From YouTube: OpenSSF TAC Meeting (September 7, 2021)
A
We go, hold up, hopefully I can at least rename so that at least people have an idea of, and we have K also.

C
We have two operations, but I'm gonna log out and come back again, all right.

D
You know, I was actually going to do the whole sign out, sign in thing this morning and try to be OpenSSF Operations myself, but I had a last-minute meeting come up, so I have to leave at 8:30, and then I was like, well, if I do that and I exit it might end the meeting. So I'm going to...

D
I greatly appreciate it, all right. So, as I mentioned, I do have to bail at 8:30 this morning, unfortunately, for another meeting, so let's go ahead and get started. The main thing on the topic, or the main topic on the agenda today... man, it just feels like virtual Monday, doesn't it? Yeah, but CRob has a presentation around coordinated vulnerability disclosure, so CRob, would you like to take it away and educate us?

B
Before you do that, CRob: I need to drop a little bit earlier as well, so I'm probably going to hear most of what you say, CRob. So is there any other agenda items, just...
D
If we did have time after CRob's, then again I may not be around for this, I wanted to talk about the elections that could be coming up and how that might coordinate with things that are happening on the governing board as well.

E
So the Vulnerability Disclosures Working Group has been toiling away for a while now on a coordinated vulnerability disclosure guide for small and medium open source projects. It's been a pretty good group effort and we are ready now to formally push it out. I put a link to the repository in the Zoom chat (awesome), so first off we're asking if anyone has any comments or questions: review the guide, and if you'd like to submit issues or PRs against it. We're about ready to start to connect it to our formal working group page, and then we thought this is a pretty big thing, having a template and an example for small and medium projects on how they might want to think about coordinating vulnerability disclosures.

E
So we thought it might be a great occasion for the foundation to publish a blog, which is the second link I put in there. This is our proposed blog and I would love if the TAC could review that and then, whatever the process is to get things published, I think it has to go to maybe the governing board, but we'd like to formally submit the blog for consideration for publication, make everything live.
C
Yeah, so you can, when you're ready, just let me know. I'll make sure that the governing board has a chance to review it. Generally the process is, and this will formalize as we get some new governing board committees set up, which will happen kind of starting in the November time frame. But for now you can let me know, and my requirements are just that other working group leads and other TAC members have had a chance to review it, then I'll make sure that the governing board also has a chance to give it a read, and then it'll get the green light and we'll get it posted. Awesome.

A
If I may, CRob, I would also suggest folks, you know, last minute, if you haven't looked over the guide, to please do so. I had proposed on the working group to have an LF person, an LF editor, look through, because there's some editorial stuff, not content editorial stuff, but I don't think we need to wait for that. I think we can talk blog posts and everything else while we work on an editorial, CRob, if that's okay with you. I hadn't seen if that was, if...

D
CRob, I did want to ask actually one thing was: did you guys coordinate with, or discuss with, I should say, the CERT team and their project VINCE and all that, because they do a lot of coordinated disclosures.
E
Yeah, we get an update every couple meetings on it, but it's still kind of in an undetermined time when it will get open sourced, and then again I think, potentially, if the community likes it, sees value in it, it's something we potentially could even formally endorse and encourage everyone, hey, this is a pretty great tool, and then we go through and update things as needed and hopefully get them more contributors.

D
Yeah, there's a lot of great content here, so I'm actually going to run it through, or send it to, our Microsoft Security Response Center and have them take a look at it as well and kind of get their feedback, because I know they've got a lot of interest and experience in these types of things.

E
We haven't seen anyone from Microsoft in a while. Okay, it's open to anybody, but this is, you know, informed by a lot of Google's experiences, Red Hat's experiences. We've had a bunch of folks that actually are researchers and kind of vulnerability, like bug bounty folks, on the team. So it's had a pretty decent review from different perspectives.

D
Yeah, I'll kind of forward it to them just as an FYI and let them see if they have any feedback as well. Very cool. Now it's exciting. I think this is definitely much needed, long time coming. So thank you for your help on that. All right, so the next agenda topic is the elections to come. So back in, I don't know, time has no meaning anymore.
D
Maybe January, February, we had a discussion around sort of what the structure of the TAC would look like and the elections and all that, and we had decided that the structure would be kind of a 4-3 split: you know, four elected by the governing board, three elected by the community, keeping it around at seven members total, and that we would have an election the end of August, which would be the first sort of term, as you may have noticed.

D
It is now September, but there are some kind of fluctuations that are happening on the governing board side as well. So I'm not sure if folks are familiar with everything that's happening there, but there's sort of an update to the charter and kind of the structure of the governing board, and now we have the member dues that are coming in and how that affects things. So I don't know if you want to give a quick overview of that.

C
Yeah, so the recent charter updates: we wanted to get to a point... You know, we've made really strong progress in the year that we've been together as the OpenSSF.
C
When we formed, we decided, you know, we were in the midst of COVID and there was a lot of financial uncertainty for our member companies. A lot of them were kind of closing down any, you know, what's the right word, like non-critical expenditures, and so we decided not to assess any member dues for our first year.

C
We have just gone through the process of updating our charter so that we will be assessing member dues, and that is going into place kind of... I'll give you a quick rundown of the member dues structure. So we'll have a tier for premier members, and the dues for that will be 250,000, and then, in addition to the premier members, we'll have a general membership class, and for general members the dues will range from 5,000 to 20,000, and that will be based on the size of the organization.

C
So our next steps for that: the governing board has approved those charter changes and now we will get updated participation agreements to all of the member companies and give them, you know, the opportunity to review and decide at what level they want to continue participating in the organization. That will go on for, well, it'll go on forever, but starting on the November 5th meeting of the governing board...
C
We'll do a transition from the existing governing board members to the new governing board members, and the changes to the governing board will be related to those premier members. So each premier member will have a seat on the governing board, a voting seat on the governing board, up to two affiliated companies. So, for example, Microsoft has a number of affiliated companies: Microsoft, Red Hat, LinkedIn.

C
Let's say, for example, that all three of them decide to contribute the premier membership, but only two of those would have voting seats. So that will make up the... premier members will have seats on the governing board, and then for the general members we'll have elections for one representative per 10 general member companies, up to a max of three total general member representatives.

C
So this should, I think, there'll be a lot of continuity of governing board members, but it won't remain exactly the same, so I think we'll be seeing some new members and some of the board members will drop off, and the transition for all of that will be complete by our November meeting. And then to the TAC elections and the structure that was discussed previously.

C
We missed, and you know some of this was my fault, and you know a bunch of us in the governing board just, you know, learning which things we needed to have elections for and not, but we missed at the time that the TAC, you know, finalized what they wanted their election structure to be. We missed having the governing board review that, and the governing board also needs to vote to ratify that.
D
Well, thanks, Kay. So yeah, that's kind of the main question that we have to attack today is, I don't feel strongly one way or the other honestly about holding elections either now or once the governing board decides. I certainly want to hold true to the decisions that we made before and also keep in mind that, you know, things are changing, so if it makes more sense to have a stable governing board and get that, you know, sort of solidified before we do the next round of TAC elections, I'm totally good with that.

D
But I really want to hear what others' thoughts are on this and what they think, if they feel that we should go ahead and do this now, cool, or if they want to wait until the governing board settles around November.

D
That's legal, by the way, sorry, yeah! Thank you. Anyone else, any other comments? Let's see, we got Dan, Rao, Phil on the call.

D
Again, any opinion on that? Oh really, yeah. This seems fine. Well, given that, I'd say it sounds like we are good to go ahead and just wait on this election until November and we'll continue carrying on business as usual for now. And with that, those are actually all of our general topics today. So we haven't had a lot of things. Is there anything else that folks want to discuss?

C
One quick note: we can have an agenda item at that November 11 meeting to vote on the TAC election process, and it sounds like there would be interest in that. But I'll just need to have the TAC put, you know, create a formal election process proposal so that we can get it to the governing board for review ahead of the November 5th meeting.
D
Oh okay, perfect, so that would be work that we can do here, so we'll make that the focus of maybe the next meeting. We can maybe start a proposal in email this week and get folks discussing about that, probably on GitHub, like we've done in the past, and then once we have that sort of hashed out, we can send it to the governing board for review. So November 5th.

F
One comment, it's more of a thought, actually: I'm noticing there are a couple of other Linux Foundation projects dealing with the open source security, supply chain management, all that related stuff. We do... I'm wondering.

D
No, it's a really good point and I've been hearing some of that as well lately, and I know like Mike Scovetta has been looking into some of that just because of the nature of one of his proposals, looking at some of these security things. Yeah, I think it's a really good idea.

D
If you have some specifically in mind that you think are relevant, you know, feel free to forward those on and we'll coordinate amongst the TAC members to see if certain people are available at various times to be able to attend that, because yeah, I think it would be good to try to coordinate that, you know, just like within our own working groups. We don't want to be duplicating effort across the industry, or if there's, you know, efforts that we can help align with and support and that sort of thing, I think that benefits everybody.

D
Yeah, maybe we could put together just like a doc that has a list of them, or even just a page on our repo that people can go in and look at it and just kind of keep track of other organizations, their meeting times, you know, kind of what they're about and that sort of thing, and then we can see if we can get a TAC rep assigned to each one of them.