►
From YouTube: OpenSSF TAC (May 2, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
A
C
D
D
E
All
right,
we
will
get
going
all
right,
so
yeah,
first
off
I,
know
I
just
briefly
mentioned
it,
but
certainly
a
warm
welcome
to
all
of
our
new
and
returning
Tech
members
for
2023.
So
for
those
of
you
that
weren't
aware
we,
the
governing
board,
did
a
process
to
decide
on
the
appointed
members
and
came
to
those
appointments
for
Zach,
steinler,
krobe
and
Arno.
E
So
welcome
to
the
talk
to
those
new
folks.
The
first
order
of
business
for
the
newly
seated
tack
is
to
call
for
a
nomination
for
a
chair
and
vice
chair.
So
just
as
a
I
know,
I
sent
a
note
out
to
the
private
mailing
list
last
week
to
this
effect,
but
the
role
of
the
chair
is
effectively
to
do
a
couple.
Things
number
one:
they
own
the
agenda
for
this
bi-weekly
meeting.
E
Second
by
the
charter
of
the
open
ssf,
the
chair
of
the
attack,
does
hold
a
voting
seat
on
the
governing
board,
so
you're
expected
to
attend
the
governing
board
meetings
and
participate
in
dialogue
there
and
then
finally
really
serve.
As
you
know,
as
a
key
communication
and
connection
Point
within
the
working
groups,
the
projects,
the
other
Tac
members,
as
well
as
the
the
governing
board
and
subcommittees
that
do
exist.
E
B
E
But
as
I
see
here
on
the
email
thread
as
well
as
in
the
notes,
it
does
seem
that
we
have
multiple
tack
members
that
are
interested
in
assuming
that
role.
So
what
I
would
like
to
propose
and
ask
for
perhaps
some
support
for
Kurt
or
some
of
the
other
operations
folks
on
the
attack
is
to
like
to
run
a
quick
open
vote
for
the
seven
attack
members
to
ultimately
nominate
folks
as
chair
or
vice
chair,
going
forward.
E
D
E
D
I
would
I
would
I
think
last
year
we
only
had
the
two
of
us
running,
so
it
was
pretty
easy
to
say
or
didn't
get
chair
got
Vice
chair.
We
have
multiple
this
time.
It
might
be
better
to
do
a
separate
vote
for
vice
chair
or
a
separate
run
for
vice
chair
I
want
to
put
that
idea
forward
and
I
know
other
organizations
I'm
part
of
do
those
separately,
because
the
responsibilities
are
also
different
and
the
the
time
commitment
is
different.
D
So,
for
example,
for
myself
this
year,
while
I
would
love
to
step
into
the
chair
role.
Having
worked
with
Bob
for
the
past
past
year,
I
have
a
pretty
good
sense
of
it.
It
would
if
the
time
commitment
is
as
much
as
it
has
been
for
Bob
in
the
past
year
in
the
next
year.
I
would
not
be
able
to
to
fill
the
same
issues.
I
have
two
other
foundations.
I'm
also
involved
in
and
I
feel
like
being.
A
E
G
E
All
right
any
objections
to
that.
As
the
plan
of
record
all
right,
we
will
proceed
with
that
thanks
Kurt
and
thanks
for
all
the
throwing
your
names
into
the
proverbial
hat
and
look
forward
to
handing
over
the
reins
all
right.
Next
on
the
agenda.
For
today
we
have
I,
know
I,
want
to
pause
and
maybe
do
a
quick
reorder,
because
I
don't
see
Mike
Dolan
on
the
attendee
list,
yeah.
E
B
C
I
I
Actually,
some
of
the
faces
on
this
call
have
seen
the
the
secure
software
guiding
principles
or
secure
software
Covenant
already
and
I
think
we
sent
around
the
link.
So
hopefully
people
have
had
an
opportunity
to
preview
and
digest
it's
not
terribly
long.
Honestly,
it's
just
a
couple
minutes
worth
of
reading,
but
basically
the
idea
that
we
had
back
around
the
time
of
the
open
source.
Leadership
Summit
was
wow.
I
But
then
we
did
some
research
on
the
origin
of
the
word,
covenant
and
realized
that
that
one
wasn't
so
great
at
the
moment,
I'm
calling
it
guiding
principles
but
I
think
pledge.
Actually
it
sounds
like
a
good
thing.
You
can
take
a
pledge
or
make
a
pledge
and
I
wanted
to
share
it
with
the
larger
openssf
tack,
because
what
I'd
really
like
to
have
happen
is
that
this
becomes
something
that
openssf
adopts
and
promotes.
I
H
Yeah,
thanks
for
sharing
I
I'm,
very
much
on
board
with
the
idea
I
like
this.
A
lot
I
wanted
to
share
that.
I
am
aware
that
some
folks
from
GitHub
are
working
on
something
very
similar
and
he
even
presented
us
at
the
securing
software.
Repos
work
group
kind
of
with
a
plan
to
ask
major
software
repository
providers
to
sign
off
on
it.
I
I
Thank
you,
yeah
I
I,
can't
imagine
that
I'm.
You
know
the
Intel
is
the
only
group
that
has
had
this
idea.
So
maybe
it's
a
good
opportunity
to
to
get
back
with
them
and
then
realign,
although
well
I,
guess
I
can
get
more
details
from
them.
But
that
sounds
like
it's
a
GitHub
specific
proposal
they're
not
seeking
like
an
open,
ssf
or
a
broader
industry.
I
A
Dan
yeah,
thanks
for
thanks
for
sharing
this
again
Jessica
I
know
we
chatted
a
while
ago,
and
I
saw
a
draft
of
this
a
few
months
ago
back
when
it
was
still
called
The.
Covenant
I
shared
this
internally
I
got
a
bunch
of
feedback
from
our
team
and
with
some
other
folks
and
the
initial
reaction
everyone
had
was.
Oh,
this
could
go
over
really
poorly,
because
people
might
assume
that
its
companies
are
asking
open
source
maintainers
to
follow
these
principles
and
as
soon
as
I
explain
no,
no,
it's
the
opposite.
A
It's
a
pledge.
Companies
will
take
for
their
own
stuff,
the
reacting
completely
flipped
the
exact
opposite
way
and
everyone
loved
it
so
just
kind
of
surfacing
that
is
a
potential
I,
don't
want
to
say
risk
or
just
something.
We
have
to
be
very
clear
about
with
the
messaging
here
that
this
is
not
a
like
an
unfunded
mandate.
Large
companies
are
placing
on
open
source
maintainers,
just
more
the
reverse.
I
think
people
are
just
so
worried
about
that
they're
assuming
bad
intentions
here,
but
it's
better
to
be
safe
than
sorry
with
it.
I
J
Brian,
apologies
for
my
camera,
not
working
I
I.
Think
attaching
this
to
companies
is
very
interesting
from
a
PR
point
of
view.
It'd
be
great
to
get
a
critical
mass
of
the
organizations
involved
in
in
or
in
groups
like
openssf
or
whatever,
to
be
able
to
save
as
a
company
Intel
chain
guard.
Whoever
you
know
attaches
their
name
to
this
I
wonder
if
there
might
also
be
some
value
and
I
don't
know
if
it's
the
same
pledge
or
a
separate
one
to
attaching
this
to
projects.
J
You
know
basically
the
maintainers
on
the
project
saying
this
is
this
is
a
CREDO.
We
will
live
by
as
maintainers
and
you
can
hold
us
accountable
to
and
it
becomes
a
relatively
standardized
document
kind
of
like
security.md
that
you
find
at
the
top
of
the
repo
and
then
the
interesting
thing
about
that
is
then
the
different
tools,
security
score
cards
and
the
like
that.
Try
to
compute
you
know
trust
scores
for
for
projects
can
incorporate
this
as
one
signal
among
many
in
you
know
whether
a
project
could
be
more
trustworthy
or
not.
B
Hey
I'm,
sorry
to
interrupt
Mike
Dolan
just
joined
the
call.
Oh,
is
that
yeah
can
we
take
a
ticket?
Ava?
Can
I
jump
in
front
of
you?
Sorry,
thank
you.
Hi,
so
I
have
been
working
with
the
open
source,
Securities
Foundation
vulnerability,
disclosure
working
group
to
establish
a
two
documents.
There
is
the
the
model,
outbound
vulnerability,
exposure
policy
version
0.1
and
then
also
the
open
source,
outbound
form
of
really
disclosure
policy,
which
is
basically
stating
hey.
We
are
adopting
the
model
policy.
B
I
am
I've
centered
the
attack
a
couple
times.
I
hope
that
you
all
have
taken
an
opportunity
to
take
a
look
at
this
and
I
was
hoping
to
call
for
a
vote
on
adopting
this
policy
as
well
as
the
plan
for
the
the
the
is
that
Alpha
Omega
will
probably
be
the
predominant
user
of
this
policy
and
I
mean
basically
we
will.
B
We
will
work
with
it
and
use
it
and
basically
like
in
you
know,
experience
how
it
actually
works
and
if
we
have
any
problems,
maybe
make
some
modifications
down
this
down
down
the
road,
but
as
it
stands.
This
is
a
policy
that
we
would
be
moving
forward
with
at
this
exact
at
this
exact
moment
and-
and
you
know,
continue
discussions
with
the
vulnerability
disclosures
working
group
if
we
run
into
problems
with
it.
So
the
the
the
ask
at
this
point
is
hey
tack
or
you
will
would.
E
So,
as
I
noted
in
the
doc,
I
wanted
to
to
note
that
Jonathan's
correct
we
have.
We
have
discussed
this
at
at
prior
meeting.
So
from
the
point
of
view
of
awareness,
I
think
this
has
been
a
an
open
issue
and
an
open
dialogue
for
a
bit
I
also
want
to
recognize
that
we
did
not
get
a
full
tax
seated
until
last
week.
E
So
I
believe
I
wanted
to
make
sure
to
give
the
new
tech
members
that
maybe
had
either
not
been
in
attendance
in
the
past
or
not
had
been
aware
of
this
to
not
have
a
perception
that
we
were
trying
to
rush
to
a
vote
immediately
on
the
first
meeting
of
the
after
being
seated.
But
that
being
said,
if,
if
you
know
I
guess
explicitly,
Zach
and
Arno,
if
both
of
you
feel
comfortable
with
the
content
here
and
ultimately
making
a
vote
right
now,
I
wanted
to
make
sure
that
you
had
a
chance
to.
E
If
you
wanted
more
time
to
just
say,
hey
I
would
like
another
a
couple
days
to
look
at
this
and
we
can
drive
that
vote
on
this
electronically.
If
there's
no
need
to
delay,
we
can
certainly
I
think
move
on
now,
but
wanted
to
make
sure
that
we
were
being
included
to
those
that
are
newly
appointed
to
the
tag.
K
B
I
also
want
to
give
the
opportunity
Mike
Dolan
is
only
here
for
the
next
10
minutes,
because
he's
got
a
meeting
at
the
top
at
the
top
of
the
half
hour.
So
if
there
are
any
Tech
members
here
that
that
Mike
Dolan
is
the
legal
counsel
for
the
LF.
So
if
anybody
here
has
any
questions
for
Mike
about
this
or
any
other
documents,
I
wanted
to
give
that
opportunity
to
you
all
to
to
ask
him
anything.
While
he's
here
I
see,
Dustin
has
their.
H
Hand
up
yeah,
I,
think
I'm.
Okay,
with
the
structure
of
this
and
I,
have
had
a
chance
to
review
it
as
well
I'm
a
little
curious
about
I
wanted
to
raise
it.
Some
of
the
pros
from
this
seems
identical
to
Pros
in
Google's,
app
security
policy
or
availability
disclosure
policy.
I
just
want
to
make
sure
that
we're
okay
with
that
so
I
mean
some
of
the
wording
is
exactly
the
same.
So
I
I
do
see
that
it
sort
of
credits,
several
policies
at
the
end,
but
it
seems
very
similar
to
that
policy.
B
B
Heavy
heavy
modifications,
but
there
is
some
verbiage
that
is,
is
directly
Google's
policy
does
explicitly
state
that
they
welcome
you
to
use
their
policy
as
a
basis
for
other
policies,
so
that
just
is
a
like
a
firm
of
Licensing
or
permission
perspective.
There
I,
don't
believe,
is
any
issue
there,
but
I
I
do
yes
that
I
just
wanted
to
offer
that
context.
H
It
just
looks
very
similar,
and
you
know,
and
being
from
Google
I'm
a
little
concerned
that,
like
it,
could
be
perceived
as
us.
You
know
Google
forcing
the
same
policy
onto
openss
there's
some
things
in
like
some.
It's
just
prose
right.
The
structure
I
think
is
okay
to
be
the
same,
but
some
of
the
some
of
the
sentences
like
what
we
believe
as
open
ssfr
are
the
same
thing
that
will
come
from.
B
I
can
offer
context
on
why
I
chose
to
go
that
route.
If
that
helps
I've
used
Google's
policies,
my
own
disclosure
policy
for
many
years
and
I
have
liked
it
I've
liked
the
rationale
that
Google
has
especially
involving
the
project:
zero
FAQ,
that
that
is
published,
describing
not
just
the
policy,
but
also
why
the
policy
is
implemented.
The
way
it
is
I
found
the
the
rationale
quite
compelling
and
the
the
data
that
they
use
in
their
FAQ
to
back
that
up
also
very
compelling,
so
it
it
wasn't.
B
B
D
I
thought
I
had
all
my
questions
already
answered
and
I
hope
this
one
just
came
to
me.
I
hope,
I
worded
correctly,
understanding
that
this,
the
primary
intent
is
for
this
to
cover
activities
under
Alpha
Omega,
have
has
considerations
a
bit
of
a
question
for
for
Mike
and
others
has
consideration
been
made
for
the
the
if
this
policy
is
adopted
and
used
by
other
groups
within
openss
that
are
not
Alpha
Omega
recognizing
it
has
a
different
sort
of
financial
foundational
structure
than
other
projects
to
do
the
same.
B
Well,
so
the
design
of
the
policy
is
two
parts:
there
is
the
open
source.
Security
Foundation
is
adopting
the
model
policy
and
the
model
policy
itself
is
written
in
such
a
way
that
it
does
not
include
the
open
source
security,
Foundation
name
in
it
at
all,
and
the
idea
behind
that
is
that
any
individual
organization,
you
know
research
or
can
say
we
follow
the
model
open
source,
the
model,
disclosure
policy
and
I.
So,
for
example,
I
send
it
to
a
research
organization.
This
morning
saying
hey,
we
are
going
to
publish
this
and
they
were
like.
D
B
M
N
B
O
O
Client,
so
I
want
to
be
clear
about
that.
Second
of
all,
there's
there's
no
way.
I
can
conceive
of
that.
You
could
provide
legal
protection
to
anybody
who
adopts
anything,
including
the
code
that
you're
producing
or
any
other
things
that
you're
producing
so
I
wouldn't
set
that
expectation,
I
I
when
I
did
go
through
it
Ava
to
be
clear.
O
O
D
O
D
O
P
Very
quickly,
I
am
not
a
lawyer,
and
this
is
not
legal
advice.
But
I
was
curious
about
whether
in
publishing
this
document
we
just
have
a
little
blur.
That
says
this
does
not
mean
that
the
open
ssf
proposes
to
indemnify
you
in
any
way
blah
blah
blah
blah
blah.
Get
your
own
lawyer
who
you
pay,
someone
on
those
lines,
just
just
a
little
blurb
on
the
page,
where
the
model
can
be
downloaded
or
copied
from
might
be
a
possibility
to
to
offset
that
risk.
I.
D
Would
I
would
suggest
doing
something
like
that
and
making
clear
which
projects
are
following
this
and
which
ones
are
not?
And
so
if
openss
follows
this,
but
sixth
door
does
not,
for
example,
I'm
just
spitballing
here
then
just
making
that
clear
or
if
you
know
if
this
is
an
open,
ssf
wide.
All
projects
in
the
openssf
are
agreeing
to
abide
by
this.
That's
the
the
Nuance
I'm
looking
for
that
wasn't
clear
to
me
in
the
proposal.
The.
B
Intention
behind
this
is
any
any
reports,
outgoing
from
the
open
source
security
Foundation
that
are
using
the
open
source
security,
Foundation
Banner,
as
the
as
the
source
of
that
vulnerability
report
going
out
to
some
other
organization,
will
use
this
policy.
Now,
if
you
happen
to
be
a
member
of
the
open
source
security
foundation
and
you
work
for
another
organization,
you
don't
have
to
use
this
policy.
You
can
choose
to
use
the
banner
of
open
source
security
Foundation
as
the
place
where
you're
disclosing
from
and
use
this
policy,
but
you
do
not
have
to.
B
Right,
that's
an
individual
decision.
Now.
If
the
project
is
saying
we're
disclosing,
then
probably
they
should
follow
his
policy
right.
Alpha
Omega
is
a
project
under
the
open
source
security
Foundation.
We
will
be
using
this
policy
I'm.
Also
an
employee
of
the
LF,
but
under
the
open
source
security
foundation,
so
I
will
dictate
my
work,
but
yeah.
O
I,
don't
know
if
that
Jonathan
and
that's
implicit
in
the
conversation
is
that
there's
a
communication
that
needs
to
be
made
out
to
the
projects.
That
is
now
the
expectation
that,
if
they're,
making
a
disclosure
under
the
banner,
the
open
and
source
security
Foundation
that
they
follow
this
policy
and
make
sure
that
they
are
aware
of
that.
Yes,.
D
B
D
B
O
Yeah
they
would
have
to
choose
to
adopt
it,
but
Jeff.
That's
why
I
spent
some
time
with
Jonathan
to
turn
this
into
a
model
policy,
because
I
do
think,
there's
other
projects
that
would
be
interested
in
adopting
this
either
the
ones
that
exist
currently
or
new
ones
that
we
are
going
to
be
hosting
yeah.
B
Just
another
bit
of
context,
I
did
submit
I
mean
I
know
it
has
not
been
ratified.
I
did
submit
this.
Defcon
cfp
closes
closed
yesterday,
so
I
submitted
it
to
the
policy
track
for
Defcon
to
talk
about
and
also
announced
to
the
world.
Just
you
know
hey.
You
can
adopt
this
as
well.
It's
not
necessarily
contingent
on
this
being,
except
you
know
this
doesn't
get
accepted.
It's
fine.
The
talking
always
get
dropped,
but
you
know
I
did
submit
it
to
Defcon
so
and
just
around
announcement
they
they
tend
to.
Like
things
to
be.
K
B
K
B
I
don't
mind
being
the
vehicle
for
yeah,
making
sure
that
that
gets
articulated
and
that's
basically
just
emailing
all
the
working
groups
and
then
maybe
also
joining
some
of
the
working
group
calls
and
communicating.
Muchlessly
and
I
also
know
someone
who
attends
a
majority
of
all
the
working
group
tall
calls
to
maybe
part
of
the
here's.
D
Why
here's
why
I
was
asking
to
put
a
very
fine
point
on
it?
We
have
a
number
of
projects
that
are
not
working
groups
not
hosted
in
working
groups
right
Alpha
Omega
is
one
of
three
things
that
go
by
at
various
names:
the
new
tool
chain
Initiative,
for
example.
They
are
largely
an
independent
entity
in
terms
of
functioning
and
self-governance.
However,
they
are
under
the
open,
ssf
Banner.
Are
they
subject
to
this
policy
as
well
and
have
they
been
consulted.
O
D
J
Important
I'm
not
aware
of
other
parts
of
the
openness
and
stuff
that
are
conducting
outbound
vulnerability,
research,
so
I
think.
That
was
why
perhaps
that
skipped
our
mind
to
try
to
do
a
broad
canvassing
of
the
community.
But
we
could
be
wrong
and
maybe
there's
one
more
two-week
hop
of
a
broadcast
out
in
some
way
to
the
broader,
broader
openness
of
community.
As
like
a
last
call
for
comments,
you
know
we
could
also
just
adopt
this
for
for
Alpha
Omega,
but
I.
J
J
N
Right
if
the
TAC
sees
value
and
votes
to
approve,
this
I
know
someone
that
has
Communications
in
their
title
and
is
a
specialist
in
com's
plans
and
has
very
good
relationships
with
both
Jonathan
and
Jennifer.
That
we
would
be
I
could
probably
persuade
that
person
to
develop
a
formal
Communications
plan
and
bring
back
to
the
tech
to
show
how
we
would
manage
the
comms
out
to
the
working
groups,
members
and
Affiliated
projects,
and
then
we
could
include
such
things
as
the
potential
Defcon
talk.
E
B
E
Publishing
both
I
think
is
effectively
what
we're
voting
on
right.
Yes,
yes,
yes,
yes,
working
group
wants
to
take
on
evangelization.
That's
not
something
that
attack
needs
to
yeah
to
GDK
here,
all
right,
so
to
call
for
a
vote.
I
guess
what
I'd
like
to
do
is
just
go
ahead
and
call
for
either
plus
one
hands
up
or
verbal.
Yes
in
the
zoom
tool
and
we'll
go
ahead
and
count
those
and
then
have
the
record
show
that
if
you
use
the
reaction
button
in
Zoom,
that
would
be
great.
E
B
I
dove
a
quick
question
for
the
TAC.
We
are
adopting
this
version
at
this
point
if,
as
the
open
source
security
Foundation
operation,
as
as
the
alpha
Mega
team,
operationalizes,
this
policy,
we
run
into
problems
where
we
need
to
modify
it
slightly.
At
what
point
would
the
attack
like
to
be
re-addressed
and
re-asked?
The
question
of
do
you
want
to
adopt
this
before
we
move
forward
with
minor
modifications
of
it.
E
I
would
say
if
there's
a
meaningful
change
in
in
content.
If
it's
a
spelling
error,
we
don't
need
to
be
in
the
middle
of
it.
If
it's
a
hey,
we
think,
like
we're
going
to
say,
there's
no
obligation
to
do
any
reporting
going
forward.
Obviously,
that's
a
substantive
context,
change
that
would
be
reviewed
here.
So
I
would
say
you
know,
use
your
best
judgment.
If
it's
anything
beyond
trivial
I
would
say
tag
Us
in
GitHub
on
the
pr
and
we
can
drive
along
there.
Yeah.
B
D
E
I
D
I
think
my
my
comment
that
I
tried
to
just
quickly
count
for
there.
It
sounds
like
a
couple
different
words
at
least
two
have
the
same
idea
as
so
often
as
the
case,
we
all
are
looking
at
the
same
problem
want
to
solve
it
together.
So
I
would
like
to
I
didn't
hear
a
request
for
any
action
from
the
tag
today.
D
And
I
would
suggest
moving
it
into
a
working
group
to
gather
interested
parties
refine
the
wording
around
it.
It
sounds
like
you
got
some
good
feedback
on
that
today
and
then
come
back
to
the
tack
after
there
are,
let's
say,
a
some
sort
of
a
critical
mass
of
companies
and
maybe
other
projects
outside
the
open
ssf
that
are
ready
to
agree
to
it.
I
F
It's
just
maybe
I
I
kind
of
feel
like
this
guy
I
mean
sorry.
You
know,
I
kind
of
feel
like
the
scope
is,
is
wider
than
what's
covered
in
securing
software
repos
and
I
I
feel
like
the
discussion
that
we've
had
about
it
already
has
been
substantive
in
the
end
user
working
group.
So
I
would
like
to
encourage
from
a
server
standpoint
that
that
we,
that
the
work
continue
There.
E
L
L
Some
of
these
some
of
these
seemed
more
clear
to
me
than
others
as
to
how
I
would
implement
or
sort
of
like
be
able
to
live
up
to
these
principles.
Like
you
know,
having
a
vulnerability
disclosure
program,
great,
that's
pretty
easy
to
thumbs
up
or
thumbs
down
to
say
that
you
know
you
mean
this
or
not
things
like
employing
developer
practices
that
are,
in
conformance
with
modern
industry,
accepted
methods.
The
challenge
there
is
that,
of
course,
they'll
evolve
over
time
and
so
I
know.
L
I
Okay,
so
I
see
again
gotta
work
on
my
messaging
here,
but
taking
a
step
back,
I
tried
to
write
the
principles
as
being
sort
of
constitutional
so
that
they
wouldn't
change
very
often
and
then
I'm
envisioning
that
there
would
be
like
an
implementation
guide,
something
that
gets
updated
regularly.
That
goes
into
specifics,
like
hey
and
if
you're
looking
at
number
four,
you
know
this
could
be
satisfied
by
using
open,
SSS,
scorecards
or
see
the
store,
or
that
would
be
a
separate
thing.
A
separate
supplement
that
would
provide
implementation
details.
I
C
I
I
M
And
Bob
and
Jonathan
and
Brian
feel
free
to
jump
in
if
I've
missed
anything
or
got
anything
wrong.
So
again,
IO
Mission
protective
Society
by
improve
the
security
of
Open
Source
software
through
direct
maintainer
engagement
and
expert
analysis.
That
is
our
grounding.
Our
vision
is
that
these
critical,
open
source
projects
are
secure
and
that
vulnerability
is
bound
and
fixed
quickly.
M
Overall
updates,
so
first
Microsoft
will
be
providing
an
additional
two
and
a
half
million
to
support.
Ao
PO
is
in
progress,
we're
expecting
to
press
release
it
along
with
open,
ssf
day
announcements
next
week.
So
please
do
not
tweet
this
before.
It
is
fully
public,
but
we
that'll
that'll,
keep
us
going
for
you
know
through
definitely
through
the
end
of
the
calendar
year
and
into
2024.
M
we're
planning
an
updated
member
agreement.
This
new
up
would
be
an
updated
member
agreement
for
for
AO
contributors.
This
will
allow
organizations
to
come
in
at
a
250k
tier
level.
They
do
not
get
governance
rights
at
that
level.
They
we
will
meet
with
them.
There's
a
couple.
You
know:
logo,
trades
and
and
we'll
I'll
meet
with
them
once
a
month.
We
certainly
want
to
hear
their
input
and
and
have
that
dialogue,
but
they
do
not
get
a
control
any
control
in
how
the
AO
funds
are
spent.
M
At
that
level,
we
have
a
summer
mentorship,
which
I
think
you
all
should
be
should
be
aware
of.
We
got
about
180
applications.
We
have
four
fourth
boss.
These
are
paid
mentorships
for
12
weeks,
starting
in
June.
We
expect
to
have
the
the
the
final
four
selected
in
a
few
weeks
and
I
realized
that
it's
mail
ready,
it'll
it'll,
be
fine.
M
We
also
have
an
AO
website
a
little
bit
of
Swag,
which
should
be
available
at
open
ssf
day,
so
come
take
a
look,
and
we
continue
to
do
speaking
engagements
there's
a
panel
that
Yesenia
is
leading
at
open
ssf
day,
as
you
heard
Jonathan's
your
submitted.
A
talk
for
Defcon,
both
of
them
have
been,
have
been
great
in
getting
the
word
out
and
having
you
know,
kind
of
consistent
public
dialogues
about
what
we're
doing
and
what
we're
trying
to
do
on
the
office
side.
M
We
continue
to
get
monthly
updates
from
each
of
our
partners.
All
of
the
the
updates
I'm
not
going
to
go
into
any
detail
they're
on
the
AO
GitHub
page
under
engagements.
You
can
read
about
them.
They
I
believe
everybody's,
giving
something
once
a
month,
I
think
we're
waiting
for
for
one
one
engagement
to
submit.
Recently.
M
M
M
We
have
have
some
other
early
discussions.
Four
four
or
five
of
these
to
number
one
help
us
kind
of
better
achieve
our
mission.
So
things
like
you
know,
out
of
band,
you
know
vulnerability,
detection
and
essentially
I,
don't
say
franchise
out
the
Omega
Model,
but
it's
kind
of
what
I
mean
we
pay
an
organization
to
find
vulnerabilities
and
fix
them.
According
to
our,
you
know,
policies
to
just
kind
of
get
separate
streams
and
and
getting
getting
more
stuff
done.
M
M
M
We
do
have
a
proof
of
concept,
automated
tool
to
find
appropriate
disclosure
mechanisms
so
given
left
pad,
how
should
I
do
it?
Do
they
have
private
vulnerability
reporting
enabled
do
they
use
tide,
lift?
Is
there
just
an
email
address?
Is
there
a
form
you
got
to
fill
out,
there's
a
jira
trying
to
figure
that
out
in
an
automated
way,
so
that
you
can
point
at
a
project
and
like
send
it
that
way.
Ultimately,
this
project
is
just
about
the
the
discovery
of
those
things
done.
M
M
I'm
thinking
about
you
know
how
do
I
align
this
better
with
guac,
with
in
Toto,
attestations
and
and
things
like
that,
but
conceptually
you
know
what
what's
the
larger
larger
view
on
this
and
and
how
does
what
what
facts
are
relevant
so
that
a
consumer
can
make
policy
decisions
based
off
of
that
on
what
open
source
to
use
so
I
only
want
to
use
open
source
that,
when
scanned
by
one
of
these
static
analysis
tools
doesn't
have
any
critical
vulnerabilities.
That
would
be
an
interesting
like
gate
to
have.
M
So
this
is
not
about
like
cves.
This
is
you
know,
underlying
software
quality
based
off
of
based
off
of
analysis
in
the
trash
portal,
we're
finalizing
it
we're
just
hitting
hitting
some
bugs
we're
hoping
to
get
that
out
in
public
soon
as
a
proof
of
concept,
we'll
iterate
on
that,
and
we
have
lots
of
stuff
to
do
there.
M
M
D
P
F
M
Oh
yeah,
so
so
Ava
to
the
to
the
security
MD
thing.
Yes,
so
the
way
that
we've
been
approaching
this
is
security.
Insights
already
provides
us
in
a
very
structured
way.
Parsing
text
in
security
MD
is
terrible,
but
it's
you
know
it's
going
to
fall
back
to
that.
Like
that's
one
of
the
places
we
look
but
security
insights.
It's
you
know
it's
right.
There.
It's
yeah.
D
Let
me
be
a
little
more
specific
here.
I
would
love
to
see
a
normalized
formalized
format
for
that
much
like
a
decade
ago,
in
the
early
days
of
spdx,
we
had
we
sort
of
the
industry,
invented
licensed
short
codes
to
create
machine,
readable,
easily
parsable
way
to
figure
this
out
for
licensing.
Some
folks
might
are
interested
in
either
doing
or
seeing
us
do
something
similar
for
security
disclosure
processes
in
projects.
Could
you
this
might
be
a
thing
that
gets
picked
up
by
a
working
group,
I'm
happy
to
to
connect
the
dots.
D
E
D
Great
so
I'll
be
I'll.
Be
brief?
There's
no
ask
here
for
discussion.
Sorry,
there's
no
time
here
for
discussion.
Justin
ask
for
doing
a
little
bit
of
discussion
on
your
own
time,
foreign.
Hopefully
by
now
everyone
has
heard
a
little
bit
about
the
Cyber
resiliency
Act
and
the
product
liability
directive
in
Europe.
These
are
two
pieces
of
very
large
regulation
coming
down
the
pipe
they
have
been
I'm
making
these
words
a
little
bit
off.
They
have
passed
sort
of
the
European
equivalent
of
out
of
committee.
D
They've
been
approved
they're
now
in
trialogue
with
three
different
parts
of
European
government
are
collectively
debating
and
fine-tuning
these
there's
not
a
lot
of
chances
left
before
public
feedback.
The
open
ssf
did
submit
our
comments.
That's
the
third
link,
I
added
here,
Eclipse
Foundation,
published
what
I
I
find
to
be
one
of
the
best
write-ups
out
there
of
the
potential
impact.
D
A
lot
of
other
organizations
in
open
source
foundations,
also
published
impact
statements,
I
think
the
python
software
Foundation
did
the
most
recent
one
and
then
the
OSI
collated
a
lot
of
that
feedback,
including
actual
submissions
given
to
European
Commission
on
a
blog
post.
That's
sort
of
that
second
link.
I
put,
there
is
sort
of
just
a
Clearinghouse
of
everyone's
responses:
they're
not
everyone's
over
a
hundred.
D
The
in
the
policy
public
policy
committee,
which
is
part
of
the
open
ssf
yesterday
is
discussion.
The
question
was
raised:
has
there
been
a
technical
review
of
the
the
likely
impact
long
term
of
the
regulation
as
it's
currently
written
since
most
of
the
policy
discussions
have
centered
around
Financial
impact
feasibility?
Is
the
tooling
ready?
What's
the
impact
on
businesses?
What's
the
impact
on
trade?
D
I
am
not
aware
of
anyone
having
done
a
review
of
it
from
the
very
narrow
lens
of
if
there
is
infinite
money
in
time,
and
we
do
build
all
this
magical
tooling,
that
The
Regulators
are
proposing.
What's
the
end
result
and
since
I
didn't
have
the
answer
and
I
thought
well,
that's
kind
of
a
good
technical
question:
why
don't
we
discuss
that
amongst
ourselves
as
the
technical
expertise
in
in
the
in
the
open
ssf?
D
We
obviously
don't
have
time
to
do
that
today
and
I'm,
not
assuming
that
everyone
has
gone
and
read
all
of
these
things.
If
you
happen
to
have
a
deeply
involved
in
policy,
but
what
I
would
love
to
ask
is
that
next
week,
those
of
us
that
are
in
Vancouver
for
open
ssf
day
or
vet
or
not
spend
a
little
time?
Thinking
about
this
go
read
some
of
the
the
commentary
and
then
let's
have
a
discussion
when
we
come
back
together
in
two
weeks.
A
D
At
a
minimum,
I
think
my
my
the
request
from
the
public
policy
committee
was:
can
the
tax
tell
us
what
they
think
so
to
minimum
I
love
the
tact
to
have
an
opinion
on
this
and
say
Here's?
What's
great
or
here's
what's
terrible
or
here's
what
we'd
like
to
change
just
looking
at
the
technology
aspect
of
it
and
take
that
back
to
the
public
policy
committee
who
then
they
might
say
a
great
pack,
please
publish
a
blog
post
about
that.
Maybe
you
know
David
or
or
whoever
the
next
tax
areas
would
do
that.
P
Very
quickly,
don't
be
afraid
to
read
The
Proposal
itself,
the
the
in
terms
of
reading
guidance,
there's,
one
citation
which
mentions
open
source
software
in
about
110,
I,
think
citations.
So
you
can
skip
all
the
others
and
not
that
interesting,
and
they
also
have
three
sections
that
look
very
similar
because
they
are
basically
the
same,
which
is
manufacturer,
distributor
and
importer.
They
have
the
same
requirements
for
each.
You
only
need
to
read
one
of
them
and
it's
pretty
straightforward.
It's
not
very
legalistic.
D
Q
Thanks
plus
one
Ava
to
the
observation,
the
eclipse
Foundation
write-up
was
really
well
done
and
to
also
very
much
agree
that
the
attack
has
an
important
role
to
play
in
helping
to
inform
the
public
policy
committee.
The
quite
often
public
policy
Representatives
struggle
with
these
issues
as
Technologies
become
increasingly
more
complex
and
they
don't
have
the
skills
or
bandwidth
to
be
able
to
address
that.
Q
So
if
the
tax
able
to
support
the
open,
ssf
public
policy
committee
requests
for
support
and
then
lastly,
if
your
own
organization
hasn't
responded
to
the
CRA
initiative,
encourage
your
own
company
to
do
sing,
because
the
policy
makers
over
in
the
EU
will
inadvertently
have
some
negative
impacts.
If
they
don't
fine-tune.
What
they're
trying
to
accomplish
thanks.
J
With
that
disincent
research,
security,
research
work
and
lead
to
less
less
patches
being
issued.
You
know
more
bug
reports
but
fewer
fewer
bug,
fewer
fixes
and
fewer
actual
distributions
and
updates,
and
that
kind
of
thing
or
if
there
are
other
unintended
consequences
of
this,
that
lead
to
less
security
rather
than
more
that's
the
kind
of
evidence.
We'd
like
to
collect
or
or
positive
I
mean
an
organization
is
happier
than
when
a
government
mandate
for
the
products
and
services
it
offers
is
established
So.
In
theory.