►
From YouTube: OpenSSF TAC (December 13, 2022)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
A
A
C
D
E
D
All
right,
we
are
three
minutes
in
we'll
go
ahead
and
get
started
right
from
the
outset.
I
guess:
first
things:
first,
there
is
no
tech
meeting
on
the
28th
of
December,
so
two
weeks
or
27th,
whatever
20
minutes,
maybe
it's
the
27th
that
I
I
missed
out
the
date
here,
but
two
weeks
from
today
we
do
not
have
attack,
meaning,
given
that
many
folks
are
going
to
be
on
PCO.
So
just
an
FYI
I
believe
the
community
calendar
has
been
updated
already.
F
The
other
thing
that
we've
been
discussing
quite
a
bit
is
what
to
do
with
cves.
So
you
know
ecosystems
have
varying
support
for
like
Audits
and
integration
with
CPE
repositories
and
yeah.
We
just
sort
of
had
some
discussion
recently
about
you
know:
should
we
surface
them
on
the
public
web
pages
for
the
repositories
and
that
kind
of
thing
so
yeah
some
discussion
on
that
again,
like
no
exact
outcomes
there.
F
Some
ongoing
discussion
about
the
shared
repository
help
desk,
although
I
think
that
went
to
attack
and
there
were
some
questions
and
they
haven't
been
resolved.
Yet
so
there's
still
some
work
to
do
there
and
then
the
last
thing
is
some
folks
from
GitHub
are
working
with
us
to
put
together
this
sort
of
mini
Manifesto
about
like
how
repositories
should
be
stewards
in
a
safe
ecosystem,
and
it's
some
pretty
high
level
objectives
that
we're
trying
to
get
around
to
essentially
sign
off
on
and
support
and
say
yeah.
F
We're
like
we're
on
board
with
this
I
think
the
ultimate
goal
here
would
be
to
do
a
coordinated
like
publish
of
these
principles,
maybe
via
open
ssf
and
just
have
all
the
permanent
repositories
sign
off
on
this
and
sort
of
say
that
we
all
agree
with
sort
of
as
a
gesture
of
Goodwill,
but
also
to
you
know,
sort
of
hold
us
accountable
and
future
to
actually
do
some
of
these
things
yeah.
That's
my
update.
C
D
H
D
I
D
I
E
I
I
The
key
pieces
here
for
us
is:
we've
established
a
Services
working
group
which
is
to
understand,
enumerate
and
produce
an
initial
analysis
of
the
services
that
the
tool
chain
components
are
using
because
in
many
cases
we
didn't
know
exactly
what
services
the
tool
chain
components
needed,
what
they
were
using,
how
those
Services
impacted
the
sources.
We
were
delivering,
how
those
sources
were
being
delivered,
how
those
tar
balls
were
being
delivered
and
we
needed
to
really
understand
the
all
the
services
in
detail
for
a
number
of
those
components.
I
As
many
of
you
know,
the
new
tool
team
has
been
around
for
35
years,
so
we've
grown
a
lot
of
hair
on
the
kinds
of
services
that
we
needed
and
that
we're
using.
So
it's
not
just
like
a
fresh
project
that
shows
up
inside
of
some
kind
of
forage
and
it's
hosted
so
so
for
this
right
now,
we've
gotten
three
out
of
the
four
core
projects
kind
of
gone
through
this
initial
analysis
of
services.
It
include
things
like
do.
We
need
GitHub
commit
hooks.
What
do
those
hooks
look
like?
I
G
Not
so
much
about
that
as
exactly
as
Carlos
said,
that
we've
been
enabling
all
of
this
and
talking
I
mean
lots
of
presentations
with
the
community
about
this
to
get
all
the
details
so
that
we
can
go
to
the
lfit
with
a
specific
list
and
we'll
say
the
next
steps
in
future
size,
but
but
basically
to
be
able
to
enumerate
all
of
this.
So
we
know
exactly
what
we
need
to
ask
for
a
proposal
from
the
lfi
T4.
G
The
other
great
thing
is:
is
that
also
because
of
the
requirements
of
the
the
new
tool
chain,
the
new
project,
FSF
communities,
to
use
a
free
software-based
meeting
platform?
We
worked
with
the
lfit
to
create
a
BBB,
which
is
a
big
blue
button
service
for
this,
so
This
is
actually
stood
up
now
available
for
not
just
the
Google
tool
chain,
but
for
any
of
the
projects
within
the
LF
and
open
ssf
umbrella.
So
that's
now
available
and
Carlos
did
some.
G
Some
great
testing
great
works
was
now
with
the
the
G
libc
Community
for
patch
review.
We're
also
going
to
plan
to
start
using
that
for
office
hours
for
the
new
tool
chain.
For
a
greater
more
frequent
communication
with
the
community,
so
we're
working
on
that.
That
was
a
great
great
resource
from
and
great
help
from
the
lfit
for
that
already
to
be
able
to
provide
that
sort
of
infrastructure
for
the
good
news
full
chain
to
use
to
be
compliant
with
the
expectations
of
the
goodoo
community.
G
Second,
is
that
we're
also
starting
discussions
with
the
openssf
and
Leadership
about
and
I
mean
part
of
this
conversation
with
attack
we'll
get
to
that
again
later,
I
have
a
question
for
you
guys
about
the
the
funding
and
what
the
the
interim
funding
is
going
to
be
for
next
year
to
bootstrap
the
GTI
project,
as
well
as
the
the
future
of
funding.
So
I
don't
know,
because
you
want
to
talk
about
the
key
objectives.
H
I
So
cy22
is
about
enumerating
the
services
we
use
and
looking
at
them
from
a
security
perspective
and
from
from
the
perspective
that
we
take
with,
with
kind
of
you
know,
open
ssf
and
some
of
the
other
proposals
here.
So
we
want
to
complete
that
analysis
and
then
we
want
to
begin
working
through
the
process
of
what
would
it
take
for
lfit
to
provide
services
in
transitioning,
Services,
the,
and
that
that
involves
a
couple
of
steps
here
that
we
would
like
to
happen
and
see
happen
in
cy23.
I
The
the
deeper
goal
behind
a
lot
of
these
key
objectives
is
about
separating
services
that
the
key
infrastructure
parts
of
the
secure
supply
chain
are
using.
So
the
services
aren't
co-located
on
one
machine
so
that
we
have
distinct
machine
for
the
services,
so
the
services
are
hardened,
so
the
services
we're
providing
our
developers
are
something
that
that
they
can
know
are
being
run
in
a
very
specific
way
or
that
we
have
paths
for
people
who
are
responsible
for
those
services
to
be
able
to
go
and
talk
to
them
and
I.
I
These
patches
is
going
to
take
a
lot
of
like
just
discussing
in
the
community
so
but
for
us
key
objectives
here:
review
the
Finish,
reviewing
the
services
and
move
forward
on
service
migration
to
services
that
we
have
that's
going
to
require
funding
approval
by
the
GTI
board,
and
it's
going
to
require
funding
approval
by
our
supporting
backing
sponsors.
So
David.
You
want
to
go
to
the
next
slide,
which
is
I,
guess.
G
G
You
know
sandbox
for
every
single
experiment,
in
of
security
and
and
tooling,
but
we
do
want
the
to
be
able
to
implement,
deploy
the
best
practices
for
security
to
ensure
that
the
GTI
that
the
gnu
tool
chain
has
a
a
foundational
layer
in
the
ecosystem
for
for
Linux
and
the
cloud
everything
is
able
to.
You
know,
provide
that
highest
quality
and
is
able
to
to
remain
a
trustworthy
component
in
this
entire
stack.
G
So
the
the
question
that
we
actually
have
for
the
tech
is,
you
know,
as
Carlos
mentioned
at
the
beginning,
the
GTI
is
an
Associated
directed
fund,
which
is
it
has
its
own,
will
have
its
own
board
and
its
own
funding
and
we're
trying
to
understand
and
we're
working
with
Brian
and
the
Open
ssf
Leadership
as
well,
but
wanted
to
get
some
feedback.
I
mean
addition
to
any
other
questions.
J
G
Well,
I
mean
we
know
what
the
the
basic
infrastructure
is
and
previously
had
conversations
with
lfit
about
that
in
a
presentation
about
the
infrastructure
that
lfit
already
provides
for
the
Linux
kernel.
So
many
of
those
are
similar
and
that's
also
why
we
think
that
lfit
is
a
great
partner
for
this
is
things
like
get
a
live
mailboxes
other.
You
know
basic
infrastructure
that,
for
you
know
mailing
list,
you
know
bugzilla
and
how
bugzilla
is
going
to
be
maintained
in
the
future
and
and
what
sort
of
services
GTI
indicative
tool
chain
will
utilize.
G
But
what
we're
going
to
is
now
this
next
level
and
understanding
exactly
how
the
pieces
are
hooked
together.
You
know
the
mainly
not
just
the
hooks
forget,
but
the
hooks
of
okay
and
mailing
list
mentioned
automatically
triggers
this
and
bugzilla
mentioned
for
groups
that
how
are
the
pieces
connected
together?
Oh
we've
got
this
moin
moin
Wiki
we
got
you
know
we
got
a
bunch
of
pieces
sort
of
through.
Oh,
we
didn't
know
that
this
link
still
exists.
G
This
was
still
running
in
the
background,
so
we're
trying
to
enumerate
exactly
what
we
currently
have
in
terms
of
How
It's
implemented
the
technology
that
we're
currently
using
to
then
extract
out.
What
are
the
services
that
we
need
and
then
decide?
Okay,
not
we're
going
to.
We
aren't
planning
to
just
do
a
you
know:
a
lift
and
shift
we're
not
just
going
to
run
the
existing
infrastructure
on
LF,
but,
okay,
here's
how
things
are
working
now.
These
are
the
services
it
requires
and
how
they're
connected
together.
G
I
I
I,
we
have
not
yet
enumerated
the
security
outcomes
because
we're
doing
service
enumeration,
but
as
soon
as
you
do
service
enumeration,
some
things
become
immediately
clear.
So
I'll
give
a
concrete
example:
we
have
to
stop
running,
get
commit
hooks.
We
run
a
ton
of
python
and
a
git
commit
hook,
for
example,
and
it
has
access
to
the
entire
repository
and
to
audit.
That
is
incredibly
difficult.
I
I
B
Just
a
small
one,
I
think
Justin's
question
was
great.
Building
from
that,
the
one
of
the
the
cognitive
gaps
I
often
see
folks
have
that
have
come
into
doing
open
source
in
just
the
past.
Five
or
ten
years
is
they've
only
used
fortunes
they're
not
familiar
with
the
distributed
model
that
I
grew
up
with
that
y'all
are
using.
Is
there
a
I?
B
Would
love
to
see
the
knowledge
you
are
gaining
as
you
go
through
and
enumerate
these
service
security
issues
and
service
Transformations
you're
doing
I
would
love
to
see
that
knowledge
shared
out
to
several
of
the
working
groups
in
the
open
ssf,
and
it
reminds
me
a
bit
of
the
white
paper
we
talked
about
eight
months
ago,
so
the
penumbra
of
Open
Source,
all
the
open
source
projects
that
are
outside
of
forges.
How
can
we
take
this
knowledge
and
incorporate
it
into
the
recommendations?
Other
working
groups
are
producing
for
projects
that
aren't
on
forges.
G
G
I
mean
this
is
definitely
something
that
we
can
work
on
as
a
group
to,
as
you
said,
you
know
summarize
this
experience
and
have
that
as
a
you
know
how
what
what
Lessons
Learned
or
what
you
know,
how
what
what
we
determine
as,
as
you
said,
there
are
other
than
Linux
kernel,
which
is
almost
as
old
as
the
gnu
tool
chain.
There
are,
you
know,
not
a
huge
number
of
projects.
You
know
from
a
you
know
that
this
this
our
era
I.
G
Yes-
and
you
know,
as
we've
discussed
before
and
part
of
the
delicacy
of
this
transition,
is
that
I
mean
lots
of
projects,
but,
in
addition,
the
getting
tool
chain
also
has
this.
You
know
responsibility
to
the
FSF
and
free
software
and
the
gnu
projects.
So
that's
yet
another
as
a
delicate
negotiation
that
we're
doing
about
how
you
know
that
transition
to
be
compliant
with
the
the
expectations
of
the
free
software
communities,
but
I
completely
agree.
It
would
definitely
we'll
we'll
have
a
a
very
good
debriefing
at
the
end
of
this
great.
B
G
It's
just
the
the
main
thing
that
we
wanted
to
reach
out
to
the
open.
Ssf
tag
was
about
funding,
I
mean
there
still
is
a
lot
of
Evolution
about
how
adfs
use
associate
directed
funds
are
actually
going
to
operate
and,
as
you
know,
with
within
the
open,
ssf
and
but
with
their
own
boards
and
their
own
funding.
G
What
we're
considering
or
strategizing
that
is
to
utilize
the
existing
open,
ssf
members
and
the
funding
contacts
for
the
creating
this
ADF
subset,
as
opposed
to
starting
from
scratch
or
going
with
our
own
context,
because
there's
a
lot
of
overlap
in
the
purpose
I
mean
that's.
One
of
the
reasons
that
we
are
an
ADF
within
the
open,
ssf
are
associated
with
the
openssf,
and
that
there
already
are
is
a
a
very
large
esteemed
governing
board,
and
you
know
with
major
membership
and
funding
that
already
exists
for
the
open,
ssf
and
existing.
You
know.
D
Yeah
I
guess
to
quickly
throw
in
my
comments
and
then
we'll
we'll
see.
Brian's
got
his
hand
up
as
well,
so
we'll
try
to
I
want
to
make
sure
the
ricotta
is
at
a
time
for
the
meeting
to
I
would
kind
of
echo
to
Justin's
comment.
I.
Think
a
lot
of
the
work
that
you're
doing
is
certainly
worthy
and
good
to
to
you
know
to
the
cause.
D
This
is
this
is
good
for
this
ecosystem,
where
we
don't
see
a
lot
of
that
cross-pollination
I
guess
makes
that
a
little
bit
hard
for
to
either
externally
sell
a
narrative
that
aligns
with
the
rest
of
the
asks
that
we're
making
of
our
members
around
funding
and
operations
and
support
and
I
guess.
That's,
that's
the
part.
That's
not
coming
through
to
me
here.
D
Carlos
yeah,
happy
yeah.
We
can
certainly
you
know,
take
that
onto
a
mailing
list
or
or
whatnot,
but
I
guess
that's
it's
that
Essence
that
I
guess
I'm
missing
in
order
to
give
give
meaningful
feedback
around
a
strategy
here
around
how
best
to
approach
that,
because
we
are
as
we'll
talk
about
a
little
bit
later
in
the
meeting.
You
know
ramping
up.
D
I
I
When
so,
when
it
comes
to
things
like
salsa,
like
I,
was
heavily
influenced
by
Google's
approaches.
Also,
when
I
started,
doing
trying
to
get
reviewed,
buys,
which
is
a
hundred
percent
coverage
of
core
runtime
patches
reviewed
by
at
least
one
other
human,
it
is
a
huge
social
problem
that
also
needs
some
level
of
automation.
I
would
love
to
move
in
a
Direction,
Where
We
had
two
humans
reviewing
patches
and
doing
those
kinds
of
things
and
attaining
like
I.
Think
that
that's
like
salsa
is
always
in
the
back
of
my
mind
as
something
like.
I
I
I
could
say:
hey
we
need
infra
and
we
need
like
Patchwork
to
be
the
only
thing
that
pushes
patches
and
we
need
to
see
plus
two
reviewed
by
tags
before
a
patch
can
be
pushed
kind
of
thing,
a
la
Garrett
for
people
that
that
know
Garrett
or
may
not
want
to
use
Garrett
or
we
need
some
other
process.
We
need
attestation
and
the
attestation
tooling,
needs
to
say
there's
at
least
two
reviewed
buys
before
before
you
know
it
says
that
it's
okay
to
you
know
push
that
patch
locally.
D
D
The
open
ssf
is
alongside
you
focused
on
these
other
things
like
how
do
we
drive
a
better
convergence
story
going
forward
such
that?
It's
not
just?
Oh,
this
is
the
team
that
wants
money
to
go
off
and
do
things
versus
we're.
A
good
Community
member
there's
brand
alignment,
there's
kind
of
convergence
across
the
entirety
of
what
we're
doing
I
guess.
That's
also
just
an
example
of
that.
D
But
what
I
would
love
to
kind
of
see
more
holistically
is
kind
of
a
if
we're
doing
things
that
aren't
aligned,
for
whatever
reason,
that's
fine,
but
it's
making
sure
that
we,
we
are
doing
the
diligence
to
say.
Is
there
opportunity
for
us
to
be
supporting
even
more
so
that
yeah,
the
funding
proposals
don't
come
across
as
Death
By
A
Thousand
Cuts
to
all
of
our
members
that
we
have
a
coherent
plan
that
we're
pulling
out
together
sounds.
E
I
So
a
one-page
leave
behind
for
you
even
today
would
be
we're
going
to
improve
infra
with
the
improved
infra.
We
can
pick
up
improved
security,
best
practices,
and
so
it's
so
it
I
guess
the
the
open
question
here
still
stands
on
this.
This
page
of
the
slide
deck,
which
is
like
your
the
comment
and
suggestion,
then,
is
our
one
page
leave
behind,
especially
if
we're
going
to
approach
open,
ssf
members
and
funding
context
should
be.
How
are
we
aligned
or
improving
alignment.
D
Yeah
I
think
so
I
mean
that's
the
tone,
I
think
I'm
getting
from
governing
board
conversations
and
Community
conversations
is,
you
know,
obviously
a
wide
problem
space.
But
how
do
we
drive?
You
know
leverage
out
of
the
things
that
we
do
build
and
that
we
have
if
we
have
true
Community
consensus,
that
they
are
worthy
and
beneficial
to
improving
the
state
of
security.
Great,
let's
make
sure
that
we're
getting
as
much
leverage
out
of
those
things
as
possible
and
not
just
death
by
a
thousand
cuts.
G
No,
no
I
think
that's
excellent.
As
you
said,
there's
a
lot
of
great
technology.
This
is
being
developed
throughout
the
open
ssf
and
we
definitely
want
to
utilize
it.
You
know
the
gnu
tool
chain
is
a
very
important
fundamental
piece
of
the
ecosystem.
That
is,
you
know
it's
like
this.
This
you
know,
I,
don't
I
mean
it's.
You
know.
Egypt
I
mean
it's
a
playlist
in
flight
and
we
need
to
ensure
that
it's
still
able
to
operate
and
provide
that
to
all
the
Linux
distros
that
use
it
and
everybody
else
while
we're
making
these
transitions.
G
So
it's
it's
it's
it's
not
not
I,
don't
mean
it
negative
way,
but
it's
a
tension
between
how
we
ensure
that
we're
cooperating
utilizing
all
this
great
technology
without
disrupting
the
workflow
or
or
becoming
this
images.
Sort
of
a
you
know
not
just
I
mean
again,
not
a
negative,
but
you
know
not
to
be
a
poster
child
of
every
single
experiment.
G
So
we
need
to,
you
know,
try
to
find
out
how
we
can
utilize
all
of
this
best
practices
and
again
with
the
infrastructure,
to
utilize
that,
but
not
you
know,
add
the
you
know
too
much
of
an
experimental
leverage
to
to
test
out.
You
know
and
every
in
any
and
all
potential
security
tooling
with
the
canoe
tool
chain.
G
But
you
can
do
that
on
the
side
or
you
know,
I
mean
you
know,
create
a
in
another
Branch
or
you
know,
but
it's
it
there's
a
limit
to
the
bandwidth
that
the
tool
chain
Community
itself
has.
So
we
just
need
to
continue
to
collaborate
and
find
how
to
how
to
find
that
that
balance,
because
we
definitely
want
to
ensure
you
know,
continue
that
that
the
close
infrastructure
that
that
the
new
tool
chain
remains
a
you
know,
respected
and
robust,
and
you
know
secure
environment.
G
D
C
I
may
I
will
be
brief.
I
may
need
to
step
away.
I
have
two
topics:
I
require
the
tax
feedback
on
first
topic
is
a
funding
request
back
in
days
of
your
at
the
dawn
of
the
internet
after
the
dinosaurs
died
and
turned
to
oil.
There
were
these
things
called
mailing
lists
and
that's
how
open
source
communities
communicated
fun
fact.
C
Those
services
are
currently
housed
in
a
country
that
is
in
a
little
bit
of
a
geopolitical
kerfuffle
and
the
requests
that
I've
been
working
on
since
April
is
for
the
open
ssf
to
provide
funding
and
assistance
in
migrating.
These
lists
to
more
neutral
locations
in
the
world,
either
the
EU
or
potentially
Canada.
C
So
I
would
like
to
have
some
time
with
the
TAC
members
and
a
Gentleman
by
the
handle
solar
designer
to
talk
through
his
proposal
around
re-housing.
These
lists
on
new
infrastructure
in
a
more
neutral
location
and
for
the
open
ssf
to
provide
support
for
that.
The
PDF
I
provided
in
the
issue
has
the
initial
plan
and
I
would
love
for
the
attack
again
to
have
a
dialogue
with
solar,
to
ask
him
questions
and
to
refine
that
and
ultimately
make
a
decision
on
if
the
foundation
is
interested
in
helping
this
critical
resource
continue
on.
C
I
will
not
be
taking
questions
at
this
time,
but
you
may
put
comments
in
the
issue
or
the
email
I
sent
to
the
tag
list.
My
second
topic
is
the
OSS
cert
Sig
has
finished
our
first
draft
of
revisions
to
the
foundation's
mobilization
plan
stream.
Five
I
have
put
out
numerous
calls
for
comments,
and
my
position
is
before
any
funding
is
requested
by
the
governing
board.
C
So
again,
I
will
not
be
taking
comments,
but
there
is
an
issue
where
you
can
provide
your
feedback
either
in
the
TAC
repo
or
in
the
OSS
cert
Sig
repo
directly
PR's,
welcome,
or
comments
on
the
issue
and
I
look
forward
to
Mr
bellendorf
and
the
TAC
to
provide
us
feedback
on
how
the
sigs
plan
proposal
can
move
forward
with
potential
funding
consideration.
Thank
you.
I
yield
the
balance
of
my
time.
C
D
Are
you
would
it
be
appropriate
to
I
guess?
Are
you
looking
for
a
formal
vote
of
support
from
the
attack?
Well,
we
can
certainly
do
that
electronically.
I,
just
want
like
a
call
for
go,
go,
look
at
it
versus.
Are
we
calling
for
a
vote
that
actually
signals
the
tax
level
of
support
for
this
initiative?
So
I
want
to
make
sure
I'm
clear
on
what
you're
asking
for.
C
Well,
the
framework
of
how
mobilization
plan
projects
to
move
forward
is
unclear,
so
I
look
forward
to
the
advice
of
this
esteem
body
of
procedurally.
How
we
do
that
okay,
I
first
off,
would
like
people
to
read
it
and
provide
us
feedback
and
then
I
do
want
the
tag
to
either
recommend
that
it
gets
moved
upwards
to
whatever
funding
body
that
is
or
they
you
know,
Knack
with
comments.
A
D
So
all
right,
thanks
for
that
crib
next
on
the
agenda,
and
if
I
can
do
this
without
muting
myself,
I
will
consider
this
a
huge
win
and
for
those
that
have
been
on
Zoom
calls
with
me
lately
know
that
this
I
struggle
with
this.
Apparently,
let's
see
if
we
can
do
this,
do
folks
see
my
screen
and
still
hear
me.
Yes,
awesome.
C
D
Did
it
right
this
time
awesome
so
I
threw
together
a
couple,
slides
I,
put
a
link
in
the
the
meeting
notes
for
this.
There
there's
been
a
variety
of
dialogue
going
on
in
the
context
of
you
know,
you're
in
planning
for
the
foundation,
as
well
as
amongst
tack,
members
in
various
working
groups
and
other
other
forums
around
kind
of
the
State
of
the
State
of
the
State.
D
What's
working,
what's
not
working
things,
we
need
to
accelerate
things
we
need
to
maybe
change
and
I
wanted
to
provide,
maybe
a
synopsis
of
many
of
those
conversations
here
and
open
it
up
for
for
time
period
of
getting
thoughts
and
perspectives
from
from
this.
This
audience,
as
we
think
about
kind
of
how
the
group
is
going
to
you
know,
wants
to
evolve.
I
think
there's
a
general
attitude
of
a
lot
of
great
work
has
been
going
on
within
the
foundation
there's.
Obviously,
a
the
looming.
D
Enemy
of
of
threats
are
at
the
door
and,
unfortunately,
if
you
look
out
the
window,
there
are
more
and
more
threats
day
by
day,
so
I
think
there's
a
broader
notion
of
we
need
more
from
the
open
ssf.
Not
in
the
sense
that
we're
not
doing
the
right
things,
but
frankly,
the
velocity
needs
to
improve
in
the
coverage
needs
to
improve,
and
so,
as
we
think
about
the
body
of
the
attack,
we're
chartered
to
to
oversee
projects
and
working
groups
and
the
what
the
the
formal
Charter
defines
as
technical
initiatives.
D
I
think
that
there's
been
a
we've
even
talked
about
it
here
in
the
context
of
defining
a
technical
Vision
for
the
foundation
and
I
think
we
have
published
a
you
know,
a
draft
PR
that
many
of
us
have
collaborated
on
that
helps
to
kind
of
crystallize
much
of
the
activity
and
and
the
grouping
around
it,
but
I
think
there's
an
opportunity
for
the
attack
to
get
more
opinionated
and
to
actually
publish
documents.
That
say
what
our
opinion
is
around.
How
can
we
take
the
ecosystem
in
a
in
a
stronger
Direction?
D
Now
that
being
said,
documents
don't
solve
security
challenges,
it's
actual
implementation,
it's
actual
adoption
in
communities
and
the
open
ssf
has
to
stand
ready
and
actually
put,
you
know,
resources
both.
You
know
people
money
tools
all
to
Bear
to
ultimately
drive
this
outcome,
but
I
think
from
where
all
of
the
feedback
sources
that
we're
seeing
I
think
we
are
we're
missing
what
I'll
characterize
as
a
North
star,
in
a
sense
that
we
have
many
different
efforts,
many
of
them
document
kind
of
what
are
the
best
practices
at
a
very
technical
level.
D
But
how
do
we
assemble
these
pieces
together
into
more
of
a
unifying
view
as
to
what
Excellence
fundamentally
does
look
like
for
upstream
and
so
in
2023?
What
I
would
like
to
propose
is
that
the
attack
helped
to
curate
and
publish
a
more
strongly
set
a
strongly
opinionated
set
of
documents.
The
first
one
would
be
kind
of
a
more
abstract,
overarching
and
again.
D
Terminology
here
is,
is
somewhat
of
a
challenge,
but
for
the
sake
of
discussion,
I'll
call
it
a
reference
architecture
that
really
helps
to
pull
together
some
of
the
work
that's
being
done
under
the
diagram
of
society.
Some
of
the
work
that's
being
done
within
the
various
working
groups
pulling
this
together
into
a
cohesive
narrative
that
says
this,
and
the
entirety
is
what
the
open
ssf
is
delivering
on,
and
there
will
certainly
be
gaps
of
things
that
we
may
be
ambitiously
would
like
to
work
on,
but
we
don't
necessarily
have
the
right
project.
A
D
So
if
we
have
this
vague,
abstract
reference
architecture
that
helps
us
kind
of
say
we're
all
going
in
this
particular
direction,
there
is
the
the
fundamental
question
that
I
tease
out
a
little
bit
earlier
around
oh
cool.
How
does
that
really
help?
Anybody
I
think
I
anticipate
that
we
will
create
a
set
of
derivative
documents
that
come
from
that
North
Star
document
that,
frankly,
are
more
tactical
in
nature
that
maybe
apply
to
the
intricacies
of
the
Java
ecosystem
or
the
rust
ecosystem,
or
the
eclipse,
Foundation
or
pure
other
pure
foundations
I'm.
D
Just
using
these
all
these
examples.
But
how
do
we
turn
that
abstract
into
something
that's
concrete,
internalize
and
really
truly
understand
the
Nuance
of
where
that
particular
body,
or
that
particular
project
or
ecosystem
is
at
in
its
overall
security
journey
and
then
help
to
push
that
forward
in
a
more
of
a
tactical
plan,
so
I
think
we're
going
to
end
up
with
a
set
of
n
of
those
kind
of
derivative
documents
and
then
I
think.
Finally,
taking
a
step
back,
we
will
also
be
able
to
then
generate
what
I'm
characterizing
as
a
gap.
D
D
You
know,
transparency,
log
thing,
maybe
it's
a
new
widget
for
something
else.
I
don't
know
but
like
when
we
do
this
Gap
analysis
I
think
we'll
be
able
to
point
out
the
things
that
don't
exist,
that
we
think
should
exist
and
then
also
the
things
that
maybe
it
do
exist
in
the
world,
but
frankly
lack
the
care
and
feeding
to
actually
drive
them
at
the
scale
that
we
think
that
they
fundamentally
should
operate.
D
D
So
in
doing
so,
obviously,
that's
a
pretty
broad,
Mission
and
I
think
one
of
the
other
things
that
has
come
out
of
many
of
these
conversations,
both
in
in
our
attack
meetings
here
as
well
as
in
other
places,
is
that
the
attack
itself
needs
more
help,
and-
and
so
some
of
that
help
needs
to
come
in.
You
know
more
engaged
community
members
and
more
engaged
conversations,
as
we
kind
of
alluded
to
in
the
in
the
gnu
conversation
earlier,
but
some
of
it
frankly
is
also
about
being
honest
with
ourselves.
D
The
attack
is
a
volunteer
body
of
appointed
and
elected
community
members.
We
all
have
day
jobs
in
order
to
do
this.
This
you
know
to
address
this
problem.
Space
in
Earnest
I
think
it's
our
Collective
view
that
we
need
dedicated
staff
from
the
foundation
to
help,
support
and
and
drive
the
curation
of
the
strategy
going
forward.
D
Our
existential
threat
of
security
vulnerabilities
exists,
but
frankly
we
also
are
are
a
threat
of
just
dying
by
a
thousand
paper
cuts.
There's
no
shortage
of
problems
out
there
and,
as
an
old
boss
of
mine,
used
to
say,
you'll
die
of
indigestion
before
you'll
overdie
at
starvation.
I
think
that's
a
very
apt
kind
of
summary
as
to
where
we
are
right
now,
so
having
full-time
resources
that
are
employees
of
the
foundation
that
really
can
help
to
Steward.
These
things
drive
a
poor
programmatic
approach
to
how
we
engage
I
think
is
well
overdue.
D
D
Having
that
document
that
helps
to
articulate
what
our
current
Viewpoint
is.
I
think
is
a
is
a
key
asset
that
we
want
to
continue
to
have
and
use
going
forward,
and
then
finally,
I'll
say
that
you
know
again.
The
attack
needs
to
continue
its
its
oversight
of
the
existing
projects
and
working
groups
and
sakes,
but
I
think
there's
also
in
some
dialogue.
I
think,
there's
an
opportunity
for
us,
as
we've
been
going
through
the
diagram
or
Society.
D
D
There
may
be
opportunities
to
converge
efforts
and
to
consolidate
things.
That's
not
meant
to
say
that
any
of
the
work
that's
going
on
is
is
not
welcome
within
the
open
ssf.
This
is
more
about
leverage
and
impact
and
making
sure
that
we
are
focused
on
the
things
that
do
matter
and
we're
not
causing
more
confusion
and
more
disarray
in
the
in
the
in
the
consumers
of
our
content,
rather
than
you
know,
being
focused
and
clear
going
forward.
D
So
this
is
my
last
chart.
You
know
our
goal
here
is
to
drive
an
outcome:
it's
not
to
publish
an
opinion
piece.
So,
while
these
documents
I
think
will
help
to
frame
and
guide
our
work,
the
documents
themselves
will
not
solve
the
problem
at
hand.
We
have
to
continue
to
serve
as
a
foundation
that
hosts
and
support
projects,
working
groups
and
sigs
that
helps
to
make
the
impact
and
to
drive
kind
of
a
you
know
across
ecosystem
and
cross-programming
language
perspective,
I
think
you've
heard
from
the
securing
working
groups
call
earlier.
D
J
Is
the
organization
I
guess
prepared
to
shut
down
any
work
streams,
because
we
have
a
lot
I
would
even
suggest
we
probably
have
too
many
for
the
size
of
the
organization
we
have
to
make
the
type
of
progress
we
want
to
on
the
most
important
things.
Are
we
ready
and
willing
to
shut
things
down
that
don't
align
with
the
most
important
priorities.
D
I
mean
I'll
speak
on
my
behalf,
I
think
getting
back
to
my
point,
around
convergence
and
shutting
things
down.
Yes,
I
think
those
things
are
on
the
table
in
general,
we
we
were.
The
attack
has
the
authority
to
Archive
efforts
if
we
view
them
to
be
not
aligned
and
so
I
think
in
the
interest
of
focus
and
scale,
I
think,
yes,
that
has
to
be
a
an
option
that
exists.
D
You
know.
I
I
will
say,
though,
that
I
think
part
of
the
this
is
a
fundamentally
complex
space.
We
are
approaching
it
from
a
very
unique
vantage
point,
and
so
there
is
a
tendency
again
to
die
by
indigestion
rather
than
starvation,
so
I
think
making
sure
that
we
have
focus
and
being
critical
about
where
we
spend
our
time
is,
is
absolutely
a
part
of
this,
but
I
don't
want
to
I.
Don't
want
there
to
be
a
perception
of
oh
we're
going
to
go
just
our
archiving
things
left
and
right.
That's
not
necessarily
the
desire.
D
Here
we
want
to
be
measured.
We
want
to
be
reasoned
and
ensure
that
we
are
a
place
where
we
are
clear
about
what
we're
doing
and
that
we're
clear
about
how
we're
supporting
that
work
in
a
meaningful
way.
So,
if
we're
doing
things
not
particularly
well
or
without
particular
impact,
that's
not
to
say
that
those
work,
those
pieces
of
work
aren't
necessarily
beneficial
to
the
outcome.
But
we're
going
to
deliberately
choose
to
try
to
drive
impact
and
scale
over
breadth
as
a
just
a
fundamental
principle.
C
I'll
State,
as
the
small
group
of
us
have
been
together
looking
at
the
foundation
all
the
efforts
there
there's
a
lot
going
on
and
I
think
this
is
a
great
inflection
point
for
us
to
sit
down
and
kind
of
look
at.
We
do
have
some
duplicative
efforts.
We
have
some
opportunity
to
combine
or
potentially
prioritize
things
based
off
of
kind
of
where
we
are,
and
if
that
may
optimize,
the
time
of
some
contributors,
we
may
find
that
the
where
people
are
contributing
their
efforts.
There
isn't
a
lot
of
overlap.
C
E
D
Thanks
Ryan
yeah,
thank
you
brother,
so
I
guess
the
the
closing
comment
in
Amir
I
apologize
that
we'll
probably
have
to
shift
to
the
the
Austin
conversation
to
either
offline
or
or
next
meeting.
You
know
this
is
also
a
call
for
increasing
engagement.
I
think
I
see
many
names
on
the
on
the
invite
list
here
and
maybe
folks
that
are
going
to
watch
offline.
D
We
need
help
and
we
want
to
do
this
in
a
community-centric
way.
It's
very
important
that
we
get
a
wide
perspective
to
this
overall
strategy.
So
if
this
is
very
much
a
you
know,
a
call
for,
as
this
organization
continues
to
ramp,
there's
going
to
be
more
time
required
and
I
think
we're
trying
to
augment
that
with
with
some
staffing
from
the
foundation.
D
I
think
we
want
to
continue
to
enhance
that
and
to
scale
the
impact
that
we
have
and
but
it's
obviously
comes
with
a
you-
know:
critical
dependence
on
the
community
itself
and
making
sure
that
we're
not
it's
not
one
person's
agenda,
one
person's
idea
that
it
truly
represents
the
spirit
of
many
of
the
folks
that
are
that
are
involved
here.
So
with
that,
I
will
note
that
we
got
about
a
minute
left.
Any
other
final
comments
on
this
topic.
Otherwise
we
can
go
ahead.