From YouTube: OpenSSF TAC - Focus Session (April 6, 2022)
B: Okay, so here's sort of a synthesis of a couple of things other folks have said so far, plus my ideas. The governing board has, by the charter, empowered the TAC with technical oversight for all technical projects in the OpenSSF.

The working group must share that information with the TAC, ideally in an email on the mailing list and definitely as a mention in their next sync point with the TAC, in a TAC meeting that is public and recorded.

This creates the transparency, you know, from projects to working groups to the TAC to the community at large, and it creates a clearly scoped charter for each entity, and the TAC has oversight to say to a working group, "Hey, your scope is creeping, let's talk about that," or "Hey, this project is a duplicate, let's figure that out."

D: With, you know, a large pool of great innovation, notifying the TAC to say "we've accepted this" and each of these projects maturing is awesome. But it raises the question again in my mind as to, for the project maintainers, why would they donate their project to the OpenSSF, and for us, strategically saying we're going to bring all these things together under a single banner. An open question to folks, and then I'll drop the mic and unfortunately have to go.

B: I think it would then be worthwhile to validate my assumption that that is a statement we want to be able to make with the community at large and with the whole TAC. So I do think it is a worthwhile goal, but other voices may disagree, with a ton of hands up. So I think I saw Sudentra, Jory, Steve, David.
C: So that is something I would like to understand, and then I have a comment about the hierarchy between openness of the TAC and then working group and then project, and the kind of free flow of information, because from my observation it has taken us a little bit longer than I was patient for to get projects moved, to get projects...

What you call the goals of the project heard at all levels. So is having a working group necessary, and then for projects that cross-cut those working groups, where do they fall, especially Persia?

B: So my understanding is bootstrap didn't exist in the CNCF. It is something that the OpenSSF kind of invented as a concept, and it applies both to projects and working groups, and it's the phase of a stated intent to join but not yet accepted.

Like, I know a different team in Microsoft spun something up that they were looking at, you know, meeting the five-public-meetings bar before applying to join, so I'd say that was in the bootstrapping phase. I think Persia is in the same, doing its own thing for now with the stated intent. So we can call that bootstrapping, and I'd love it if we add that to the docs as a part of our process. Sure, David, Steve, I'm losing track. Sorry.
E: I'll just jump in there and kind of key off something Bob said about, you know, what does the TAC kind of want? One thing that I think will be very helpful to us as we sort of begin to manage the influx of interest, either from people wanting to start projects,

new projects under our umbrella, or bring existing projects under our umbrella, would be for the TAC to possibly draft some kind of document stating some priority work areas or something, and say, you know, signaling to the community that right now we're looking for projects and work to really push forward in these spaces.

If you've got, you know, another idea, that's great, but we're probably not going to want to be evaluating that right now, because our priorities are XYZ. And I think maybe because that's not 100% clear we're getting a little bit more of a smattering of different types of projects that make it feel more scattered.

B: That's a fantastic suggestion, Jory. I know that I've seen more mature communities that already have all the process defined do exactly that, yeah. So I love that. I hope we can get there soon, because it would definitely help. Steve, David.

Great points, and I've been approached by a couple of other projects as well that don't fit the working group model. Actually, I had one of the developers in gedra approach me a couple of weeks ago.

A: Of course Bob ran away, good, but he asked questions and then ran. But I wanted to respond to something that he said, because I think it's a valid concern about working groups: if there's tens of working groups, each of which only has one project, there's kind of no point to the structure, I think so.

I think the intent for creating working groups is we're going to have a number of projects, many of them smaller, that are going to have to work together or coordinate because they have overlaps in goals and such, and so I think that's where the working group construct starts to make sense, where things are going to overlap.

Things need to work together, and so if there's a whole bunch of working groups with only one little project within them, and there doesn't seem to be much purpose, maybe that needs to get brought in. But I don't see that as a problem right now. I think people are... We've only had one proposed new working group since we've started, so I don't think that's a likely problem.
B: I'll point at another example out there: in OpenStack, or the OpenInfra Foundation, they have the concept of a top-level project, and some of those have nested projects.

They have a working group, and a working group is scoped and time-bounded. Usually it produces some output. I might be mixing up a working group and a SIG.

Example: the OpenStack telemetry working group doesn't directly own a code deliverable in the sense of the top of a project, but they do develop a couple of libraries, and those libraries are used by dozens of projects to ensure they all have consistent telemetry.

A: I was thinking, if I can quickly reply, just more of a model similar to what we've been doing, which doesn't mean, by the way, we can't change it, but I think right now the working groups own most of the projects, which tend to be smaller, by the way, and by "own" I mean simply providing some oversight, collaborating between them, and then the TAC doesn't have quite as many projects to directly oversee, rather than what you described. Though, hey, you want to change it, great. I don't.

Right, I've actually put in a number of GitHub PRs, because I believe that every working group should list every project within it, and every project should list where it lives, either what working group or, if it's a top-level project, "hey, we report to the TAC," and, you know, basically there should be pointers in both directions.

B: And let's keep doing it! Thank you for your service, David. Arnaud and Steve, yeah.

G: So, you know, when you were describing the model you had earlier on with the projects underneath the working group, like always, you know, I was biting my tongue to say, well, it doesn't have to be this way, because I thought maybe it's a simpler model and the simpler the better, but I tend to agree with David that maybe we need a bit more flexibility and allow projects to be directly under the TAC. Otherwise, I wanted to say, you know, in LF land, it's a big land.

Now there are so many different projects, so many variations. I think we need to be careful not to kill ourselves with some, you know, too complicated a model. We need to, you know, adopt something that works with what we have today and what we can expect immediately to come, and then anticipate that, okay, we may have to evolve this model over time, and I think every LF project has been going that way, and we shouldn't buy too much at once.
F: No worries. So just kind of coming full circle on this, for what Sahindra is working on, which is more, which is outside the scope of working groups, I think we definitely need to document what working groups in that progression look like, but for Persia, that's coming in, that doesn't have a working group, and the PR that he has in flight.

What do we need to do for next steps to make this happen? And then I have a comment about the whole working group hierarchy thing.

B: Given the discussion we just had and what the consensus feels like we're reaching, which I'm comfortable with, I think Sedundra's...

maybe split, with the first PR in this area really trimmed down to what the stages are, because we all seem to agree on that, and adding a little bit in there that describes the relationships between projects and working groups that we were just discussing. That's going to be whole cloth new, because the CNCF doesn't do it.

So that's sort of a description of the structure we have today, along with the description of the tiers that the CNCF has. That's probably not that contentious to land, I hope. And then the second PR might be describing the gives and gets for each of those tiers and the reporting cadence and structure for projects, working groups, and the TAC. That'll probably be more contentious,

take some refinement, but be really valuable to projects like Persia coming in to understand what the levels are they should target, what they expect in return. And then the third one would be the actual process: here is the form to fill out or the template to fill out, because we don't know yet what we're going to put in there; it depends on the first two.

F: And then one comment on the working group hierarchy with the repos and stuff like that. I think we need to adopt the landscape image, and currently, likely, if you look at the CNCF or the CDF landscapes, they don't include working groups in the landscape, but I think we could adopt that as a possibility.

Because you can, in the landscape diagram, you can have a working group and then its children underneath it. That may be easier for people to understand, and then it's kind of self-maintaining for those working groups to kind of... it's not perfect, but it's better than nothing.
E: Yeah, so I've been slamming my head against the landscape tool, and the landscape tool was not exactly invented for this purpose. We can make it work, but I had a similar thought to you, Steve, like, oh, wouldn't it be great if I could just use this thing that visualizes that.

We had a couple of diagrams that we were using in our sort of OpenSSF relaunch pitch deck that we want to revisit, because they're kind of busy and they don't really describe the hierarchy, and so we actually think this might break down into two or three different visual pieces: one for the community to understand what projects we have and where they fit in, like the solving of the supply chain security problem; another would be to help people visualize the structure of our organization; and yet another would be to help them understand more of the detail of, you know, what the groups are doing and how they connect with each other.

B: Yeah, I would really like to see a diagram like the one I just flashed on the screen that visualizes the governance structure we were just describing. I really want to see that for this organization. So maybe, if that's a good starting point...

E: Yeah, we've kind of got one, but I just don't feel like it's communicative enough. I'll share what we have so far with the group.

B: I like ravens, yeah. I think helping the community visualize the governance structure as we're landing that first of three patches, or first of three PRs, will be really helpful.

A very small number of the projects we have... if, over time, the OpenSSF adopts many more projects that are technical deliverables, a service or a scanning tool that folks can run, maybe it starts to form a relational model between functions in the security space. Maybe, you know, site signing projects and storage projects and integrity scanning. I don't know how that looks yet, but a lot of the products we have today don't do any of that.

F: Well, and remember that the landscape models that are currently out there not only include projects but also other software that may be commercial, and it's designated whether it's open source or commercial on the landscape, so people know where to find things. So I think the landscape is going to be bigger than what it is today if we bring those in as well.

B: Speaking of landscapes, I did draw this, I don't know if folks have seen it, to try to describe the overall landscape that software supply chain security occupies.

Here are metadata storage projects, part of Sigstore, and so maybe there are other ways we can describe the landscape besides working groups that do map better to the OpenSSF. Just putting that out there. It is a little bit orthogonal, by the way, to our focus here, so I'm going to pull us back for the last five minutes.
A: I very much liked, as you can tell, my earlier ava's construct of thinking about, you know, the TAC pushing down to working groups, in many cases, charters: here's your scope, you create lots of projects, but there have to be reports back in order to make sure that there are no issues when things are created. So, I think, basically a process.

B: And, according to the governance documents with the OpenSSF legal charter, the TAC must... so I tried to capture those three phases in a note in the chat. Concerns? Are things missing?

A: Yeah, I will quickly observe that, historically, that's not how the OpenSSF has operated. I think that's a problem: the working groups, and nobody's trying to be a bad thing, they're trying to get things done, but, you know, the working group would say "yay, go," and the TAC would never hear about it, and that's something I think we want to change without slowing things down. I think that's the goal; we don't want to.

B: The TAC seems all aligned on that in the last several calls, which is why we're having this focus session. So, Sadindra, with what I wrote down there in the chat, is it clear enough, or do you have any questions?

C: I do have one question. One thing that we had discussed before was creating a branch so that we can have a working version. I will need help creating a branch; I was not able to do that myself on the open stack repo, okay. And the second thing was, I'll start doing the work and start posting progress on the TAC channel, like the other thread. So, if you're active there, please give me feedback there.

B: And feel free to tag people, you know, at-mention me either in Slack or GitHub, so I get notifications.

Meetings happening at the same time, I'd love to just review any status that Sadindra has by then, and maybe, if it's a short meeting, that's great. It's a Friday.

C: And after Friday, I'll be out of pocket for a week, so I'll be available, but I won't be able to actively work. So that's when I'll hand over to somebody who can sort of take it forward.

B: GitHub doesn't make that super easy, to work on someone else's PR, so Jory, if you're here, or David, if you can help Sudandra get...