From YouTube: OpenSSF TAC (June 13, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0
https://github.com/ossf/tac
C: All right, well, folks, we will get started. Welcome to the June 13th edition of the OpenSSF's Technical Advisory Committee call. We do have quorum today with five members present. So far, a quick question for the TAC: we had an email from our friends over in the Supply Chain Integrity Working Group, and they have put together a fancy document outlining their 2023 desired priorities and direction.

C: All right, today we have two groups presenting, giving us an update of status: the Identifying Security Threats, I see Mr. Scovetta here, and then we have Securing Critical Projects with Amir and, let's see if Jeff was on. So great, gentlemen, Mr. Scovetta, why don't you take it away? You're first, authors, Jeff.
I: Sounds good. I thought I was second, so, but we're just gonna make this work. So hi, everybody. Maximum I, Jennifer Fernick, is listed as a co-lead. She hasn't been involved in the working group in a very long time. She's awesome, I would love to have her back, but I'm not sure where that source is coming from. So as a takeaway, we should update that source. So, Identifying Security Threats again.

I: Our mission is to give stakeholders informed confidence in the security of the open source in the ecosystem by collecting data and providing it back out. We're an active working group. We meet twice a month, eight to ten people. Each month we do have multiple active projects going on. The metrics dashboard is the one that is currently moving the fastest, with separate meetings each week going on, led by Jay.

I: So with that, the purpose of the metrics dashboard is to replace and be better than the proof of concept, one that's been out there for an embarrassingly long, long time, but this metrics.openssf.org's purpose is to provide enough information to consumers of open source so that they understand, you know, what they're getting into: both developers, engineering teams who need to aggregate the stuff, and engineering management that wants to look at an org-level view. So, as I mentioned, Jay and a bunch of others are working on this actively.

I: There is code. There is some front end work. They are scheduled to demo later next... I thought it was this month, but it's either, but it's probably July at this point where we will see a demo, and we don't actually need help at this time. But at some point there will be a funding question, because collecting all this data is more than a trivial amount of compute needed.

I: So there's active discussions going on with LFX and other things to figure out what's going on there, so more to come there.

I: Right, risks and threats, risks and mitigations. This is the paper that we wrote back in 2020, I believe. The world has changed slightly since 2020, so we're thinking about whether or not we should update this. Luigi's kind of taking the reins on this.

I: Security Insights is a machine-readable spec for communicating security metadata, for example: this project is bug fixes and, you know, critical patches only; I do static analysis myself, but there's nothing in the repo to indicate it; we've done a threat model, here is a link to it. Things that, like, Security Scorecards wouldn't be able to figure out easily, automatically.

J: Thank you. Just on the prior slide, you mentioned the paper, and sorry for the delay, but the follow-up question I had on that is: what is the plan to get the paper more noticed or promoted and/or more broadly distributed? Because one of the things I think we're continuing to struggle with is, not just your working group or this organization, but the OpenSSF overall and security. It's a common problem, right? It's like if a tree falls in the forest and no one's there.

J: Yep, education is the thing that I think will do the most to move the needle.

I: If, you know, everybody who is, let's say, making decisions or meaningfully, like, invested in OpenSSF perused the paper... if we get, if we get stuff, you know, readers outside, I think that that is amazing, but I wouldn't count that as the only sign of success. Ava.
B: Jeff's question, I would imagine that the audience for this includes everyone who leads a security-related effort in other foundations, folks who maintain package repositories like PyPI and npm, and a lot of large project maintainers, again outside of our immediate inner circle of the OpenSSF maintainers. Wow, have I missed something? Because it seems like you're saying that's not the audience. No.

I: No, no, no, sorry, I'm sorry, I'm getting a pekko. I don't think that, like, individual project... obviously I think it's, well, I wrote it, so I think it's like an amazing paper, but I think that individual maintainers, I think, are going to get less from it than folks that are responsible for either broadly the security of an ecosystem, or want to see the full left-to-right view, or so, so. Yet, yes, and certain maintainers at large projects or foundations or like us in other. I'm not sure that a broad... they're not pushing back, like we want to make it a broad thing with lots of readers, that's wonderful, but I think that having a more targeted audience maybe, and I mean we just need to think about, I think about that hard. Yeah.

B: When this comes back up, you're asking for creative support. I would also want to push this in front of marketing and outreach to figure out not how to get in front of a million eyes, but how to get in front of the right thousand dollar bills.
I: Insights, so again, so this is a spec. It's a YAML spec. Luigi leads this work. As I said, you know, I do these things out of band that you can't discover just from looking at my repo, but they are security relevant.

I: So this has been out there for a while. It has had a ton of uptake, particularly in OpenSSF. So we really would like us to, like, dogfood this ourselves, and, you know, push for this, you know, either as an org-level security policy where this gets pushed down to repos, or just pull requests, and actually gather, like, you know, feedback, and if this provides value, if it doesn't provide value, we'd like to know either way. Silence is kind of the worst.

I: So that's where that one's going. Security Reviews, this has been out there for a couple years. This is a repo of security reviews conducted against open source packages, so, you know, things that we've done, things that other organizations have done. Usually we just link to it, but it's intended to be a one-stop shop of, you know, "Hey, does anybody know anything about npm left-pad?" "Oh, here's a review, you know, Joe did it and here's what he said."

I: It doesn't... there's a whole bunch of, like, hand-wavy caveats on, like, you know, there's no guarantees and things like that. We're looking to see what, you know... it's already integrated into the current proof of concept dashboard. We probably want to, you know, continue that integration for the new one. Alpha-Omega, as we scan and review things, we would like to somehow get that into here.

I: We're trying to think about what makes sense there, and we actually just want it to be used more, because we think it's a valuable resource. We don't need any particular help from TAC at this point. It's just the amount of energy units we have in moving things forward, and it's a little slow going at this point.

I: I think it's the last one. Disclosure Check is a tool that we wrote to help AO, and we, I'm, like, I wrote it, so I'm not even sure what circle I'm in right now. But the purpose of this is to identify the best way to privately disclose the vulnerability to a package maintainer, meaning it'll parse out SECURITY.md, it'll look for, like, emails in commits or package metadata or Tidelift or, like, whatever it can.

I: It can find and gives you a ranked list of, you know, here's the best way to report it privately. The purpose is for AO to use this when we are doing automated disclosure, to find the top ways of reporting and doing it. That way we have a little bit of cleanup stuff. This is moved into the ossf/disclosure-check repo. Bug fixes, better docs, I do this one. I do, I would like to get.

I: So I probably won't come back here for this working group to talk about this, but if there's anyone that would, knows anyone that would like to maintain this, like, this is, like, you know, kind of an interesting tool that I would think someone would like to drive. But if not, we will continue ourselves.

I: It, okay, I'm gonna skip this one, because this is really more AO. The only question I have for TAC: are there things that we should be thinking about that we are not? If so, please engage. We really would like feedback from outside of our working group to see the things that are important to us. Thank you all very much, appreciate your time.
C: As folks have questions, please type them into the chat. We'll try to address them there and in the meeting notes, and let's move on to Amir with his presentation.

E: Oh, thank you, everybody, and I just want to thank Jeff for also being here today to present to you. I think I will share my screen. Then I did receive the June 2023 TAC update slideshow, so I will go ahead and share that one.

E: Okay, sorry about that. Okay, so I'll start us off with our new updates. So we're really excited to announce that, after a couple months of curation discussion within the working group, we did finish our second iteration of the set of identified critical projects. We have a link to the rough document there. Very happy about that.

E: Thank you to everyone who participated in the many lively discussions we had about this, so very excited to share that with you all. Next steps on that are to prepare the set for publishing, or to announce in some way to promote this, this set that we came up with, as well as developing a system for accepting feedback and suggestions.

E: It's more of a community-driven effort. And another new update from associated efforts: OSTIF, Open Source Technology Improvement Fund, last month and in late April published results for three security audits of simplejson, libcap, MC Aries, and these were funded or sponsored by Amazon Web Services.

E: Yeah, so with the set of critical projects, you know, this came up a number of times throughout the exercise of getting to a v1.1 and iterating on that first set that we had, of, you know, what is the purpose of this? You know, why do we care about this? Then I think it came up a number of times as we were doing it, so we thought, to kind of help to be more efficient, just kind of writing down what we thought.

E: The wording and the messaging is certainly welcome from the TAC and everyone else, and then, yes, current status: the finished version 1.1, and then next, as I mentioned in the last slide, preparing for announcing and publishing that, as well as developing and implementing a system for accepting feedback and suggestions, which brings me into the, you know, what help we could use from the TAC is just any thoughts or insight on how to best curate and further analyze this set, as I mentioned.

E: We would like to do it in a way that obviously requires, that does require a manual element, that requires a community-driven curation element, but also in a way where, again, it doesn't just fall on, for example, Jeff and myself to come up with critical projects to recommend for the work. So if any thoughts immediately come up, some contexts we have talked about, and I think we even have some preliminary work done.

E: Thoughts from the TAC would be greatly appreciated here. If there are other things that we can maybe draw from, you know, other types of similar structured efforts where we can maybe draw influence from, that would be very helpful.
D: Yeah, so no major updates with Allstar, just fixing bugs with production, adding features, you know, cutting releases, that kind of stuff. This is a tool for administering GitHub organizations.

D: So I noticed that there's been some recent efforts on, you know, formalizing the administration of the OpenSSF org. So if there's any help that we could do on automation there, let us know, happy to chat. Next slide.

D: Criticality Score, same thing, kind of more development, B2, and then, you know, struggling with GitHub rate limits there, and yeah. Criticality Score continues to be a, like, very useful metric for us when we determine the critical projects. Next slide. And then Package Analysis, no updates here, but we wanted to include a slide.

D: Make sure that you all know all of our projects continue on. Yeah, so jumping back on the, you know, wrapping up the update again. Well, yeah, so one that we've covered is thoughts on, like, how to do the set, but the main, another thing that we saw when we were doing a lot of the work on the set...

D: ...is, you know, we come and meet twice a week, I mean, sorry, twice a month, and a lot of the members kind of don't know how we fit into the rest of the OpenSSF. So they really want to see: how is this being used?

D: You know, I come up with, there's Alpha-Omega, there's the thing that we did a couple years ago with the great MFA project, but we want, you know, our community members want to also see how it fits in with the greater OpenSSF.

D: So we're looking to do... We have some ideas ourselves of doing, like, a road show now that we have a new version, for all the other working groups, just, you know, say, here it is, how can this help you out? But if there's any kind of communication that can help with on letting everybody know that we do have, like, if they're hearing something about somebody's doing, you know, wants to target the top projects...

D: ...let them know that we've got this set and that we can use it, and that, you know, connects the dots there so that we can get any new requirements or feedback on the set to help us with the next iteration. Talk to me, or anything you want to add there.

E: I know for a fact that, you know, we can use this data for determining which projects could use, you know, third-party help, independent security audit, stuff like that, and then, as well as the thought on, essentially, continue how to best manage and curate this set, because, you know, I think that ties into kind of the issue itself, is that, you know, because this can be used in a lot of ways.

E: You know, I think that should be factored into how we kind of manage and curate this set, so I would definitely love some feedback there.
K: Yes, I was thinking, but we've also been talking about the marketing, and, you know, the OpenSSF looking for blog posts. That could be a really good way to get the word out about this list of critical projects and engage people both inside and outside of the OpenSSF.

H: Yeah, first, I'm all for.

H: You know, eating your own dog food, so, following up to what Michael was saying earlier as well, I think we should definitely try to leverage those tools for ourselves and show best in class, because otherwise, you know, if we don't live by all gospel, then it kind of weakens the whole premise. But on the set of critical projects, I wanted to know, have you guys reached out to all these different projects' maintainers?

D: Yeah, yeah, we make the list and then, again, like, we don't say, like, what to do with it. It's, this is, you know, to fuel other efforts.

E: Yeah, we haven't, yeah. As part of this, there hasn't been an element to actually contact the project maintainers. I could definitely see that as maybe a potential logical next step, but as far as what we've currently done, yeah, it's been about more being able to justify the projects themselves to warrant being on this set of projects.

E: As it currently stands, it's just been more about getting people or getting projects identified. David E.
L: Yeah, exactly. Again, you know, been participating on this with Amir and Jeff and Jacques, and so, you know, thanks very much, and David Wheeler and many others who've, you know, come in various times. So thanks very much for this great work in creating this, the set. I mean, exactly, I know, as you were, you know, asking about, you know, one of the issues is that we've created this and it's, you know, it's been...

L: The initial list of projects was proposed in multiple different ways. I mean, some of this was individuals nominating, some of this was sort of semi-automated and looking for large numbers of, you know, stars and projects and GitHub. So there's been a lot of different ways in which we've tried to get that initial list, which is somewhat arbitrary, against this list of group of people that have been, that they mentioned that...

L: ...are, you know, on this list, asking about, you know, trying to fathom humanly about, you know, what are the critical projects, and in some consistent way. But exactly, as Amir mentioned, this, the question is: how do we take this information and include this in a broader pipeline for OpenSSF and make this consistent? And okay, we have this list and not... and I completely agree with you. I know, publicizing it, but additionally to publicizing to these teams, part of it could be publicize it, but we don't have, you know, other than okay...

L: We created this list and it's a list. We, as the Securing Critical Projects and as the OpenSSF in general, TAC, don't have a broader arc or story about what this information is going to be used for. So yes, we can go to a project and say, you're on the list, it's like, okay, you know that, and, you know, five dollars will get you a latte at Starbucks, or maybe it's 10 now, or whatever it was like. Okay, so look, you're on the list. Congratulations, next. So I mean, part of this question...

L: I mean, I think that we're brought up is, okay, how can we, you know, with the TAC, actually create a pipeline and be able to utilize this? Okay, we created this information, you know, and we've also were in coordination with Alpha-Omega. They have their 10,000 projects, and maybe about our group sort of owning that. But how does this speak? You know, trying to create a broader, you know, pipeline for this information, a consumer, and also understanding better for this group...

L: Who are the potential upstream consumers of this, and what would be more useful? How could they consume what we've already created, and what would be more useful information for them to consume? How can we better curate this list, or create a, you know, better, so that there's sort of a holistic sense of all these individual SIGs that originally populated the OpenSSF, and now that we've got this broader organization?

L: And how can we have a more consistent messaging and method for how all this information is going to be consumed and utilized within the organization and the various SIGs, as opposed to our creating this list, and then somebody else who needs to, again, Alpha-Omega, you know, fund organization, but they create their own lists. I mean, there's, right now, how is this all going to work? And so are those questions is really apropos.
C: Want to thank Amir and Jeff for coming and talking, and thank you to Michael. To wrap this particular conversation up, I see two outcomes, so we can directly address the ask from both groups. Omkar is in the, is starting to kind of document what his vision and kind of what our kind of marching orders are going to be for the foundation in the next year.

C: So I think we definitely need to include things like the critical projects list and considering things that need to be done, like, at a foundation level, like everyone having a SECURITY.md, yada yada. So I think there's definitely opportunity for us to work, and specifically I think we should make an issue either in the TAC or in, you know, the critical list repo.

C: So we don't lose track of this, and start a dialogue between the TAC and the team working on the list to see, kind of brainstorming ideas of how we might be able to socialize this, get this better penetrated throughout the organization, and kind of start to make some plans. And then eventually, let's set up a call or a series of calls to start to formulate the plan to take action on how we can start to leverage this great work. Again, thank you to our speakers today. I really appreciate that.

E: Yeah, thank you, Corbin. Everybody, I just wanted to quickly also address Ava's question. So it is currently public or open to access this set of projects. In terms of any external orgs relying on it today, I don't know of any, I would say, specific examples, but I do know, for example, us at OSTIF are using data points like this to, when folks ask us, you know, hey, what projects would you, or what projects should we go out and audit?

E: It's something that people will build insight off of, or feed into kind of their analyses. So yeah, I just don't want to take up any more time, but I do see Jacques' hand is up, and then I think I'm done with our updates. So thanks again, everyone.

F: Very quickly, while the US government is probably not looking at it now, there is legislation that, if it gets passed, requires CISA to build basically the same thing, and I will not be surprised if they show up and do a copy and paste to get started. So indirectly, I think we'll have an impact there.

M: I did, I dropped that in there. If you would like to speak at OpenSSF Day in Bilbao later this year, please submit to the CFP that's open now, and, you know, let everyone know within your working groups and colleagues who might want to submit. And then I'll just mention one other comment, that we're here for you in terms of marketing comm support. So whenever there's something that needs to be shared broadly or to specific audiences, I'm here to support. So just let me know, and I can work with you on that.

C: Awesome. Any questions about EU OpenSSF Day? I encourage everyone to submit, and I hear that the city itself is quite beautiful to visit, not that that goes into travel budgets at all. Let us move on to the issues we slated to talk about today. Let's talk about TAC issue 172. Michael put together a very well put together thing for us to review about GUAC, and I will yield the floor to Michael. You have about 10 minutes, sir.
N: Sure, so we're looking to, and by "we" I mean the GUAC maintainers, are looking to contribute GUAC to the OpenSSF, if you'll have us. And yeah, I hopefully filled out the application correctly. I know that we have some open questions about what the due diligence actually is on that front, and we're prepared to run through any process on that end, but I think beyond that we're...

N: You know, I hope we filled out the application correctly, and yeah, we're interested in contributing GUAC. We think, based on some conversations with both the End User group, as well as the Supply Chain Integrity group and some other folks within the OpenSSF we've been chatting with about GUAC and demoing GUAC to...

N: We believe it might be a good fit for OpenSSF, and I know at least right now, according to the governance, we come here first to sort of submit the application, and then we go to the actual individual working groups if it fits under there. But we have had some conversations with the Supply Chain...

N: ...Integrity group that did sort of say, you know, it sounded like there was some interest on that front, that if we did get accepted, they might be interested in having us fall under there. So for folks who are not super aware, you know, so GUAC is a... and we've given a couple of demos on it, and they're all up on YouTube and on the OpenSSF YouTube, but we've been developing it for about the past, give or take, so it started...

N: ...actually around this time. We sat down with some folks, a bunch of us between Kusari, Google, Purdue University, Citi and some other folks, had went and sat down and sort of sketched out some stuff. We've been writing the code more or less since, you know, summer of last year, and yeah, we've had a release of, like, a v0.1 beta release.

N: Give folks a better understanding of their supply chain, while also sort of still associating that data with, sort of, like, where it came from and that sort of stuff, so that you have an idea of, you know, who's making sort of claims about the different pieces on your supply chain. And yeah, it's intended to be a supply chain sort of knowledge graph, and hopefully, you know, useful to folks from the perspective of, like, helping actually dive in and figure out, okay, hey, I...

N: ...have all these SBOMs, I have all these SLSA attestations, what do I do with them? How can I build a better understanding in my supply chain? Well, we can ingest all that data, and, you know, I can run queries, use it as the basis for, you know, policy and all that good stuff. And so on that front as well, we've been, you know, working with a lot of folks within the community, so we have folks, like, from Red Hat and Guidewire and Yahoo, and there's a hedge fund...

N: ...that's also been looking at it, and also we have, in a couple of community meetings, there's actually a law firm that seemed interested in GUAC, because we're also keeping track of license information, and they seemed interested in, you know, taking a look at that as well.

N: So that's just the quick explanation of GUAC, but I wanted to open it up to questions.
C: All right, friends, I'll start off. So from your perspective, how, it feels like this would probably land in the Supply Chain Integrity group. Looking at the existing projects within there, how do you see GUAC complementing or adding value to things like SLSA and S2C2F?

N: Sure, yeah, so in a couple of ways. One is, so we ingest SLSA metadata. So one of the things is, and we've sort of built out a couple of POCs for this as well, but we can sort of ingest SLSA metadata to help sort of sort out whether or not, you know, does this, like, you know, be able to hit those high level questions like: does this package have a SLSA attestation? If yes, you know, like, what is the information we can glean out of that SLSA attestation?

N: Did it come from, you know, a source that we trust, and so on. And then, in addition to that, you know, when it comes to sort of the S2C2F stuff, so that's kind of more on the consumption end, and so we would sort of assume that, like, if you're trying to do S2C2F, you could use SLSA metadata. Sorry, not, you know, you could use the metadata...

N: ...that's coming out of GUAC, like SBOMs, all this other stuff, to help you sort of determine, like, am I doing the right things from the S2C2F standpoint. And then, you know, when we look at something like FRSCA, right, you could have, like, a build, and that build is generating your SBOMs and SLSA and all sorts of other metadata that can then easily be ingested right into GUAC.

N: Yeah, so there's still discussion on what exactly that instance would look like, but there is some folks, especially on the Google side, that seem to be interested in, and we're interested as well, as, like, creating something like a public GUAC service for, like, the top one percent or so of, let's say, you know, open source packages, to help folks get a better understanding of what relies on what, and stuff that kind of goes above and beyond the SBOM.

N: So we're, you know, there's some interest there to kind of create a public service on that front, and it would kind of, you know, be similar to something like deps.dev, OSV and Sigstore, and that kind of thing, but currently there's nothing that exists yet, right.

H: No, but that's okay, thanks. And so, did my other question: we heard from Michael earlier that they're working on this dashboard to, for other developers that go, watch out, adding a dependency that they have that level of security, you know, posture, and so there seems to be some kind of connection there. There should be, is there anybody who talks about this? Is my...

N: ...question. So, no, there hasn't been, but I think, you know, great minds think alike, I guess. You know, I think that, you know, this sort of thing, when we look at also stuff like the thing formerly known as Sterling Toolchain and everything else, you know, there's a lot of folks who are looking at, like, hey, now that we are generating all this supply chain metadata, what do we do with it? How do we analyze it, and how do we actually make decisions based on it?

N: And so, if there is a dashboard on that front that we can integrate with, that would be great, especially if those folks are better front-end developers than us back-end folks, because, you know, it's a dashboard only a mother can love. Yeah.
O: My ears perked up when I heard about running a GUAC service similar to deps.dev. One of the things that I have been talking to various people in OpenSSF about is data licensing, and the fact that... so I would just encourage you to think about data licensing at the beginning of that project, rather than everybody else who seems to have forgotten about it and isn't interested in talking about it. But I'm interested in talking about it, yeah, so I'm going to keep talking about it.

N: Yes, so on that front, we are very, you know... actually, that was one of the key design things in our design doc, both from a data licensing perspective as well as a PII perspective. We want to not have to, like, get into PII sorts of situations where we're ingesting data. We also don't, like, from a safety perspective, we don't want to potentially be ingesting data and doing analysis that could give folks, like, unmask anonymous folks.

N: We don't want to do any of that as well, and so that's definitely a key thing that's...

O: ...important for us, but I, that's important. I was also talking about the outward licensing, so, like, if you expose a data set through an API, make sure you clearly signpost what the data license is, for instance CC0, so that people know that they can use it, right? Because this is becoming a problem. It's a separate issue, but it's something that I've been talking to folks, for instance, about the Scorecard API about. Oh.

F: Related to that is the license of the incoming documents, that only just occurred to me as a potential nightmare, I guess. One of the things in GUAC, though, is the design is that it explicitly has a relatively subjective, like, it has a concept of the subject who is attesting, so we can probably attach to that that this person has granted a license.

N: Yeah, and so on that front, right now we're keeping track of the source, like, where it came from, as well as, it's in the works to use stuff like, you know, who signed this, or what, rather, like, not necessarily, like, literally who signed it, but more just, hey, there's this key, this key signed it, or this Sigstore, and it can be backed by this OIDC or whatever. I think that there's stuff on that front that we're interested in exploring a bit more.

N: Yes, absolutely, yeah, and that, I think, is something that we're interested in, and actually that's something that I know a bunch of different groups have begun to discuss. It's slightly tangential to this, but real quick, it's just a lot of folks are starting to ask the question of, great, distribution of supply chain metadata, so, like, if GUAC is ingesting all this stuff, how are folks actually still distributing it from their package...

N: ...maintain, you know, PyPI, gem, you know, npm. I know different folks are doing different things, but I think there's stuff on that front that I think a lot of folks are very interested in figuring out how to help the community solve.
C
So to my friends on the TAC, do we have any other questions? How do we feel about the proposal to incubate GUAC, so we can have some, you know, incubate those avocados. Ava.
B
As a project and a code base, I think it's incredibly useful. I've been following their work from a distance for a while. If it went to a vote to move to sandbox, I would absolutely thumbs up it. For incubation, I would discuss a little more.
H
C
And there's also a part of that is like legal review, like an IP transfer type review assessment that needs to be conducted. Zach, and then Bob.
K
Well, I agree with Ava on the delineation between the project and the service, and also that I think that this is a great candidate for sandbox. I want to apologize on the messiness of the process; we're working on cleaning it up, and in that theme I was wondering, do we need a specific TAC sponsor for this to move forward, or like, what else does this need in order to move forward?
G
Zach, I don't know. I'm happy to be the TAC sponsor as well.
C
Excellent. I also agree there's a lot of value in continuing to explore this. Any other? I think, Dustin, any thoughts from you, sir?
C
Right, so let us mark down that the TAC is agreeable to the idea of moving this in. There are some procedural things we need to do, the PR and whatnot, and Mr. Callaway's generously agreed to help shepherd you and provide you his sage wisdom as we move forward.
C
So let's get that documented in the issue and get the PR set, and we look forward to continuing to explore this idea. And to Ava's statement, let's see if we can get some more details around the potential public service. I think that would also be useful to get described and start to think through, because there will be a cost to that. Any other thoughts or statements from the TAC or the observers?
N
A
C
All right, well, thank you. I'm looking forward to seeing more good stuff from GUAC. Let us talk in our last nine minutes about the contributor ladder. We had some dialogue here on the issue. Amon, wish to kind of report out status and share with the group where we are with that?
P
Dustin. Yeah, I think I can do that. So you know, we have some folks who are interested in becoming maintainers of Scorecard, and there was a request by Justin Augustus a couple, over a year ago now, for a contributor ladder, because the process is somewhat undefined of, like, what do you need to do, at what point do we make someone a maintainer, give them the commitment, that kind of thing. In that process a contributor ladder was drafted, which is mostly derived from the Sigstore contributor ladder which already exists, and the thought was, well, like.
P
Maybe it makes sense for all OpenSSF projects to have contributor ladders in order to make sure that all projects have a path towards maintainership.
P
I think that if I can try to summarize the discussion, it's generally: there's a lot of detail in there, there's a lot of detail in the Sigstore ladder. It might be too much as a template for kind of nascent projects to have to adopt.
P
I think we could mitigate this by making it very clear that this is just a suggestion or a template, but we could also tone it down, and we could also not provide a template and just sort of say, here's some examples of other projects in OpenSSF that have ladders. That's.
C
We will open that up. Thank you for that summary. What thoughts or questions do we have? I will say, as a working group lead, having a template would be super useful, because we get lots of questions from members of how do I participate, and kind of, if there ever comes to a vote, it's nice to have kind of that process laid down, so I wouldn't mind a template. Let's start with our no.
H
So I, you know, I tested and I had discussed, we did quite a bit on the issue, but to repeat a little bit, I mean, where I stand is, you know, I think this, there is value in doing this, but we need to make it, you know, the minimal requirement needs to be very minimal, because, you know, I mean, you're talking about the template. I agree.
H
A template is very useful, but, for instance, we have the template for working groups that has a TSC, when most working groups don't need the TSC, but because it's in the template everybody has a TSC in the charter which they don't really know what to do with, and I don't want to have that situation here. I think it's critical to document who the maintainers are and how somebody becomes a maintainer; that should definitely be.
H
We should be transparent about this, and I think there's value in having a standard policy across the organization, but all the different layers that are being talked about, the different walls, seem to be a bit overwhelming to me, and my concern is that we make it so complicated that, you know, somebody who wants to contribute looks into it and they're like, oh my God, forget it, there's too many.
A
G
I guess my short comment on this is, I am in total favor of mandating that projects within the foundation need to have a ladder, so that it's very clear how a contributor can move to a maintainer. I would simply just go to Dustin's earlier point of linking to some examples. I don't, I think the template thing can be overwhelming, and I think, let's not let perfect be the enemy of good enough here, but I think it is part of a mature organization. I.
G
Think making sure that folks think about that very early on is a very important dynamic for inclusive communities.
C
Excellent points, thank you, Bob. Any additional comments on this?
C
We haven't resolved this, so I expect we'll come back at a future date. Maybe if we can continue the conversation, if we need to schedule any kind of working group session to kind of have some real-time conversation, but I would ask that we come back at some point in the future with the results and kind of recommendations for how we want to see this play out and get implemented. Does that sound fair?
C
All right, we are out of time, so we will not be able to get to the taxonomy. So maybe next time we can do, we'll start off after our working group update with the taxonomy, and if anyone has any updates, please communicate as part of the issue there. We're trying to get these documents so we can have that transparent dialogue. Zach.
K
Yeah, my one minute plea is: please read the issue, please read the linked Google doc. I might try to spend some time between now and the next TAC meeting putting together a more concrete proposal. If that's something you're interested in, please reach out to me. Awesome, thank you, appreciate that.
C
All right, team, I appreciate everyone that contributed, whether presentations or conversation today. Good talk, looking forward to seeing our newest potential adoption of GUAC, watching that ripen. Thank you all, enjoy your days, and, if anyone's interested in the security tool belt, we talk about that in just a few minutes. Cheers, all.