►
From YouTube: OpenSSF TAC (May 16, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
A
E
B
D
D
E
I
will
there
share
waiting.
Slideshow
looks
good
yeah,
it's
a
quick
update,
we're
gonna
leave
less
than
10
minutes
unless,
and
that
leaves
time
to
talk
about
any
next
step.
If
people
have
any
thoughts
or
comments
about
how
we're
doing
yes,
core
tool
chain
infrastructure
project,
the
current
status
is
that
the
services
working
group,
which
had
been
looking
at
all
of
the
services
that
each
of
the
projects
needs,
has
completed.
E
So
the
last
service
was
actually
the
compiler
which
had
probably
the
most
complicated
list
of
services
and
interdependencies
between
bug,
tracking
and
other
things.
That
kind
of
complicate
the
developer
workflow,
but
we've
taken
all
of
those
things,
we've
enumerated
them
all
and
we've
actually
started
working
on
cost
estimates
with
lfit.
For
that.
E
In
those
discussions,
the
CTI
attack
realized
that
it's
probably
easiest
to
start
moving
one
project
at
a
time,
and
so
as
one
of
the
stewards
for
the
Upstream
glibc
project,
which
is
a
course
C
library,
I
volunteered
our
project
to
move
first
So.
The
plan
was
to
look
at
what
would
be
the
service
migration
for
one
project
to
security
infrastructure
infrastructure
that
has
paid
I.T
staff.
E
Supporting
that
infrastructure
and
and
any
builds
and
things
we
might
do
with
that
infra
so
still
ongoing-
is
the
something
we
raised
last
time
when
we
had
the
the
previous
presentation,
which
is
cy23
funding
discussions
ongoing
with
openssf
and
the
LF
membership,
so
that
kills.
One
of
the
key
objectives
kills
one
that
strikes
off
one
of
our
key
objectives
for
cy23,
which
was
the
services
working
group,
completing
that
lfit
doing
cost
estimates
is
ongoing
and
I.
E
Think
the
one
of
the
suggestions
from
the
attack
last
time
was
to
put
together
a
one-page
leaflet
for
the
infrastructure
project
itself,
to
highlight:
what's
the
value
of
the
project,
to
sponsors,
to
the
corporate
backers,
I
think
companies
like
red,
hat
and
IBM
kind
of
know
and
understand
the
value,
because
David
and
I
really
talk
a
lot
about
it,
but
we
need
that
leaflet
to
talk
to
everybody
else.
I
think
that's
one
of
the
things
that
I
need
to
work
on
next,
with
David's
help
and
the
community
help
to
put
together.
E
Again,
the
goal
of
the
project
is
to
support
the
the
new
tool
chain
and
other
projects
core
tool
chain
projects,
as
in
GCC
as
a
core
compiler
that
comes
with
lib
standard,
C
plus
plus,
which
is
of
course
C
plus
plus
run
times
glib
C,
so
core
c
runtime,
which
contains
C,
posix,
BSD
apis
and
a
static
Linker
and
assembler
with
bin
utils
and
debugger
with
GDB
David.
Let
me
hand
over
to
you
and
say:
is
there
anything
else
that
you
want
to
add
here.
E
Yeah
for
sure,
I
I
work
with
Josh
Stone
who's
on
the
rust
Foundation
board,
because
some
people
say
well
like
it
sounds
like
you're
talking
just
about
C
and
C
plus
plus.
But
the
reality
is
that
even
the
rust
tool
chain
at
a
runtime
level
has
to
call
into
the
host
C
library
for
certain
things,
and
the
same
goes
for
go
and
the
same.
Go
for
a
number
of
other
language
runtimes
that
rely
on
core
runtimes
themselves
to
provide
services
and
features
for
the
languages.
E
G
I
just
wanted
to
add
for
anybody
who's
either
new
to
this.
The
cool
core
tool
chain
infrastructure
project
is
designed
to
be
set
up
like
an
Associated
project
like
Alpha
Omega,
where
it'll
report
and
kind
of,
and
provide
updates
to
this
tack
on
its
technology
approach
and
the
like,
but
it'll,
be
funded
from
us,
a
separate
pool
of
funds
than
than
core
open
ssf
budget,
potentially
many
familiar
names,
potentially
other
names
as
well.
G
The
it
was
renamed
from
GTI
the
gnu
tool
chain
initiative
to
CTI,
partly
on
the
some
requests
we
got
from
some
of
the
free
software
folks
that
we
avoid
using
the
term
gnu
in
the
name
of
a
project
which
is
a
little
ironic
given
with
the
U
and
gnu
stands
for,
but
we
decided
to
respect
their
wishes
and
it
was
an
easy
change
to
make.
So
that's
why
this
is
now
called
CTI
rather
than
GTI.
E
So
we
have
a
mailing
list
with
the
lfit
on
Subspace,
so
lord.cernal.org
I
can
add
those
links
to
the
end
of
my
slide
deck
and
then
I'll
give
the
slide
deck
over
to
to
the
to
the
list
and
then
then
you'll
be
able
to
access
that
so
yeah
you
can
have.
We
can
absolutely
have
observers
sign
up
to
the
attack
mailing
list
and
talk
with
us
and
and
engage
yeah.
F
Yeah
also
I
mean
just
to
follow
along
I
mean
clarify
it
specifically
at
the
request
of
the
broader
neutral
chain,
gnu
and
FSF
community,
that
all
the
meetings
are
both
the
when
we
eventually
have
a
governing
board,
but
attack
are
fully
open
to
everyone
as
an
observer,
and
you
know
other
than
any.
You
know
confidential,
you
know,
sort
of
personnel
or
other
sorts
of
things.
F
We
would
need
to
discuss
and
some
sort
of
executive
committee-
and
we
also
are
planning
to
work
with
the
Linux,
Foundation,
I.T
and
then
marketing
team,
and
we
have
domains
to
be
able
to
set
up
a
a
website,
and
you
know
a
better
sort
of
landing
page
for
this.
This
infrastructure
and
to
also
hopefully
help
the
the
new
tool
chain
in
general,
with
its
it's
as
a
as
a
supplemental
communication
and
marketing
for
the
that
organization.
D
D
Groovy
I
had
noticed
that
Jennifer
had
put
out
a
link
to
a
survey,
so
another
part
new
part
of
our
meetings.
We
want
to
share
information
and
requests
or
projects
that
are
going
on
throughout
the
foundation,
and
there
is
currently
a
openssf
software
security
awareness
survey
is
Jennifer
here.
I,
don't
see
her.
G
Oh
I'm,
sorry
she's,
not
here,
because
I
we're
attending
I'm
here
in
Boston,
with
her
on
the
sideline
of
an
event
where
we're
talking
about
what
we're
doing
so
I
can
just
quickly
provide
an
update,
which
is
we
are
conducting
a
self-selected
survey,
so
it
will
depend
upon
people
showing
up
to
the
survey
to
fill
out
some
questions
to
try
to
assess
just
the
market
awareness
amongst
the
technology
management.
Community.
G
You
know,
awareness
of
the
open,
ssf
awareness
of
some
of
our
key
projects
ask
a
few
questions
about
what
people
know
just
to
try
to
assess
again
awareness
in
like
are
we
are
we
getting
the
right
word
out
in
the
right
way,
so
we'll
put
a
blog
post
out
tomorrow,
we'll
push
it
heavily
on
social?
We
would
really
love
amplification
from
others
to
that.
We
did
work
with
a
number
of
the
projects
to
develop
the
questions
as
well
so
I.
G
I
A
G
Know
as
well
as
everyone
else
here,
other
people
in
your
in
your
in
your
companies
could
be
helpful,
but
also
Beyond,
so
yeah
we're
hoping
to
just
get
that
next
tier
out
and
there's
some
qualifying
questions
in
the
survey
as
well
to
try
to
filter
out.
You
know
people
who
aren't
the
tar
the
survey
isn't
targeted
for,
but
but
yeah.
That's
why
I
was
saying
Help
on
social
will
be
helpful.
G
D
D
Repo
I
would
like
for
us
to
comment
and
have
a
dialogue
publicly
via
that
mechanism,
and
I
would
love
for
the
TAC
members
to
review
these
PRS
and
issues
before
the
meeting,
and
then
we
can
come
into
this
call
and
have
a
educated
conversation
close
off
any
final
commentary
or
debate
and
I
will
commit
to
sending
out
a
message
to
the
tack
mailing
list
ahead
of
time
to
remind
us
of
kind
of
what
is
on
the
docket
coming
up
this
week.
Let's
start
off
with
attack
issue
129..
J
D
A
K
A
C
C
J
J
We
have
governing
board
obviously,
and
our
own
members
are
people
who
are
participating
here,
but
there's
no
formal
way
for
what
I
will
coin
the
phrase
here:
Affiliated
foundations
or
other
foundations
in
the
broader
open
source
ecosystem,
there's
no
clear
way
for
them
to
participate
and
have
a
voice.
So
if
we're
saying
they
are
stakeholders,
we
must
create
a
way
for
them
to
have
a
state
and
I
think
that
is
a
really
good
way
to
visualize
our
mission.
C
I
guess
I
would
say:
I
think
that
our
even
folks
from
the
eclipse,
Foundation
folks
from
other
foundations,
have
joined
like
this
call,
for
example
in
the
past,
maybe
not
with
regular
consistency,
but
I
would
say
like
the
Forum
is
open.
But
that
being
said,
I
would
also
Echo
your
your
sentiment.
That
I
heard,
which
is
I,
think
we
should
be
more
proactive
about
Outreach
and
engagement
and
ensuring
the
things
that
we
are
doing
are
actually
heard
and
delivered.
So
in.
J
If
I
view
the
openssf
as
a
service
org,
we
are
providing
valuable
services
to
all
of
Open,
Source
and
other
stakeholders.
Policy
makers
sure
they
they
could
show
up.
They
could
choose
to
spend
time
to
come
here
to
say
things
to
us,
the
TAC
or
to
the
governing
board
or
to
projects
or
working
groups,
but
there
is
no
structural
means
for
them
to
have
a
stake,
a
table,
a
vote
and
that
dynamic
means.
J
C
C
A
C
I
was
going
after
more
of
of
this
being
kind
of
the
vision
of
having
a
a
relationship
with
those
stakeholders
where
the
value
that
we
are
trying
to
create
and
the
outcomes
that
we
are
trying
to
create
are
clearly
communicated,
and
there
are
feedback
mechanisms
in
place
to
where
active
dialogue
can
take
place
so
that
in,
if
we're
building
things
that
nobody's
using
that's
a
problem
so
after
in
that
kind
of
text
here
is
that
we've
identified
those
stakeholders.
We
have
effective
communication
channels
to
those
stakeholders
and
there
is
that
bi-directional
feedback.
C
C
That
needs
to
happen
today,
but
the
the
vision
which
was
the
goal
of
the
pr
is
to
say
like
getting
into
a
world
where
we
have
dedicated
resources
that
own
the
Outreach
and
only
you
know
Gathering
that
feedback
bringing
it
back
to
the
various
working
groups
or
the
attack.
That's
ultimately,
what
I
was
agitating.
D
Okay,
thank
you
great
conversation.
I
would
ask
specifically
the
TAC,
but
anyone
else
that
is
interested,
please
provide
us
feedback.
I
would
like
to
potentially
see
if
we
can
gain
consensus
by
our
next
meeting
and
approve
this
or
not.
So,
please,
tack
specifically
continue
to
iterate
reflect
on
Ava's
comments
and
see
what
we
might
be
interested
in.
Adjusting
and
I'll
bring
this
back
up
in
our
next
meeting
to
potentially
push
the
magic
button
on
or
not
that
sound
fair.
I
A
J
Improv
I
did
have
one
other
comment
on
there.
That's,
hopefully
a
brief
one.
I
would
love
to
see
an
inclusion
somewhere,
there's
a
couple
spots
where
it
could
be
merged
in
that
all
of
the
the
tools
improvements
Etc,
that
the
open
ssf
is
building
and
providing
are
intended
to
meet
it
made
available
at
zero
cost.
D
D
I
do
not
wish
to
bike
shed
this
here.
I
would
like
to
get
interest
from
this
group.
If
there
are
some
excited
contributors
that
are
interested
in
talking
about
and
helping
refine
and
develop
a
making
sure
that
our
processes
are
consistent
for
sigs
Sif,
slash
associated
funded
projects
things,
so,
let's
spend
a
little
bit
less
than
five
minutes
on
this.
Please
is
there
interest
amongst
the
group
to
spend
some
time
working
on
this.
A
D
All
right
well,
then,
I
would
encourage
us
again,
specifically
tack,
but
anyone
else
any
Observer,
any
other
participant
in
the
foundation
feel
feel
free
to
comment.
But
I
would
like
to
see
if
we
can
get
a
small
group
of
us
sit
down
and
collaborate
on
that
and
come
back
and
present
a
suggestion
for
how
that
language
might
be
updated
so
that
we
can
review
and
potentially
adopt
in
the
future.
Does
that
sound
like
a
good
path
forward
for
us
any
counter
opinion
Ava.
J
D
D
D
D
All
right
moving
along
to
issue
162.,
there
is
an
interest
to
potentially
go
through
and
do
a
review
of
all
the
foundation.
Documentation,
readme's,
Charters
membership
lists
to
make
sure
that
everyone
within
the
foundation
is
doing
things
consistently
that
outside
viewers
or
members
could
be
able
to
quickly
understand
what
each
group
is
about
and
how
to
engage
with
them.
So
we
are
looking
at
trying
to
solicit
some
volunteers
and
participants
to
help
us
go
through
this
review.
So
let's
talk
about
this
for
a
few
minutes,
any
comments,
suggestions
or
hands
raised
to
participate.
A
D
H
I
would
suggest
to
that
group
is,
is
kind
of
bucketing
things
into
like
things
we
can
get
done
in
a
short
time
frame
and
then
maybe
things
that
are
on
a
medium
and
more
long-term
time
frame.
I
think
we
could
probably
do
a
a
quick
iteration
of
quick
wins
here.
That
would
not
get
us
to
meet
all
of
these
bullet
points
outlined
on
the
issue,
but
what
could
kind
of
help
us
move
forward
without
trying
to
have
everything
figured
out
in
order
to
make
any
forward
progress?.
K
D
Right
next
issue
is
issue:
163.,
let's
spend
about
10
minutes
talking
about
this.
There
was
a
request
from
the
public
policy
committee
as
they
were
reflecting
upon
the
eu's
Cyber
resiliency
Act
and
the
pld,
the
product
liability
liability
directive
liability
directive.
So
there
are
two
P
there's
a
update
to
the
pld
and
the
cra's
new
legislation.
That's
working
through
the
eu's
Parliamentary
process
and
the
public
policy
committee
asked
specifically
for
the
attack
to
provide
them
a
technical
review
of
what
the
impacts
when
this
legislation
is
put
into
effect.
D
J
And
if
I
may
add
a
little
more
color
to
this
as
I
was
the
one
who
brought
that
request
across
it
is
public
policy
committee
has
already
done
a
lot
of
analysis
and
engaged
with
other
partner
orgs
on
the
policy
impact.
The
business
impact
things
like
that,
what
they
have
not
done
and
are
asking
the
TAC
to
look
at
is
if
these
two
pieces
of
legislation
go
into
effect
unaltered
technically,
is
this
achievable?
J
Are
there
technical
controls
that
that
we
can
look
at
and
review
and
say
yes,
regardless
of
how
much
it
costs
or
what
the
economic
impact
would
be?
That's
actually
a
good
technical
thing
or
that's
actually
a
bad
technical
thing
right
and
so
to
to
separate
in
our
review
the
financial
policy,
political
business
impacts
and
only
look
at
the
technical
impacts.
D
They
give
those
excellent
clarification,
and
so
a
group
of
enthusiastic
members
mugged
me
at
the
OSS
North
America,
and
so
we
had
a
nice
pretty
substantial
conversation
and
we
started
to
hammer
out
some
of
what
those
talking
points
might
be
and
then
to
collect
some
of
the
very
good
resources
that
again,
we
could
share
with
the
membership
as
they,
their
organizations
or
projects,
decide
what
they
might
want
to
do.
And
so.
G
You
know
all
that
so
there's
a
bunch
of
amendments
that
are
still
floating
out
there
to
the
CRA
that
are
in
the
process
of
being
worked,
and
it's
a
highly
political
and,
to
me
at
least
really
opaque
process,
but
there's
some
really
dedicated
people
trying
to
trying
to
bend
how
this,
how
this
turns
out
that's.
This
is
something
separate
from
that.
You
know
it
requires
thinking
about
what,
depending
on
where
those
amendments
line
up.
G
G
Given
the
same
amount
of
resources
applied,
then,
actually,
this
is
bad
policy
right,
good
policy,
so
so
the
place
for
the
open
ssf
as
a
collective
could
really
stand
out
is
by
saying
in
the
collective
wisdom
of
the
folks
who
have
been
immersed
in
the
technical
issues.
We
think
you
know
this
approach
of
that
approach,
has
Merit
or
or
is
uncertain
or
clearly
does
not
compare
it,
and-
and
that
will
depend
a
bit
on
how
these
amendments
play
out
over
the
next.
I
Arno
yeah,
so
I'm
very
interested
by
what's
being
talked
about
the
idea,
because
it
kind
of
brought
a
new
dimension
that
I
not
thought
about.
To
be
honest,
when
I
looked
at
this
first,
which
is
you
know,
it
seemed
to
be
initially
framed
as
merely
merely
being
the
impact
is
you
know
what
kind
of
and
I
think
it's
expected?
The
impact
is
negative
and
we
need
to
discuss.
I
You
know
describe
how
negative
it
is,
but
I
I
like
the
way
Eva
mentioned
the
feasibility
aspect,
right,
which
is
a
bit
of
a
different
take
to
this,
because
it
could
be
visible
but
still
have
a
bad
impact
or
vice
versa.
Right.
Well,
the
opposite.
I
guess
doesn't
make
much
sense,
but
you
know
what
I
mean.
D
D
June
first
they'll
meet
this
week,
but
they
will
meet
again
June
1st
and
we
should
have
our
analysis
and
thoughts
put
together,
probably
by
the
last
couple
days
of
may
please.
So
if
anyone
is
interested,
we
have
the
Google
Document.
We
have
the
issue
in
the
TAC
repo.
Please
make
comments,
put
suggestions
directly
into
the
doc.
I
Yeah
I
have
one
which
is
you
know
it
occurred
to
me,
I
mean
I,
don't
know
if
it's
a
real
problem
or
not,
but
secretly
people
and
open
a
system
in
particular
already
provided
the
feedback
as
part
of
the
public
consultation.
Where
we
essentially
said
you
know,
we
talked
about
the
bad
impact
on
Liberty
liability
aspect
to
open
source
developers,
but
but
we
we
formally
started
I
mean
I,
think
wrote
it
and
it
is
a
good
paper,
but
it
basically
says:
yes,
we
Embrace
this.
I
D
The
the
outcome
of
this
task
from
my
perspective
is
we
are
not
going
to
use
this
to
talk
to
parliamentarians.
This
is
kind
of
a
a
fact
Gathering
session,
to
provide
information
to
our
the
membership
into
the
public
policy
community
in
the
government
board.
We're
not
trying
to
make
a
policy
stance
here,
we're
very
late
in
the
game
for
that
in
the
future
CRA
2.0.
D
G
So
so
we
just
want
to
be
a
bit
of
a
reality
check
on
that
and
help
inform
really
the
next
stage,
and
one
outcome
of
that
also
might
be.
Maybe
this
current
legislation
is
too
early
to
really
be
fully
adopted
by
by
the
full,
full
European
Union.
That's
that,
but
that's
only
a
substantive
case
if,
if
the,
if
we
can
show
that
its
goals,
it's
technical
goals,
security
goals,
all
right,
they're,
you
know
questionable
or
not,
achievable
or
or
that
it's
simply
too
early
for
for
folks
to
vote
on.
I
Yeah
no.
This
is
a
good
point
that
you
know
the
the
aspect
that
I
don't
know
that
many
people
are
aware
is
that
you
know
this
process
is
two
steps.
The
first
one
is
the
CRA
which
is
really
setting
up
requirements.
Then
it
goes
through
a
technical
process
where,
basically,
the
urban
commission
turns
to
the
standards
community
and
say:
please
define
how
we
implement
this.
Unfortunately,
to
be
completely
honest,
the
problem
is
I,
don't
know
that
we
can
rely
on.
You
know
typical
European
standards
bodies
to
defend
the
open
source
angle.
D
Any
final
thoughts
before
we
move
on.
So
it
sounds.
Please
comment
on
the
issue
comment
on
the
doc
and
if
there
is
enough
energy,
if
we
want
to
have
a
kind
of
a
a
collaboration
session
again,
let's
see
if
we
can
get
that
on
the
books
here.
But
I
would
like
to
get
this
back
to
the
public
policy
committee
by
June
1st.
D
We
had
a
similar
group
of
enthusiasts
at
the
in
Vancouver
that
we're
very
excited
to
talk
more
about
the
concept
of
the
Sterling
tool
chain.
So
a
group
of
us
met
and
talked
through
and
shared
our
opinions
and
ideas
on
what
it
might
be
and
we
agreed.
We
would
like
to
set
up
again
that
High
Velocity
collaboration
session.
So,
first
and
foremost,
there
is
a
doodle
poll.
Please,
if
you
are
interested
in
participating,
click
on
the
link
and
we
will
get
a
formal
meeting
set
up
very
soon.
D
This
will
be
weekly
calls
where
a
group
we
can
get
together
for
anyone
interested
and
try
to
help
refine
the
idea,
put
some
meat
on
it
and
make
some
plans
and
next
steps
and
then
come
back
to
this
group
and
other
groups
and
kind
of
present.
What
we're
looking
for
I
have
an
exciting
our
napkin
diagram
and
a
physio
diagram,
which
was
part
of
the
conversation
that
I
will
get
uploaded
shortly,
and
so
let
us
to
spend
a
few
minutes
and
talk
about
this
thoughts.
People
are
interested
in
participating
feelings.
H
I
guess
I
guess
maybe
I
should
fill
out
the
doodle
pool,
but
what
I
was
going
to
say
from
from
reading
the
doc
that
came
out
of
the
meeting
in
Vancouver
is
that
I
really
love
the
idea
of
thinking
about
either
existing
security
capabilities
or
emerging
security
capabilities
and
how
to
apply
this
across
open
source
ecosystem?
Maybe
through
the
lens
of
you,
know,
open
source
programming,
language
package
managers.
H
One
thing
I've
learned
from
successful
and
unsuccessful
collaborations
with
npm
and
IPI.
Is
that
often
these
organizations
already
have
like
a
security
roadmap
and
I've
never
I'm,
never
sure
how
aware
folks
are
of
these
things,
but
I'll
post
in
the
zoom
chat
a
link
to
the
python
software,
Foundation,
fundable,
packaging
improvements
and
I.
H
I
know
in
in
some
of
the
Sterling
toolshing
conversations.
There's
been
this,
maybe
back
and
forth
about
how
top
down
our
weed
versus
bottom
up
and
I
I
would
encourage
us
to
think
about
how
we
could
either
help
existing
ecosystems
put
together
a
fundable
security
Improvement
list,
if
they
don't
already
have
one
and
then
and
then
work
through
this
mechanism
to
ensure
that
we're
helping
them
deliver
these
capabilities
in
the
in
the
way
that
they
want.
D
Excellent
feedback.
Thank
you.
Zach
I'm,
sharing
the
Vizio
diagram
that
was
kind
of
the
basis
of
the
conversation
we
had.
This
is
a
suggestion
on
the
approach.
The
group
generally
thought
was
okay
and
again,
I
would
like
to
spend
a
lot
more
time
talking
through
this
incorporating
feedback
like
Zach
just
gave
us
approaching
the
packaging
package
manager,
ecosystems
I
think
that's
excellent
feedback
thinking
how
we
might
be
able
to
attain
achieve
these
goals,
any
other
thoughts
or
feedback.
A
K
Yeah
I
think
probably
I'll
I'm
going
to
be
a
broken
record.
I
did
respond
to
the
digital
pollen
at
the
big
part
of
it.
The
discussion,
the
yeah,
the
thing
that
I'm
that
I'm
hoping
to
input
is
the
concept
of
tool
chain
as
platform,
so
that
we
see
as
enabling
and
empowering
others
to
deliver
great
stuff,
so
that,
basically,
so
that
openness
is
happening
competing
when
it's
one's
numbers.
I
mean
grace.
D
If
we
take
the
security
architecture,
pattern-based
approach
and
we
put
forth
the
requirement,
for
example,
we
have
secure
IDE,
for
example,
as
a
pattern.
We
would
not
necessarily
go
out
and
write.
One
we
might
identify
here
are
some
great
examples,
but
we
would
document
requirements
of
what
we'd
like
to
see
and
that
would
allow
any
project
to
start
and
maybe
work
on
that
mission
or
if
there
was
a
commercial
entity
that
had
an
offering
they
could
align
saying.
This
is
how
we
help
support
that
secure,
IDE
pattern.
D
K
Mean
I,
I
I
would
also
encourage
us
to
think
about
things
like
scorecard
and
other
opportunities
for
the
foundation.
To
you
know
who
knows
I
mean
the
infrastructure
or
code
that
helps.
You
know
a
skill
that
I
think
that's
what
is
happening
anyway.
So
it's
a
matter
of
kind
of
keeping
that
measurements.
D
I
G
D
H
Jordan
has
written
a
proposal
for
how
we
should
manage
permissions
inside
the
openssf
GitHub
organization.
Today.
What
that
looks
like
is
that
there
are
individuals
who
are
added
to
specific
repositories,
as
as
they
need
permissions,
but
there's
there's
no
sort
of
like
second
half
of
the
life
cycle,
so
people
just
keep
getting
added
and
accruing,
even
as
their
relationship
with
open
ssf
changes
over
time,
and
so
there's
two
parts
to
Jordan's
proposal.
H
And
then
there
are
some
Downstream
consequences
of
that
that
we
need
to
figure
out
like
what.
What
does
that
process
look
like?
How
is
that
managed
that
sort
of
thing,
and
so
yeah,
essentially
I,
wanted
to
make
sure
that
Jordan's
work
was
visible
to
this
group?
I
think
that
this
is
something
that
the
the
attack
should
decide
on
and
if
you
haven't
already,
please
take
a
look
at
the
pull
requests
that
you
put
together
and
give
feedback.
D
Yeah,
thank
you.
Excellent
contact,
Zach
and
I'll
State.
My
two
working
groups
best
the
best
working
group
and
vulnerable
disclosures
were
a
bit
of
a
guinea
pig
because
we
actually
have
a
members
file
that
he
was
basing
off.
Some
of
these
changes
and
I
I
personally
feel
role-based
access
control
is
great.
D
K
J
One
of
the
the
open
questions
I've
had
since
beginning
PR
112
last
year
was
how
do
we
Define
our
electorate,
who
can
vote
in
these
elections
and
at
the
moment,
working
most
working
groups?
As
far
as
I'm
aware,
don't
have
a
defined
electorate,
the
open,
sslip
itself.
I
know
staff
goes
through
a
process,
they've
done
twice
now
for
the
TAC
election
of
excuse
me,
sort
of
reviewing
all
of
our
reviewing
all
of
our
activity
channels,
Google
Docs,
slack
Etc,
to
determine
who's
been
active.
It
would
be
I.
J
Imagine
very
helpful
to
the
staff
to
have
that
process
be
easier.
If
there
was
a
simple
membership
list,
they
could
pull
from
somewhere.
But
how
do
we
make
sure
that
membership
list
is
accurate?
Automated
over
time
would
become
the
the
next
question
or
challenge
so
that
we
don't
have
thousands
of
people
just
clicking
join
for
the
little
happy
badge
right.
So
all
of
that
has
to
be
worked
out.
J
I
think
before
we
can
open
up
membership,
but
in
general
I
like
the
idea
of
having
a
a
publicly
visible
recognition
for
members
and
publicly
trackable
list
of
who's
active
in
the
whole
orb
and
in
subgroups
of
the
org.
That
really
enables
a
lot
better
representation
in
the
Democratic
process.
For
us.
I
J
G
Just
to
avoid
future
semantic
confusion
can
I
plead
plea,
plead
that
we
reserve
the
term
member
for
the
sponsoring
members
as
companies
of
the
open
ssf,
since
we
used
that
term
pervasively
for
that
purpose
and
focus
on
contributors
being
anybody,
who's
who's
participated
in
helping
improve
something:
that's
under
the
open,
ssf
banner
and
maintainers
being
the
people
who
are
responsible
as
a
team
at
the
working
group
level
at
the
project
or
initiative
level
or
the
sick
level
that
that
sort
of
thing.
Thank
you.
That's.
D
I
D
D
Is
it
164.?
No,
no
well,
the
162
is
the
audit.
164
is
the
actual
doing
the
group,
the
actual
access
control
work,
but
so
it
sounds
like
we
are
generally
positive.
Do
we
have
people
that
are
interested
in
participating
and
would
like
to
potentially
help
facilitate
this
for
us
to
keep
make
sure
we
have
velocity.
J
D
D
All
right:
well,
please
express
yourself
in
comments
on
all
the
issues
listed
today,
we'll
see
if
we
can
get
a
collect,
a
group
of
participants
that
are
interested
in
collaborating
on
this
to
see
if
we
can
get
some
Speedy
resolution
on
these
in
our
last
several
minutes
together.
Is
there
anything
of
any
other
thoughts
that
people
are
interested
in
or
points
they
wanted
to
bring
up
before
we
adjourn.
D
In
the
future,
I
would
love
to
flag
issues
that
the
attack
will
be
voting
on,
making
sure
that
it's
prominently
noted
here
that
we
will
be
conducting
a
vote
so
that
in
future
attack
people
can
go
back
and
see.
This
information
is
clearly
designated
today.
We
don't
have
anything,
but
in
the
future
we
we
may
and
I'll
put
stage
it
there
on
the
agenda.
So
everyone's
aware,
ahead
of
time,.
D
All
right,
well
I!
Thank
you
all
for
your
time
and
participation,
some
excellent
conversations,
I'm
looking
forward
to
collaborating
with
everybody
on
all
of
these
topics
in
the
near
future
and
as
you
have
items
you
wish
to
put
onto
future
agendas,
please
stage
those
as
issues
in
the
TAC
repo
and
we'll
get
those
collected
and
I
think.
Next
time
we
will
be
getting
readouts
from
the
best
working
group
and
the
end
user
working
group.
So
we'll
make
sure
we
get
that
material
circulated
to
this
group
beforehand.