From YouTube: OpenSSF TAC (May 16, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
D: All right, well, with us having quorum, let us get started. Welcome to the May 16th edition of the OpenSSF TAC call. Can I please ask someone to help us scribe meeting notes today?
D: Thank you, sir, appreciate it. We do have quorum. Dustin told me ahead of time he would not be here in the future. I'd like to start off the meeting with report-outs of any homework or action items we had. We didn't have any last time, so we will move along.
E: Yep, yeah, I'll share a slide. Let me grab screen share.
E: I will share there... waiting. Slideshow looks good, yeah. It's a quick update; we're going to take less than 10 minutes, and that leaves time to talk about any next steps, if people have any thoughts or comments about how we're doing. Yes, Core Toolchain Infrastructure project: the current status is that the services working group, which had been looking at all of the services that each of the projects needs, has completed.
E: So the last service was actually the compiler, which had probably the most complicated list of services and interdependencies between bug tracking and other things that kind of complicate the developer workflow. But we've taken all of those things, we've enumerated them all, and we've actually started working on cost estimates with LF IT for that.
E: In those discussions, the CTI TAC realized that it's probably easiest to start moving one project at a time, and so, as one of the stewards for the upstream glibc project, which is a core C library, I volunteered our project to move first. So the plan was to look at what would be the service migration for one project to secure infrastructure, infrastructure that has paid IT staff
E: supporting that infrastructure and any builds and things we might do with that infra. So still ongoing is the thing we raised last time when we had the previous presentation, which is CY23 funding discussions ongoing with OpenSSF and the LF membership. So that kills one of the key objectives, kills one, that strikes off one of our key objectives for CY23, which was the services working group completing. LF IT doing cost estimates is ongoing, and I
E: think one of the suggestions from the TAC last time was to put together a one-page leaflet for the infrastructure project itself, to highlight what the value of the project is to sponsors, to the corporate backers. I think companies like Red Hat and IBM kind of know and understand the value, because David and I really talk a lot about it, but we need that leaflet to talk to everybody else. I think that's one of the things that I need to work on next, with David's help and the community's help, to put together
E: you know, why we want this secured infrastructure and the supported infrastructure for the projects. And so, yeah, we're just going to keep taking on the key objectives for CY23 for the Core Toolchain Infrastructure project.
E: Again, the goal of the project is to support the GNU toolchain and other core toolchain projects: GCC as a core compiler that comes with libstdc++, which is of course the C++ runtime; glibc, so the core C runtime, which contains the C, POSIX and BSD APIs; a static linker and assembler with binutils; and a debugger with GDB. David, let me hand over to you and say: is there anything else that you want to add here?
F: Yeah, that's excellent. I mean, just, of course, the math library and the great performance there and, as you said, this is the, you know, foundation of the Linux and internet ecosystem. And, you know, the plan here, and I mean why we're doing this, just to remind everybody, is to improve and strengthen the infrastructure so that we can provide the sort of OpenSSF's...
E: Yeah, for sure. I work with Josh Stone, who's on the Rust Foundation board, because some people say, well, it sounds like you're talking just about C and C++. But the reality is that even the Rust toolchain at a runtime level has to call into the host C library for certain things, and the same goes for Go, and the same goes for a number of other language runtimes that rely on core runtimes themselves to provide services and features for the languages.
E: So I still think it's critically important that we keep moving this work forward to provide a foundational infrastructure for these projects. And I'm gonna pop to the end. So, any comments and suggestions from the TAC on what we're doing and where we're going?
G: I just wanted to add, for anybody who's new to this: the Core Toolchain Infrastructure project is designed to be set up like an associated project, like Alpha-Omega, where it'll report and kind of provide updates to this TAC on its technology approach and the like, but it'll be funded from a separate pool of funds than the core OpenSSF budget, potentially many familiar names, potentially other names as well.
G: It was renamed from GTI, the GNU Toolchain Initiative, to CTI, partly on some requests we got from some of the free software folks that we avoid using the term GNU in the name of a project, which is a little ironic given what the U in GNU stands for, but we decided to respect their wishes and it was an easy change to make. So that's why this is now called CTI rather than GTI.
F: Exactly as Brian said. Thanks very much for clarifying that and, as Brian said, we're avoiding the letter G as well, at the request of the FSF and with all due respect to Sesame Street.
H: Zach, please: if there are interested parties who would like to follow along this work, where should we point them at? Slack channel, repositories, mailing lists, etc.? Yeah.
E: So we have a mailing list with LF IT on Subspace, so lore.kernel.org. I can add those links to the end of my slide deck and then I'll give the slide deck over to the list, and then you'll be able to access that. So yeah, you can have... we can absolutely have observers sign up to the TAC mailing list and talk with us and engage, yeah.
F: Yeah, also, I mean, just to follow along, I mean, to clarify it specifically: at the request of the broader GNU toolchain, GNU and FSF community, all the meetings, both when we eventually have a governing board and the TAC, are fully open to everyone as an observer, other than any, you know, confidential, sort of personnel or other sorts of things
F: we would need to discuss in some sort of executive committee. And we also are planning to work with the Linux Foundation IT and marketing team, and we have domains to be able to set up a website and, you know, a better sort of landing page for this infrastructure, and to also hopefully help the GNU toolchain in general, as a supplemental communication and marketing for that organization.
D: All right, last call for questions, comments.
D: Groovy. I had noticed that Jennifer had put out a link to a survey. So, another new part of our meetings: we want to share information and requests or projects that are going on throughout the foundation, and there is currently an OpenSSF software security awareness survey. Is Jennifer here? I don't see her.
G: Oh, I'm sorry, she's not here, because we're attending... I'm here in Boston with her on the sideline of an event where we're talking about what we're doing, so I can just quickly provide an update, which is: we are conducting a self-selected survey, so it will depend upon people showing up to the survey to fill out some questions, to try to assess just the market awareness amongst the technology management community.
G: You know, awareness of the OpenSSF, awareness of some of our key projects; ask a few questions about what people know, just to try to assess, again, awareness and, like, are we getting the right word out in the right way. So we'll put a blog post out tomorrow, we'll push it heavily on social. We would really love amplification from others to that. We did work with a number of the projects to develop the questions as well, so
G: when you see this hit the blog, or we'll post about it to the TAC as well, your help in getting the word out would be appreciated. Thanks.
G: I know, as well as everyone else here, other people in your companies could be helpful, but also beyond. So yeah, we're hoping to just get that next tier out, and there's some qualifying questions in the survey as well, to try to filter out, you know, people who the survey isn't targeted for. But yeah, that's why I was saying help on social will be helpful.
D: Okay, so let's get into the section where we have new work. So in the future, I would love for us to have issues filed in the TAC
D: repo. I would like for us to comment and have a dialogue publicly via that mechanism, and I would love for the TAC members to review these PRs and issues before the meeting, and then we can come into this call and have an educated conversation and close off any final commentary or debate. And I will commit to sending out a message to the TAC mailing list ahead of time to remind us of kind of what is on the docket coming up this week. Let's start off with TAC issue 129.
D: This is something our former esteemed leader, Mr Callaway, had started in the fall or earlier last year, so I'd like to try to close it off. We've had several of the folks from the TAC review and approve the PR, but essentially we want to update the vision, and I have posted the text here in the agenda.
D: You also are welcome to look at the text in the PR. So let's spend five minutes or so, or less, and... does anyone have any comments, suggestions or feedback before I push the magic button or not?
D: I will refresh. Anything to discuss more in depth, Aeva? And does it change the text?
D: So, any additional feedback?
J: I agree with Zach's question; my comment attempts to answer that.
C: To tell the room, to raise my hand on Zoom: I'm using some sort of hybrid Google Meet/Zoom bridge here, so apologies for not following protocol, but as the author of the line, I guess I can kind of give you some context. I view key stakeholders as not only the governing board but also peer open source foundations that are working with us around adoption and ultimately improving their security
C: posture. I view individual projects as stakeholders, perhaps sorted by criticality measures in terms of just size and impact and kind of relevance within the broader dependency graph of the ecosystem.
C: So when I think of key stakeholders, it's folks that are using our products and services, or products... but, you know, projects and services that we are producing, as well as folks that are interested in aligning with and supporting the work. So, both,
C: as well as maintainers that may be adopting techniques or services that the foundation fundamentally offers. So I would say certainly the governing board and our member constituent entities, but also kind of the broader folks that would be interacting with the outputs of the organization.
J: So I'd love to respond to that. Right now we don't have any mechanism for the stakeholders you're identifying, Bob.
J: We have the governing board, obviously, and our own members are people who are participating here, but there's no formal way for what I will coin the phrase here, "affiliated foundations", or other foundations in the broader open source ecosystem; there's no clear way for them to participate and have a voice. So if we're saying they are stakeholders, we must create a way for them to have a stake, and I think that is a really good way to visualize our mission.
C: I guess I would say: I think that even folks from the Eclipse Foundation, folks from other foundations, have joined this call, for example, in the past, maybe not with regular consistency, but I would say the forum is open. But that being said, I would also echo your sentiment that I heard, which is I think we should be more proactive about outreach and engagement and ensuring the things that we are doing are actually heard and delivered. So, in...
J: If I view the OpenSSF as a service org, we are providing valuable services to all of open source and other stakeholders. Policymakers, sure, they could show up. They could choose to spend time to come here to say things to us, the TAC, or to the governing board or to projects or working groups, but there is no structural means for them to have a stake, a table, a vote, and that dynamic means...
C: I was going after more of this being kind of the vision of having a relationship with those stakeholders where the value that we are trying to create and the outcomes that we are trying to create are clearly communicated, and there are feedback mechanisms in place where active dialogue can take place, so that, if we're building things that nobody's using, that's a problem. So the kind of text here is that we've identified those stakeholders, we have effective communication channels to those stakeholders, and there is that bi-directional feedback
C: that's occurring. That's what I'm envisioning in terms of... if we're working well as a foundation, those sorts of relationships, and the friction would be removed in that. So
C: that needs to happen today, but the vision, which was the goal of the PR, is to say, like, getting into a world where we have dedicated resources that own the outreach and, you know, gathering that feedback and bringing it back to the various working groups or the TAC. That's ultimately what I was agitating for.
D: Okay, thank you, great conversation. I would ask specifically the TAC, but anyone else that is interested, please provide us feedback. I would like to potentially see if we can gain consensus by our next meeting and approve this or not. So please, TAC specifically, continue to iterate, reflect on Aeva's comments and see what we might be interested in adjusting, and I'll bring this back up in our next meeting to potentially push the magic button on or not. Does that sound fair?
J: I did have one other comment on there that's hopefully a brief one. I would love to see an inclusion somewhere (there's a couple of spots where it could be merged in) that all of the tools, improvements, etc. that the OpenSSF is building and providing are intended to be made available at zero cost.
J: I think that's a key part of our vision, that we're providing this at zero cost to the rest of the open source communities, and that just wasn't enumerated in this.
D: Okay, I think that's excellent feedback, and let us consider that this week. Please, TAC, spend a few minutes reviewing and pondering how we might be able to incorporate such things. All right, scrolling down, I would like to spend a few minutes on TAC issue 161.
D: I do not wish to bikeshed this here. I would like to get interest from this group, if there are some excited contributors that are interested in talking about and helping refine and develop... making sure that our processes are consistent for SIGs/WGs/associated funded projects, things. So let's spend a little bit less than five minutes on this, please. Is there interest amongst the group to spend some time working on this?
D: All right, well, then I would encourage us again, specifically TAC, but anyone else, any observer, any other participant in the foundation, feel free to comment. But I would like to see if we can get a small group of us to sit down and collaborate on that and come back and present a suggestion for how that language might be updated, so that we can review and potentially adopt it in the future. Does that sound like a good path forward for us? Any counter opinion, Aeva?
J: Just a small note that changes to some of those may need governing board approval, as they are in the charter, so some of them, refining things, may not entirely fall within the TAC's purview. Just keep that in mind as you plan out that process. Absolutely.
D: And we would also, after the group has created their suggestion, review it here more thoroughly at the TAC and then make that decision, you know: do we need to go up to the governing board, is it something we need to share with the broader membership? So that is still TBD. Damn.
K: All right, is it acceptable for non-TAC members to be involved in the discussion?
D: If you are interested and excited, I would not turn away any engaged participants.
B: I was just going to say, include me, I'll be happy to participate in that. Awesome.
D: Well, there is the PR. Let's see if somebody's interested in either setting up a call or if we can do this asynchronously. Let's see if we can get some progress on this, and when the group is ready, just let me know and we'll get you put back onto the TAC agenda.
D: All right, moving along to issue 162. There is an interest to potentially go through and do a review of all the foundation documentation, READMEs, charters, membership lists, to make sure that everyone within the foundation is doing things consistently, so that outside viewers or members could be able to quickly understand what each group is about and how to engage with them. So we are looking at trying to solicit some volunteers and participants to help us go through this review. So let's talk about this for a few minutes: any comments, suggestions or hands raised to participate?
H: What I would suggest to that group is kind of bucketing things into, like, things we can get done in a short time frame and then maybe things that are on a medium and more long-term time frame. I think we could probably do a quick iteration of quick wins here that would not get us to meet all of these bullet points outlined on the issue, but could kind of help us move forward without trying to have everything figured out in order to make any forward progress.
D: Right, next issue is issue 163. Let's spend about 10 minutes talking about this. There was a request from the public policy committee as they were reflecting upon the EU's Cyber Resilience Act and the PLD, the Product Liability Directive. So there are two... there's an update to the PLD, and the CRA is new legislation that's working through the EU's parliamentary process, and the public policy committee asked specifically for the TAC to provide them a technical review of what the impacts are when this legislation is put into effect.
J: And if I may add a little more color to this, as I was the one who brought that request across: the public policy committee has already done a lot of analysis and engaged with other partner orgs on the policy impact, the business impact, things like that. What they have not done, and are asking the TAC to look at, is: if these two pieces of legislation go into effect unaltered, technically, is this achievable?
J: Are there technical controls that we can look at and review and say yes, regardless of how much it costs or what the economic impact would be, that's actually a good technical thing, or that's actually a bad technical thing, right? And so, to separate in our review the financial, policy, political, business impacts and only look at the technical impacts.
D: Thank you for that excellent clarification. And so a group of enthusiastic members mugged me at OSS North America, and so we had a nice, pretty substantial conversation, and we started to hammer out some of what those talking points might be, and then to collect some of the very good resources that, again, we could share with the membership as they, their organizations or projects, decide what they might want to do. And so...
D: It was pretty close, but yes, so Brooklyn got together and started this Google document that we are looking for participation on, to help provide that back to the public policy committee and Mr Behlendorf.
G: You know, all that. So there's a bunch of amendments that are still floating out there to the CRA that are in the process of being worked, and it's a highly political and, to me at least, really opaque process, but there's some really dedicated people trying to bend how this turns out. This is something separate from that. You know, it requires thinking about what, depending on where those amendments line up...
G: You know, let's assume it'll be somewhere between slightly positive, possibly, to very negative for open source, but the question is really: is it worth it? Is it worth the value of the security ramifications that might come out of this?
G: It would be a good thing if everyone was adopting SBOMs, for example, but if they do it too quickly, we end up with a lot of legacy out there that actually works against the interests of security. And it is going to be tough to separate this completely from the business and financial questions, because some of it will be, you know, what's the option of approach A versus B, because it's a lot of cost, right, to implement something, and is there a faster way to have more impact, or a way to have more impact
G: given the same amount of resources applied? Then, actually, this is bad policy, right, or good policy. So the place where the OpenSSF as a collective could really stand out is by saying, in the collective wisdom of the folks who have been immersed in the technical issues, we think, you know, this approach or that approach has merit, or is uncertain, or clearly does not compare. And that will depend a bit on how these amendments play out over the next...
I: Arno, yeah. So I'm very interested by what's being talked about, the idea, because it kind of brought a new dimension that I had not thought about. To be honest, when I looked at this first, it seemed to be initially framed as merely being: the impact is, you know, what kind of... and I think it's expected the impact is negative and we need to discuss,
I: you know, describe how negative it is. But I like the way Aeva mentioned the feasibility aspect, right, which is a bit of a different take on this, because it could be feasible but still have a bad impact, or vice versa. Right, well, the opposite, I guess, doesn't make much sense, but you know what I mean.
J: Well, we could desire a good impact, but it's infeasible to get there, or, you know, the cost to having the desired outcome might be astronomical, which is a choice that governments can make that is outside of my scope to really have comment on.
D: So, as I wait for additional comments, the public policy committee meets again
D: June 1st. They'll meet this week, but they will meet again June 1st, and we should have our analysis and thoughts put together, probably by the last couple of days of May, please. So if anyone is interested, we have the Google document, we have the issue in the TAC repo. Please make comments, put suggestions directly into the doc.
I: Yeah, I have one, which is, you know, it occurred to me, I mean, I don't know if it's a real problem or not, but certainly people, and OpenSSF in particular, already provided feedback as part of the public consultation, where we essentially said, you know, we talked about the bad impact on the liability aspect to open source developers, but we formally started... I mean, I think wrote it, and it is a good paper, but it basically says: yes, we embrace this.
D: The outcome of this task, from my perspective, is we are not going to use this to talk to parliamentarians. This is kind of a fact-gathering session, to provide information to our membership and to the public policy committee and the governing board. We're not trying to make a policy stance here; we're very late in the game for that. In the future, CRA 2.0,
D: maybe we get to do this months ahead and we're prepared like the OSI and Eclipse and everybody, but yeah, I don't know that we're gonna be able to influence anybody outside of our membership, saying these are things you need to be aware of and educate yourselves on.
G: Brian, yeah. And just understand, even after these amendments are adopted, there's still going to be a lot of differences in how that act gets interpreted and implemented, and likely still some time, and that might be the phase that this data we're collecting could be most impactful upon, which is, you know, the actual implementation details: bending those to be more positive for security and away from being the ones that we don't think will be helpful. And it is a nuanced message, and it does look weird for an organization that's all about increasing security to be arguing against a security bill, but it makes sense if the security bill doesn't actually have the impact that it claims it will have.
G: So we just want to be a bit of a reality check on that and help inform really the next stage, and one outcome of that also might be: maybe this current legislation is too early to really be fully adopted by the full European Union. But that's only a substantive case if we can show that its goals, its technical goals, security goals, are, you know, questionable or not achievable, or that it's simply too early for folks to vote on.
I: Yeah, no, this is a good point. The aspect that I don't know that many people are aware of is that, you know, this process is two steps. The first one is the CRA, which is really setting up requirements. Then it goes through a technical process where, basically, the European Commission turns to the standards community and says: please define how we implement this. Unfortunately, to be completely honest, the problem is I don't know that we can rely on, you know, typical European standards bodies to defend the open source angle.
D: And one other point, as we wrap up on this: many of us here work for very large organizations that have public policy teams and lawyers that are actively taking steps today to work with the Commission and this process.
D: Many of the members do not have that capability, so this again could be a resource for the membership to educate themselves and give them resources where they can learn more and do their own evaluation and understand how those individual members might wish to react.
D: Any final thoughts before we move on? So it sounds... please comment on the issue, comment on the doc, and if there is enough energy, if we want to have a kind of a collaboration session again, let's see if we can get that on the books here. But I would like to get this back to the public policy committee by June 1st.
D: We had a similar group of enthusiasts in Vancouver that were very excited to talk more about the concept of the Sterling Toolchain. So a group of us met and talked through and shared our opinions and ideas on what it might be, and we agreed we would like to set up again that high-velocity collaboration session. So, first and foremost, there is a Doodle poll. Please, if you are interested in participating, click on the link and we will get a formal meeting set up very soon.
D: This will be weekly calls where a group, we can get together, for anyone interested, and try to help refine the idea, put some meat on it and make some plans and next steps, and then come back to this group and other groups and kind of present what we're looking for. I have an exciting napkin diagram and a Visio diagram, which was part of the conversation, that I will get uploaded shortly. And so let us spend a few minutes and talk about this: thoughts, people who are interested in participating, feelings.
H: I guess maybe I should fill out the Doodle poll, but what I was going to say, from reading the doc that came out of the meeting in Vancouver, is that I really love the idea of thinking about either existing security capabilities or emerging security capabilities and how to apply this across the open source ecosystem, maybe through the lens of, you know, open source programming language package managers.
H: One thing I've learned from successful and unsuccessful collaborations with npm and PyPI is that often these organizations already have, like, a security roadmap, and I'm never sure how aware folks are of these things, but I'll post in the Zoom chat a link to the Python Software Foundation fundable packaging improvements, and I
H: think if Dustin was here, he would tell us that PyPI has seen a lot of success with this approach of taking security capabilities, putting them into bite-sized chunks that a finite amount of resources working over a finite amount of time can deliver, and then getting funding to fund people who are already sort of, like, domain experts in that language ecosystem or that security capability to deliver them.
H: I know in some of the Sterling Toolchain conversations there's been this, maybe, back and forth about how top-down are we versus bottom-up, and I would encourage us to think about how we could either help existing ecosystems put together a fundable security improvement list, if they don't already have one, and then work through this mechanism to ensure that we're helping them deliver these capabilities in the way that they want.
D: Excellent feedback. Thank you, Zach. I'm sharing the Visio diagram that was kind of the basis of the conversation we had. This is a suggestion on the approach that the group generally thought was okay, and again, I would like to spend a lot more time talking through this, incorporating feedback like Zach just gave us, approaching the package manager ecosystems. I think that's excellent feedback, thinking how we might be able to achieve these goals. Any other thoughts or feedback?
K: Yeah, I think probably I'm going to be a broken record. I did respond to the Doodle poll, and the big part of it, the discussion, the thing that I'm hoping to input is the concept of toolchain as platform, so that we see it as enabling and empowering others to deliver great stuff, so that, basically, so that openness is happening, competing when it's one's numbers... I mean, grace.
K: Thank you, to make sure it's not happening. Okay, and...
D: If we take the security architecture, pattern-based approach and we put forth the requirement, for example, we have secure IDE, for example, as a pattern: we would not necessarily go out and write one; we might identify here are some great examples, but we would document requirements of what we'd like to see, and that would allow any project to start and maybe work on that mission, or, if there was a commercial entity that had an offering, they could align, saying: this is how we help support that secure IDE pattern.
D: Any addition? Again, I do not wish us to compete against ourselves, but I want to try to be sensitive to everyone's thoughts on what they're interested in participating in and working to achieve.
K: I mean, I would also encourage us to think about things like Scorecard and other opportunities for the foundation to, you know, who knows, I mean, the infrastructure or code that helps, you know, at scale... I think that's what is happening anyway. So it's a matter of kind of keeping those measurements.
D: Exactly. So again, anyone interested in participating, we will be setting this up very soon. Patches and collaboration are always welcome as we move forward on this. Any closing thoughts on that potential idea?
G: I would think we do. We have been looking at the candidates and starting to talk with some of them, so we will update you when that person's hired, but I don't think any of the work that we're doing here should be held up to wait for that role.
H: Jordan has written a proposal for how we should manage permissions inside the OpenSSF GitHub organization. Today, what that looks like is that there are individuals who are added to specific repositories as they need permissions, but there's no sort of, like, second half of the lifecycle, so people just keep getting added and accruing, even as their relationship with OpenSSF changes over time. And so there's two parts to Jordan's proposal.
H: One is to more formalize membership and have teams, so there would be a specific team for the TAC, one for Linux Foundation staff, etc., and then that would make it a little bit easier for us to reason about which permissions individuals would have, especially as their role in relation to the OpenSSF changes over time.
H: And then there are some downstream consequences of that that we need to figure out, like: what does that process look like? How is that managed? That sort of thing. And so, yeah, essentially I wanted to make sure that Jordan's work was visible to this group. I think that this is something that the TAC should decide on, and if you haven't already, please take a look at the pull requests that he put together and give feedback.
D
Yeah, thank you. Excellent contact, Zach, and I'll state: my two working groups, BEST, the BEST working group, and Vulnerability Disclosures, were a bit of a guinea pig because we actually have a members file that he was basing off some of these changes, and I personally feel role-based access control is great.

D
That's how I started off my career in the cybers, so I would endorse this, and I would encourage everyone to participate and figure out a way we can implement some of this. I agree that the over-time collection of entitlements is a challenge. Then I think we need to think through some of that.
J
One of the open questions I've had since beginning PR 112 last year was how do we define our electorate, who can vote in these elections, and at the moment most working groups, as far as I'm aware, don't have a defined electorate, the OpenSSF itself. I know staff goes through a process, they've done twice now for the TAC election, of, excuse me, sort of reviewing all of our activity channels, Google Docs, Slack, etc., to determine who's been active. It would be, I

J
Imagine, very helpful to the staff to have that process be easier if there was a simple membership list they could pull from somewhere. But how do we make sure that membership list is accurate, automated over time? That would become the next question or challenge, so that we don't have thousands of people just clicking join for the little happy badge, right. So all of that has to be worked out.

J
I think before we can open up membership, but in general I like the idea of having a publicly visible recognition for members and a publicly trackable list of who's active in the whole org and in subgroups of the org. That really enables a lot better representation in the democratic process for us.
I
Yeah, I, you know, I think, if articulated very well, that the second part of the proposal is definitely a bit more difficult, I think, and maybe for that reason I would suggest to separate the two, because on the first one I like what I said in the issue earlier today when I was looking at it. It's like, is there any downsides other than the cost of actually implementing the role-based access control? I mean, it seems to me that this is, you know, I don't know. I
G
Just to avoid future semantic confusion, can I plead that we reserve the term member for the sponsoring members as companies of the OpenSSF, since we used that term pervasively for that purpose, and focus on contributors being anybody who's participated in helping improve something that's under the OpenSSF banner, and maintainers being the people who are responsible as a team at the working group level, at the project or initiative level, or the SIG level, that sort of thing. Thank you. That's
D
An excellent comment. I would suggest you put that into PR 162, so we get that captured forever and we can remember that going.

D
Are any additional thoughts or feedback on it? Sounds like in general we are very positive towards the idea. We would probably like to split up the two components. Maybe do one today, wait for issue 162 maybe to get resolved, and come back and reconsider the second part of George.

D
Is it 164? No, no, well, the 162 is the audit. 164 is the actual doing the group, the actual access control work, but so it sounds like we are generally positive. Do we have people that are interested in participating and would like to potentially help facilitate this for us, to keep, make sure we have velocity?
D
All right, well, please express yourself in comments on all the issues listed today. We'll see if we can get a collect, a group of participants that are interested in collaborating on this, to see if we can get some speedy resolution on these. In our last several minutes together, is there anything of any other thoughts that people are interested in or points they wanted to bring up before we adjourn?

D
In the future, I would love to flag issues that the TAC will be voting on, making sure that it's prominently noted here that we will be conducting a vote, so that in future TAC people can go back and see this information is clearly designated. Today we don't have anything, but in the future we may, and I'll put, stage it there on the agenda so everyone's aware ahead of time.

D
All right, well, I! Thank you all for your time and participation, some excellent conversations. I'm looking forward to collaborating with everybody on all of these topics in the near future, and as you have items you wish to put onto future agendas, please stage those as issues in the TAC repo and we'll get those collected, and I think next time we will be getting readouts from the BEST working group and the End User working group. So we'll make sure we get that material circulated to this group beforehand.