From YouTube: OpenSSF TAC Meeting (April 20, 2021)
A
A
I spoke with Ryan Ware from the tooling group. Yesterday he was going to try to get something in there. I'm not sure if he did, we'll see, but I guess his working group meets quite literally right after this meeting and he wanted to review the content with his working group first, which is understandable. Yeah, Ryan. Can I jump.
A
Yeah, no, that doesn't sound fun at all. Okay, we'll figure that out. We'll see if maybe there's someone else that can help fill in in the meantime. Same with CRob, I reached out to him as well. I haven't heard back. I know he's kind of in the middle of the transition, so we'll review what we can, and then it looks like some of this stuff might get reviewed offline after this meeting today. And then, after that, we want to talk about some budget things.
A
The planning committee that Kate's been working with has some updates there, and then Jennifer will be talking about the governing board off-site that they had and some outreach, conferences information, and then we have, so, this leftover thing around the TAC view on participant changes in employment. So I think we've all kind of superficially agreed, so we'll just kind of make that a little bit more official, and after all that, if we still have time, we will talk about the road map and wish list that we started some months ago, or at least introduce it.
D
D
All right, okay! Well, so the.
B
D
Okay, so we'll, you know, we'll run our town hall like we have been. I'm going to skip through some of these. One interesting thing on the agenda is we're gonna have Mike Scovetta talk with us about, actually, we're thinking we'll have a regular session, section of our town halls where we talk about in the news, and last month we talked about SolarWinds, and not last month.
D
B
Mike Scovetta is confirmed for the dependency confusion thing.
D
Okay, great, thank you. We'll talk about accomplishments, how people can get involved, then TAC. Ryan's going to update the TAC items. So I don't, I won't go through those here.
D
A
I looked at this yesterday. I was thinking about what we were going to put in there, and I wanted to bring it up to this group because most of what we've done in the past quarter has been reviewing the working groups and then a couple little odds and ends that aren't really, like, big announcements.
A
A
D
F
Okay, is there an upcoming activities thing that they could fill that out with more stuff?
A
So that was kind of the road map thing that we're going to start back, which we're kind of touching on today, but I don't know how detailed we wanted to go into that. Certainly we could, if we make it to that part of the discussion today, we can see about maybe where we went ahead and add some of that in there. I don't know if it's gonna add enough to, like, really give us a full, you know, five minutes' worth of discussion, but we could certainly look into it.
A
Okay, well, folks have other ideas that they think should go on there? Like, you know, Dan, I actually was thinking about what you're potentially gonna present, you know, next time for the DCI stuff, like, but I don't know if we'll get there in order to have something, you know, productive to put in here.
F
If this was accomplishments, you know, if there was something else to add on there, like, well, what are we planning to do? That's a good thing to communicate, right?
C
F
The DCI stuff, which we haven't talked about yet, could be something, but it might be premature to put that on now. We also, what else did we, I think in the last quarter we codified the life cycle and the, like, the working group abilities, is really like two issues that we closed.
A
Yeah, we put that in the previous, at the previous time, that was.
F
A
A
D
A
Yeah, so the next TAC meeting Dan's gonna give us a presentation on some thoughts that he has, or proposal. So really, oh.
D
That's great, yeah, yeah, very cool, okay. We could add somewhere, either in this section or the overview section: another thing that we have just finished is deciding on a code of conduct.
A
Yeah, because this kind of dovetails with what I was thinking, actually, because the only other thing that I thought that might be interesting to put here is the budget stuff, and that's kind of TAC and kind of governing board. So I almost wondered if what we should do is just have a governing board and TAC update. It's like, here's the update from the overhead of the group.
D
D
Okay, great. All right, we have get involved up earlier, so we might want to not have it again here.
D
Yeah, we got feedback from the previous meeting that we had a lot of get involved slides and.
C
D
Would be better to consolidate and have fewer of those and talk more about the meat of what groups are doing. Okay, so Identifying Security Threats. Michael Scovetta has updated his. We, you know, we thought about taking the, again, you know, following this feedback that there's repetitive stuff, we thought about, you know, should we include the missions across all the working groups, and then we decided, since, so, we will have new people at these town hall meetings.
D
It's useful to just give a quick summary of the mission, not take too much time, but do a quick summary, and then Mike mentioned his accomplishments, the accomplishments for the working group. The big thing they've done is the metric dashboard, which I think maybe you guys heard about in the TAC last week. So they've got that going and he's gonna, you know, give some overview.
D
He might, maybe he'll even give us a demo, but he's got some slides that show it, and the two things are the metrics dashboard and then the security reviews project. So he'll talk about both of those, and then he has a quick get involved for his project. What we thought we'd have the working groups do is focus on anything that's unique in their, so in their get involved slides, focus on anything that's unique to their project, since we're covering the overall how to get involved earlier in the deck.
D
So that's Identifying Security Threats, and Security Tooling. We need updates from Ryan or someone from that community, so Ryan Haning, you'll help me find someone to update that slide.
D
A
D
Perfect. Best Practices, you mentioned already, we haven't heard back from CRob yet, so these aren't updated.
H
Yes, hi. Yes, I know that, so CRob is transitioning right now into Europe and myself kind of the same position turns on inside organization. So it's been a bit crazy, but I will take care of reaching out to corbin dating this. This slide as up.
A
A
Yeah, so I'll post to the group and see if either someone has contact for him or if someone else could sort of take the lead on this for now, okay.
D
A
D
Okay, and Kim, we don't have Kim on either? Okay, okay. Well, we've got one of six of our working groups. That's something, but we do have a ways to go. We have a little bit of time, but not much. So just to let the group know, we are doing, in addition to the town hall meeting, which will be on May 3rd.
D
We have a quarterly newsletter that we send out, and we send that on the announcements list and we tweet about it, and there is some lead time that we need to give. The quarterly newsletter is put together by the Linux Foundation's PR agency, and we need to let them know. They like to have a month of lead time. We're asking if they can do something in two weeks, so they would really like to have content by Wednesday, or what we've said is we'd have content by Wednesday.
D
So we do need to get something, but we have a little time, which is a day, and then we need content for our PR agency.
A
So is that going to be an issue going forward? Because we're never really going to be a month out by the time this content is created, right?
C
I mean, I talked to Jennifer yesterday and she was okay with the two-week notice that I gave her. Well, if we do need to have content by tomorrow, just so they have enough time to put everything together. But I think moving forward two weeks is probably okay, but I would suggest, like, being firm on that two weeks.
D
Yeah, that makes sense. Let's do this for the content: so if we don't get, ideally we'd have more from other working groups. If we don't get more, then we will go ahead with, we've got some fairly, we've got some meaty content from the Identifying Security Threats, so we might just have a shorter newsletter and focus on those two, on the dashboard and.
C
B
Kate, this is David Wheeler. I may regret this, but I have been to some of these other meetings, and so I could try to fill in some of the others. I'd rather not do them all, and I want to make sure that the working group lead, I'm the backup for the working group leads, I'm not replacing a working group lead. Also, I do think that really the big story for this last three-month period is the metrics group.
D
D
D
I
Okay, did we talk about this polling in the middle of the town hall yesterday?
D
What, yeah, what we talked about is having one poll at the end, which is, you know, right as we go into Q&A, and then do another wrap-up about get involved. So we will send out a survey to people afterwards, but will take time in the me. This is where we'll have the poll so that people can feel, essentially fill out the survey questions, but just do it interactively at the time of the meeting, rather than afterwards.
I
A
Thank you, okay, yeah. So when we get those updates I'll send out a message to the group so that people want to review offline, they can. And then, so, the next thing in our agenda is back to you, Kay. It's the Kay update, and then you get a break.
D
D
D
C
D
Our initial plan for the member dues is that it will be on a sliding scale based on the size of the organization, and if the dollar amounts won't be huge, so for organization size one to ninety-nine we were talking about five thousand dollars, 100 to 599 would be, so, the increments were five thousand dollars each. So I'd go 5,000 to 10,000, 15 and 20, and then the break points would be at 100, I think 100, 500, 1,000 and 5,000.
D
And that's still, we're still finalizing that and it'll have to go to the governing board for approval. But that's what we were thinking, and then, in addition to that, we want to make it possible for organizations to contribute higher dollar amounts and be part of a, I don't know what we'll call it, the security stars or something.
D
You know, kind of group, some fun name, that if people can contribute more and are willing to contribute more, we'll have some dollar amounts, maybe they're 50, 100, 250, 500, and then they can be at some other level, silver, gold, platinum, etc., and then this money, that's the above-and-beyond money, would go towards dedicated funding of security projects.
D
So the projects that we've been talking about in this Securing Critical Projects group. So, and that's again, that's early thinking, so we'll have to finalize that and we're working to do that. We think we'll have this, we think we'll have the budget finalized.
D
Ideally it would happen in our next governing board meeting, which is May 5th, I think, because we want to let members know what the member dues will be ahead of time so that they can plan for it and get it into their own organization budgets. So we'll have that finalized by this coming May, or by the latest in our June meeting, and then we're aiming having the dedicated funding process finalized by our, I think we said our July meeting.
D
So that's a couple more weeks out until we work through all the details of that. Okay, and then the last thing I'll mention is that we do have funds for working groups if there is a need for funds.
D
For example, if working groups need funds for CI, for hosting CI/CD infrastructure or just for hosting services, web services, so cloud service provider or other needs, we do have, we have currently just a little under 250,000 in our budget, and we want to make sure that we are funding the needs of our community. So Ryan had sent out earlier requests from groups to identify what their needs are, and if anyone has needs, knows of needs, you can send those to the budget committee.
D
It's openssf-gb-budget at list.openssf, and we'll get those in, we'll get those into our budget and we'll try to get money back out to working groups as quickly as we can.
A
Okay, have you received any requests so far from the working groups? I.
H
D
H
Yes, for the Best Practices working group, we have the SKF platform that needs to be put on a public server. So definitely this one. I know that we already made this budget exercise a few months ago, but I couldn't put my hand on the spreadsheet, so I have to go back to that and send it to you.
H
H
A
D
F
Yeah, since we hadn't collected dues, who had generously provided that 250k?
D
So we did get a donation from Microsoft at the end of the fiscal year last year. It was a budget windfall thing. There was extra in the Microsoft budget. There, we had funds budgeted for the entire year for open source projects in general and we were in a use-it-or-lose-it situation, and I stepped up and said, hey, I know a great open source project that can make use of some of that money. So that's.
A
All right, thank you. Okay, so next up on the agenda, we have Jennifer, who's going to talk about the governing board off-site and then, following that, with the outreach and conferences. So, Jennifer.
J
Great, thank you, Ryan. My update's super quick. The off-site: we've done three sessions with members of the governing board. We will be having, for the beginning of the next governing board meeting, kind of laid out what the different, like, scope of decision making is for different parts of OpenSSF. So part of this is governing board and its subcommittees, part of this is TAC, and part of this is the working groups or the Linux Foundation.
J
More broadly, so, really, the point in that exercise was figuring out exactly where and how decisions are made so that we can make them much faster, and the output of that is forthcoming. So when we have that document I'll bring it to the TAC. It'll either be our next meeting or the one after that, I'm not sure. I will look at a calendar and let you all know. As for outreach and conferences, we are organizing this kind of informally right now, reach out to me at some point soon.
J
I'll have a more scalable approach. There is a repo, but it's equivalent to sending me an email, if that's easier for you all. We are doing some outreach. So of course we want to spread the good word of securing the open source ecosystem. CRob, myself, Kay and Rao did a presentation at the FOSS Backstage conference back in February. We've submitted a panel as well to Black Hat USA.
J
We don't know if it'll get in, but we hope so, because we would like to reach a broader security community and get them interested and involved in OpenSSF.
J
J
So if anyone would like to help either give kind of our canonical presentation and panel in different venues, or would like to collaborate or find collaborators to do research or give presentations related to the type of work we're doing in OpenSSF, basically reach out to me. I will help coordinate these efforts so that we can reach more people and speak more widely in different venues, and this can be both about kind of general topics in securing open source, it can be about OpenSSF in particular, or it can go into very specific topics.
J
F
Okay, cool, so that means you are a one-person outreach committee.
J
So part of the thing that I mentioned about the governing board, where we've been figuring out the subcommittees and the decision-making, is laying out all of this stuff. In this interim period, until we finalized it all, I am a one-person outreach committee. I think, in the very near term, we'll have something that scales better and makes more sense and is more formal, but for right now I am the stopgap. Yes.
D
Thanks. She's amazing at this, I'll have to say, you know, after having been in the panels with Jennifer and Rao and CRob, but Jennifer organizes us very well.
F
Yeah, that's cool. I kind of dialed in on that because I was comparing our structure versus some other open source groups, and I'd seen outreach committees in some of them, so it just stood out to me recently as something that we were lacking, potentially.
J
Yeah, and as you raised that, it made me think of something that maybe I hadn't considered in the scope, or that we haven't done yet but have been kind of, like, implied in the scope. So the outreach that we do is typically reaching, you know, our peers in security or in the open source community, but we may actually wish to reach more broadly than that.
J
We may wish to reach students or specific groups of underrepresented people and so on, and that is not something that we have a strategy or active CFP submissions for right now, but I think that would fall under the same umbrella. So if anyone's interested in that kind of outreach as well, you know, around sort of first-time open source contributors and things like that, that could certainly be in scope as well.
H
Jennifer, that's, well, I was exactly about to say that we realized in the GitHub Security Lab recently that we were kind of continuously talking to the same people, security researchers, and it was always securities interesting to security researchers, and we really had some barriers, you know, that we didn't manage to bridge, to reach out to the broader audience, and this is an effort that we decided to make this quarter and exporter, try to talk at open source conferences, developer conferences and students.
H
Indeed, because of course, if you can manage to reach out to students first, then it's a win. So yes, I totally agree with that. So I have no concrete ideas at the moment, just saying that this is something that we understand lab. We want to focus on for this quarter, so I think that's a great idea that you just mentioned that.
J
Maybe some other languages, if some of us can bring that to the table, any way that we can kind of globalize and diversify and reach our non-traditional audience. I especially think about David's fantastic course about secure development. I mean, even that is a great message for especially beginner people as to how to begin to get involved.
J
D
Cool, awesome. Thank you. I'll add one other quick thing: we do have another outreach activity going on on Thursday this week. Michael Scovetta kindly connected us with the SAFECode organization, and they are one of the members of OpenSSF, and the idea is that we want to share more information with the SAFECode members about OpenSSF and think about, you know, help think about areas where the two of us can collaborate more or SAFECode.
D
Members can get involved in OpenSSF, so Ryan and I will be giving a presentation on Thursday to the SAFECode folks.
A
Yeah, we got some pretty cool stuff coming up, so thank you. Thank you, Jennifer. Thank you, Kay. Definitely driving that stuff is pretty cool, so much appreciated. Any questions on that stuff before we move on to the next topic?
A
Cool, all right, so the next thing, like I said, it's a little bit of a formality. We've had a couple of cases lately where members of the TAC have changed job positions, to move companies and things of that nature. So we just wanted to confirm that in both those cases we decided that, you know, we're cool with that.
A
As long as, you know, they're still OpenSSF members, you know, we're not tied to company representation per se currently. So I think we just want to formalize that. If there's any objections, now is the time to discuss, but otherwise I think we'll make it an official thing that we're not really concerned if somebody switches companies as long as the interest, you know, is still there.
J
A
No, we do have the same, don't we have the no two company representation, but other than that.
D
B
F
B
Way or the other, yeah, but I think in the case that you're talking about, Ryan, we don't have the more than two number anyway. So we don't need to resolve that right now.
A
Yep, that's cool, yeah. So as long as everybody's on board with letting, we do, one.
D
That's it, yeah, yeah, and there are no restrictions on, so the roles don't go with the company. They go with the individual. So if an individual moves companies, then they can continue in their roles if they desire.
B
And thankfully, I don't think that there's any problems with the changes based on that rule.
A
A
So dude, do you want to present with that document that you've had and kind of walk through it and start working on a plan?
B
Whoa, okay, yeah, sure, just a second. You're probably the most.
A
Familiar with it. I can pull it up, but I just thought you might be able to speak to it more than anyone else.
B
Okay, yeah, so basically, but what Ryan said is absolutely right. Basically, I mean, we had a number of different groups, you know, Mike Scovetta had done some work for OSSC, Mike Curfey had written some things. There were various documents that had various ideas: Jossie had a whole bunch of little white paper one-pagers, and so the idea was, well.
B
We don't want to lose all these good ideas, but we can't possibly do them all, so the theory behind this, now I gotta figure out, let's see, can I do two things at once. Okay, so, let's see here, I'm hoping you can see my screen. Maybe, can you see my screen? Yes.
E
B
Okay, all right, so this is the OpenSSF technical initiative wish list. It's just a Google Doc. Everybody here should absolutely have access to it. If, for some reason, you don't, that's a problem, and let me know, we'll get it fixed, but it truly is just a merge of the ideas, and we actually discussed this with the TAC back on 2020-11-17.
B
Really, some folks may not have been at that meeting, but basically it's a combo, and the goal next was, at some point, hopefully in the not too distant future from now, we would walk through that and pull out, well, here's many things we could do, what are the things that we choose to do, you know? And so, if you look at this document, it first says this goal, which is just what I've verbally described.
B
I did, because it's very, very long, I tried to pull out of the bullets that I thought were, for various reasons, often repeated. So if you can only, too long, didn't read, here's your list.
B
Okay: reproducible builds, two-factor authentication default on, security analysis, some specific security guidance, playbooks, key management, software bill of materials, malware analysis, more verification about findings. That's not to say that this group can't choose anything else. That's not what I'm saying. It's just, if you don't have time to read the whole thing, there are some ideas that keep popping up. Right after that.
B
If you look at the wishlist doc, it says where in the world all the stuff came from, you know, this is a long list, and then there was all the various ideas with an attempt to group them into some reasonable categories, and, you know, basically there's bullets of what's the idea, I guess about which working group might do it, and some quotes that give you an idea, and, if you want it, with citations.
B
So if you want to see more about what those sources said, you could find it. I'm not going to walk through all, because the rest of the document basically looks like that. It's just all these ideas, and there's some great ideas in here that we don't want to lose. Questions? I realized that was a whirlwind.
J
I love this. Oh sorry, I got excited. Does anyone have a raised hand that I'm talking over? Okay, great. In that case, David, I love that we have this and I think it can be very inspiring.
B
It depends on what you mean by this direction. How's this: first of all, I think that coming up with the list of ideas was the right first step, but there's no way we could possibly do them all, and so I think that, instead of a, hey, a post on here's an endless number of things that could be done, I think it will be better for some group, maybe a subset of the TAC, maybe the TAC itself, maybe, you know, some.
B
You know, looking through this, picking out what the OpenSSF wants to do, and then write a blog post about: we have decided that we are going to add to our list of things X, Y and Z. Explain why, explain what we intend to do, and that sort of thing. So I would say a blog post or something else would be great, but I think there's a missing step between, which is pick first. Filtering, yeah.
B
J
Yeah, fair. In that case, like, you'd propose that we decide and say we're going to be doing these. So what I'm thinking falls a little bit short of that, because I'm kind of interested in putting something out to the world. To your point.
J
That is much more concise, that maybe we've narrowed it down to a top five or a top ten, but putting something out into the world so that if there's people that are attending our town halls and on our mailing lists and stuff and haven't quite found their place, they might see a project where they go.
J
So what I was thinking then, to take your feedback, might be: what if we pared down the list to, like, you know, a top five or a top ten or whatever of things we'd like to see, describe them in kind of approachable language, and made that something public-facing with a well-defined step as to, like, and if this interests you, here's how you can sign up to do the work, and coordinate people who are interested.
B
Right, and although I had the notion of have a final list, you know, maybe what will be sensible, which sounds more like what you're thinking, is, you know, hey, we made this long list, here's our early draft shorter list. If you're interested, or maybe you think that we should have a different shorter list, please come and get involved.
B
So how, basically encouraging people to be part of that process of selecting the next projects instead of just here's the done deal. I just think that a lot of people won't read a long list of, you know, here's endless ideas, because I think for some, some folks are going to eat that up, but I think a lot of folks, it'll be overwhelming.
J
J
You're on to something, and that's a really good point, because I tend to like the long list, and I recognize that that's probably not a good strategy in general. What I'm really thinking here is, like, inspiration, so for people that are maybe intimidated to get involved, but people that enjoy starting their own thing or kind of taking ownership of a thing, just showing them a way, like a kind of nicely paved path to doing that, I suppose.
C
B
A
A
If we could get this little subcommittee, wherever it is, maybe we could leverage the planning committee, or it's a subset of the TAC, whoever it is, but, yeah, smaller group kind of come together, help start prioritizing all this content that we have and then put it into a format that is nicely digestible, you know, as Jennifer is mentioning, that, you know, we could put out somewhere.
A
I can go, I'd like to work on that, I'll approach this working group, or maybe get a couple of like-minded people together to start one, but at least we have it out there, and people can use that as a starting point to help get involved, and then we can publish something that's the subset of that, that is, quote, the roadmap for the next year or two year, whatever it is. It's kind of the same exercise, just grabbing off different chunks for different viewpoints.
B
J
Jennifer, like, correct me if you folks disagree, but it feels to me kind of like the core objective of the TAC. I mean, we come here from a technical perspective to advise, so I mean, I feel like it's well under our umbrella to care about and think about these things. So maybe, like, if there is sufficient interest across this group, we could commit to having one of our future TAC meetings being like, going like.
J
Maybe we all pre-read the list and then we discuss things we're most interested in, or maybe we have an annotation or voting function where we have everyone mark up the doc and we see which items seem to be preferred across the TAC as, like, most interesting or something like that, where we can get the TAC's feedback into what that prioritized backlog, and Ryan, I love that as a way of describing it, could look like. But that's one of many ways we can approach it.
A
Yeah, I think that's great, I agree with you as well. I think that this clearly falls within the scope of the TAC. My only suggestion around maybe having a subset is just for efficiency, but, you know, sometimes a smaller group can be a little bit more efficient, at least initially, but I'm more than happy.
A
I think what you just said is great too, like, we can start with set aside some time in a meeting where we all do a pre-read and then we come through and identify those things, and then, if we want to continue doing that in the TAC, we can, or if it then makes sense to have a subset of us go focus on that for a little bit and then bring it back, however it makes sense. But I think initially what you said is a great idea.
F
F
That it does seem like a core mission of the TAC, and then I like to think about how to build sustained contribution, because I get worried about people getting excited to come in and kind of start something, and then we've got a graveyard of half-started projects.
F
So one of the other potential advantages of having the TAC focus on it is that, instead of trying to get some grassroots contribution started, that we could also have channels back to our companies to say, here's something that this open source community has defined as an important priority, and we can actually allocate head counts that will be sustained so that we can get some complete deliverables out of having started a project.
D
I have a thought to add to the mix, which is, I think, just a slight variation of what we've been saying. I'm really excited for there to be a road map, for, you know, a technical roadmap for the OpenSSF. I think a lot of our, you know, people who are looking at the OpenSS, or OpenSSF, or even contributing to it, you know, question I hear a lot is, okay, you know, what progress have we made?
D
D
The slight concern I have is doing it in a sort of a bubble-up manner from the wish list.
D
D
D
Here's what we're going to do specifically in the next, let's pick a time frame, next 12 months, to move us toward our vision, so it gets a little more, you know, it doesn't focus just on the what we haven't done yet, it's the what we haven't done yet and what we're working on and how all of these fit into our vision, but still allows us to have, you know.
A
Yeah, I completely agree with that. I think when we're talking about coming up with a sort of prioritized backlog, it's within the context of the vision, right? Like, so the vision is the guiding light, our guiding principles, and, you know, what we're overall, you know, generically targeting, and then the road map is the specific, concrete implementations.
A
You know, that get us to that vision, and so we should definitely prioritize with the vision in mind, you know, and make sure that makes sense. So I agree that the roadmap will show what we're currently doing, but it's also the stuff that we do plan on doing, and then outside the roadmap is, oh, and then the rest of the stuff is here's this interesting prioritized backlog that, you know, future, if you want to spin up, and, you know, how it kind of all fits together.
D
A
D
A
Yeah, so I think what Jennifer said I liked a lot, so we can schedule, so the next TAC meeting we kind of have one big thing. I want Dan to be able to present his DCI information, and he said he needs about 30 minutes for that, so we could have the second half of that meeting go towards this.
A
If we'd like, we can start now by saying, let's do a pre-read of this. People, you know, make comments in the document, come up with ideas of how we might want to present it to the world as far as a roadmap and the prioritizations, and then we spend those next 30 minutes kind of discussing that, and then we can move on from there. But what do folks think about that?
A
A
B
Right, I will email to the TAC list link, because it'll go away as soon as Zoom goes away. Yes.
E
A
So with two minutes left, Dan, I don't know, do you want to give a quick intro about what you're planning to talk about next week? Or do you just want to wait and jump in and give us all that great content?
F
No, no, I can give a teaser now. So what I'm planning on talking about is not presenting a solution for here's how to develop diversity, civility and inclusion in OpenSSF, but give some background on what I see in other open source organizations. So another read-ahead thing that you could do is, if you have open source organizations that you think are influential to you or that are good examples out there in the broader open source community.
F
Please bring those to the meeting or feel free to email those to me ahead of time, and I can also read up on them and see what they're doing, and then we're going to talk about some of the structural ways that we can effect change within the OpenSSF and then what sort of resources that we would want to be able to bring to it. So there's a second read-ahead item for you.
F
If there's ideas about things that can improve diversity and inclusion in open source that you've seen in other places, if you want to bring those along too, and then we can have a little bit of a working session with some of that time.
F
So that was: if there's organizations that you think are good ones to take a look at, and then second is, if there's specific activities, like some of the outreach that Jennifer had mentioned for underrepresented minorities, for different outreach activities or universities, that kind of thing.
A
Yeah, very cool, yeah. I'm really excited to see how those two kind of come together too, because it's something I'm equally passionate about. I love this, so thank you so much for doing all that, then. All right, we're out of time. So thank you, everyone. We'll be in touch online when content comes in for the deck that needs to get reviewed, and after that we'll see in a couple weeks.