From YouTube: OpenSSF TAC Meeting (August 21, 2020)
B
All right, so I think from here why don't we start with a quick round of introductions with the TAC representatives to get things kicked off.
E
H
This is a Phil Estes distinguished engineer at IBM working our cloud platform around Linux, OS and container strategy and kind of cross lead with with others like Chris Ferris who's on the call. Our open source strategy across IBM.
C
I'm David Wheeler. I work at the Institute for Defense Analyses. My title says: directors of open source supply chain security, but basically I'm here to try to help OpenSSF achieve.
G
I'm Lindsay Mays Jendro. I've just come on board to support project management from the Linux Foundation.
B
Hey there Todd Benzies from Linux Foundation. I think I've worked with a variety of you on other projects. Just helping with the bootstrapping phase of OpenSSF, but moving forward Lindsay will be the primary point of contact for project coordination, helping more broadly across OpenSSF.
A
Awesome same Chris Anazic, I was kind of the executive sponsor for this at the LF looking forward to getting this bootstrapped and ready to go.
C
This is a quick point of order of if you haven't already typed in your name in the attendance list on the second page on the Google Doc that'd be great.
L
And I think it's because I have my Gmail account on all my googly things.
M
L
And I'm Chris Farrison as Phil said, I'm CTO for open tech at IBM and I'm also on the government.
N
N
This is Dan Middleton. I work at Intel's platform assurance and security group and I'm not officially on the tech but looking forward to participate with you- and I know a few of you from from other open source projects so nice to see you guys again. Looking forward to meeting the rest of you.
B
O
Sorry about that hey, so this is Rob I'm an application security evangelist for HCL, so very interested in the open source space and things that are going on there. As that applies to you, know, intersecting with application development and stuff like that. So looking forward to seeing you guys and working with you and my your background is- is fascinating, so.
O
B
Yep all right well welcome everyone to the first stack meeting so from here. Let's move into some of the operational aspects, so the first one is just around meeting cadence monthly bi-weekly really just want to get a sense of preference for the group here. How frequent you're looking to convene from there we'll get the series issued on the calendar.
B
All right, we'll we'll get that series issued the next one is around electing a chair for the attack. Typically, what we would do is open up a nomination period for a week, then do a voting period for a week, we'll have folks self-nominate for this and then we'll send out voting instructions once those have all come in and then with this per the charter of OpenSSF. The chair of the attack would then be the TAC representative to the governing board as well.
B
L
This is Chris. I just wanted to clarify one thing for everybody that isn't intimately familiar with the charter, but we can only have two representatives on the board from any given affiliated company, so I'm just putting that out. There.
E
A
C
F
C
If I understand that correctly, that means for the next week people are interested in self-dominate sending what an email to who to lynch. How.
A
B
Todd will take care of it. He'll take a different Google form, yeah, we'll actually have it come from Lindsay, but we'll get that sent out first thing Monday morning with the timeline and instructions, but basically it'll be Monday morning, we'll let you know, get yourself nominations in by Friday at 5 p.m. Pacific, the following Monday, we'll send out a link for voting instructions on that and then let you know the results at the end of the week.
B
All right and then the final piece in the operational section was around doing an audit of the working groups, making sure that these groups are, you know, operating in open source, best practices that the minutes are public. The meeting times are posted, etc. So I'm not sure Chris was that one you had dropped in or was that Dan or someone else that put this? I.
A
Think I dropped that in because you know some of these working groups were operating in a closed fashion and were kind of still transitioning to the open. So I went out and tried tried to do it myself and I got I think most of the meeting minutes are public, but I think there's a couple that is still missing. Let me go check really quick.
A
I think Dan. You were also doing some things yeah. So for like the identifying security threats and security best practices, I haven't been able to find public public minutes yet so we'll have to go work with those folks to ensure that they're moving to operate in the open.
E
Yeah, I added- I guess, the next one which is kind of similar, but somebody set up a community calendar so just trying to get all the invites for the workers and everything on that same calendar. So there's an easy way for people just to see everything that's happening. Yeah similar to the public, invites.
L
A
All them will have a technical charter that that will take a little bit longer. I just want them to start. You know at least publishing all the minutes and so on, and then we'll have the staff go work with each working group to lay out a charter publicly.
D
Yeah, I can work with the identifying security threats group. I know we had the first meeting in the last week. I believe, and they have minutes. I think they just didn't put the link up yet so I can make sure the mic does.
B
I
A
You have two options: you could do GitHub straight up file, an issue. Maya is probably the best way to do it or just bring it up on the agenda in the meeting minutes to cover an attack meeting sounds.
A
E
A
Generally, projects have a private tack list that people could reach out and the tech could use themselves generally it's sparingly, but yeah. We could create that so maybe as an action item Lindsey, if you want to create a a list, private list for the attack for discussion and people to reach out, if something something happens, but the intention is most most meetings and all discussions should be public. That should be. It should be sparingly. The private.
A
B
All right next section, repo creation and maintenance. Chris- was this one of your topics as well, or was this Dan.
E
I think we could probably dedupe that one. It was the same as kind of the one we just discussed yeah just covering all the issues Chris opened untacked to go through and get all the repos up to standards.
E
B
A
Yeah, eventually, what you know the attack is formed and has to they're going to have to set up a life cycle process for working groups right, so you know what it means to be kind of a incubating or graduated. How? Whatever terminology you want to do? I think that's the new item you know for for the tech, because there will be people that want to propose new working groups. How is that going to work out? And so.
A
A
So maybe the action item here is I'll create a GitHub issue that says come up with lifecycle for working groups and then we'll go work on that.
F
While we were on the working group topic, I think one thing: we talked about tech being providing oversight for all the technical initiatives. That also means all the working group representatives be part of this meeting right. Did we decided like be they be the part of the attack representatives or just be attending the meeting.
A
These meetings are completely open, so they're welcome to show up, and so so on. So it's up to you as attack, if you kind of want to force them to show up. Sometimes we have things where maybe working groups could do like a quarterly check-in or or something it's really up to you as an organization to kind of decide how how you want to do.
D
D
Quarterly review makes sense, and then you know just sort of ad hoc as needed like it's. Certainly in the initial phases, where we're having to review everything, make sure they've got all the the official process done to be a working group and all that probably more frequently but then yeah once again running a quarterly seems like a good good cadence.
E
F
B
Cool, I think next topic from here K will throw this over to you. I know you want to talk through some technical vision, thoughts on where to head from here.
M
Sorry I had to unmute so in our governing board meetings. One of the topics that came up was the desire to have a technical vision and we in the governing board we've created a subcommittee which is our kind of our overall foundation strategy, and you know we talked about technical vision as being part of that, but feels like the technical vision should be driven by the attack, and so I just am adding a note here. So a suggestion or a request to create a technical vision to help guide priorities.
M
I dropped in one idea as a document for a starting point. That is a document that Microsoft put together and I've started to make some edits to it to expand the scope of it to be industry. But that's just one idea: I'm not necessarily proposing that that's where it gets started. It's just maybe a helpful starting point.
M
Excuse me and then it might be that the attack would want to create a subcommittee to work on this. It's just an idea, but so all of these are just suggestions, but coming from the governing board, there was an interest in setting a technical vision.
D
I agree, I think we definitely need to put that together. I don't know if we need a subcommittee to do it. Necessarily that is responsibility to attack right, so we could start off that way and if a few people need to go off and actually like work on the document, I think that's cool, but at least initially it probably makes sense for the attack in general to start setting direction and making sure everybody's on the same page.
L
K
M
Did make the strategy subcommittee open so so we could, you know, combine and just have that effort run out of there.
M
I think we have five or six of us from the governing board that are on. I think.
D
J
That's fine with me, as long as some of the technical people from attack show up to the strategy meeting like from from my from my side, I'm more interested in setting like the overall sort of values and goals at the foundation level and less about you know, recommending specific technical things to follow. So it's only my preference.
I
D
Well, it's the responsibility to attack technically for the charter right that they come up with the technical strategy. So if there's a subcommittee happening in the governing board, just combining whoever those people are which sounds like maybe there's like two more people additionally on to this attack meeting, then let's just go that route.
C
Just a quick clarification: the when the identity working group met earlier. I think they were the theory that they were going to suddenly change, but it sounds like really the identity work, the identity folks are going to work on identity, and this is overall going to be the GB strategy. Slash attack subcommittee that takes overall view on this right.
L
Right and right just you know just as some context, I mean essentially what we had was in the. If you will, the rush to get a charter published and everything ready for the for the launch and so forth. You know we had. We had put in a sort of a scope and mission, and you know that that made sense in terms of bringing the different groups together under a single initiative.
M
M
So I can take an action item to send out to all of the tech numbers a link to the or information about the strategy committee. We're we're meeting weekly currently and I can send a link to the meeting and also the notes and agenda from the last meeting.
C
Well, is that already on the OpenSSF shared calendar or what or could we make it that way.
C
I
I
B
Good quick question on the shared calendar related is: does this time work for a bi-weekly cadence for folks, or do you prefer that we go to a Doodle poll to find something more suitable.
N
B
B
K
B
C
C
Yeah yeah, I know that some folks have had like alternating hours or something to try to distribute the pain, but only.
B
We'll get a Doodle distributed with some slightly earlier options and different days than today and see how that all shakes out with.
L
I had added the issue about you know. Are we going to great mailing lists for all the working groups, including the TAC, or are we going to use some other? You know Slack or whatever you suggested using GitHub discussions which I'm fine with, but I do think we should probably make that choice and make it clear.
A
It's up to the attack, you could right objects, use discussions or you know you could take. The attitude of a working group could do whatever they they want. I actually like GitHub discussions and just trying to keep everything on GitHub. Just I'm biased that way. But it's up to you folks.
M
So I would, I would prefer, if we try to have a direction that we common directions, that we suggest and get all the working groups and the attack and the other committees that we form following that. My reason for that is that it makes it easier for us to describe when we have people who come to our website and want to think about how to get involved. Why we have one way to say: here's how you get involved.
M
I
Julian's discussion, the downside is, it's really meant to be. One of the functionalities is really like question and answer functionality, so you can have many people give the same different answers to the same question and then vote for which one's the correct one, but that also means, if you have multiple topics to discuss, you probably need multiple discussions. If you want to keep the thread.
K
A
C
M
A
E
I just haven't: I mean we already have a Google Doc here for the meeting notes that we're using we're mailing it. We already have a mailing list if I just haven't tried GitHub discussions to know enough, if it's really a replacement for collaborative doc editing and what you get from a mailing list.
C
A
G
K
M
I
I personally am a fan of mailing lists, but that's just me: it's a convenient way to to blast information that you want to share with everyone who who's expressed an interest, but you know having said that, I'm not familiar with with GitHub discussions.
N
N
D
A
B
All right Dan looks like you: dropped in the six month timeline for determining the steady state, psc composition, her tap composition.
E
B
E
Yeah I figured we should at least just let everybody know and remember in the charter. You know like what Chris mentioned before, if you're not intimately familiar with it, there is a section in there that says the where the TAC right now for the first six months after that, the tpa I'm trying to find the exact wording it's in the PDF. So I can't copy paste.
E
It says after the initial six months, the TAC will be composed of both OpenSSF member and technical initiative representatives, as determined by the TAC. So I don't know that that's a strict deadline right. I don't really know how to read that exactly, but we are supposed to do something for after the first six months to determine kind of long-term TAC composition.
E
You know and then, depending on how you look at the timeline, we might already be a month or a couple weeks into that six month timeline so something we should probably come up with a plan for how to address soon we're.
A
Happy to give you suggestions, but yeah. That timeline is fairly strict.
A
I mean for those who aren't familiar. Usually you have a tact that consists of people that are representing you know, projects or working groups, or you hold an election where certain you know, maintainers vote for folks. So you have kind of different ways of of doing this and we're happy to walk through you a bunch of options, but it's kind of really up to you to decide what works.
B
And so from a timing perspective, it's six months from the public announcement, so we'll look what the exact date is for this, and then you know, I think, maybe a month a month or so in advance of that we can really get firm on what folks want to do.
A
We could share a lot of this. The discussions we had Dan, like you know, ideas were around like each working group could appoint someone and they become attack representative combined with maybe governing board selection. So like there were some discussions there that we could potentially just now make all public right and you folks can figure out how.
E
B
B
Composition all right Dan and Luke yep sound.
I
A
Yeah, I'm gonna create a GitHub issue. At least just I've been creating good issues behind the scenes tracking, all this and the tax repo, but I it's just something that you'll probably have to consistently work on. We could give you options for discussions, but I I think it should be an agenda topic for your next. Probably a few attack meetings.
B
All right, Dan and Luke potential change to identity working group scope.
K
Sure so we had the first meeting of the identity working group, and one thing that became apparent was a lot of the folks that attended were particularly interested in secure supply chain.
K
So it was raised during the during the meeting that could we discuss with the TAC the possibility to change scope, so identity would likely be the first key work item that the working group would look at, but they would have a what it would be: a larger scope to look at secure supply chain as a topic, so myself personally, it makes sense. It seemed conducive with the audience that were the present, like, I said, a lot of people actually sort of said. That was a particular area.
I
K
That's a very good point, so it hasn't specifically been defined as yet it's just that with the general topic area that folks were interested exploring. So there is, of course yeah there might be overlapping synergy with other working groups, so I think I don't think personally. The group is going to be able to cover secure supply chain in its entirety, because it is such a large area, but the actual scope has not been specifically defined as yet. The initial action was to bring this to the TAC for for forts.
M
There is say just for clarification, there's a document that the group is. Oh sorry, let me try to drop it into the chat and I can add it to the notes as well. So there's a document that the group is working on to define the scope for it.
C
I
I think part of this is because there was the earlier document this much wider scope. I think that K Williams put together, but then Kay wasn't able to attend, and so it wasn't clear to me if that was the intended scope of that particular working group, or maybe that's the intended scope of the entire attack or OpenSSF or key part of it.
C
So that may be. One of the key questions here is: is that is the intent to re-scope the developer working group? Is that intent to make a different group, or is this a larger construct that everybody's working towards.
M
Yeah, so what what yeah and I apologize, I wasn't able to attend that meeting. What Dan and I had discussed is rescuing just the integrity working group and making it the way we talked about. It is so that we were, or at least the scope that I proposed is that we're looking at supply chain- and I use the term attestation and policy. So it's really a way for, along at every point, along the supply chain for developers to write out information.
M
That says here are the components so at every step in the supply chain that gets written out and then there's also a policy that lets the consumers of the software, regulate that so so that was the intended scope and then developer identity fits into that because that's another thing where there would be an attestation that says you know I'm a person, I'm a developer here are some other attributes about me. That can strongly identify me and then other at other points in the chain. People can say. Do I trust that developer.
E
So I think, just to step back a bit before we get into this. You know proposal too much. I think this kind of fits into the earlier topic of all the working groups needing charters and the TAC needing to define kind of life cycle and review process for these things so like the tag is gonna have to review this for kind of more than just this one working group, and we need a process to do that.
G
If I may make a metapoint, I feel like that. We're talking about strategic things at all different levels and and making kind of group wide decisions on many individual bases, so different working group charters, different methods of communication, the re-scoping of individual working groups compared to defining a technical strategy here compared to defining a strategy at the governing board level.
G
I'm wondering if there's a way of stepping back and perhaps amongst this group on this call, so all the folks in the tech if we could start to paint a picture of what the road map for what we roughly want to accomplish, looks like try and place the current working groups on that roadmap and identify some gaps. And then, as groups, look at re-scoping or proposing something new, such as a new working group.
I
I really like that suggestion, Jennifer of booking, doing sort of like a gap analysis and then trying to fill that in specifically the on the identity working group. I have previously brought up this concern that I'm I'm worried about the actually potentially the negative impact that it has on open source to focus on identity where people might feel like they don't want to contribute for various reasons.
I
I like this idea of focusing on supply chain, but I will point out: there's certainly overlap with the project security metrics work from the from the the working group identifying security threats. They've already done a lot of work on some of that metadata and the integrity of some of that metadata. So I don't know that the scope is significantly different. I do agree with Jennifer. Taking an outside an approach might be the best way to figure out what we should actually be covering where.
I
D
I was just gonna say I was gonna mention kind of a similar thing. You mentioned Jennifer and also Maya, because I'm working on that metrics project as well, and I think supply chain can easily become this really broadly scoped thing that just becomes everything right so in terms of defining what our strategic vision looks like for this technical group and then piecing together, the necessary working groups for that maybe supply chain just becomes a more focused thing.
D
It's not actually called supply chain, maybe there's a broader technical strategy that is supply chain for the next year and then there's working groups that identity is part of it. The metrics is part of it. You know the tooling is part of it right, then I'll accrue towards that larger vision. Whatever that might be or maybe supply chain is a separate piece of it, but I think in general you're absolutely right, like taking a step back saying.
D
What's the broad vision, let's make sure that makes sense, and then we can kind of fill in what those working groups should be, and so in terms of refocusing the developer identity working group to be supply chain like I have no issue with that whatsoever, but it just might be that when we take everything into account, it might be something slightly different than what we're thinking today. So yeah.
G
Just add a little bit of commentary on top of that Ryan, because that super resonates with me when we had the OSSC. Previously we had come together on our first meeting with, like all of the interested participants from the various companies back in February.
G
So I'm thinking just to learn from that experience because it was messy and we had to retool and we had to redefine the working groups a few times, maybe doing like the bigger level set and the gap analysis may just help us mitigate that. So, in the case of the supply chain stuff, there may be folks that are interested in that now that actually are really interested in the metrics of it or actually are really interested in the practices or whatever. So I'm just thinking that having a map of the territory can help.
I
It might be helpful and I I prefer to do things async where possible, but it might be helpful to have the each working group kind of present what it's already done and what it's working on. Alternatively, just if we all read all the things I know all the things are not necessarily written. You know, there's interpretation based on the readings of course, so there might be value in discussing that, but just to understand what each group is already covering.
D
I get, I think, that's a great idea and I could even share out a slightly dated, at least within the past few weeks around what those working groups have been doing, because I've given status updates to too much people around Microsoft about exactly that. So it might be at least a conversation kickoff.
I
And the next bullet point: there was actually my item on this on the same topic, which was kind of what's the scope of that group. It wasn't clear and I wasn't able to join the meeting this week. Apologies!
I
So maybe wrapping up this item, where I'm here, where I hear that we're landing is, there's a need to better understand what all the groups are are doing outside in and then take that into consideration before specifically discussing this changes scope. Is that what I heard.
E
Yeah, I think, there's kind of like a long list of homework items from kind of Chris's. First item at the top, all the way down to the scope of each working group making and it's public getting on the calendar. Getting repos all in some kind of consistent shape, all the way down to what groups clearly defining their scope and presenting them to the tech.
K
K
Perhaps it's a question. We need to look at sort of templates we provide and so forth what sort of medium is used. I'm just wondering how we're going to make sure that there is a a clear single point to see which working group is working on what topics to assess, if there's overlapping synergies and so forth.
D
So I think, as a starting point, I can send that mail to everybody on this meeting around just the summaries that I created within the past two weeks or so for my executives and Microsoft to see and then certainly within the individual repos. Those should be getting updated by the teams. You know with iterative updates, but I think at least to start the conversation, the email that I can send.
D
That will probably give everybody a pretty good idea where things are happening with the what work those groups have been doing and where there might be overlap.
G
That would be really great from a bottom-up perspective and maybe, from a top-down perspective, we could host like a facilitated discussion in one of our subsequent TAC meetings, where maybe we're given some questions in advance about our overall vision and things we'd like to achieve, and then we just dedicate an hour to talking about it and writing down the ideas put forth and where people feel about them and hopefully laying out a vision that is more collective.
D
M
Okay, so to be to be clear so earlier earlier, we had discussed having the discussion about the technical vision as part of the the governing board meetings, so those are going on weekly currently, so so is that where we want to have the kind of the top-down discussions or are we are we now deciding? We want that to happen as part of the TAC meetings instead, just.
D
D
M
K
D
K
A
Access so I think, with one minute left, we should probably wrap things up and you know there's action items for getting the chair election. You know kicked off getting the vote out, for you know, preferred communication style, and then you know my recommendation is just try to do as much as just much work as possible and attack GitHub repo, so everything's in one one place and that work can happen. Asynchronous asynchronously.
C
And there's also a Doodle poll for a better meeting time for this group.