concept is: no authoritative decision maker, everyone must agree, and any new member can prevent a decision.
J
You've all seen this in your companies. When you see consensus-driven teams, often people get really frustrated. They say, oh my god, we can't seem to get started. We just decided this last month, somebody new joined this month, and now we're starting the entire process over again. Sometimes those kinds of systems can run for a long time. So somehow we need to agree on what is our decision-making style, figure out the labels that we want to use.
J
But if we don't use the same protocol, much like a distributed database using different methods of coming to agreement, we will never progress. So please be thoughtful about decision style. We'll discuss this in the beginning of the strategy day. If you have things to contribute in terms of things that you can see and work really, really well in large groups, please do so, and again, the words are less important to me than the actual behaviors.
J
Thanks for the commentary. The second to last design: so we don't want a mob, right; we're likely to have 20 to 40 people in this strategy day, we may have more. We need to use technologies, good decision-making, distributed cognition technologies, to make everybody's time awesome, right. So we want everyone to feel energetic, engaged and satisfied by the end, so we're doing thoughtful design. Obviously we're under the gun.
J
We've got about 10 days to go, so anybody who is good at this, passionate about this, consider yourself invited to help me and others design the game, the day: small team working, breakouts, important work, urgent timelines, making sure that we're not single-threaded like we're running a United Nations session where everybody waits in turn to speak, but we can actually get done hard work with the incredibly intelligent people that we have in this group, making everyone smarter and leading to faster convergence. Pre-reads are going to be key.
J
Many of you have worked in pre-read models. Our ideas are complicated. They don't come out of our mouths super well, labels don't always work, but as we start to sit with people's thoughts that have been written in that long form, we get a little smarter. One thing that's been useful for me in the past is to see where generally people already agree; that way, we can save a lot of time and just feel good, hey, we can agree to agree.
J
Do you have a strong perspective on where there are mutually exclusive needs for research, for resources? Ideally, the pre-reads are only a one-pager. If we have an abundance of these, we can work on, I can work on condensing them, but one of the beauties of a one-pager is it forces us to get our ideas out very crisply and they're fairly easy to consume, even if we need to consume them on the fly, day of, right before we have an important meeting. So that's my invitation, I hope.
B
Great, thanks, Sam. We've got about 50 seconds left unless folks want to run long, so I don't see any hands up, but I would also just echo Sam's call for volunteers.
B
I think this foundation is, you know, a community, right; it's what we ultimately make of it, and so your engagement on the 11th, as well as your preparation for that day, is certainly a way that we can all provide our perspective and talents in a way that's constructive towards the end of improving the state of the open source ecosystem.
B
To that end, one of the pre-reads I guess I would propose is the technical vision PR that we've been having some small amount of dialogue back and forth on, but I think that's one document that we could certainly take.
B
That seems like we have either folks not looking at it or we have consensus. I remember several TAC members have already chimed in.
B
I would also encourage you to go take a look at that PR again on the build-up to next week in person. So one last reminder: the LF Member Summit is the few days ahead of the GB/TAC meeting. Many of the TAC members will be physically present for the LF Member Summit, so there's certainly some opportunity for some preparation in the days that build up to next Friday. So I want to encourage you, if you're in.
B
You know, take advantage of that more broadly. And then finally, a reminder: this meeting on next Friday is a closed session for GB members and TAC members. It's not open to anyone in the community. So just a reminder on that.
B
All right, with that, I appreciate everyone's time today. Look forward to your collaboration on preparing for next Friday, and look forward to seeing everybody in person. Take care.