From YouTube: OpenSSF TAC Meeting (September 8, 2020)
A
A
Getting through some administrative items just real quick. First and foremost, agenda. So, the way I kind of like to drive this going forward: so we have, at the top of this document, there is the future meetings, and so I know we talked about using GitHub issues as a way to request agenda items, and we can absolutely do that.
A
But I'd also like to use this as sort of a backlog of items for, for meeting topics going forward, and then each week, or if, for each meeting when we have one, you know, a day before, a couple days before, I'll go through and add the, for that meeting, will be, you know, looking at hot topics and what kind of time we have and how much discussion we'll have. So that way we don't lose.
A
So we can absolutely make requests using GitHub issues if folks are, want to use that. We should probably just come up with some sort of nomenclature to identify them easily, but otherwise, you know, I'm, I'm totally good with just dropping them right here in the future meetings and then adjusting agenda as each meeting occurs. Any questions or concerns about that approach, or recommendations for something else?
B
A
Say, if we have time, we can always pull stuff in, right? Like, approach it just kind of like a, you know, a sprint, if you will. Like, we've got this backlog of things to talk about; we'll talk about as much as we can in the hour. If we have extra time, we'll go pull those other topics in. But like, looking at today's, for example, there's quite a bit here, especially when we drop into the governing board updates. You know, that could take a while, and then discussions around strategy.
A
C
I'm sorry, I made an attempt to capture what you said, I don't, on, in the Google doc. I don't know if I captured it correctly. Where are you typing a project? First bullet under administrative updates.
B
Cool. The only other suggestion I have is then having some instructions to, like, tell people to add things to the bottom of that top list, just so that, like, people don't come in and keep adding things on top and things stay at the bottom forever, making it, yeah.
A
A
B
A
Yeah, yeah, so we can push these down to, I mean, the other option, if we want to try to eliminate some confusion, is create a separate document as the backlog, or only use GitHub issues, if we're worried about that. But I'd say let's just do this for now, and if it becomes an issue we can, we can move on to something else, I think.
A
F
F
E
A
Yeah, I always think about that as well, because I would like to use potentially the projects feature within GitHub, and then we can lay things out and sort of kanban boards as well, as we sort of get into more of a rhythm, you know, if people are comfortable with that. But yeah, we'll do this for now. We can kind of start moving towards issues as things sort of stabilize. Okay, all right, and then the next thing I had was, do we, Lindsey.
G
A
That sounds good. And then also, thank you, Lindsay. We have Slack available now for OpenSSF, so everybody should have received a link for that. It's listed there as well. If you haven't, or you have trouble, let me know; we'll try to figure that out. There are channels set up for the TAC and also for each working group. If you need others, let us know, we can set them up, or you can create them yourselves in some cases. I think the idea for Slack, though, should not be, like, official communication channels.
A
This is kind of like a quick, secondary, casual conversation type thing. So I know a lot of us in the past have used these; it's just sort of like quick questions, answers type deal. "Where do I find this?" "Hey, did you get that?" You know, that type of thing. But for official conversations we should use meeting notes, GitHub issues, whatever the results of this poll ends up being for sharing information, but definitely leverage Slack to, you know, keep things moving forward.
B
Yeah, I was asking, can we show this publicly? Like, is this for anybody in the community that wants to join the Slack?
A
Yeah, because I think the, you know, for the working groups at least. I think TAC is locked, I don't know. TAC is public as well, but all that communication should be made public. So I don't think there's any issue with having people in the public in there. We'll just kind of.
H
We had a Slack before for the OSSP, and as well as the GitHub org. I just wanted to verify that someone's taking care of migrating users over, that kind of stuff.
A
Yeah, so we've been talking to, I've been talking to some of the working group leads about getting them to move those conversations over. So I've seen that some people are starting to do that, so if it gets slow, we'll have to poke them a little bit to try to keep things moving, but that should be happening now, yes.
A
I don't know if you'd want to do it just yet, until everybody's, like, officially moved over, because it does look like people are moving a little slowly. I do see some new conversations popping up there, but yeah, eventually we should be able to shut that down. And then one of the, one of the concerns a few people mentioned is this is a free account, so after 10,000 messages, things are going to start to get deleted. We have the same thing with the OSSC.
A
My opinion of that is that's okay, because they're casual conversations, it's not official record anyway. But I want to reach out to the group and see if there's any concerns about that at all, because I know there's a significant cost increase to move from the free up to support the organization of the size.
B
J
K
A
A
B
So we're basically telling each working group to create a mailing list. I don't think they all have done that yet. I think some have them. Okay, so we should make sure that that gets.
A
G
B
It's actually an old issue here, I'll paste it in, that Chris Ferris opens, but he's not here, about that.
A
Yes, definitely one for the TAC. I believe there's one for at least two of the working groups, I think. One.
A
Okay, and then next item: cadence, TAC meetings going forward. So I know we had a little bit of trouble scheduling this. So first off, frequency: for now, I think two weeks makes a lot of sense as we kind of iterate through all these things and keep things moving. And then the question is, does this time slot work for everybody? Because I know it was difficult. Or can we do this time slot temporarily and then find a more permanent one? What are folks' thoughts on that?
B
A
All right, the next one. Dan, you put working group meetings, placing all invites on the community calendar. Yeah, absolutely, yeah, I think that needs to happen. I know there's a few on there now, like developer identity, identifying security threats, but I don't think there's any others currently.
H
A
B
Yeah, the identifying security one isn't on there, but I think that's because it hasn't been scheduled yet. I think my poole is still working on that.
H
A
Yeah, we have old ones on there and he's updating it, but I did see the, the one for developer identity, but I haven't seen others on the attack officer.
F
Is that, Lindsay, is that something we can, you know, can we count on you to take care of, you know, when any new working group comes up, whether it's for TAC or governing board, whatever, to automatically do two things: one, create, to create the meeting requests on the calendar, and to create the mailing lists? Is that a good way to think about how to make sure that we're consistent about getting both?
G
So for the actual meeting requests, I had already sent out access for every single working group lead to create there and edit their own meetings. So they can go in and do that on their own.
G
A
Kind of a somewhat related topic as well that we've seen: there's an issue, like, Martin asked about adding members to the OpenSSF organization on GitHub.
A
When we accept new companies, I don't know if we need to update sort of the founding documents with the form and everything, but I think it would be nice if, when we get a new member company joining, if we could get a list of their GitHub IDs to just go ahead and add those automatically. Otherwise, I think we end up, we're ending up in the sort of ethereal state of, "Okay, I've joined, but I don't have access to anything."
H
There's also, I've noticed some groups are doing sort of like issues to announce new members and that type of thing. I don't know how much we want to make that consistent, but right now it's not really consistently clear which group has which membership of individuals, I mean. Yep.
B
D
B
A
Now, yeah, when we get to the, the working group section, there's a few other topics related to that that we should discuss, as far as formalization and what memberships mean and things like that. But.
B
As far as access, Chris set up like a .github directory in a couple of the working group, and I think the TAC, repos, would, which let you manage permissions with pull requests. I don't know if anything like that exists at the org level.
A
I haven't seen it at the org level; we've been adding them at each repo, and then, yeah. But as far as, like, adding members just directly into the org, I mean, that would be great, but I can look into it for sure and see if it's an option. It could be nice if we could automate that.
F
H
D
A
B
A
I believe it's a, yeah, it's a distinction, for one, but also, I think, when there becomes private repos and things like that in the future, while things are either incubating, you have access to that stuff.
K
K
A
All right, cool. All right, so let's talk about governing board updates. So, okay, do you want to walk through some of these and give us updates on it?
F
F
So this is not someone tied to a company. Like, so the other governing, the makeup of the governing board is, they'll be 10, once we have it full there'll be 10, in, 10 individuals who are from member companies.
F
F
Okay, so for the, the other thing to note is that, the governing board level, we have allowed for two members from a, what's the word.
F
And so, for example, we have one person from GitHub, one person from Microsoft, and then we also have one from Red Hat and one from IBM, and, but, but the limit is two. And so if the TAC chair happens to be from a related company where there are already two, then we can't have the TAC chair also on the governing board.
F
So in that case, then, we'll need to have the TAC identify another person to serve as the governing board member. This is all slightly preliminary; we're, we're clarifying this in the charter, and there's a vote at the governing board, and the, the end period for them, for the vote, is the 11th.
F
But I think that, that, I suspect the way it will go is that when we've attacked to identify someone to be a voting member of the governing board, that in this case is different from the chair, because Ryan is also Microsoft and we have, have someone from GitHub and Microsoft there. Okay, so that's a, just an aside, but by, certainly by the next TAC meeting, we'll have a final answer on that. Okay, and then the.
A
Real quick, sure. So on that, one thing that's kind of related I want to bring up, not to fully discuss it in this meeting, but we do have the charter of doing, after six months, finalizing kind of what this looks like as far as the TAC reps go. And so right now, it's mostly governing board members that are on the TAC anyway.
A
Around whether having a separate rep from TAC, given that we already have representation from, to, from Microsoft, companies.
A
F
Dan is another one, and Luke from Red Hat, but it's not, you know, in the case of Dan, or in the case of, so Luke couldn't be, for example; Dan could be, because there aren't two people currently from Google. Okay, I see.
J
A
F
Got it, I see where you're going. Okay, all right. So we do, but we do need, the, the way it's worded is that this security community individual needs to be elected by contributors to technical initiatives, and so that, the TAC needs to figure out how they want to hold that election. And we don't have to do it today; maybe that this ends up being something that gets added to the, to the issues list and gets discussed for, for another day.
H
Can, can I promise opening a GitHub-ish kind of issue about this, and letting people suggest different things? It might be better to have a couple different options to discuss live rather than brainstorm live.
F
D
F
D
H
I
One thing I'd add, kind of in the spirit of when we wrote it: what we were really looking to do was increase representation, especially from, like, security folks that can make a big contribution, that may not be from the larger companies that tend to represent, tend to be represented in the governing board and TAC. So I would say, just as a, as a thought or a motivator, as we're thinking about how we want to elicit this person from the community.
I
We should be mindful of, like, the power structures of us nominating in-group people that we're already friends with, and think about ways of democratizing access to who can run for this position.
B
Yeah, and I think this is pretty high, I mean pretty urgent, because you say we want to announce this on October 30th. That means we have to come up with a process in the next couple of weeks, allow a couple weeks for nominations, and then a couple weeks for the actual vote itself. So that's kind of like, we pretty much have to start on this now, because October 30th is like six-ish weeks away.
A
Yeah, we can start driving some of that stuff sort of in tandem with these other things, too. We don't have to necessarily wait for the next meeting. That was the big topic for the next minute, was the formalization of all this stuff and sort of locking down the process for working groups and voting for TAC members and things. But we can certainly, you know, as Maya was saying, put some suggestions in there and have that discussion, and then try to move this along and hit that three-month mark.
A
F
Strategy committee meetings: we, we have invited for sure all of the governing board and TAC members, and it is open to the public, so anyone can attend. The main thing that we're focusing on right now is this planning for the October 30th press release. And a little further on in my notes here I say that we'd like to get into a quarterly planning cadence, where we're kind of setting goals at the beginning of the quarter and then having report-outs and press releases at, at the end of the quarter.
F
So this will be our first time through kind of that cadence. The things that we'd like to cover in that press release are: announcing the new OSSF members, so we've talked about that already; announcing the governing board and TAC formations, that, the, the individuals who are on those groups and the, the chairs of those groups; announcing the working group.
F
So in our press release, our founding press release, we listed, listed five of the current working groups, and, but we didn't have any, you know, more detailed information about the charter of these working groups, and what I would like to do.
F
So if we can kind of get that similar, so that the charters kind of look, look the same. And then I also would like to have a similar approach for people to get involved across all of the working groups, and this would be both TAC and the governing board. And related to that, on our website, I'd like it to make it clearer how people can get involved right now.
F
We've got a join button on the website, and that says how to become a member, but it doesn't say how to get involved in any working group. So I'd like to rework that. And then the last thing that I would like to do, and now, you know, I'll kind of open it up in case.
F
Other people have thoughts here too, but the last couple things is, I would like to see if we can, and this might be too much, but I'd like to see if we can consolidate the current OpenSSF efforts and the CII efforts.
F
So when we did announce, we said we were joining these two groups, but they still, you know, effectively have two separate websites, and there are some overlapping activities across the two. So I'd like to try to get those merged, if we can, or at least, you know, be making progress on those.
A
A
A good goal, and I know Mike Scovetta, I think, has been working with David Wheeler, at least talking about some of the infrastructure for that and how to start merging those things. So I know the conversations are happening. So that's definitely the goal.
C
Yeah, and by the way, CII training: there really isn't any CII training. There is a training edit thing that I've been developing, but it's not actually under the CII.
C
F
B
C
Different, because there's actually another group, but for this particular training thing, it's not under the CII. So it's up to you guys if you want to put it in that banner or not.
J
F
You know, we did discuss this as the governing board last week, and I think we discussed it already at one of the strategy committee meetings, and I, I haven't.
B
C
Well, I, I, if it helps, I've been specifically working with the best practices working group. A number of them have, actually, I, I said, "Hey, please, if you're interested, let me know and I'll let you in on the course materials." A number of taking me up on that and provided feedback.
C
So there's already that. I think the trick is, and I think this was discussed earlier, if we want to have this course out around November 3rd, it has to be basically frozen by the 15th of this month. If, if that doesn't matter, I mean, that's a different issue, but I haven't heard any negatives about, about that. Even though it's a quick timeline, the advantage is there's something concrete you can show.
F
Yeah, I haven't, I would love to see it in the best practices working group, and I'd like to, and I'd, I really want that group to be kind of best practices overall. And then I'd love for that group to be helping us think about, on the website, how we expose.
F
You know, everything that we're doing about best practices. So, but we don't have to dive deep into that today, but, but I, I'd love to have that set on the website by the time we do our next press release.
A
B
A
E
I was about to ask that. Like, so Ryan, like, we used to have previously, like, working group leads meeting, right? Is that going to be.
A
A
So yeah, that came up last week and that's, it's on my list. I tried reaching out to a few people to try to get them here today, but it was short notice, and so, especially with the holiday, there were conflicts. But definitely going forward I would like to have the group leads here. And then I think when we start finalizing what our process is for voting for new members, and it's not just the bootstrap of governing board members.
A
I think a lot of those working group leads will become TAC reps anyway. But absolutely, like, having that sync, and keeping that rhythm, and, and keeping up to date of what everybody's been doing will definitely be necessary going forward. So now that we have this cadence and rhythm, I'll try to get them more engaged.
F
A
Yeah, so that's the one I was referring to that Mike Scovetta has been talking to David about. I think that absolutely makes sense. That's where, there's two things there that I think we need to tackle. One is technically, you know, I know there's some infrastructure already on CII that has automation, and I think that's what Mike's been talking today about, to, correct me if I'm wrong, but we want to drive through those. And then there's the more, like, administrative.
C
I, I think the, the understanding that I had was to start simple. You know, because the CII best practices badges, I think a lot of you know, has already been running for 60, for six, seven years. So the first step was, you know, the met, you know, they want to develop a dashboard, and we're working right now to integrate the best practices badge stuff into this larger dashboard, and I've already, I'm gonna have a meeting later today to get that going.
C
So I, I think, basically, we're, it's not going to be instant, but that's okay, basically taking, taking steps towards that. The first step is making sure that, that the CII best practices badge is cleanly integrated into the dashboard, and we'll, we'll at least get that done by October.
A
Okay, that makes sense, and so I think the conversations are heading in the right direction. Are there other things that we need to start now in order to facilitate those next steps, or are we good just working through with how we're doing it right now?
F
F
Well, I was just saying it sounds like we, let me try to summarize what I'm, what I think, maybe, I'm hearing. So we get edX talking to the, or David is talking already with the best practices group. So that's one piece. Another piece is the, the badge, and we've already got David talking with the security threats group. So, so that's, you know, working its way through, and it sounds like we'll, we'll plan on those discussions happening in the security threats meeting, or part of that working group.
F
C
There are two other main things that the CII is doing, and not counting the evaluations of projects, and that is the census, see the, and the, of the, of open source software, and there's also the survey. Census of open source, of critical open source software, and then there's the survey of open source developers.
C
I, I could see the census and the survey fitting into the threats group as well. It need not be that way, but I could see how that would work, especially in the context of, like, the white paper that was released by that group being about kind of overview and end-to-end security ideas on it.
C
Now, wasn't there a group specifically on critical open source within.
A
C
L
The, yeah, that's the group I thought would be the merge. Well, this is what brings.
A
Up an interesting point, right, because it works for both, right? So I think the information that comes from the CII census could be useful in what Jennifer mentioned, with the identifying security threats, but also the securing critical projects. So that's where I think the question then becomes: do we really want to merge them, or do we want to just establish some sort of formal relationship where there's information sharing that's happening, or if it's a coordinated effort where.
A
F
Okay, so let's, let's not try to decide this here, but let's think about who needs to be involved in deciding this. David, who, and who else from, like, who from current CII should people from OpenSSF be getting together with to have discussions?
C
Because they've got one of those and, you know, it's, mean, I think for, I, I, there's always the risk of speaking for other people, which I probably just shouldn't do, but my guess would be mainly, you know, they're way more interested in getting things done than the governance structure thereof. But that said, it does seem like there should at least be some sort of discussion with this steering committee.
F
Can you help me? I'd love to sort of help kick that off. So maybe you can, maybe you and I can work together to.
C
And, and Lindsay may be able to help me out with some of these mechanisms too. My apologies, I'm from the Linux Foundation, but I actually haven't been the Linux Foundation that long, so I don't know of all its internal mechanisms myself.
F
C
D
F
Okay, all right, then the last thing that I'll mention is that I had seen a couple of groups were wanting to ask for budget, and I think that, that strategy committee is a good place to maybe bring those topics up. We haven't discussed budget much in there, and I, I, that's, that's gonna, it's gonna be a while before we have a handle on what budget we have and how we could allocate it to groups. Probably for now we should assume there's not any budget, but those are discussions.
A
D
B
A
So the way we did it in the past is that we sort of had, in these working group lead meetings, everybody would provide their status update for the previous two to four weeks, or whatever the cycles were. So I want to do something like that again within the TAC, and once we get the working group leads back in here, we can provide updates as part of this meeting, and then we can memorialize those in a document or on, you know, GitHub, as sort of a rolling doc, like previously we had.
A
I believe it was an issue that tracked it, but there was a page on GitHub that got consistently updated. So we can track that however, you know, makes sense for this, this group, but that's how I'd like to drive it going forward.
B
F
Yeah, let's, let's, let's discuss that at our next strategic planning meeting, okay?
A
So, speaking of working group updates, and thank you, Kay, for, for all of that. So as I mentioned, you know, we'll get the working group leads in here to provide more specific updates on things, but more pressing is, right now we haven't formalized any of the working groups as far as the OpenSSF goes. So, in fact, if you go to each one of the repos today, everybody is just putting a governance.md template in there.
A
So there's no information. The only, the only descriptions that we have are what they've put on the readme, and as Kay mentioned, those are not standard.
A
So what I'd like to do is for us to come up with what those sections should be for standardizing both the readme, and then also getting each working group to formalize that governance.md file. And then, excuse me, and then we need to go through those as a group and formally approve those and make sure that we are following all the correct process for that. But as far as voting goes, I imagine this is going to be very non-contentious for the existing groups.
A
The four existing groups, I should say. But we need to get those guys pushed through and filling all that information out, and then at the next meeting we can just go through the formal process of approving. How does that sound to everyone?
C
I, I, I do have a re, request, which I'm hoping is going to be not controversial. I'm sure that scopes change and so on, but, you know, I, I do have a beg: please make the working group names and the scopes have some relationship to each other, and it's okay.
C
Names, if it turns out the scope is now different, that's great, just rename the working group or create another one. But it is confusing as heck for some of these working groups. When I, when I first showed up with some of these, what their scope would, actually was, was not at all what I thought it was going to be just from the titles, and I think.
L
C
Yeah, and, and it's okay. I think it's perfectly reasonable, things change. Just, we want to reduce confusion of everybody.
A
Yeah, and this is a great opportunity to do that. So as we, people start filling out those formal documents, this is a good time to go, "Hey, look at, just go up, look at your name, let's make sure this all still makes sense." And certainly, I think, one of the opportunities that we have as the TAC is to make suggestions to make sure that everything looks coordinated and makes sense as far as the overall technical strategy.
B
Yeah, so I think there's two parts to what you discussed: there's the scope slash charter, and then there's also the governance. And I think, like, whatever we copied had both, and they were kind of separate, and.
D
B
There's also, like, an issue that Chris opened about having a formal charter. Do we want to tackle those at the same time?
D
B
A
Yeah, so the template that we have, you're absolutely right, the template that we have, though, the charter.md file has both of those things in there. So first is the working group name; it's sort of like, here's the formation of the working group. So they've got the name, they've got a bit of a charter and scope in the first top part, and then there's sort of boilerplate text around formalizing, like, who's in charge and how they run things. So they're kind of both in the same docs.
A
B
The ones I'm looking at have like a readme that has kind of more scope stuff, and then a governance folder. Maybe we're just kind of talking about slightly different things. I govern this folder that doesn't.
B
A
Right, exactly. So if you, if you go to most of the readmes, there's, then, like, there's a link to governance.md, that doc, and that's the, the template that came from the formation documents for OpenSSF, right, and that's the one.
B
A
Yeah, and almost everybody, like, I'd say 90 of them, link to that doc, but it's just the template. There's no information filled out whatsoever. That's right. That's, that's what we need to do. Yes, actually get those completed, get them approved, and if we need to make changes in the template, you know, we can certainly do that as well.
B
A
A
Do we need to create sort of a template of that readme that's more detailed, so that you have, like, the overview, the scope? Because right now I know there's an inconsistency across working groups where the descriptions and the scopes, like, some people have one sentence, some people have, like, five paragraphs type thing.
A
So perhaps what we could do is take one of the working groups, you know, I'll volunteer the one that I work on, this identifying security threats, and work through that and then use that as a template that people can leverage for the other working groups, if that makes sense to everyone. I mean, we can use any one, I'm just throwing that out there.
B
Me, do we have concerns about, like, do we have requirements about types of governance that we want each of these working groups to use, in terms of, like, we want there to be leads that are identified, if we want there to be, you know, open meetings, that kind of stuff? Do we care more? Is there anything else we care about, or do we want to leave a lot of that stuff up to the working groups to organize however they want?
A
I mean, I think we want to leave some autonomy to the working groups, but I believe that even in that, that governance.md says, like, there's an identification of a lead and a co-lead, I believe. I need to go back and read it more currently. But, and then they also had other ways to influence the working group, but that also, everything is public. But certainly, I think, there's discretion there.
A
You know, we've talked about this in the past, where, if something comes up that needs to be private initially for discussion and then released publicly, you know, that's okay to do, because there could be, you know, human resource issues at times for certain things, and you don't want that just out there in the open. But in general, yeah.
A
I think it's follow the template, and then, if we find that there's gaps in that, we should update it. But working groups definitely have autonomy to do what they think makes the most sense to operate.
B
A
A
Exactly. So we're, we're running out of time here. There, I know there's a real hot topic that people want to talk about, and that is the identity verification group. I know we're definitely not going to get through this in four minutes, so real quick.
A
What I would like to do is perhaps kind of have an open conversation for a couple minutes about the concerns that people have around this and document them here, and then we can schedule a separate meeting to discuss this, if people that are interested would like to do that, because I don't think we should wait till the next two weeks, because I know people are definitely excited about this.
F
Yeah, I'll just mention I've, I've heard from a couple of different people, and the way that I hear it is that there's a, there's a feeling or a sense that that group is trying to, the term that I've heard used as "force" developers to have, you know, some sort of strong verification.
F
I don't think that that's what that group is, is trying to do, but that's what I've been hearing from people. So that's the concern that I've been hearing.
F
M
Yeah, I mean, I think the, just to summarize kind of my concern is, you know, this group is relatively young and, you know, it's essentially a coalition of large organizations at the end of the day that are, you know, motivated by, you know, in some ways an altruistic approach, but in other ways, like, a kind of a goal to solve some of their own problems that we're trying to mesh together.
M
I think, you know, even if we do it in a reasonably healthy way, you know, the identity, the identification one is one that I worry about, where I've seen, like, numerous folks that have been exposed to it start to go, like, "Oh, like, you're trying to, like, make sure you can understand what my identity is as a maintainer, and I, it doesn't really feel well."
M
It doesn't necessarily feel good, and can take some explaining, and there's a lot of nuance in it. And, you know, if we get, like, one kind of an, you know, out-of-the-gate bad post that turns into one of these Hacker News conversations, this is going to, like, DOA this whole effort, because it'll all just get branded badly. So it just seems really smart to, like, make sure we're picking the ones that we can have the impact on, that we don't carry that.
A
Risk. Yeah, I think those are all very, very, very valid concerns, and definitely we don't want to have the wrong impression. I think some of this could even be mitigated a little bit, but simply by renaming this group, so it doesn't sound like it's this hayward, you know, this awesome, you know, this giant government entity that's trying to identify you, because that sounds a little scary just right off the bat. But certainly these are good questions, so I think next, that's what we should do here is, Lindsey.
A
B
So I guess before we jump to that, we just talked about kind of coming up with the process for working groups to propose their scope and everything and get that reviewed. Can we just try to go through that here? Because I think, like David pointed out, a lot of the stuff isn't, you know, quite accurate and could be solved with a rename and just documentation. And the group already has a lot of this written; we're just kind of waiting for what format TAC wants to put that in.
B
We could just go ahead and do that now instead of waiting, if that helps, or we could kind of just wait for the process.
A
Yeah, I mean, if that makes sense. I think this was sort of more like a pre-conversation to that, to just, as people were figuring out what this group even is, to put inside that doc. That's what this meeting would be. But if it makes sense to work through those at the same time while putting in the doc, I have no issue with that at all.
A
C
A
B
A
All right, well, let's, let's get that meeting scheduled, or if you guys want to use the existing working group meeting to do that. However we want to go about it administratively is cool, but I think we have a path forward, at least to start filling that out and identifying, you know, those concerns kind of at the same time, and we can get through the process and sort of solve two things at once.
F
B
C
D
A
All right, okay, we're too over, so thank you, everyone. If you have topics for next week, like I said, add under the talk for the doc, add a GitHub issue, email me, whatever you want to do. But thanks, everyone, for the time. Security.