From YouTube: OpenSSF TAC Meeting (June 15, 2021)
C: It... yes, yeah. We should probably share that around a little bit, especially now that Carly's gone. As I was joining I was like, wait a minute, does anybody else have the authority to start this meeting? I realized that as I was in here, waiting for it to start.

A: Yeah, I just had Chrome remember that I used LastPass to jump into this last time. Wait a minute, surprise, I owned the call today.

C: Yeah, it's been a long time, a long, long time, back when it was downloadable with Firefox, right. It all came together, bundled.

C: All right, so let's get started. Kate mentioned to me that she's not able to make it today. She has a conflict. So, a couple of things on the agenda. So, Dan Middleton, I don't know if you're actually on there.

C: I cannot see you, but he put on here: clean up the future agenda topics on this document. I have done that, so I went through the top. There are a few things on there, real quick, that I wanted to touch on. Like, Dan Lawrence, you have on here the public versus private communication. I think that stemmed from an email discussion that happened on one of the aliases. Did you still want to talk about that, and we can put it on for later today, or has that...

C: All right, we'll get to the rest of this and then I'm pretty sure we'll have time. We'll go ahead and we'll talk about that as well.

C: So then, Mr. Wheeler, I'm putting you on the spot again regarding executive orders. I know I was in the meeting yesterday. I know there's not a lot to share, but I thought maybe you could kind of just give everybody an update about where you're at in the process, just so that we're kind of all on the same page.

F: We'll take it you're part of this group. David, carry on.

B: Oh, thank you. Thank you. That's very kind. So there's a crazy amount of things that are happening as a response to this U.S. executive order. There was a recent NIST workshop I pitched a little bit about.

B: First of all, they had five questions. I wrote five papers, and the OpenSSF was prominently, I believe, in all of them. I was actually invited back to speak at the critical projects panel, because I had made some suggestions about how to define critical projects.

B: I actually have some concerns. Just kind of FYI, they're still trying to figure out how they define critical projects. They really don't want to define them in terms of how the software is used, which I think, to me and many other people, is not really a good plan.

B: The reason they want to do that is because it's very hard for government acquisition officers to know how it's going to be used, to which I would say, well, that's a problem you need to fix, as opposed to accepting the problem. But for whatever reason they have not made a final decision.

B: I think the good news is that they are aware about open source software. I think the concern would be, once you identify critical software, what are you going to do about that? It's not clear right now what that will mean.

C: So, are they basing that purely on usage? Not, like you said, how it's used, but just quantity? Is that... no?

B: A network monitoring system... I think I've convinced them that... Well, I think it didn't take that much convincing, because they were already aware of this, that hey, if it's at least in research, that doesn't really make much sense. And I tried to convince them that at least if something else is managing its security, maybe you don't need to worry about that. Yeah. They were very unprepared to have a real answer on what they meant by critical software.

B: I mean, to be fair, that was the point of the meeting. They wanted to hear from others what they thought critical software meant. So I have concerns about how they'll define it and, probably more importantly, once you define it and once you identify it, then what do you do? And that's to be determined. I have a lot of concerns about either they can create requirements and so on that are useless.

B: Well, that does no harm, but it also does no good. Or they can create requirements that are ridiculous, and it's going to be all too easy. I don't have a simple solution for that, but hopefully that'll get better. Lots of activity, lots of questions. People are absolutely just pinging me to death with questions, and it's all good. I'm a little tired.

B: I am trying to create a... Jim Zemlin asked me to create a list of what things should be done to improve open source security, in other activities.

B: He wants it whether or not it falls in OpenSSF's umbrella, and I think basically he's looking for kind of a list so that he can go and try to get sums of money. I cautioned another OpenSSF group yesterday, don't assume that it will necessarily be funded, but we're going to try, and I think we're actually going to be trying to see if we can pull tens of millions.

B: That doesn't mean any of that will actually happen. So don't schedule on it happening, but we're gonna make a push. Okay.

B: Thank you, David. So I'm hoping to be able to share more. I love it; it's from the wish list, but Jim wanted a review before he shared it further. So he's my boss's boss, so I do what he says.

C: We all understand. Awesome. Now, I think there's some interesting things happening there in those workshops. I know Microsoft's been pretty heavily involved in them as well. That's actually one of the reasons Kay is not here this morning; she's dealing with some of the stuff from the video. So, as I know many of you are as well.

C: So then the next thing is the budget vote. So I know we talked about this in the previous TAC meeting, where we all kind of approved, yes, we should fund these various initiatives, but the governing board came back after the budgeting committee met and the governing board met, and said that they would like us, in detail, to officially vote as a TAC group and approve these very specific numbers. There is one that is still kind of up in the air, the OST one.

C: OpenSSF clearly does not have those funds at the moment, specifically since we're not collecting membership dues just yet. So the governing board said, hey, we can give $60,000 towards that project, which I think is helpful, but we need them to now go and revise the proposal of what they would do exactly with $60,000 versus $2.3 million.

C: I imagine it's a slightly different scope of work and we should know what that is. And so I've reached out to them; they're going to get a proposal to us, so once they have that revision we can see what that looks like and then we can actually vote on that one.

B: Ryan, I have a question. We don't need to wait for another meeting once they make the proposal; that can just go out immediately for an electronic vote, right?

C: Oh yes, absolutely. And so actually that kind of gets to my next point of how we're going to vote on these things to make it official record. So what we've done in the past, right, is we've created the GitHub issues and then we've approved them. Once we reach a certain threshold, we can consider it approved. I propose that we do that again, because it can happen asynchronously, exactly as you said, David. So once we have that proposal we can just kind of get rolling with it. Is everybody okay with that? Anybody opposed?

C: Going once, going twice, sold. GitHub issues it is. All right, so the Identifying Security Threats working group, they have asked for $41,600. $1,600 of that is coming from the Azure credits to do the hosting for the service that they're building, and then $40,000 of that is going to go towards development of actually creating more code for their services and things like that. So that's 41.6, and then the Developer Best Practices group is 631.

C: That's $30,000 of operational, as far as hosting and all that kind of stuff, and then actually I did have a question about that, if they were going to use Azure credits as well, because there are still some available. And then it also includes development of their single sign-on, webhooks, and their SKF labs.

C: So those are the two. Does anybody have questions on those as far as budget goes?

C: Cool. So any other questions on that? All right, I'll get those issues put out on GitHub today and then send out an email link to those guys. So just vote approve, if you approve them. We'll get that sent over to the governing board and then funds can be dispersed. Then we can continue making progress here. So then, the last thing, I guess, now that we do have time, you know, we're just flying through this this morning.

E: Oh yeah. So there's a thread, maybe a month or so ago now, I forget, about just getting rid of the OpenSSF private TAC mailing list. I think we set it up originally to be used for, like, discussing private security disclosures, that kind of thing, in case it came up. That use case never came up, but I think people keep accidentally sending things to that one instead of the public one. So I'm proposing we just get rid of that one.

C: So I do see the advantage of having it for certain situations, but I could definitely see the concern of people sending to it when they really shouldn't be, and hiding communication that maybe should be public, intentional or not. I guess, if we did get rid of it, what would be the alternative? Should we have one of these scenarios pop up, just email directly, not use the...

C: This is interesting the other way, yeah, because I haven't even noticed that people are using that, because it just comes through my mail, right. I see TAC and I read it. But were there a lot of conversations on there? Because, like I said, I haven't really noticed; I haven't been paying attention. Yeah, there's quite a few on there, if you take a look. Okay, I'll go back and check that out.

C: All right, well, we can contact somebody, I don't know who, that has maybe some knowledge of that and see what our options are. I would be in favor of disabling for now, if disabling's an option. I think the net result's the same. If we need it, we bring it back somehow. Well...

B: The minor advantage of disabling is that... I think, I don't know if just deleting eliminates the conversations.

B: So I would say: vote now, you know, if you want to disable, if it's possible, otherwise delete, you know, and then, if we find out, like, if it can't be disabled, well, when you have the answer you don't need to bring it back.

C: Right, and if we have to delete, then we need to see if we can archive those messages. Okay, so, Dan.

D: If we were dealing with, like, we used the use case of a sensitive disclosure, it might make sense to have that be pretty group-limited anyway, and we know that everyone that's on the list is current and all that kind of thing.

D: I guess I'm opening it as a question to the group, really, is like, we had... I guess we put this in at some point thinking like we might, as TAC, need to have sensitive conversations. Dan has raised the valid point of, like, what are those sensitive conversations? So I guess what I'm saying is, if we are thinking that it's for something like disclosure, does this even still fit that purpose?

C: I know these were created in the beginning, like, we sat down with Carlos and said, okay, what do we need mailing lists for? Okay, each working group needs one. Okay, the TAC needs one. The governing board needs one. Well, we might have sensitive conversations, let's create a private one for each of those as well. So yeah, like, Jennifer, you just said, Dan, great point. Like, maybe we don't. We haven't had this situation; maybe there's alternatives. So I would, given that, I mean...

C: I think it's definitely on the table that maybe we don't need this, and if people are using it inappropriately, let's, you know, crawl, walk, run into this thing and say, let's start with disabling and just make sure that we don't lose some of those conversations, and also, if something pops up, it's easy to turn back on. But then, if we decide in two months it's useless, let's kill it.

G: You know, like, my comment is the paradigm for a private mailing list is established, Apache Foundation for example, but they clearly have rules, you know, put out for when you use it or not. Publicly available rules for what it's used for, and it's typically done for vulnerabilities. So once we have more software projects, you don't want people to post into public mailing lists, "you have a vulnerability in smear software." So that's one of the reasons Apache keeps private mailing lists.

C: Yeah, I know that was definitely the intention, or one of the intentions, of creating these things. It was that, and there was also, like, if there were sensitive, kind of, like, quote, HR-type conversations that were happening, you know, personal things that needed to be discussed. That was kind of the intention of it. We just haven't actually had that scenario yet, but certainly can see it in the future. But, you know, Dan's whole point here: people are using it incorrectly right now. So how do we fix that?

C: ...comfortable regardless. Yeah, I totally agree with that. I think the issue here, what's happening, is actually not from, like, external folks that don't know, you know, better. It's more like within the active OpenSSF groups of TAC and governing board, people are just accidentally using the wrong one.

G: So, but if there are issues that are sensitive, do you know, is there... create a different one? This one's been abused, so is there a new one that could be created? Not having a private one, or not having a roadmap, I think is a larger issue in terms of if there is a problem, because I know we have more products that are being sponsored and code coming in.

C: Yeah, that's a really good question. I mean, I would say that, again, I think there is a need for something like this, and I think you're right, this one, most likely due to naming, right, people just accidentally using the wrong one. Maybe we do create a new one that is very specific, and when we create that, put these lists of requirements as a roadmap and we'll put it publicly, excuse me, publicly on... you.

C: Well, that's what I think is the problem, right, is that right now, internally, I think folks that have used it before, if you start to type openssf-tac and then it tries to auto-complete, like, oh yep, that's it, because it's some long mailing list name, but they're getting the private one they've sent to before because of auto-completion. Like, it's too similar, I think, is the problem.

G: Well, if it doesn't name "tac-private", that's a problem, because, you know, people think that's a private conversation amongst the TAC members. So the labeling sounds like a problem.

C: Well, the idea: well, it's because this is a private alias intended for just the TAC members, whereas the TAC mailing list is public to anybody who wants to join. Anybody can attend the TAC meetings, whether they're TAC representatives, right. Like, so then there was this private one, like, okay, just amongst the voting members, there was an ability for us to discuss sensitive topics.

B: So I think tac-private's okay. I think you're right, though, the problem is once people start using it as a default, it keeps going, and that's why I was proposing to just suspend it, because once people stop doing that, it could be used later for its actual intended purpose.

C: Cool, all right. Well, that is all I had on the agenda for today. Is there anything that folks would like to bring up? We've got 30 more minutes. Otherwise, you guys get 30 minutes back and I'll use it to create these GitHub issues.

C: As far as approving the budget, yes, so I'm going to send these issues out within the hour, and then I would like to put a time constraint of by Wednesday to have folks vote on this. If we have this extra 30 minutes, please go do it now. But yes, the governing board didn't put a time frame on it. We just need to approve it, but so I'm saying Wednesday is the latest.

C: All right, I will give you 30 minutes back and I'll go create these issues. So please, I'll send that mail out, please go vote on them, and then that way Krog can get his funding and continue on his great work. All right. Thank you all. Thank you, see you in two weeks. Thanks.