From YouTube: OpenSSF TAC Meeting (September 21, 2021)
Description
No description was provided for this meeting.
B
Are you East Coast or Central? East. We're in Ohio. Ohio.
A
This screen sharing in Zoom always throws me off, because I've got the browser open on a different window, but the hidden Zoom controls are over on the other screen. It's like, wait, where is everything?
C
By the way, unless there's some objections, particularly Michael Scovetta, I intend to talk about Alpha-Omega next week and say that it's a proposal and likely to become a real thing. So absolutely no.
A
And I think Jennifer said she was going to try to join too, so we'll do the classic Microsoft technique: we'll start at five after.
E
I've got Dan Lorenc on Slack here and he's looking like he can't make the meeting. Oh okay, and we were just discussing the vote. Will that take place over email or in the meeting?
A
Well, for the Alpha-Omega, yes, I was anticipating that we would do it in the meeting, but we are missing a few key folks.
A
For Dan, yeah, no worries. All right, with that it is 8:05.
A
And so, quick agenda today. So, as we've mentioned, we're going to talk about Project Alpha-Omega, and Mike has some updates there as far as the funding and how we want to go about that. So we want to talk about the approval process for that. So, as a refresher, you know the TAC isn't explicitly approving budget, but we have to sort of make a recommendation to the governing board and say, yeah,
A
we think this is a good idea, and the governing board actually goes through and approves the budget officially. And then we're going to talk about the election process that we briefly touched on last week and how we want to do that. We did, sorry, two weeks ago we did discuss postponing the elections
A
that would have been happening right about now until November, when the new governing board is in place, and so we can go ahead and do that, and in the meantime we need to develop what exactly that official process is going to look like. And then finally, Kay is going to talk about a new project called SCIM, which is part of the supply chain integrity work, and with that, Mike, do you want to kick it off? Do you have a presentation or...
D
I do not. I was just going to kind of chat through this, and I know Dan suggested that this meeting be used more as a brainstorming than an actual funding ask. I'm okay with whatever you guys need. So I think everybody here has seen the doc, and I think most of you have commented in the doc, and thank you for that, and I guess what I'd like to most use this time for is, you know, are there any fundamental objections or, like,
D
is there anything that we can't work through, you know, in short order, to align things, you know, to everyone's kind of...
G
Can I jump in for a second to set some context? Yeah, that might be helpful. So at the governing board level there are two ways that projects can be funded, and this is something we've discussed a bunch at the governing board level.
G
Those ways are, actually three ways: the project can be funded only from OpenSSF funds; only from outside funds, but for projects that are aligned with the OpenSSF mission; and then the third way is through some combination of outside funding and OpenSSF funding. For the projects where the funding is outside funding,
G
the path that we have agreed to follow is to have the TAC indicate that the project is in alignment with, you know, something that the TAC supports, and that is in alignment with the technical vision set by the TAC, and then, you know, so long as it's in alignment,
G
then it would go to the next level, which is the governing board, and the governing board would approve the project as something that could be requested for outside funding.
G
So what the TAC is needing to do is not to approve the funding ask, or at this point it's not even necessary that the project be fully buttoned up. I think that there will probably be some changes that come along.
G
Then the main thing is for the TAC to say yes, this is something that aligns with our vision and something that we'd like to see move forward to funding. The second thing that I wanted to share, kind of the big topics that I wanted to share, is that right now is a really... There is some time sensitivity for this. Right now is a really great time for us to define a big project like this and showcase it. There will be some upcoming announcements about OpenSSF, and not sure
G
is that we are switching to, I'll call it a funded model, so we'll be asking for member dues, and we have two tier levels. We have the premier level, and for those members at that level, they'll be contributing 250,000 per company, and then at the general member level,
G
those members will be contributing between five and twenty thousand dollars, depending on the size of the organization. So we'll be making a public announcement of this change in our OpenSSF structure, and along with that we'd love to, you know, have some announcements about, again, big projects that we're doing. So we're saying: okay, and here's, you know, here's what's happening and here's why you want to be, you know, participating in this organization.
G
So what you might imagine is that we make the announcement about, here's the change in our member dues, here's a big project, and maybe even, I'm just throwing this out, we haven't decided this yet, but maybe we say something like, and for any of our members that sign up to the premier level ahead of the announcement of Project Alpha-Omega, we'll put their names in the announcement.
G
So then that could be used as a way to get more enthusiasm from potential new premier members to join the organization.
G
So that's the context, and that's not to try to, you know, rush this if people feel like it needs more time, but if there's general alignment behind this and the TAC can say yep, this is something that we want to move forward, that'd be fantastic. The timing specifically would allow us to, you know, if a decision could be made today or soon, then that timing would allow us to bring forth a proposal to the governing board at our next meeting, which is October 5th.
G
So I think it's October 5th, the first weekend, first Thursday in October. Okay.
C
I'm thinking the reverse. If there's general consensus here and the TAC says yeah, governing board, please go, you know, I would seriously entertain, you know, doing it electronically with the governing board and go.
E
Yep, agree. Okay, that would be ideal. Yes. So it's Luke here. So the main aspect for myself, and this was discussed, several parties chipped in on this in the document, is that really we do some due diligence to see if the critical projects would actually be receptive to this in the first place.
C
Got it, and I'm coming at it from the experience of the CII, where we actually did, it's not identical, but it's similar in the sense of: here's money, here's people, let's go and work with...
A
Yeah, it's a really good point. I mean, I definitely agree with that, and I think the structure of the project should be that, acknowledging that some projects are absolutely going to say no or not want to help. And you know, the nature of the project is not dependent on any one specific open source project.
A
You know, there's a list, right, so we have to be able to iterate through that list, and I think what we want to do here is just approve the overall concept, with the acknowledgement that, yes, some folks are probably going to say no, right. But yeah, I agree that we should do that due diligence and try to engage with them, see what the best model might be, make some recommendations, you know, that sort of thing.
D
And in everybody's experience here, like, how often does this occur? Like, if you had to guess, out of 100 projects, do you think that 95 of them are going to say no, get out of here, we don't want your help, or would five do it, or somewhere in the... You know, because if it's 95 that tell us, you know, that they don't want anything to do with us, then strategically, I think Alpha is... Is mr. I find that really hard to believe, so, so 95
E
is going to be, obviously that's going to be too high a hurdle to reach, but if you perhaps shortlisted your 10 critical projects, okay, like, these are the ones that are really going to cause pain, okay, these are the projects that absolutely have to have help, and then spoke to them to see how receptive the community were to this, you know, yep, it just makes sense to me. It's just, I mean, you find a problem and then a solution. It's...
D
What kind of, and I think I mentioned this in the doc, like, would a, so if we shortlisted five, ten, pick a relatively small number of projects, reached out to a representative for each of them and said, hey, this is the concept that we're proposing through OpenSSF.
E
I mean, if communities are saying absolutely we need this, it would be wrong of me to object to that. Certainly, you see what I mean, it's just, I just always think that's the pragmatic way here, really, is to make sure there's actually a demand here, right? On paper there appears to be, but it's, I mean, I'm not sort of, you know. This is the same barometer I run for my own projects. Take sigstore, for example. We spoke to Kubernetes, the kernel team, Node.js.
E
You know, we did a fair amount of, albeit stealth, but we spoke to various communities to gauge: would you be receptive to this, or is there some objections that you have, or, is there aspects to this that we've not foreseen that, you know, you believe are important? So it's just due diligence, really.
D
The current OpenSSF members represent lots of large orgs. You, Luke, and Mark, and others represent large, or are strongly affiliated with, what I would call critical open source projects anyway. Can we shortcut this a bit by having OpenSSF members that already have that hat represent that project? Like, could you, like...
H
Oh thanks, so first off, I love the Alpha-Omega idea, so I'm a big fan in general of what's been proposed here. One question I have for you, Luke, is you're talking about something we do have to be very mindful of, which is a maintainer's receptiveness to the project, especially the Alpha piece of the project.
H
I guess my question would be, do we feel that this would be like a fundamental, foundational opposition that they would have to getting security help in general, or is it that we need to just see if they are finding the specific way we want to help palatable? Because I think, like, the big picture idea that Michael is advancing here is that the critical projects that need to become more secure, we contribute in ways that help them become more secure.
E
No specific scenario comes to mind here. I mean, you might find you get very much a mixed bag around the reactions. Some communities do very much shun any sort of what they see as an intervention. They want to manage it themselves, and they prefer that instead companies hire developers and get them to work within that technology, upstream, if you see what I mean. Whereas others may be very receptive to this, so, you know, there is no...
G
You know, all of that research work up front, or can we, you know, leave the proposal as outlined, which is that, you know, the proposal says we will do that research and we'll get some staff together to help us do that research and, at the same time, we can move forward with the Omega side.
E
Yeah, that wouldn't make so much sense to me, is to actually take on staff to research something that you haven't validated as being a demand for. Don't get me wrong, I think there may well be, you know, and it's chances, certain communities will be receptive to this. It's just some prudent due diligence, really, just to, you know, get the initial feedback.
H
Yeah, and finding a way to do that where it's pretty transparent and where we're showing the respect that we have for maintainers, because it's their project and not ours, is really important.
H
Now, on the note of the Alpha piece, I mean, we would all be in a wonderful position if we ran out of critical projects to secure. Like, if we wanted to do a hundred, and maybe 20 turned it down and we did 80, and we couldn't find 20 more things that were important enough to secure in the Alpha phase, like, the world would be a much better place
H
if that's the position we were in. So, like, I think the validation is important so that we are respecting maintainers, being community oriented, building trust, doing all the things that we need to do to make meaningful contributions that aren't just us storming in and asserting things. So I agree on all of that, but I mean, I think that, even if a relatively high percentage were to turn down the support for one reason or another, maybe they're just too busy right now,
H
we could always go a little further down on the list, because there are still a lot of important projects. Like, if we tried to do 50, or we tried to do 100, I think we'd find that items 101 to 200 on the list are also pretty important.
E
Yeah, and you might find over time they change that position when they see other projects. But I'd say, you know, if you came up with, you found a group of five projects that were absolutely, when can you start, we need your help, you've got a solid case then. Do you see what I mean? There's a demand, you have a supply, you know, it makes sense then, you know, it would, yeah.
A
Yeah, as a way to move forward, I think maybe what the best approach would be: we could kind of have a vote on, do we all agree that this is a good thing to go do, and then there's sort of a clause in the vote that says, if we find five or more critical projects that are amenable to being worked with, then yes, I approve; otherwise
A
we don't approve, right. So that way we can say it sort of hinges on the due diligence happening, and then we don't have to wait two to four weeks, or however long it's going to take, before we have to bring it back and then have another vote. So do we want to do something like that, so that we can kind of keep, in principle, moving?
H
So, on the Alpha, like, in general, I'm a massive fan of this proposal. Like, to be exquisitely clear, I think this is brilliant. I love the entire concept and I really love how you've broken it down, Michael, and like the PM support, so that it'll actually get done, and like, there's a lot of really great things about this.
H
One question I did have was around the Alpha piece. So securing critical projects and trying to get the level of security as high as possible, especially in those Alpha projects, is my view of what the goal of the Alpha piece of this is. But when we look at the resourcing, it looks like, under the execution piece, we talk about the security research and analysis being about triaging findings from scanning and doing fixes based on that, but there's going to be stuff that wouldn't necessarily be found through scanning.
D
You said that there was a part on triaging vulnerability reports, like, the intent of that was that's minimized in Alpha, and Alpha is more about the process and the project and the relationships and building the tissue and all that stuff, as well as doing kind of a, let's say, a security audit, like the kinds of things that, you know, NCC or Trail of Bits or OSTIF would do. Omega is more about the throw-all-the-tools, triage the results and kind of, you know, assembly-line it out to a fix.
D
Okay, but there's, it's a Venn diagram, there's a bit of it in the middle. We wouldn't, for instance, like, not run automated tools on Alpha projects.
D
Totally, but just, you know, there would be fewer, there would be, well, likely fewer of that for Alpha projects.
H
Okay, so we're thinking like Omega would be tooling driven and we would have head count to actually remediate bugs, not just find bugs, and then for Alpha, is it more about getting them up to, like, best practices badge gold stuff, like helping them create security policies and things like that, but not necessarily like doing security audits or anything that's in depth?
D
But we, the goal is to improve their security posture so that it's sustainable, and also have a third-party view, if needed, in terms of kind of the audit part.
H
Yeah, well, I think this all sounds awesome. I guess the gap that I'm seeing, and like, of course, full disclosure, I represent a security testing firm, right, but this is not me advancing business interest.
H
This is just me believing in security testing. The gap, the only real gap that I see in this proposal is that, if we're providing some level of confidence or assurance around the Alpha projects, I think that at some point, for many of those, it will involve a security audit, which we haven't really accounted for in the costing of this.
D
I thought you did, I, you know, sorry, under resources, so under Alpha on, whatever it is, page seven, I guess five million of the five and a half million, yeah, five of the five and a half million are, when I say service providers, I mean the folks going in and doing the work. So everything like the other half a million is overhead and stuff for that. The deliverable, if you look at...
H
Yeah, I think I just missed that point and it makes a lot more sense now. I just wanted to raise it around the security audits, but if that's been accounted for, I mean, this is a very comprehensive proposal. I really like it.
D
But if it didn't come across to you, it wouldn't come across to others, so I'll go in and tweak if I need to. But yeah, awesome, well, sounds great.
A
Okay, so in the interest of time, and also, again, moving this vote forward a little bit if we can, how would we like to best proceed with this? Do we want to kind of put that contingency clause in there around approval, as far as, you know, ensuring that we've done due diligence and we're able to identify at least X number of projects that we would like to go work on that are actually amenable to getting our support, or do we want to go do that due diligence and circle back?
G
I really encourage us to move forward with this, but it's, you know, I'm not a TAC, full disclosure, I'm not a TAC member, but it sounds to me like everyone feels like the direction of this is the right direction, and everyone, you know, has the mind that, you know, we are... You know, the plan...
G
The plan is that we'll talk, and we're not going to force ourselves on any community. We'll, you know, talk with those critical projects, and if they want help we'll help; if they don't, we'll move on to the next one. So I, you know, I would encourage, just from the governing board perspective and kind of the momentum for the community overall, that we, you know, consider moving forward, just with an understanding that we will do that work, but not make acceptance of it contingent on it.
H
I would love to go to a, like...
H
I would love, as governing board, for us to be able to approve this with like a phase zero, but it's like a community feedback phase, that maybe we have, you know, half a page that defines really well what we're going to ask and find out, like how we're going to validate that this is a good fit with project maintainers, and that we can publish that somewhere and make very transparent what our objectives are and how to give feedback, and as long as we've got that phase and that's a part of the loop before proceeding to phase one,
H
I guess I think it's a great idea and I'd be happy to vote on it anytime.
A
Okay, it sounds like we're all kind of in agreement then, so I'll send out after this meeting an email that we can vote on, and I'll also link to a GitHub issue so that we can have it, you know, publicly as well. But we'll go ahead and move forward with that, and that way Dan and anybody else that's missing can go ahead and, and Phil can chime in. Any other objections or questions, concerns before we move on? We've got a few other topics to cover still today.
D
If I could just say, if anybody has opinions on what that top five should be, please just add it to the doc. I will go after this doc and reach out as soon as possible to have those very initial discussions, unless you think we should wait until after governing board to even have that initial reach-out. I'm not sure, I don't want to put the cart before the horse, but I'm not sure, it seems like we have multiple carts.
E
I mean, Kubernetes is probably, I imagine, there's more that are higher priority than that, so we've got, there's eight vendors with people on the security response team, they've got a bug bounty program which is financed, and so they've got quite a lot there really, and I'm just thinking there might be some more, well...
G
So I see that we had a comment in the chat about: can we move discussion of individual projects offline?
A
Perfect, yeah, we can create an issue that people can kind of party on as well and put their lists there. Cool, all right. So the next thing that we have that we talked about is the election process, and I think this should go fairly smoothly. We've done this in the past, you know, when we initially bootstrapped the TAC. We basically did this over email and sort of self-nominated, and I think there was a form that somebody created. It was pretty straightforward.
A
I am not proposing that we do something overly complicated. I think we can kind of leverage the same idea, where we can create a form, either Google Forms or something simple, where folks can nominate. The real question is: who is eligible to make those nominations and who is eligible to be nominated?
A
So I know we have some specific requirements now around governing board versus community elected positions, and so I think for the governing board, I don't know, okay, if you guys have any opinions about how you would like to go ahead and elect those, but at least for the community side of things, you know, we have some flexibility here about who can be nominated, and I believe it's pretty much open to any OpenSSF member. So are there any thoughts or opinions on how they'd like to proceed with those?
G
I hadn't given much thought on the governing board side. So, you know, if this group has recommendations for that, that's great; otherwise, Ryan and I, maybe you and I can talk offline and think through that and just propose something to the governing board. Okay, that's...
A
Fair. So from the community side, do folks have opinions on how best to run that?
H
Is it at the nomination phase or the voting phase that it splits off into, like, community and governing board? Because if it's at the nomination phase, I mean, I guess there's more for us to talk about. I'm a big fan of self-nomination as much as possible, that, like, anyone that's interested can raise their hand and then we just figure out who is eligible to vote in which of the two election components, for what it's worth.
A
So the voting is through those groups, yes. So my assumption was sort of that, with the community side, you could definitely self-nominate. The governing board is kind of where I was a little less clear about how we might go about that, but certainly from the community side I anticipated self-nomination was going to be the way to go, because I prefer that as well, and certainly we don't want to nominate people that don't want to be here and don't have an interest.
G
The governing board has, you know, nominated certain representatives from their own communities, and so I guess we'll have to talk through the governing board side of it, and probably the best time to do that is at the November fifth meeting. Okay.
H
I would love to see, just because it feels most democratic to me, I would love to see one self-nomination list where anyone that wants to run can join that list and write kind of a candidate statement, and that from there, based on that one centralized list of everybody that wants to be on the TAC, there is the community-driven voting and there's also the governing board driven.
H
I don't know if it's voting or if it's like a consensus or how that works, but that, maybe it's ranked choice voting, such that the top four or whatever people selected by the governing board, through whatever that mechanism is, off of that list get the seats, and the top three of those remaining get the community seats, as voted by us, and I guess by us I mean by the community.
H
I should be clear, or some other way of having it that, like, there's one list, there's two groups that are weighing in on that list, and the top X that they're allowed to have are admitted to the TAC, and if there's overlap between those lists, we just go to the next ranked choice person in that list, according to the vote.
G
Lot, and I'd be, you know, happy to, you know, we'll still need to take it to the board, but I'd be happy to provide support for that. Thank you.
A
Yeah, so I think what we'll do is, how about I'll create a GitHub issue detailing exactly that, Jennifer, and I'll make sure I have it correct with you first before I publish it, and then we can send that out as the proposal, and then folks can comment on that if there's further iterations that need to happen.
G
The one potential issue with that is that previously the TAC had discussed having, on alternating years, the governing board select, and on the other, alternately, the community select. So maybe we would want to rethink that alternation and just do the same thing every year. I think having the same process that we follow every year might be a good thing.
A
Yeah, I think the idea behind the alternating was just to ensure consistency across the council, right, so that we didn't have a complete turnover, but we can still ensure that by saying, okay, maybe two community seats and one governing board seat, you know, this year, and then the next year it's flipped, you know, kind of thing, so that way we're not completely turning things over, and then we can still do the process that Jennifer described.
J
The process I see used, oh sorry, John, I apologize. The approach I've usually seen to deal with the turnover problem is two-year terms, so you have approximately half. It has to be odd, so it'll be like three and five or something like that, three and four. Half turns over each year. That's a two-year term, and then that way no more than half gets changed at a time. That seems to work.
H
Yeah, I support the alternation idea, that we don't have total turnover year to year or two years to two years. My main point was that I really like the idea of having one central self-nomination thing where people can put themselves forward, and maybe we provide some kind of template or whatever of how we want them to prepare a statement, so that it's not just...
H
Hopefully it's not just who has the most friends on Twitter or whatever, and it's a lot more about the position people take and the contributions they've made, and, yeah, evening the playing field as much as possible.
A
I agree. Awesome, yeah, I'll go ahead and I'll get that created and send that out later today, and then the last thing that we have is Kay to talk about the new SCIM project.
G
Okay,
so
there's
a
project
that
the
microsoft
initiated
and
we've
been
holding
discussions
with
a
number
of
community
members
for
several
weeks.
So
we
first
proposed
this
immediately
following
the
white
house
executive
order
and
announcement
of
the
white
house
executive
order
in
cyber
security.
G
The
members
who
have
been
participating
include
miter
in
toto
from
hopper
sit
arm
and
a
couple
of
others,
I'm
forgetting
all
of
them
right
now.
G
The
the
project
is
focused
around
to
skim
is
the
name
it's
which
stands
for
supply
chain
integrity
model.
So
the
basic
idea
for
the
project
is
to
define
standards
around
sharing
metadata
information
about
activities
in
a
supply
chain
with
others
in
end-to-end
supply
chains.
So
it's
really
about
kind
of
visibility
of
supply
chain
activities
to
everyone
in
the
supply
chain.
G
It
includes
defining
a
store
for
for
selecting
metadata
as
a
secure
store
based
on
kind
of
the
highest
level
of
security
policy
practices,
including
a
confidential
ledger
for
transparency
and
or
a
transparency
ledger
for
transparency
and
then
running
in
a
confidential
environment
or
a
trusted
execution
environment,
for
you
know
additional
tamper-proofness
from
the
operators
of
the
service
and
then
it
so.
That's
at
the
store
level
and
then
it
also
defines
a
data
format
for
exchanging
data.
G
G
G
You
know,
working
to
meet
the
the
incubation
requirements
for
new
projects
in
openssf,
including
having
at
least
five
meetings
with
at
least
five
people
representing
at
least
three
companies
and
we've
we've
satisfied
all
of
those
now
so
so
we
would
like
to
propose
that
we
move
into
openssf
there's
one
final
piece
that
that
we're
working
on
so
before
we,
you
know,
actually
ask
for
the
tag
to
to
vote
on
this.
G
The
final
piece
that
we're
working
on
is
there
are
other
projects
that
are
similar
in
the
community
and
in
particular
in
toto
is
one
and
the
salsa
project
which
is
in
openssf
is
another
one,
and
we
are
going
to
be
having
some
meetings
in
the
next
week
or
two
where
we,
those
groups
together,
have
a
look
at
the
parts
of
the
different
projects
and
where
there's
overlap
and
it's
possible,
we
might
decide
that
it
could
make
sense
to
combine
some
of
those
efforts.
G
G
Would
we
be
thinking
about
moving
in
toto
in
and
skim
becomes,
part
of
you
know,
kind
of
an
expansion
of
what
the
in
toto
community
has
currently
been
envisioning,
so
we're
working
through
that
at
this
point,
I
just
you
know,
wanted
to
make
you
aware
of
the
project
and
what
our
status
is
and
that,
eventually
this
is
this
project
or
this
concept.
The
of
you
know,
end-to-end
supply
chain
integrity,
is
something
that
we're
proposing
reside
in
openssf.
A
Well,
this
is
really
really
cool,
exciting.
To
see
one
question:
do
you
anticipate
that
this
would
be
its
own
working
group
or
that
it
would
be
working
with
tooling
or
best
practices
or
any
of
the
other
groups?
I
think
this
is
kind
of
it's
specific
to
this
initiative,
but
I
think
we
have
this
question
kind
of
overarching
that
the
tac
needs
to
address
as
well
particularly
project.
A
Alpha
omega
is
going
to
run
into
this
as
well,
where
we're
starting
to
have
a
lot
of
overlap
across
groups,
and
I
think,
that's
inevitable,
considering
the
nature
of
supply
chain
right,
it
hits
everything,
and
so
we
need
to
as
a
group,
I
think,
figure
out
what
is
a
good
model
for
how
to
coordinate
these
these
efforts
and
ensure
that
you
know
everybody's
kind
of
working
at
the
same
goal,
but
so
with
that,
did
you
have
any
thoughts
about
how
you
wanted
to
handle
this
particular
one.
G
Yeah, good question. I see it as a separate project that would come in on its own, and, you know, so in the OpenSSF charter we describe technical initiatives, which can be projects or they can be working groups. And there's nothing in our charter that says every project need be aligned with, you know, one single working group. So I had been thinking that it would come in as its own project, and then, you know, the project would work across other existing working groups. But I'm not tied to that either. So.
E
G
Yeah, so I think it's both. I think there's... and, you know, in-toto, I was just suggesting as something that could happen, so that there are discussions; I'm not saying exactly that that will happen. But for SCIM we see that there are two pieces to it. One is that there's a specification that would eventually be an industry... that, you know, that we would eventually promote for industry standard adoption, and we've been talking about doing that through the IETF; there are several members of the existing working group that are familiar with the IETF process. So there'd be specifications, but there also would be code. So the data store that we've been talking about would be open source code. One component of that today is already available as open source code: there's a core confidential compute implementation that's already available as open source, and then the SCIM store would be an application that sits on top of that, and we would look at putting that SCIM store application into OpenSSF. So that would be both specification and code, and tooling we imagine over time to create the claims, we call them, that go into the confidential store, and tooling to support evaluating using policy: tools to write policy and then tools to verify that the claims meet policy.
J
I don't have a question; I have a self-aggrandizing speech in reply. Sure. I published yesterday, in fact, a little article called "Some Requirements for a Universal Asset Graph", and you might find that helpful to mine for expensive ideas.
G
Okay, great. Already, just from "universal asset graph", it sounds like there's synergy between... I'll steal that name, I think.
C
G
You know what, I love it, and that's where I was saying that, you know, we're sort of... the last step before, you know, trying to move this in is to talk with the SLSA community and the in-toto community and see, you know, have all of us understand how these things fit together. And, you know, I'm not determined to create a new community. Maybe what we've been thinking.
B
Just a question. We are introducing some new things, and historically we haven't really talked about or evangelized the old things super well. I might suggest to the TAC it might be an awesome idea to put together kind of a reference architecture about what the foundation is working on, and kind of a strategic direction, to help articulate that to an outsider, because right now we just appear to be a random confederation of open source enthusiasts wandering around without a lot of structure.
B
A
No, it's a really good point. In fact, when we were first coming up with the technical vision, I believe that was one of the items that, now I'm realizing, got dropped: we wanted to sort of create this roadmap that showed here's the technical vision and here's how each one of these working groups/projects fits into that model, and...
B
A
H
Just that whatever comes out of it, we should publish. I know, CRob, is this the doc, the diagram from the Black Hat talk? Yeah? It would be super useful for us to put this either on the website or on GitHub somewhere easy to reference.
A
Oh, all right, we've got two minutes left. We've hit all the topics that were in the document. Is there anything that anyone else would like to mention before we go?
A
Yeah, definitely. So I'm going to create... just a quick summary before we go: I'll create the GitHub issue that defines the process that you mentioned, and we'll send that out to everybody. I'll also create the issue for voting on Project Alpha-Omega, and then, yeah, if folks have ideas around the voting, I'll try to do some research on that this week as well that we can add to that GitHub issue discussion, and then we'll kind of get that sorted out, hopefully soon.