From YouTube: OpenSSF TAC (April 4, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
A: All right, we're three after, so we'll go ahead and get going. Thanks, everyone, for joining today. We have a couple of items on the agenda. First and perhaps foremost, congratulations and thanks to...

Hey Jack, can you go on mute, please? Thank you. Sorry, no worries. Congrats and thanks to everyone who participated in the elections, for both the TAC as well as the security community individual representative. The election results were announced yesterday, and so I put the names of those folks who did win the elected seats there in the notes.

There are a couple of governing board seats that are denoted by appointment, and so the process for the governing board to select those appointees and vote them in is underway. So by the next TAC meeting we should have a full TAC seated and ready to rock and roll for the next year.

Some of it will be carry-forward context for folks, but given that we're in that kind of state of transition, I think it's most appropriate to let it be and just have this meeting be a discussion meeting. Any questions on that before we continue with the rest of today's agenda?

All right, and then the one last thing I wanted to note is that once we do have a fully seated TAC, one of the first orders of business at the next TAC meeting will be to hold an election for a new chair.

So once we have the full TAC appointed, we'll proceed with that process at the next meeting. All right, the next item we have on the agenda is an update from the Supply Chain Integrity working group, and I see Isaac Hepworth here on the Zoom call with us. So with that, Isaac, I'll hand it over to you; I've slotted it for about 10 minutes.
D: That's great, thanks, Bob. Good to see everyone here. So I'm Isaac, I work at Google, actually with Bob as well, and I bring to you updates from the Supply Chain Integrity working group. The first update, which provides context for why me: just recently, I was elected by the group as the new chair of the Supply Chain Integrity working group, taking over from Dan and Kim. So I'll be in the chair position, and then Melba Lopez from IBM and Jay from Microsoft have joined as co-chairs of the working group. Dan and Kim were both supportive of that change, given that they've been spending their considerable OpenSSF energies elsewhere recently and have not been able to attend or drive the working group. So that's the first salient change, I think.

The other one, which is top of mind really across the Supply Chain Integrity working group, is just the impending milestone of the 1.0 release of the SLSA specification, and so we've been working hard getting the specification ready for 1.0.

We had a release candidate that was published towards the end of February, with a set of known issues which the team has been working through to close. Today we're going to announce the second release candidate, RC2, which we will be publishing without any known issues. So this will actually be something which, you know, if we have a quiet two-week comment period and nothing super substantive comes up on the RC2 of the SLSA specification, we'll roll forward to a 1.0 stable in a couple of weeks. And so, you know, there's a parallel set of efforts alongside the SLSA specification working group, where we're actually driving the crystallization of the core spec and working through the issues list.

There's now a separate thread of work which Jennifer has been driving around the comms plan for SLSA 1.0, making sure that we land that 1.0 specification with maximum impact in a couple of weeks' time. And so we're looking at, you know, what press pre-briefings we want, what quotes we will have, and how we will, you know, I think we'll be looking to use, you know, the openssf.org blog and press release as the center of gravity of the launch. And then we have a constellation of contributing companies, including Google, Chainguard, VMware, GitHub and so on, preparing their own blogs on their owned and operated properties, which will kind of echo the announcement and provide, you know, some additional organizational context, but pointing back to that center of gravity, which will be the OpenSSF press release and announcement.

It's been, gosh, coming up on nearly two years since the 0.1 release of the SLSA specification, and so it's been a fairly long journey, and it's been an incredible labor of love to get the source of the specification from 0.1 to 1.0, which is where we're headed, and it's super exciting. I think, you know, we're seeing increasing currency, and, you know, I see SLSA mentioned and adopted in far-flung corners of the industry, well separated from the OpenSSF, which is, I think, super encouraging as to, you know, how it's spread. So that's on SLSA.

FRSCA: I dare say, slightly less encouraging news. We're trying to find contributors and maintainers to help us push the project forward. I think that, you know, there's a couple of aspects which I think are challenging with FRSCA. I think that we don't have a clear line of sight into what downstream customers most want. Do they want, you know, an educational example? You know, a great, very transparent, very legible implementation of a reference architecture which they can learn from and then apply the patterns from that to their own build system, or are they looking for something which they can migrate their builds to and actually deploy in production, as in "this is a production system which we will adopt"?

Looking exercise, then, that had been imagined, and I think that what we've learned in FRSCA land is that, you know, there's a lot of sticking power with people's existing build systems, and so trying to figure out how to make FRSCA more applicable to folks with existing infrastructure, so they can lift the patterns and examples they see in FRSCA land into their own pipelines, whatever they may be based on, should probably be more of an emphasis for FRSCA going forward. But the more pressing challenge is just, you know, the resources we have to apply in terms of hands on keyboards.

We've got lots of ideas, lots of things with lots of input, lots of things we think we might want to do, but in terms of people who can actually type things into GitHub, we have less on that front. And so Michael Lieberman is going to publicize that he's written a one-pager to frame FRSCA: what's it for, what's it not for, what are its goals, what does it need? Where does it need to head, as kind of almost a call to action or a call to arms to kind of gather contributors around and rally the community? But there is that gap between knowing and doing. We know what we've got to do, but we don't have the resources to actually put that into action and actuate it right now.

Okay, so a quick update on S2C2F. S2C2F is a more recent addition to the SCI working group, and, you know, we're still working through an initial set of issues. Some training material has been developed, and I think Jay, you maybe are a little closer to this than I am, so please chime in if I get any of this wrong. But we have now a 90% complete training course around S2C2F, and we have a talk on S2C2F which is prepped and ready and accepted at RSA, and we're excited to get that done, to continue the process of publicizing it and gaining momentum around S2C2F as a dependency management framework for supply chain integrity.

And then zooming back out: one of the things we're trying to do at the SCI, kind of the umbrella working group level, kind of above SLSA, above FRSCA, above S2C2F, is pull together an overall vision for what, you know, OpenSSF's direction and vision constitute for supply chain integrity. And so I've linked in the notes here a draft vision doc we've been working through as a team and really thinking about, you know.

We have SLSA, which initially, you know, SLSA 0.1 talked about, you know, build and provenance and source requirements for getting to various SLSA levels. For 1.0 we've scoped that down, and so much of the focus is on build and provenance, and we've moved the source requirements out of scope. And so we have that as something which stands now in SLSA's future; I would like to add that back to SLSA in a subsequent version. And I think looking at what other pillars of concern do we want to add to our overall framework is what this vision doc is talking about, and so laying out the idea that, you know, the SCI working group as a whole could be looking at scalable, standardized practices for supply chain security. And under that umbrella we're talking about, you know, decomposing the problem space ergonomically into one of these core pillars like build and provenance, and dependencies, and source, and vulnerability management, and then having a framework which encompasses and speaks to leveled requirements across all these pillars. And, you know, the document is not laying out what we would call this or what the go-to-market motion would be for this thing.

But I think that there is gathering consensus in the Supply Chain Integrity working group that, you know, producing an uber framework which spans the problem space of supply chain integrity and has, you know, specific, scalable best practices which are attestable and adoptable and readily reachable by various players in the industry, you know, having that uber framework feels like a great vision for the group and something we can begin to move things towards. And so, you know, we might naturally ask the question: what do we want to add to SLSA next, or what does SLSA 2.0 look like, or, you know, what part does S2C2F play within the SCI working group, and how do these things come together, and how does S2C2F plus today's SLSA, you know, aggregate into a, you know, one plus one equals three picture? That's what this vision doc is trying to get to, and thinking kind of beyond, you know, the projects we have within the working group today, and thinking more expansively about the problem space as a whole, and we can then look at, you know, what gaps do we have to fill.

I am going to pause there. I talked a little bit about the chair change and SLSA 1.0, the comms plan, FRSCA challenges, where we are with S2C2F, and then the Supply Chain Integrity working group vision, which I've linked into the notes as well, and I'll pause for any feedback or comments. No?
A: Thanks, Isaac. I think there was obviously quite a bit going on. I guess one quick question: any specific asks of the TAC that the working group has?

D: I think I would tend to the asks on FRSCA: that, you know, if we can have the TAC help evangelize or identify actual people in actual organizations with use cases for FRSCA. And there's been a little bit of momentum and conversation recently about Sterling tool chains, which I think, you know, FRSCA has some adjacency to and potentially some relevance to, but we really could do with, you know, some very specific, you know, use cases: what do actual real people in real organizations want to do, or how do they see gaps in the FRSCA problem space? And then the other thing is, you know, anything that the TAC can do to help rally or encourage folks to get involved with FRSCA in a hands-on-keyboards form. Again, we have lots of people with, you know, great ideas and, you know, a lot of suggestions.

What FRSCA may become, what we may do next, but turning those things into reality is a gap that we have, so anything that we can do just in terms of gathering hands on keyboards in the community would be awesome. And I know I see is plugging the panel as well, which should help with the overall kind of awareness of where we are. Zach.
E: Not a question but a comment. Just wanted to say how excited we are about the upcoming SLSA 1.0 release, and I think the focus on build integrity was exactly the right one, but also excited to hear that in 2023 you're thinking about how to add that in source controls, and looking forward to hearing more.

D: Absolutely, thanks for the feedback, Zach, and I'm really excited too. To be clear, I think it's a huge milestone, but it is a milestone. It's not a destination. We're not stopping there; we're going to 1.0, and we do very much want to have, you know, not just an internal sense of what the future of SLSA looks like, but an externally articulable one, where we can actually talk to the community and, you know, to folks in the space about where this is going, and speak with some consensus and continuity about, you know, the direction for SLSA and supply chain integrity over the next 12 to 36 months.
A: All right, next on the agenda we have Jennifer Bly, who wanted to bring some updates and questions around OpenSSF Day PR and a monthly feature on the foundation blog. So Jennifer, over to you.

F: Thanks, Bob. I wanted to discuss two things with the TAC. One, as we're moving toward OpenSSF Day, which is going to be held on May 10th, we're starting to build out our press kit. So what kind of things do we want to announce there? What do we have coming up that's going to kind of align with that timing? Please be thinking about that and, as you, you know, come across items that would be good to announce as part of that, please let me know. We will be doing a press release just in advance of OpenSSF Day welcoming our new members, and we have an opportunity to include some other things in there as well that we want to make sure that we point to.

And then the other thing I wanted to bring up as well: we have a new blog series kicking off tomorrow. Big shout out to CRob for getting us started with a feature of the Best Practices working group, but what we'd like to do is each month feature a different working group or project on the blog, kind of talk about recent accomplishments, what you have coming up, and then really highlight ways for people to get involved. Where do you need the most help? Where can people jump in? And using that as another way to drum up some participation.

A: Awesome. Do you have, maybe a quick jump on the line here in terms of questions: do you already have a second project or working group scheduled for the May one? Are you looking for ideas from the TAC?

F: What I was hoping is that we can kind of follow the sort of schedule set out for when groups present to the TAC, so I haven't asked yet, but potentially the Supply Chain Integrity working group. I can reach out and we can see if we can schedule you for May.

A: I think with the SLSA launch, that would certainly be of interest, also the upcoming stuff and the call for FRSCA that we just heard. That makes a lot of sense. But okay.

F: And if there is a specific time for individuals that works especially well, just let me know, and we can create a content calendar accordingly.
G: Hey everybody, just a quick update. The Best Practices working group has been approached by a group of enthusiastic community members that have been toiling away on the Mobilization Plan. So we are pleased to announce that the working group decided to adopt the Memory Safety SIG, which is part of the Mobilization Plan Stream 4. We had our first official SIG call last week, and we are very excited to continue to refine the initial words from the plan and put forth another potentially actionable proposal for the foundation to consider to work with.

A: Once, twice, sold. All right, thank you. All right, we have two final items on the agenda. One is, Brian, I wanted to give you a chance to talk about one of the topics that's on the governing board agenda for later this week, which is a proposal to expand the TAC, and then we also have, representing Alpha-Omega, Jonathan Leitschuh, who is one of those security...
H: So we've talked both here and on the governing board about whether, given, you know, a lot more activity since we've started the focus on the Starling tool chain, whether we wanted to increase the size of the TAC, also given the growth of the organization as a whole and the idea that we might want to make sure we've got the TAC representing, you know, somebody from, you know, each of the major projects or working groups or the like. So I figured now would be a better time than halfway through a TAC term, and at the meeting on Thursday morning, where the governing board will approve the three appointees, I will also be putting forth a proposal to modify the charter to expand the TAC from seven to nine, to increase the number of elected by one and the appointed by one, and so as to avoid another election cycle, to appoint two more representatives, two more TAC members now: both the three that we've recommended to the governing board and will be voting on on Thursday, as well as the two more which I haven't put forth in a motion yet, specifically who, but will after the vote has been made, if the vote is made to expand the TAC. Those will be drawn from the folks who ran for this TAC election, so no surprises: it'll be people from the community and, generally speaking, it'll be people who scored well in the election. So, you know, we hope this will serve the interests of all of us in trying to just have a really powerful TAC, and that's the parameters and the scope.
A: I'll say that, you know, similar to my comments in the past, I certainly welcome participation. I'm not convinced that increasing a number from seven to nine solves a problem. I think making sure that the TAC is set up for success in terms of support from the foundation, staffing, I think those are more compelling things to be focused on right now.

The last thing I would say is that selecting folks out of the electorate certainly does make sense in terms of picking from a pool of folks that have shown interest and willingness to step up and help, and I think that's certainly, you know, noble and a worthy place to go looking. If we're simply picking people out of the electorate, though, I'm not sure why we wouldn't just frankly expand the number of elected seats, because if it's the same pool then letting the community ultimately make that determination feels more appropriate. But I'm still, I guess, going back on the broader question of, I know it's been discussed, but I think there's been some mixed feedback in the past. Jacques, I see your hand is up.

I: Yes, I wouldn't be doing my job wearing my hat as vice chair of the End Users group if I didn't bring up that one of the reasons the End Users group came into being was dissatisfaction at the composition of the TAC. And often we don't have the same sort of insider expertise that someone who comes from a vendor might, so I would leave that at the feet of the governing board, that to ensure the best representation and also the best ability for the OpenSSF to serve the ultimate end users, they should consider an end user representative as an appointment, if that's what they're doing this year.

H: Okay, I'll carry those points forward into the conversation on Thursday, while you'll be a part of that conversation. But we'll do this separate from the session that we do share with the full TAC. Sure.
B: Yeah, I actually, I mean, agree, you know, partially with Jacques, but I really think that expanding the TAC would be very helpful. And maybe to address your concern, Bob, is instead, much as is the way of a governing board, most boards have different subcommittees, that maybe what we need is something where we have a TAC that is broader representation of both community, but I... That's, you know, the main operations, but a broader representation of the TAC in general for communication. So maybe that would be, I mean, again, not trying to sort of split the difference, but a way of trying to ensure that the TAC remains efficient and doesn't become unwieldy, but also is representative of the broader needs of this broadening security community and of this broadening organization.

I mean, which this is great leadership and the great investment and major corporations that are now coming on board, to ensure that there are more voices and better communication.

A: No, thanks for the input, David. Maybe just a quick response: I'm certainly plus 1,000 on more folks engaged in doing the work. I'm just not convinced that, like, adding plus nine and having the TAC not set up for success, where frankly not engaged, really does move the needle. I think it's about engagement, and so whether it's seven engaged people or nine engaged people, I think either of those is a great outcome for the foundation. I just want to make sure that it's not simply a quantity challenge.

B: Well, right, I mean, but just to follow me, I completely agree with your other point, Bob, of having staff. I mean, the TAC needs some more support in the organization. That's a large role; it's a large job of the TAC itself, and, you know, you did a great job as chair the past cycle, but it definitely needs, you know, more support staff from the OpenSSF to deal with all the logistics that are required of the TAC.

H: To that point, it's a good reminder to note that we do have additional jobs open now for Chief Architect and for the ecosystem folks, and we are internally pulling in additional help from the community management team of the Linux Foundation. So we are executing on that as well, and we'll be fulfilling that ask from the TAC from back in November.
A: All right, thanks for that. Any final comments on the proposal? Otherwise we can move over to Jonathan. I don't see any, and so, all right, Jonathan, over to you. And just as a reminder again, unfortunately, we're not going to be able to make a binding vote on this today, but certainly, you know, hopefully we get some good discussion on it and we can tee this up to get you some answers either asynchronously, once the full TAC is seated, or at the next meeting, correct?

J: And that should be the next meeting-ish, hopefully.

A: It will be the next meeting.

J: Okay, great, so then, okay, great, awesome, perfect. So the Vulnerability Disclosures working group has been chewing on this document, which is posted in the meeting notes. I will also post it into the chat for everybody.

It is a proposal for the Open Source Security Foundation vulnerability disclosure policy. So this is not how vulnerabilities are incoming; that is another bit of work that is being done, primarily led by Luigi. This is for outgoing reports, primarily revolving around Alpha-Omega, but any other security vulnerabilities that are discovered in the course of the work of the Open Source Security Foundation, and dictating how those disclosures will occur.

What the policy is. This is, I think, good to clarify up front: this is not a process document. This is a policy document, so it defines the set of steps that will occur, but not necessarily how they will occur. And at a high level it covers things like, you know, the 90-day deadline or a disclosure time limit for reports that are coming out of the OpenSSF and how we will deal with certain things. Like, you know, if we, this is very unlikely because we're mostly looking at source code, but in the rare event that we run into a zero-day vulnerability that we uncover that's actively being exploited, how we will report those, and also include some of the rationale. So has everybody had the opportunity to read through this document? Do we want to give like five minutes to be able to skim it?

A: I guess if maybe you just want to talk through the high points of it, that would probably be useful. Yeah.

J: I can do that. So at a high level, it basically communicates that the Open Source Security Foundation adheres to a 90-day disclosure time limit, and then at 90 days, vulnerabilities that are reported by the OpenSSF will become public. And this doesn't include major public holidays and, you know, doesn't overlap with weekends. So it will be a work day, though, when the vulnerability is disclosed.

Similar to Google's policy, we will offer a 90-day, or sorry, a 14-day grace period if we get told that there will be a release occurring within 14 days post the 90 days. There's an expectation that we ask maintainers to respond to us within 21 days, and if they do not, if you do not receive any engagement from the maintainer affirming the intention to fix the vulnerability within 35 days, the OpenSSF reserves the right to publicly disclose the vulnerability at that point.

There's the clause about a zero-day, and then there's also the rationale at the very bottom, which is about how this is our... get vulnerabilities fixed and disclosed and reduce the risk of vulnerabilities and their exploitation by enforcing a disclosure deadline when we're reporting vulnerabilities. Are there any questions about this document?
I: Just so I understand, there's no sort of, like, surprises in those time windows, right? Like, there's nothing that's out of sort of industry norms? You mentioned a few times...

J: 90 days is actually on the longer length of time for the industry. I think the only organization that I found that has a longer timeline is the Zero Day Initiative, which is, I think, 120 days, but other industry groups have 45 days. I've talked to Katie Moussouris; her line, I think she said, like, the original vulnerability disclosure deadline that was from one of the first research groups was like seven to 14 days, so the norms have shifted to be a little bit longer, and so 90 days is a pretty respected amount of time in the industry.

I: My other question, I guess, is that if I do the sums in my head, 90 days plus 14 days plus, say, allow one day if it lands on a public holiday somewhere, we would be looking at 105 days as the maximum window.

J: Yeah, okay, I think that math worked. Yes, oh yes, that math seems to work out.

G: And just to provide everybody some context, the Vulnerability Disclosures working group has folks from many community and vendor security teams that have worked with Jonathan on kind of adjusting the language. There isn't really anything kind of out of whack with the suggested timelines or practices; they all kind of align with other communities. And just, I think, the big thing is that Jonathan is just trying to provide a framework that is flexible enough to work within a lot of the existing community norms and, ideally, trying not to upset maintainers as, you know, he's going through, he and other researchers are going through their work. And this is something you'll see: most organizations like a HackerOne or a Bugcrowd, those types of organizations, bug bounty folks, will have some type of policy that sets the expectations as researchers are reporting things, and it just helps that everybody involved in the process kind of can go to a resource to understand what the expectations are as people are going through and disclosing this. Just...
K: Yeah, just real quick, Jonathan, I know you thought hard about it. You know, these are pretty cool, pretty typical vulnerability disclosure time frames. I guess the one question is, you know, one of the things that is being planned is releases of a large number of reports for basically, essentially the same vulnerability to many projects, and that may create complications for reporting, and the easy way to report is "here's your pull request", but if those are public, that's kind of a problem. I know you've thought hard about that. You want to talk real briefly about your thoughts about how?

J: This policy is narrowly focused to anything that's being manually disclosed. There is a separate document that's being worked on to describe a separate but similar policy for how vulnerabilities being reported via automation will be handled.

The idea is to define what is an Open Source Security Foundation compliant automated vulnerability fix campaign, and that document will basically allow anybody who's bulk fixing security vulnerabilities at scale across open source to put a stamp on it saying this is Open Source Security Foundation-like best, this is, this follows the specification that the OpenSSF has put out. But again, that document is not complete, and it needs more work and also some features that GitHub is working on to get released.

Yes. Does that answer your question, David?
C: Hello, yeah, I don't have much to comment on with the times, but I do have some questions around the zero-day part. So it would need to be a vulnerability that you see in the wild, I guess. How would that work? If you've disclosed this vulnerability to someone already and then maybe halfway through the window you find proof that it's under active exploitation, would it then switch to the seven-day policy?

J: Not something I thought about, but yes, I believe that makes sense. So, yes, I think that it's, and to be clear, depending upon how widespread the implications of the exploitation are, the seven days is an upper limit for how long a disclosure will have before. So if we see active exploitation and it's very bad, it may be shorter than the seven days, but yes, in general, that policy would take effect at that point.

But again, I think it's important to note that as the Open Source Security Foundation, we are primarily looking at source code of open source software, and we are not, you know, Google or Microsoft, where you have deep, like, you have a lot of data about running systems because you have logs coming back from large numbers of machines. You can see active exploitation at a more fine-grained level, so the likelihood of us running into this case is far less likely than other research organizations, potentially.

C: Got it, yeah, and I guess if it's clear to you guys just looking at kind of public... Then it's very bad. Yes, very obvious. Yes, one other question on this: is it just that they need to kind of come back, say they're dealing with it and make a public statement? I know it mentions, like, mitigations, but they wouldn't necessarily have to have a fix, and I guess the question is, you know, there's not really a way to impose consequences, I guess, if they don't do much after seven days other than just saying "hey everyone, there's a problem", and we don't have any mitigations ourselves, and the, you know, people who own the code haven't responded either. Like, would the OpenSSF and people involved come up with mitigations to help out, or just post it?

J: We may come up with mitigations if it seems like something that we have enough of a grasp of to reasonably make that assertion. It's not a rule, but it is, you know, the line about mitigations, or mitigations may involve patches, it may involve, you know, documentation that gets published to say this is how to fix this, right. So, and that's mostly coming out of the maintainer. If the maintainer is not responsive, we will do our best, but, I mean, that's... That's, I'm speaking more with my Alpha-Omega hat on at that point, not stating that that's necessarily the entire policy for the entire organization, but Alpha-Omega is more than happy to be involved with anybody who's doing disclosures from the OpenSSF to help guide that practice. Also the Vulnerability Disclosures working group, too. So.

C: And I guess it still leads back to: if it's something that we see publicly, yeah, it makes sense to talk to.
J: Yeah, so I would love to, so LF Legal is currently reviewing this document. They will hopefully have a pass at it and get back to us by, hopefully, well, I don't know how long it'll take, but, you know, is the next TAC meeting in two weeks? Two weeks.

Okay, all right, so I will hopefully have an answer from them within that time, and at that point we'll have any updates we've made from their feedback, and it would be lovely if we could have the TAC vote on that document at that point, on the policy, as to whether or not to accept it. So if you have any feedback that you have not provided now, the next Vulnerability Disclosures working group meeting is tomorrow.

So if you could, what, tomorrow, right, all right? So if you want to provide your feedback before that meeting, it would be great if you could get it in before 11 a.m. tomorrow, Eastern; otherwise, yeah, it makes our life a little more complicated to discuss it in that meeting. So that's it. Any final questions before I yield the floor?

A: That doc approved by LF Legal, Jonathan, it would be great to just go ahead and open an issue on the TAC repo. If we can drive it asynchronously faster than the meeting, we certainly can try to move faster.

J: Can do both, that comment on the issue and send an email to the TAC.

A: Once, twice, sold. All right, well, we will go ahead and end the meeting there. Thanks, everybody, for the participation today, and look forward to seeing the rest of the TAC seated, and we'll see everybody in a couple weeks. Have a good day.