From YouTube: OpenSSF TAC (May 30, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
D: We will be starting in just one moment.
D: And I see Jacques and John. Are you prepared with your amazing presentation?
D: All right, ladies and gentlemen, welcome to the May 30th edition of the OpenSSF TAC call. It looks as if we absolutely have quorum, yay us. Do we have anyone that is interested in helping us take notes and scribe today?
C: I'll help.

D: Awesome. Tim, are you also volunteering? Yes? Oh, thank you, sir. One of the most important things: people that don't make the calls absolutely look at the videos and read the notes. So it's a critical service and we appreciate your help with that.
D: Let us quickly, we're gonna spend two minutes, if there are any updates for any of the issues listed in the agenda. Let's talk about TAC issue 163, which was comments about the CRA and PLD. There was a bunch of activity on this. How do we feel about this? Are you ready to turn this over to the Public Policy Committee?
D: Yeah, a lot of good collaboration. Any additional thoughts or comments on it?
I: Yeah, I like it. I like what's there; it definitely feels ready to send to them. It's just like a peek and see if they like it. If they have other concerns or want more, we could keep going.
D: Let's move on to issue 151, the project formerly known as the Sterling Toolchain. The Doodle poll closed, and we determined that in 54 minutes we will be meeting weekly, Tuesdays at noon Eastern time. So there will be a group of folks that will continue to work on and refine the Sterling Toolchain idea.
J: Would just like to point out that that time conflicts with one of the CISA SBOM public calls, and one of the ones that I and some are obligated to regularly attend, so I will not be able to join in 54 minutes.
D: And it also conflicts, I think, with a SLSA call and another internal working group call. That's what you get with a group vote, I'm sorry. We will do our best to take excellent notes, and it will be recorded, and we are always open for additional conversations and we'll try to keep everybody up to date.
D: Any additional thoughts about the security too... security toolchain, tool belt thing?
E: Sure, so Jordan ran a scrape, or ran a scraper, to see anyone that was an individual contributor to any of our repos, and he gave me an audit of that list. I went through and moved people that were individual contributors to a team and invited them to the team and removed their individual access, and so there might be some breakage with their collaboration if they don't accept the team invite, but I wanted to make the switch sooner rather than having it over our heads for months to come.
K: This is apparently a really popular discussion topic. Mine is very parochial and selfish, which is that anywhere you see jchester Shopify, you should just use jchester. I create accounts tied to my job so that I separate what is personal, what is public.
K: That's great until they sack you and you can't log in. Oh, sorry, I beg your pardon, layoff. That was in jest. I was laid off. That's all I have to say.
J: May I suggest sending out one or two blast notifications on mailing lists, Slack in the general channels, things like that, just to let folks know that, hey, the TAC did this update. If you have any trouble, here's what you should do.
H: Should anyone be able to have membership in the OpenSSF organization, which I believe in the last TAC meeting we thought was an interesting idea, but had a few questions about the invitation around, and that will be landing as a separate request. So the...
L: I added this as a bullet point on the end of the list of items, but I figure I should introduce this now because it's relevant to the permissions model thing. A few months ago, I don't remember exactly, I was rooting around through this plugin GitHub app's settings that was applied to the OpenSSF organization, and so you'll notice that a lot of our TAC, you know, a lot of our working groups, have the settings.yaml file.
L: The downside is that collaborators can set their own permissions, and so, if you look down here, security implications: this app makes it so that anybody who has push permission to the repository can give themselves admin permissions on the repository. So as a result of this, all of the OpenSSF org repositories that have, actually, any repository across the OpenSSF, because you could add this file and then give yourself permissions, even if the file didn't exist previously.
L: So as an implication, several months ago Brian yanked this app off of the org, and it's still not there, but those files are still present. So I just wanted to give everybody a heads up: saw this, said "security implications", and then said we should get rid of that. So, yeah, questions?
L: Yeah, I actually meant to talk to Jory about it, because she was one of the people that helped set it up. It's no longer part of the OpenSSF actively, but this is part of, I mean, Jordan's doing some work in this area around reorganizing, you know, stuff, and Amanda's kind of a part of this too. I just, I think that we did this and it was part of the operations conversation, but the TAC never got notified of this decision and that this happened.
L: I mean, I think that giving people an ability to manage their own permissions over their working groups is a good idea, but I don't know if this is the right one, but something like this should, you know... I see the value in what we were trying to do with this at the time, Ava.
J: Yeah, I think, John, I think that's good. The one question I have, just as I'm reading issue 155, as I'm skimming quickly, maybe it's called out somewhere and I'm just overlooking it, but the discussion point about the org itself having open membership was raised in two weeks ago's meeting on the GitHub issue. How did that decision land and where is that decision captured?
H: Yeah, I think I can answer that. We decided that that was an interesting idea. We decided to remove it from pull request 155 so that we could land it and move forward with the more urgent work around organizing folks around teams, and then, when that lands, Jordan has said that he will open up a new pull request reintroducing it for us to discuss. Okay.
L: Amanda, I'm seeing that as OpenSSF staff, I am unable to create repositories under the openssf org. Is that something that... what is the current creating-a-repository process? Should staff be able to create repositories? Should TAC members be able to create repositories? Who should be able to create repositories and who shouldn't?
E: Right now, I have it just for owners, because that's the setting that was easiest, but I am open for anyone that the TAC wants to create repositories to give that permission.
J: I believe the status of this PR says staff and TAC should have it, which is, I believe, also what the TAC would like.
L: Yeah, I just, because of Alpha-Omega, I end up creating repositories for projects as I'm working. So, you know, it would be helpful to keep that and not have to ask someone for permissions to do so.
D: Excellent, so let's deal with that offline, please. Moving along, TAC issue 162: any updates around our foundation groups documentation audit?
K: Jacques, I can't speak for anyone else. I have done literally zero, zero, zip, nil, nada. That's probably because I've been flat out with, you know, other considerations, but it is something I would like to get some time to do, maybe this week.
L: So the question that I have here is, there's just an, it's a standing question of where should this document live? There was an opinion, there's a couple of opinions. One is that the policy should live with the Vulnerability Disclosures working group open repository, because it's an item delivered by them.
L: There's some feedback that maybe it should go with the OpenSSF foundation repository, because it's an organizational-level policy, and then there's another conversation about maybe it being .github, because .github reflects, is like, not the foundation repository, but it is GitHub's way of having a top-level repository for your entire org.
L: There's a couple of different opinions here. One of the things that I posed is maybe foundation is mirrored to .github, because then foundation is the top-level one, but then all the stuff there gets reflected into the .github, even though we don't have it, just so that the name can be foundation, which maybe is symbolic in some way to some people. I don't know. It's a rather long thread, it's mostly... So this thing has been voted upon. It's been ratified by the TAC.
D: So I'd like to assign homework to the TAC this week. Please review that issue and provide your opinion on where we think that needs to live, and we will come back with a decision on our next call and get that moving forward. Please.
D: There are pros and cons to all the choices, so let's have that conversation this week, please. All right. Moving along, I would love to share with you an update on the Best Practices working group. Can everybody see my screen?
D: Great. I will not take my allotted time. I only have a few short things to discuss, just to give everyone an update. We have two current best practices guides that the group is working on: a source code management best practices guide and a C and C++ compiler option hardening best practices guide. Both of those are progressing very well, lots of multi-organization, multi-contributor feedback. I feel we are close to having the beta for the source code management guide ready, probably within the next month; that's pretty well baked.
D: We have a great review of good settings that should be in place for both GitHub and GitLab, and then there's been some conversation about, could people put in suggestions for alternate repositories like Subversion or other types of things? And yes, we absolutely will take those patches if someone puts the effort in. So you should see those guides finishing up over the summer and we will definitely share with the TAC once they are ready to go, and we'll work with Jennifer and everyone for a blog and whatnot.
D: So I would anticipate sometime later this summer those will be ready. We have a new SIG, the Memory Safety SIG, which I will jump to very quickly. This is picking up Mobilization Plan stream four. There's been a group of folks working on rewriting that text, and we are close to moving it into a GitHub repository. That's our PR for it; I anticipate we'll probably make that decision this week, so that the plan will be available in an open source way that anyone that has additional feedback or suggestions can contribute.
D: If there was good guidance from the compiler hardening space, we wanted to ingest that as part of the advocacy that'll be part of the memory safety rewrite, and those were the two big things that the group is working on. And the working group would ask: this presentation is available for everybody, it should be in the link, I will get it posted up to the working group's repository, but is this the type of information, do we like this format and template, and is there any specific information someone was curious about?
F: So, okay, let's give you a quick update on the End User working group. I think it's going to be fairly quick as well, but just in general, at the moment the main focus of the group is on threat modeling and trying to build out an enterprise architecture, a sample enterprise architecture, and then looking at how the supply chain threats would apply to that and building out a formal threat modeling architecture.
F: We have recently spun up a dedicated series of meetings on Tuesdays at 9:00 a.m. Eastern to go through that in more detail, and it is hosted by Henrik Plate, who is leading out that work, and that's progressing really well. An additional chunk of work we're doing is trying to recruit additional end users to actively participate in the group.
F: Now, there's something that we have Andrew Aitkin focusing on, and we are talking to a lot of different end users, a lot of different people reaching in to get additional insight, but we are not getting people directly into the meeting as yet. As we can see on here, we've got about 10 regular attendees, which is a fairly healthy number, and about 10 people intermittently come through. In addition to that, there are tens of end users that reach out and read through the material, look at the videos and reach out to different people.
F: So there's quite a few people in the wings as well. In terms of recent work, I'll get into more detail on the threat model and taxonomy piece, but just a couple of additional pieces. We have written, effectively, a software ingestion manifesto as a group that we're reviewing, which just highlights some of the areas we need to look at if we're consuming open source software and some of the focus areas there. An additional recruitment plan has been put together to bring in additional users, and we as a group contributed to the CRA talking points in Vancouver.
K: Nothing sort of particularly comes to mind. Definitely recruiting more folks is a big focus. Those of you who were at the OpenSSF Day may recall the incredibly awkward moment where Andrew and I said, raise your hand if you're an end user, and I think two people raised their hands, so we need some more representation in that department, I think.
C: So you'll find me answering the question now. It's actually regarding, I mean, who are the people who actually participate? You know, can you give me like the categories of people? Because, I mean, we have an issue later we'll talk about this: you know, the maintainers, for instance, who feel like, okay, this is not... they are not end users, and so I'm wondering who the people are.
F: Well, it's fairly varied in terms of industry, but they're large industries, so large consultancy firms, large banks, large telecommunications, those sorts of things. What we were trying to do as well was look at the medium and small companies, but those tend to be the people that are suddenly attending; a lot of the smaller companies are talking to us, but not necessarily joining that main group.
K: I don't know. What to remember is that, you know, for a large company, something like the OpenSSF as a participant has high leverage and they can afford to dedicate some time to it, which a small and medium firm won't be able to. That's just in the nature of the beast, in terms of, like, abstractly answering the question.
K: I know, I would say that it's a fuzzy function as to who is an end user; it's not a crisp set, but, generally speaking, the further away you get from writing open source and contributing open source back to the upstream, the more of an end user you are. The more you're taking the world as it is, rather than changing the world.
J: On the previous slide, you called out two things you're working on, the software ingestion manifesto and the CRA talking points. Questions on each of those: is the software ingestion manifesto distinct from, or overlapping with, the S2C2F work?
F: It is, so that's... In addition, it was raised by a couple of the group members specifically about focusing on ingestion, yeah.
J: My understanding of S2C2F is it's focused on ingestion, so maybe in the future, clarifying how those are distinct or working together on it.
K: Yeah, yeah, jjy participates in the end users group as well, so, awesome, there's a mutual in us. I would position the manifesto as more motivational than, sort of, I don't know, structural.
J: That answers my question, thank you. And then on the CRA talking points, can the TAC, or would you like the TAC's help in any way getting that over to the Policy Committee?
K: So, sorry, that was me who put that there. What I was driving at is that we had participated in that discussion. Perfect.
F: So the idea behind this is really to provide that guidance, or that architecture, really, so an end user can take a look at it and see where the attacks occur within that sample architecture, and an understanding of the prevalence at a high level, to allow them to prioritize appropriately or at least get some more ideas on where to do so, just from an end user guidance perspective, and it also helps us help...
F: People orientate where the OpenSSF offerings are, so CRob, obviously, working with crude in the diagram society to put a fantastic diagram behind that as well, which gives us a bit of insight into where to map those different OpenSSF programs. Current status: we do have a draft architecture which is, I'd say, in good shape. We also have the initial threat models that are starting to come through now, really a lot of great work getting spearheaded from Henrik, Abdullah, Garcia and ourselves, so I think, really...
F: The next step is to continue that until we get to completion for that initial view, at which point it'd be great to bring it back to the TAC to get your sort of review of that. We're open, obviously, at any time at that separate meeting for input as well, so please do come and join us on that one. That is really the main focus of where we're at for the End User group. Oh, no, good question.
F: That's really a great point, so we were part of the Sterling Toolchain lunch, what was the dinner at Vancouver, and a couple of the other conversations as well, and that's kind of where we're looking as well. Oh, no, is that, look, this is how consumers are set up, this is the different threats. Now, if we were to look at a Sterling Toolchain, how would that be, based on that, to mitigate those threats? It's almost looking at, effectively, the threats and the requirements for that Sterling Toolchain, so that is really our view.
F: That's what we're trying to work with, and we'll be sitting down in 28 minutes to further that. Thank you.
F: So the next one is another piece of work we're working on. We did present it back to the TAC some time ago, and it's effectively a taxonomy for supply chain attacks, just so it would allow us to reason and discuss this amongst SMEs and end users. We did have some initial work from Henrik and Pierre Giorgio, and the feedback from the TAC at that point was to reach out to the CNCF and additional SMEs for feedback. We did do that.
F: We did get additional feedback and that was added to the taxonomy. We still do have some additional work that I think we need to really reconvene and look at how we push that forward. I think one of the big bits of feedback was there may be different views of the taxonomy in the middle stages of that taxonomy. If you've seen it, it's actually broken down into sort of a tech tree, and whilst the nodes are appropriate, people have different views on the middle nodes, so more work required there.
F: That's going to be some time before we bring that back, and finally, really, I think if you were highlighting there's an offline conversation, I'd love to have that about recruiting additional end users. We are having lots of conversations, as I said, but we need to translate that into active participation. That's where we're heading, and really the other part is contributing to the threat model when we get that done. So, any further questions?
D: Excellent, thank you, gentlemen, appreciate the update, and if anyone has questions, the End User working group has a Slack channel and a mailing list; feel free to reach out directly to them. Reach out to the Best Practices working group if you have feedback or questions for that team. Let us talk about any foundation or staff updates. I see we have "securing software repos" as a little note here; who would like to talk to that?
K: Jonathan, this seems like, like you, Jonathan, like shoes.
L: Thank you, okay. So, not an item for the TAC, I just want to make everybody aware of this. Under the Securing Software Repositories working group, I have put together a proposal called the Great Artifact Repository Audit.
L: It's a collaboration that I'm doing with Amir from OSTIF. The idea is predicated on the concept of, I believe that most artifact servers in the industry have never had a security audit performed against them, right, like Maven Central, Gradle plugin portal (actually, Maven Central has an audit), but, like, you know, PyPI.
L: You know, all these different services, and the proposal here is to actually fund, through Alpha-Omega and other avenues, actually paying for pen test and red team engagements against this critical infrastructure that supplies the entire open source industry, and actually, you know, trying to get resources allocated and actually having these audits occur. So, if you're interested in getting involved in this conversation about this work, leave a comment on the proposal or come join the weekly SIG meetings that are on Thursdays now.
D: Then you have the automated vulnerability fix campaign, Jonathan. Yes.
L: If there's a larger document attached to it, we're going to expand upon this, but the current proposal from the Vulnerability Disclosures working group Autofix SIG is this proposed flow for how we would do disclosures, and I wanted to open it up to anybody, you know, TAC.
L: I just posted it in general. We're looking for feedback on this flow, if people agree with this model of how to do automated disclosures, or attempt to do automated disclosures, and, yeah, I want to invite anybody to come to the weekly meetings for that. Those are on, we've just moved it to Wednesdays at 2 PM, or, if you want to just, you know, at me in Slack, feel free to, but I wanted to bring this to a wider discussion before, you know, we committed to it and started building things off of it.
D: All right, I would invite everyone interested to please participate on either the Slack, the mailing list, or come to the meetings and help us get those two efforts rolling. For the balance of our time together, I would like to talk about TAC issue 129, the technical vision. We had some conversations.
M: Oh, I wondered if I could jump in with one thing from staff. Is that all right?
M: So if you are interested in volunteering to be on the program committee, send an email to operations at openssf.org and let them know. We're looking for about four to five members to staff the program committee.
M: Awesome, and then I'll just throw in there one other thing in terms of blogs. We have a blog coming out tomorrow on the Supply Chain Integrity working group, and then our feature for next month is going to be the Security Tooling working group. So we're also opening the floor for guest blog submissions on SBOMs and fuzzing. So if you or someone you know might want to contribute a post on that, please feel free to do so. And then one more thing: we have a survey open at the moment.
M: Our OpenSSF software security awareness survey, and it's held in conjunction with LF Research, on how the OpenSSF is perceived and initiatives like Sigstore, Alpha-Omega, Best Practices Badge, Scorecard, SLSA. So any help you could throw in to help share that survey would be great. There's a link to it on the home page at the top when you go to the site. Thank you.
D: Great, thank you. Any questions or comments, please route that to Jennifer and we'll be glad to get both those efforts rolling. So let's talk about issue 129 around our technical vision. Did we get all of the outstanding comments addressed, and are we to a point where we're happy and would like to merge this? TAC, go.
N: I think I addressed, I know, all the outstanding questions. If I missed something, that's just a minor oversight on my part, not a deliberate omission, but I will note that we have five of those in approval.
N: If there are any additional questions on this, I'm happy to take it, but with five votes, I guess, not sure what else further discussion we need to do on this.
D: Excellent, we clawed back some time. David, did you have feedback? Yeah.
A: Okay, so you left them open, but they have been resolved. Great. That's all I want to know. Thank you very much. Perfect.
D: Then let us spend some time talking about a new issue that arose over the weekend. We had a new contributor put forth issue 169 around the maintainer experience through the OpenSSF. We had talked about the end user perspective; Jonathan and Jacques just gave us a recap, and this is another set, another persona, that we actively work with, and there was interest in trying to see what was available and how we're addressing that set of collaborators. So, any conversation we want to have around the maintainer experience today?
L: Is this the issue that was opened with the big conversation underneath it about...
D: Yeah, how do we make the foundation easy to engage for maintainers, and there were some questions that...
D: Useful, right, like literally, and there was some conversation about some potential groups that touched a little bit on this, but there was no specific group with the mandate of addressing, you know, making it easy for maintainers to engage. Mr. Wheeler, okay.
A: So I have a proposal, and CRob, you can, and others, you can shoot it down if you like. I think the closest working group to this is the Best Practices working group and, in particular, I mean, there's all sorts of awesome ideas in here. I immediately went and looked: oh man, yeah, we do need at least a page that points people, you know, existing maintainers, and it's totally understandable; when we first started, we didn't have anything to point to. Hooray, we have things to point to now.
A: We need to point to them, so I would propose that the Best Practices working group pick this up as a, you know, let's start looking at it. At the very least, I would suggest to them that they create a little page for the main openssf website that points, hey, you're a maintainer, where do you go? Craft that and then discuss the other things, and if eventually it turns out there's another working group that needs to be created, or so on...
D: If this is an effort we want to move forward with, think about the other personas we're trying to address as well, and have those user journeys and have the website friendly towards folks that are looking for particular topics. Dustin.
G: Hi folks, I wanted to raise, I don't know if everyone's aware of this, but there is a mini committee effort right now around the OpenSSF DevRel approach. This is sort of maybe more like evangelism-focused, but I think a lot of the points that we're trying to address with that overlap with the maintainer experience approach here, mostly about advocating for the maintainer and things like that, so I dropped a link to the doc. Amanda has mostly been leading this with some input from other folks.
D: Agree. Arnaud.
C: Yeah, I mean, in your introduction you say this is a type, this is a persona that we are addressing, and I would say that, based on this issue, we are failing to address it, at least, you know, adequately, but I agree that this is the persona that we want to address, and so, you know, I think we all agree this is great feedback and we definitely should act on it.
C: I think the landing page should be totally non-controversial, and it makes me wonder whether, you know, we shouldn't learn from this and think about other types of persona that deserve having their own landing page, so that, you know, we could have a few pages on the website.
C: Depending on who you are, you say: hey, go there, that's where we gather all the information that's pertinent to you, and then it reduces the pain point, right, of finding, and the importance of where the actual work takes place, because if it becomes easy to find it doesn't really matter. I mean, that was one of the comments.
C: You know, they don't care whether it's a project, a working group, what you call it, where it's structured in the, you know, higher governance tree. But so, I mean, if you, again, if you can get direct access to the information that's relevant to you, then I think you're all better off. So I think, and to follow up on David's proposal, I'm fine with starting with the Best Practices working group looking into this. I was a bit concerned that, you know...
C: Because to date it has been mostly focusing on delivering material that could be used by the maintainers, but it's not exactly the same, so I have the feeling that eventually you might want to create a new working group for this. That's also why I was asking the question earlier about the end users, who are the end users, and I don't know how many of those we want to create, but I don't want to have too many working groups, but, you know, I think if that's what it takes.
D: Before I move to Jonathan, it might be a great collaboration between elements of the Best Practices working group kind of participating with this new DevRel committee, because, again, and I agree with Dustin, that was an effort we had recently been talking about, of trying to get better evangelism within that community. So maybe we find a way to blend those efforts.
L: A thought crosses my mind. Most of the participants in the OpenSSF, including the people that, you know, for the TAC, and the people who can allocate their time and money and effort, right, are funded by their company to spend time on this, and as such kind of have corporate interest backing there, right.
L: Your company's investing in you, you are invested, and then that's giving you the time to invest in this project, right, especially if you're gonna be a part of the TAC or something like that. Like, you know, that's something that you usually have a conversation with your team and say, like, you know, we do want to invest the time to do this sort of thing, because of that, right, because of all of the vested interests that exist in the corporate world.
L: Are we lacking somewhere within the sphere, within the TAC, within, maybe even within the governing board, individuals that are not given the ability to be financed by their companies to spend the time focused on this, that we should consider trying to pull in those voices? Potentially. I know that we all are passionate about open source, right, yeah, but anyway. You got a pan. That's relevant to this exact, yeah.
J: Jonathan, this is a point I've raised several times over the past year, including in GB meetings, and here, that this body, when we look at who's in the room, it's almost exclusively folks from large companies.
J: There are large amounts of open source that are critical, that are maintained by people who do so on a volunteer basis, and that we have struggled as an organization to reach. I think this is an incredibly salient point, and as I'm reading the issue, well articulated. I would love to see the value to individual maintainers clearly expressed and captured as sort of the front landing page, which also echoes that the audience is a bit different, the same challenge that the End User working group was just presenting as well.
J: Not quite where I was going, at least; rather, we have that knowledge. We've been building it, but right now a lot of it's tucked away in working group or SIG documents.
J: Could that be positioned more forward-facing on the website, in our conferences? Could members of this body who are paid by our employers to do this go talk about this at other events? I'm thinking like BSides; we get a lot of end users and a lot of individual maintainers at the smaller regional conferences. That's to me also aligned with the whole DevRel question: going out, meeting developers where they are, to talk about the value we give them, not just what we want from them.
D
Excellent
points
Bob,
then
Jacques
and
then
David.
N
You
got
me
right
as
I
was
putting
food
in
my
mouth.
Sorry
I
turned
my
camera
off
to
spare
everybody
the
image
the
point
I
wanted
to
make
other
than
just
plus
wanting
the
the
general
notion
of
the
Persona
of
being
maybe
having
a
lack
of
focus
in
terms
of
external
Outreach.
Is
that
I
think
there's
there's
a
dynamic
of
this?
That
is
one
to
one
in
terms
of
reaching
individual
project,
maintainers
or
Developers.
N
There's
a
dimension
of
this,
which
I
see
is
kind
of
one
to
m,
in
which
I
think
in
the
both
the
vision,
doc
that
was
just
merged
as
well
as
in
some
of
the
conversations
over
the
past
several
months,
we've
kind
of
called
out
the
notion
of
needing
to
have
full-time
staff
dedicated
on
ecosystem,
specific
relationships
and
thinking
of
those
as
ways.
It's
one
thing
for
the
open
ssf
to
say
something:
it's
a
different
thing
for
the
Drupal
Foundation
or
the
psf
to
say
something
to
their
constituent
groups
as
well.
K
Jacques
I
just
wanted
to
amplify
something:
Ava
said
which
was
I
guess
in
a
sense
going
even
further
than
having
a
page
for
maintainers
that
the
first
page
you
get
to
on
the
open,
ssf
should
say
if
you're
a
maintainer
here
are
things
we
do
if
you're
an
end
user.
Here
are
things
we
do
and
if
you're
a
vendor.
This
is
where
you
should
participate.
If.
K
Because
those
those
seem
like
sort
of
major
constituencies-
and
at
the
moment
the
open
ssf
pages
is
generic
and
because
it's
the
one
thing
that
we
all
agree
on,
you
know
we
talk
about
the
governance
structure,
which
doesn't
necessarily
get
you
to
where
you're
trying
to
get
to
so
I.
Think
having
the
page
built
around
that
information
architecture
might
be,
might
be
a
useful
reorganization,
I
think
valuable
and
a
sub
note
to
that
which
is
I,
think
there's,
there's
kind
of
like
two
sub
persona
in
maintainers.
K
One
is
the
surface
only
where
they're,
like
I
am
motivated
to
do
security
things.
What
do
I
do
and
the
other
one
is
I,
don't
have
any
time
or
bandwidth
I'm
already
flat
out.
How
can
you
help
me
and
what
can
you
do
for
me
and
those
those
are
related,
but
distinct,
I.
H
K
D
Excellent
points
David.
D
B
Completely
agree
with
the
interest
to
improve
the
communication
and
to
provide
a
better
landing
page
portal
for
all
these
different
roles.
To
understand
about
the
openssf.
A
couple
of
points
I
wanted
to
make
is
one
to
be
very
careful
that
this
isn't
a
you
know:
hi
we're
from
the
government,
sorry
open,
ssf
and
we're
here
to
help
yeah
another
is
that
I
mean
there?
Is
this
balance
between?
B
As
you
said,
the
large
corporations
and
people
who
have
skin
in
the
game
I'm
not
saying
that
these
maintainers
don't
have
skin
in
the
game,
but
I
want
to
be
careful,
or
at
least
aware
of
who
is
being
included,
who
wants
to
participate
in
the
sense
of
again
sort
of
skin
of
the
game,
understanding
what
their
their
value
is?
B
I
mean
I,
completely
agree
that
for
people
who
want
information
who
want
help
and
exactly
is
the
way
the
jock
mentions
these
two
different
roles,
but
there's
also
just
you
know
not
not
against,
but
just
this
awareness
of
that
people
with
skin
in
the
game
to
corporations.
People
participating
here,
you
know,
have
a
reason
to
participate
and
contribute
both
at
the
governing
board.
B
Tech,
all
these
various
you
know
sigs
and
working
groups
because
of
a
you
know,
a
certain
value
to
them,
and
yes,
we
definitely
should
try
to
open
this
up
and
have
all
the
different
voices
participate.
But
when
trying
to
get
us
to
make
sure
that
there's
a
difference
between
people
who
are
motivated
versus
a
a
forum
for
activists
who
I
mean
the
people
who
are
interested
to
participate,
we
need
to
think
about
what
their
motivations
are.
B
I
mean
some
of
the
people
who
may
not
have
who
may
not
have
so
much
skin
in
the
game,
but
just
want
to
okay.
You
know
here,
I
can
start,
you
know
creating
regulations.
I
can
start
creating.
You
know
different.
You
know
requirements
here.
I
can
just
start.
You
know,
you
know
telling
a
bunch
of
you
know
the
these
awful
capitalist
corporations.
What
to
do
and
I
mean
so
there's
just
you
know
like
careful
of
the
voice
that
we're
participating,
not
that
they
shouldn't
participate.
I
mean
you
know.
B
Clearly,
this
should
be
open
to
everyone,
but
just
to
ensure
that
this
you
know,
has
the
the
right
voice
that
we
understand
the
balance
of
presentation
for
the
people
who
are
going
to
be
impacted
with
some
of
these
different
policy
which
open
SF
is
doing
a
great
job
advocating,
but
but
just
making
sure
that
it's
we
understand
what
the
implications
are
and
that
the
people
are
participating
are
the
ones
who
are
actually
going
to
be
affected
and
have
a
lot
of
the
requirements
and
regulations
placed
upon
them.
Thanks
excellent.
D
Thank
you
and
I
for
one
will
commit
my
time
and
I
will
encourage
my
friends
in
the
best
working
group
and
the
diagram
of
society
to
participate
with
the
devrel
team
as
that
moves
forward.
I
think
this
is
an
important
piece
of
work
to
help
us
have
that
better
Outreach
to
our
different
communities,
so
I
will
commit
myself
and
my
friends
to
help
make
this
successful
and
I
encourage
everyone
else
to
do
the
same
any
last
minute
thoughts
in
our
final
three
minutes.
Together,
we
have
gone
through
our
agenda.