From YouTube: OpenSSF TAC Meeting (October 5, 2021)
Description
No description was provided for this meeting.
C: CRob, I haven't heard any vast objections to my Best Practices working group addition proposal from you, so.
D: Oh, the actual training part of it I fully endorse. We can figure out the rest.
C: You have to go to Participants, click on Participants, and there's... well, you can go under More, and one of the options is Rename.
A: All right, let's share my screen here.
C: So basically, this is a proposed project for making free MFA tokens available, distributing them out and, possibly most importantly, helping people actually use them by giving them very clear, simple instructions for common cases like: how do I use this on GitLab? How do I use this on GitHub to commit to, you know, whatever? So, if you want to follow more details, there's a draft plan. It's basically just a Google doc of "hey, these are the things we want to do, this is how we're going to do them." For those of you who would like props, let's see, I don't know how well the camera is going to work on this, but I'm going to make a try here. So Google is actually contributing thousands of MFA tokens, and this is what they look like; they're very, very small. Okay.

How do we make sure that they get distributed in a way that is less likely to be a subverted token? And yeah, I see CRob smiling. The solution for that is basically Google's going to actually send them out. So the plan right now is to email me, basically contact the developer, say: go to this URL, here's your code to get one. But they'll actually be contacting Google directly; it'll have a Google URL. Now, if you don't trust Google, well, then don't take Google's MFA tokens, okay? And the goal, basically the whole goal of this, is to try to deal with the attack scenario of an attacker picks up an open source developer's password and uses that to either, you know, cause changes to the source code or, even worse, post something on a distribution site like PyPI or npm or some such. Oh no, or we could just leave a bunch in the parking lot outside, yeah. Okay, we're all laughing, and we're going to beat you over the head now.

All right, yeah, you know what, in all honesty, Dan is... I don't know if he is... is Dan Lorenc on the call? Dan left. Okay, Dan left out a bunch of these at the Open Source Summit at one of the things, and at least at one time that booth was unmanned, so we had a situation very close to that available, so we will beat Dan. But in all seriousness, so basically we're trying to work through a plan to work through this, but we want to just create a little project, working group, something to work on this.

Let's see here, where's our... John Nolte has actually been willing to help a lot; he's on the call here also. He's actually done some training related to this. There's actually three different working groups that this overlaps. Is this the Best Practices working group, because the guidance on how to use these things is probably a best practices issue? Is this Developer Identity? Is this Critical Projects, because in fact we want to focus on the critical projects, at least to start? Is it its own initiative, which is allowed by the charter? I think there's excellent arguments for any of those; any of those actually make sense to me.

I was proposing to start with this within the Best Practices working group, because I'm anticipating a lot of the work being just creating guidance or finding the best guidance and pointing people to it, at least to start with. If this grows it can become its own initiative or another working group of its own, but basically I think I'd rather just start with something existing and then we can grow it to its own thing as it matures later, if that turns out to be appropriate. I don't really care, just let's get moving, let's get started. We have some tokens, let's get them out, and there's a repo that already existed for some of this stuff. Okay, so because it's under the OpenSSF, it's that we're just not sure of where, and that's why we came up to the TAC. So suggestions, please. What do people think about this? What do people think about starting it within the Best Practices working group? And we don't care nearly so much as let's get moving.
D: I'll start while people think. David already came and talked with the Best Practices group, and we had a lot of interest within the team, so at a bare minimum we have a group of people that are willing to help contribute to the educational materials, and, you know, if need be, I can help shepherd this along, but I have no real...
C: And I will note that the OpenSSF charter actually specifically allows for projects directly under the TAC. We don't... we only have working groups right now. We can create a standalone project if we chose to do that. I'm proposing trying to go, you know, just pick an existing working group and then we can use some of its existing, you know, mailing lists and so on, and if it turns out to grow to kind of its own thing, then we can deal with it at that time. But I'm trying to minimize the number of additional meetings that people show up at and that sort of thing.
G: Yeah, that makes sense to me, because it seems like a pretty short-term thing once we get it up and going. I do want to add, though, that we do still have a ton of bulk ones to just kind of hand out to people, which is kind of scary. There are ways to prove the authenticity of these, and it'd be awesome to try to get that in the guidance somehow so that we don't have to waste all those that aren't going to be directly shipped to people.
C: I think that's great, yeah. But see, that's why we want to quickly stand up officially something, and then we can collect the... like, I actually didn't know that there was a way to authenticate these. I just grabbed these from the collection that Dan was sending out, so yeah.
H: So, the next week, yeah, next week, Sigstore have a booth at KubeCon, okay, and they're gonna be giving some out as well. Okay, and so various people in the community are gonna be helping out on the booth, and the idea is somebody signs something with Sigstore and they get a sticker and a key. And I'm just thinking, if it's useful to you, you could use this as a lessons learned. What worked? What went down really bad?
C: Lessons learned are always welcome, and I think what we want to do is try to bring that into, you know, some sort of handy "hey, here, you know, if you're interested, here's something simple, here's how you do it", as simple and as directive as possible because of people's limited time. And I'm actually fine with some people saying, you know, "I don't trust that." That's great, go.
F: On this note, something we talked about in the kickoff discussion for this, I guess it was last week, a couple of related things. So one of them was a communications plan so that, when we're distributing this, we have like an OpenSSF blog post that is outlining what we're trying to do, where this stuff came from, etc., so that it doesn't feel as much like a social engineering attack. And then another part of that work...

Another aspect of this work is probably looking at kind of threat modeling and explaining kind of why we believe this to be secure end to end and under what conditions, so that we have documented that for our own purposes, so that we are not unknowingly facilitating the biggest supply chain attack of all time, but also so that we have it documented and we're able to share it with anyone that's curious around, like Dan had mentioned, attestation of authenticity of the keys or something like that. So documenting all of those pieces and figuring out, once we have a distribution plan for actually moving the hardware from the donating entity to the receiving entity, exactly what that looks like from a security perspective as well.
C: So... chain attack. So I've added those two major topics right now onto the great MFA distribution plan as at least topics that need to be dealt with.
C: Okay, and I know that John Nolte, the expectation is, can be involved, and as many other people as we can wrangle into working on this. Since this is CRob's working group, CRob, the target is painted on you.
C: It's always nice, and it's in a mostly software world, it's always nice to have actual props you can show too. And just to be clear, these little things that we're currently planning to give away, you know, this is not the be-all and end-all. For example, you'll notice there's no button on these. These are the less expensive tokens. I'm a fan, actually, of the ones that have buttons. I have one that does.
I: Okay, neither, yeah. Hey folks, so there's a bunch of work going on on projects that are supply chain integrity oriented, and so there's a project that Microsoft initiated that's currently on the Microsoft GitHub that we would like to propose moving into OpenSSF, and there's also some work that... The project is called SCIM. I've mentioned it, I think, in previous meetings: SCIM, for Supply Chain Integrity Management. And there's some work that we're planning between that project and the SLSA project, where between the two projects we want to have a common data format for supply chain metadata. And so we talked with, so not with the overall SLSA group, but with some of the leaders of the SLSA project, and they were suggesting that we look at having this common data format be something, it's a new project inside of the OpenSSF.

And so then we were thinking, all right, we want to move or start these things inside of the OpenSSF. Do they come in as individual projects? Do we want them to be affiliated with a working group? If so, which working group would it be? And SLSA is currently in the Digital Identity Attestation working group. One of the things, and again this is just a few of us who were talking, but we want to get what the board, with the TAC, thinks here. We were thinking one option is maybe we rename the Digital Identity Attestation working group to Supply Chain Integrity. That gives a little broader scope, and then we keep the projects that are there, in particular SLSA, and then start to add some additional projects to that.
A: Yeah, I like the idea of both of those projects kind of living together under the same working group, given how closely related they are. And I know we've been talking a lot about other supply chain projects, integrity and others, that could fall under that; it'd be nice to have kind of an umbrella working group. Curious what other folks think about that. And Dan, I think you were the, or are the, lead of the Identity Attestation working group, right? Do you have thoughts on this rename and repurposing?
G: Yeah, I don't really care about renaming. That's fine, yeah. Has this... you mentioned, you talked about some people from SLSA; they're like... have you presented this in the community meeting or anything, just to see what kind of overlap there is between the two and just make sure we're not completely duplicating stuff? I don't know exactly who's in the conversations; there's like a group of people helping to steer this awesome project.
I: So people in that meeting were all Microsoft and Google people, and it hasn't been something that's been discussed with the broader SLSA working group yet, I don't believe.
H: So yeah, I'd say it should be a community, not a private, discussion, so it makes sense to perhaps take this to the SLSA community meeting.
I: I don't think it's really a SLSA question, I think, because what we're talking about now is just, you know, the working group inside of the OpenSSF. So, you know, do we rename the Digital Identity Attestation working group? It wouldn't change SLSA at all; SLSA would still be part of an OpenSSF working group. And the second question, which is the shared data format between both, that is more of a question for the SLSA working group.
D: My opinion is we have kind of precedent for this. In the Developer Best Practices working group, we actually have a federation of five loosely aligned little sub-projects that are all working towards that goal of educating and empowering developers. So my opinion is, I think renaming the Digital Identity Attestation group is great, because I think supply chain is more resonant, and you have an affiliation. Not necessarily... they're not consuming each other or replacing, but it gives you...
G: To be clear, I'm kind of teasing apart the two things. Renaming is great; I think we should go ahead and do that. But then kind of introducing the other projects and data formats that kind of are between the two, I think we should probably present that work and what those data formats are and all that stuff publicly in the SLSA...
A: Yeah, I was going to say the exact same thing. I think that there's value in presenting this to SLSA, like so that they're aware of what's happening, and we need to let them know that the name is changing, there's this other group, make sure you guys talk to each other, right, coordinate, all those good things. So yeah, it's not really a permission thing, like you're saying, okay, but a heads-up is definitely a good thing for the community. And then, Dan, are there still meetings happening for the Digital Identity Attestation, or have those kind of dropped off?
G: Yeah, they're still happening. I think we're probably gonna end up canceling next week, just because it overlaps with KubeCon, where most people are gonna be at, but we can do a quick poll. Obviously they're still Wednesdays at 11 o'clock my time, so nine a.m., but yeah, that's the keynotes for KubeCon, so probably skip that one.
I: Yeah, so the SCIM project is, it's about supply chain integrity end to end. So in, for SCIM, there's a goal to identify data formats that are, you know, used in common for people who create artifacts in a supply chain, and then also the kind of the bigger part of SCIM really is a data store for storing supply chain data. There's two parts to the store; there's a ledger. And so actually there's some overlap here between the SCIM proposal and the Sigstore proposal.
I: Yeah, so that's, I think, that's a different topic. So we do need to look at how SCIM and Sigstore, you know, what the overlap is between those, but that's a separate topic. I mean, there is already a community, SCIM, that's working on this and there's an implementation. It is a different implementation than the Sigstore implementation. So we'll need to rationalize those things, but I think it's, you know, that's a separate question from creating a working group and starting to pull related projects into it.
A: Yeah, I mean, not even just the working group, but in general, right. I think it's good to try to reconcile these things. Like, there is traction around Sigstore, there's traction around SLSA, I think there's value in this other project as well, but let's try to figure out how to best integrate them all together, right, so that we have a nice cohesive solution rather than even more disparate tools that are out there all trying to solve various pieces of the same problem. So.
C: Yeah, I may actually... Brian's on the call here. I may actually try to do something of trying to... I know Eva Black has also been working on that, then she'd probably love to share her work and collaborate on that. The main difference, just to, you know, quickly describe the main difference between Sigstore and SCIM, is SCIM is intended to be a very general supply chain solution. So it's for, you know, any type of metadata about artifacts in the supply chain, where the artifacts might be software, they might be cloud services, they might be hardware devices, IoT, or even...
I: You know, Surface devices, or components that go into hardware or into data centers, and this has... so this is something that within Microsoft there's a big drive to having this, you know, very standard way of managing supply chain information, and so very standard, very general. Sigstore right now, that focuses on signing code. You know, maybe the Sigstore project wants to extend and become more general, and in that case, you know, then we would figure out how the two of those fit together, but right now there's a broader focus in the SCIM project.
H: So again, I know Sigstore is not an OpenSSF project, but it doesn't sign code. It signs artifacts, SBOMs. It's got quite a wide coverage, as multiple communities have adopted Sigstore: the Python Foundation, the Ross community are looking at it. So it's not just about sign... we don't actually sign code as such, we sign artifacts, just to clarify.
A: I know there's a lot of comments on that, and all very good commentary that came out of that, so just to clarify, so we did have, I believe, four approved votes, so that did go ahead and is moving towards the governing board that will discuss budget.
A: So just as kind of a refresh, we did talk with some folks at the Linux Foundation to kind of clarify various things, but like our role as a TAC is not to determine budget; it's really just to determine whether this project or working group falls in line with the technical vision that we have in place, and if we think that everything's in alignment, then we say yep, it looks good, and then we put the burden of money onto the poor souls on the governing board.
A: So we don't have to actually deal with that, and then, as far as, you know, administration of the project, if we agree that it's something that needs to move forward and make it official, that's, you know, that's great. We can certainly provide input. I know there was some comments around how to kind of oversee the project; that was all very useful, and then, you know, we definitely should provide that feedback.
A: But ultimately it's up to that group to run it, and that's our opportunity to jump into that group and provide that feedback during those meetings while it's running and do all that sort of thing. But just to clarify, you know, for future, should this pop up again, hopefully to help streamline this process, we can just decide: does it fit within the charter of OpenSSF?
A: Does it make sense as part of our overall technical strategy? And that's kind of the role that we have on the TAC. So, any questions or concerns about either that or Project Alpha-Omega in general that folks want to bring up? I know, Luke, I think you had added a comment on the GitHub issue relating to another project, but I haven't had a chance to look at that yet.
H: I can't recall mentioning another product, a project, but yeah. No, not so. I understand about the budget. That makes sense. I think the main point that I tried to convey in the thread was a couple of, three, TAC members said that they felt there should be more due diligence done. There should be like a phase 0, and that was the main point that was made, because it was suggested that five projects be approached, five critical projects, to at least gauge some level of...
H: Is there a desire for this help? Okay, we expect that there is, but, you know, just to get some communities on record, but that obviously didn't happen. I mean, there was a Twitter thread and I think somebody that maintains a Python module, but there was no OpenSSL or Kubernetes or any of the big critical projects. So that was my main point really. It appears to be a good idea.
H: Really, it just seemed to me, I think it was, I'm not sure, I can't remember who else on the TAC said it, but they said, you know, it had quite a really large scope, grandeur, and without really much preemptive analysis into the problem, the problem statement.
A: Yeah, and I agree as well, and I think you and myself and Dan and Jennifer also agree that having a phase zero makes sense, and due diligence. And I know Michael is committed to that, and he's not here, unfortunately, to defend himself, but I know he is planning on doing more due diligence. So what he put in the issue was the responses that he's received so far, and I know he's continuing to do further due diligence, but yeah, valid point.
E: I think just from... hi, hi, I'm Jory, I'm your new program manager, nice to see you guys. So I believe the goal was to do an email vote before the end of the month, so that the OpenSSF could take advantage of the member summit, which is happening the first couple of days of November, to talk about the project at that event.
E: So targeting a vote by the governing board by 10/31 is, I think, was the objective, as I recall it, and maybe, if Kay rejoined, she can hopefully confirm.
F: Yeah, thank you. I know there was a desire to have this nearer term, I think related to what Jory's talking about. I don't have exact dates, but I would propose maybe, as a TAC, I think there is something converging toward a consensus that we need some kind of phase zero. I understand that there is a desire from the OpenSSF and the LF perspective that we approve or make a decision on this sooner rather than later. Consequently, maybe, do we want to set the conditions under which the TAC approves it? Like...
F: Could we set a benchmark that we expect to be met, in terms of speaking to this many projects of this specific size and this many of this other size, or some other criteria under which we feel like that phase zero exploration of the idea has been satisfied? Because I would amplify Luke's point that I think we do need to go back to that value of being maintainers-first, and we can only do that through validating that this is valuable to maintainers and that they would view it as a positive thing.
F: But I would also say that we know that the problem of open source security remains unsolved, and that this project is flexible and generic enough that it can probably address all of those things. But it's all in our manner of approach.
F: So I'm just wondering if we can, just for expediency, be able to set some of those criteria today as to what we would need from Michael and from whoever's delivering this project as phase zero for us to be okay to go forward with it, and thus to maybe conditionally recommend it to the governing board under those criteria. Yeah, I would strongly support that.
A: So I know there's a list that Michael's working off of, which is some criticality list, right. I don't know exactly what that list looks like, but I know it's quite a large list. It's certainly more than five, and I believe those were the projects that were identified partly by the Harvard census, and I think from some other sources as well.
H: I think so, yes. Yeah, it would be good to actually get some solid statements from some maintainers, because in the Twitter thread that Michael started, some of the feedback was quite interesting.
H: There was somebody, I can't remember which project, but they maintained a large project and they were saying that what concerned them was the cognitive load that you can get as a maintainer.
H: That's why I think it's important to hear from some community maintainers here really, because those are the folks that are going to have to be an intrinsic part of managing this. They're not just going to kick back and somebody's going to do all the work; it's going to require them to dedicate time and resources as well, if you see what I mean, just because of the nature of some of these issues, I mean some of the ones that we've seen in Kubernetes.
A: Yeah, absolutely. I think it's a good point too, around the cognitive load that some of these folks will have, and I think it might vary from project to project, so defining what the rules of engagement could be for various projects would be helpful, because some of them may provide feedback to say, "Yeah, this is all great, I want this; however, I'd really like it..."
I: So can I jump in? I apologize, I was away for a minute, but the project does have an entire, you know, four-month phase where there's, you know, a bunch of reaching out to maintainers to understand, you know, to answer exactly these questions. So the real question is, do you approve the project and let that project go about doing that work as they've laid out in the project? And this is where I would harken back to what Ryan said earlier. You know, the role for the TAC is to say, you know, is this aligned with the goals and the vision of OpenSSF, and then, you know, let that project move forward according to what's already laid out. There's a... I forget what they call it. I think at one point Mike Scovetta called it phase one, but now he calls it like learning phase or something, and that's exactly what will be going on in that phase, is reaching out to maintainers.

You know, according to the way that, you know, we would break out, you know, what the responsibility of the TAC is, I don't think there's a reason to block that project until something that they're already planning to do is accomplished.
A: Yeah, yeah, I was just gonna say that I don't believe, and please correct me, Luke, especially if I'm wrong here, but I don't believe the plan here is to block this per se, such as...
A: As far as how we interact with the community, and I think that's where this is coming from, and we just want to make sure that it's clearly defined. Yeah, I know that Michael has this plan in here to do this initial reaching-out phase, and I think what the other TAC reps are asking for is more of just give a very clean definition of what that phase looks like. I think that's what we're after.
I: Yeah, exactly. So maybe, you know, a way for me to think about it is the TAC wants, and I think, you know, this totally makes sense, it's, you know, the TAC wants to provide more comments and more structure into that initiation phase, and I'm sure Michael would be open to that. It's just, you know, changing, you know, maybe the TAC wants to further structure the order in which things are done. Something like that would make a ton...
F: Of sense. If we wanted to take a look at what Michael has right now, I've pasted it into the OpenSSF TAC meeting notes under Alpha-Omega. He specified what the preparation phase looks like for both the Alpha and the Omega piece, so I've pasted them into that document.
H: And correct me if I'm wrong, so I'd be very supportive of getting behind the four-month due diligence phase, but as it stands, we're voting on the entirety of the whole project, the later stages as well. So perhaps we need to repurpose the document to be specific about what's being voted on.
F: I guess we could, alternatively, introduce a milestone-based approach where we approve phase one, and the rest of it, or phase zero or whatever we wanna call it, this preparation phase, and the project proceeds conditionally upon, you know, satisfying that. And maybe what we do, if we wanted to be more in the loop, is we could introduce it that, after the completion of that preparation phase, they have to bring back what they've found, present it to the TAC, and the TAC votes on whether to proceed.
B: Rao or Dan or Phil, that sounds like a fair approach. I'm supporting.
A: Perfect, all right, unanimous, cool. So let's do that then. We'll make that plan at the next governing board meeting. I can highlight that as well, that that's the approach, and I think that's actually kind of the approach already that Michael's doing, so now we'll just make it more formal, but yeah, absolutely agree with that.
H: Probably makes sense just to repurpose it into a new document. I mean, a lot of the text doesn't have to be... you don't have to write the whole thing again. There can be some copy and pasting in there, but to sort of outline "this is phase zero, which constitutes XYZ", and then Michael can go ahead then, and it's not held back in any way. You can start talking to the community and...
A: Okay, that sounds good. So I'll talk to Michael about creating that separate document, and then we can send that link out and folks can provide their comments and what they believe that the criteria should be, and then we can kind of move forward with that. Does that seem like a reasonable approach for everyone?
A: Okay, so the last thing that we have, I didn't actually put it on the agenda, is this voting process, which I had absolutely zero time to work on in the past two weeks. I do have time this week, so I am planning to work on that, for what the TAC vote process will look like going forward. If folks have any comments on that or suggestions or ideas, please feel free to reach out, but I will have time this week, so I'm planning on working on that, but...
E: Brian, I'd love to help with that, if you need it.
A: Hey, any other topics that folks want to discuss? We've got 10 minutes remaining.
A: All right, that concludes this week's meeting. All right, we'll send out those emails, look forward to defining that criteria for phase zero, and then we'll get moving. See ya.