From YouTube: OpenSSF TAC (November 15, 2022)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
A
Good morning, good afternoon, folks. Bob is going to run a little bit late today; he's driving home right now, so he'll join us in a bit.
C
In Tahoe.
C
How many people were there? I haven't seen too many tweets about it.
A
I think we can get started pretty soon. Bob asked me to just, like, get the meeting going. We've got a couple, I think two groups presenting this morning, and he should be online in about 10 minutes or so.
A
I will copy and paste it in. Bob's up, Bob's chatting with me on the side while driving, which is definitely a safe thing to do. Chris, if you want to give your update, I will just paste in the update here from Kim. Sure.
F
We have a vulnerability report standard metadata, a set of metadata that we curate every once in a while. We primarily have been working on coordinated vulnerability disclosure guides. We have a developer/maintainer guide. We also have a guide for security researchers slash finders, and we have a future project: we will focus on open source consumers.
F
Right now, we are in between projects. We published the CVD guide for finders this summer, and the group is still deciding on what we would like to work on next. We have a couple projects in the hopper; potentially we'll work on that CVD guide with OSS consumers, which we got a lot of interest in from the end user working group; they might like to collaborate on it.
F
We also are potentially going to create some plugins or tooling to support the CVD guides, to actually have ways to add some automation to some of the recommendations we have in our documentation. And then there was a request for potentially making a playbook for maintainers to help them handle incidents, so something that could be a quick set of checklists that people could walk through to help them make incidents a little smoother. So we're kind of tinkering with those ideas. Right now, predominantly, we have been focused on the open source security incident response.
F
I would like that to be the end of November, but we'll see if my friends enable us to hit that deadline. And then, once the TAC provides notes, we will pass the plan on to the governing board for review and potential funding approval. And that was that for our update. Any questions I can answer for the group, the working group or the SIG?
H
I had a question. So are we planning to publish any of the other guides soon? Like, I know the one that is for the researchers is expected to go in the project repository, right?
F
In the project repository right now, everything we've written is publicly available. We've only written two guides so far. Okay, let me do the consumer one. If that's one of the projects we work on next, that'll be also in our git repo.
F
Basically, it's instructions or training on good practices around how to intake and manage vulnerabilities, and then for the finders, it's advice on how they can most effectively collaborate with the projects they're reporting to. So we do have templates, so like we do have an example SECURITY.md file in our repository; it's a resource that people can use. I think we also have a playbook for maintainers, but again we're looking at potentially making more prescriptive guidance, like when a reporter comes to a maintainer, here's a checklist you can follow to.
A
Right, thank you. Two questions coming up from the chat. You sort of answered the first one, but not sure: does the researcher guide include etiquette on how to report, or how to mass report vulnerabilities when working with maintainers? So it's not to, you know, flood them or come across poorly.
F
I don't know if we have specifics to that. The wonderful thing about the guides is they're all in delightful markdown files and patches are always welcome. So if somebody had a suggestion or wanted to file an issue against it, we definitely could work on that.
F
But I don't know if we talk about, in general, here's how upstream... there's a couple different models of how upstream ingests vulnerabilities, and we provide advice to the researchers to basically set your expectations on what you're looking for out of this disclosure up front, and for both parties to kind of listen to each other as things are being triaged. I don't know if I specifically addressed that, but if she files an issue for us, we'll be glad to make sure that gets addressed.
F
Have shared all of our mock-up logos with the OpenSSF marketing team for potential handing over to the creative team. I'm working on a new one right now, a Mergus.
I
Besides waterfowl, I was just wondering, in a proper serious question. You mentioned funding, support funding request for the SIRT, and I was just wondering if you could clarify for me: what's the funding gonna fund when it comes to this thing? Is it like permanently staffing up an emergency response team with, like, jumpsuits and backpacks and stuff like that, or... that'd be pretty cool. What's it funding?
F
The group voted that we will be proposing a volunteer-based team, so we would ask the membership to donate resources to helping with these coordinations. There are a couple staff positions we are requesting, like a full-time program manager to help manage implementation of the plan, but then help with facilitation with the volunteers.
F
It's predominantly for this particular stream. We will be asking for money for a couple FTEs, potentially tooling or cloud credits for infrastructure, because we'll need a bug intake tool potentially, and then there'll be a metric butt-ton of volunteer hours that we will be asking for the foundation to pay.
F
So we will need this many people for incident handling, this many people for advisory reporting, advisory writing, that type of thing. It's all broken down in the plan; feel free to look at it. If you have any notes today, great, but we will officially be sending to the TAC: hey, we are ready, we're done and we think this is our final proposal. Please give us final notes before we ask for funding.
A
You know, I look forward to seeing that and understanding a little bit more. Yes, I should dive in before then to understand what sort of the function you're envisioning there is.
F
I can answer. I will work on adding a license to the image, and people are free to use it. And again, I am working with Jennifer to help to see if we can get in the queue for the creative team to actually make it official. That's just, you know, me doodling, not quite as clean as what a professional artist is. I'm only an artist in my spare time.
J
They are currently with our Creative Services team, and they are currently inventorying all of the designs and styles that we have so far, and working on the digestions of moving forward and getting some good graphics for these different groups.
C
Apologies for being late. I don't know where we are on the agenda, so happy to just let you run with it for another... sure.
A
Short version is Kim wasn't here, so I shared in the update that you'd copied in, and CRob just.
A
Yes, update on the vulnerability disclosure working group, went through some Q&A on that. I think we just finished with that, and the next one would be the Diagrammers Society proposal.
F
So I sent an email to the TAC mailing list a couple months back and received a lot of interest about trying to find some way to graphically represent what the foundation is, what we do, how our parts connect. So from that we spun up a small group of folks that have been providing feedback on a series of mock-up diagrams. We've gradually been adding more and more people, and I felt that we were to the point where we might want to make this kind of official instead of a part-time job.
F
So I'm asking the TAC if they are interested in kind of formally adopting the Diagrammers Society as a SIG that we would report in to and take direction from, as we try to find ways to graphically embellish how we all snap in together. I've got us provisioned a GitHub repo, I have a mailing list for us, we have a Slack channel, and again we have a fairly steady engagement from the group, and I thought.
F
It might be interesting to actually get... like, I've been talking with Bob around his proposed proposal for the vision, which I think we're going to talk about in a couple items, and that might be a great task for this, to kind of task this group for: hey, how do we connect the vision to our existing layout as we continue to doodle.
C
Got it. So I guess any points of discussion, or I guess any questions? I have one, but I'll just defer to others first.
F
My opinion is I think it would be best aligned directly under the TAC, since we are again trying to report about foundation-level things and how all of our parts work together, and I fear if it was buried underneath another working group, it might not have the ability to have the breadth of connection. And again, I don't anticipate a lot of a burden on the TAC.
F
We would do periodic report-outs like we just did, and, you know, directly from you get feedback provided to us about what the TAC needed to be able to articulate the foundation.
C
Presumed, but I want to just make sure.
A
Hi everyone, support our new diagramming overlords.
C
So, just looking here, based on when you sent that email, CRob, I guess what I would do then is I would make a motion to call a formal vote to admit this as a new SIG. Before...
A
So it looks like the charter is not yet filled out, and so before we do a formal vote, I think we should have a charter in place that defines the scope, especially to put this directly under the TAC. CRob, how would you feel, I've not thought this through for more than five seconds, of having the scope be sort of goal-oriented, so that once it is done, the TAC approves the output?
F
I'd be fine with that. That feels appropriate, and we would... that is an item we're talking about Thursday, is trying to get goals defined on what we want on our initial deliverables. So I think that would be... I.
C
So I guess what I would do then, I'd move that once you're ready, CRob, just please open a PR against the TAC proposal and then link to the charter document. We can just do it via GitHub, yeah.
A
And I also don't... is anything actually blocked in your work, CRob, by us voting? No, there's no rush either way, then. Cool.
F
If anyone's interested in helping, we are always looking for assistance. And I just... I have stubbed myself in as the leader of this group. If someone has a big passion and wants to take hold of the reins to steer our diagramming future, I would be glad to step back and just be a participant.
C
Awesome, thanks for that, CRob. Looking next! Oh, sorry, did you have something you wanted to say, David?
C
Okay, guess not. All right, so moving on to the agenda, I think. Obviously the TAC is well aware, but I don't know if other participants are aware. The governing board and TAC had a meeting last Friday at the end of the Linux Foundation Member Summit. We had a few of the TAC members that were able to join in person, and the rest joined via...
C
A sense of what they took away from the meeting, any outstanding questions that they might have, any objections or things that they'd like to emphasize that they heard, that they loved, and really just use this as maybe an opportunity to kind of briefly recap. I do have a specific point around the technical vision that I want to come to, but before we jump to that, I guess I've just opened the floor for any thoughts or feedback.
C
Please, not all at once. I'll go first, then. I thought it was, first off, it was great just to have the governing board all together for a longer period of time. I thought the content and the fluidity of conversation, I think, was a much higher bandwidth than we've had in the past, which was amazing. I think there was kind of a general consensus in the room that we needed to do it more often, obviously in person.
C
If we can make it happen, you know. I think there were some pros and cons. I would say the pros were: I think we had a great dialogue around the identity of the foundation, kind of framed underneath a lot of the interview feedback that Sam Ramji had gathered, which was characterized as kind of like there are four different ideas around what the OpenSSF could become.
C
They aren't necessarily mutually exclusive, but in really going through and talking about kind of where we focused today and where do we want to be in the long term, I think there was, at least in a lot of the hallway conversation afterwards, I think there was a greater appreciation for the breadth of the activity that we are trying to undertake, and much of it obviously is being done right now within the projects and working groups. So.
C
Definitely a raised level of awareness of both the complexity and the challenges that exist and how much new ground we are fundamentally breaking with this foundation as compared to other open source entities that have or currently exist. I think cons, I think, you know, it was...
C
We did drive some good discussion around kind of general direction, around resource allocation as well as kind of some high-level objectives for next year. I would have loved to have seen that conversation evolve even further. I think in general there was, for those of us deeply involved in the planning, a sense of like, if we'd all come out and say we want to be everything to everyone, then that's not necessarily a great outcome. Having some level of focus and lines drawn, not to exclude things that aren't necessarily worthy, but just making sure that we do invest so that we have impact, I think is important. And I think there was, again...
C
Do everything, but not necessarily a vehement, like, we're going to stop doing X so that we can really focus to do Y. I didn't get a sense that there was that level of conviction, but, you know, overall I think, like, an intent looking for opportunities to make calls for action, you know, as well as calls for, you know, assistance for the TAC in terms of doing their job, I think was another area. It took me leaving the room and re-entering, for those of you that weren't there, but the general consensus from the board was that, you know, they want a stronger portfolio view of what is it that the foundation is doing, and they want the TAC to be...
C
You know, have a stronger voice, but my response to that was: we all want that too. We need staff and time and energy, and, frankly, we're all volunteers doing a million different things. If we want a dedicated outcome, we need to put dedicated people who are accountable to those outcomes and use the TAC as an advisory and a subject matter expert group to make sure that it's directly accurate for where we want to go.
C
But we need more support in order to make that happen, and I definitely heard an acknowledgment of that from the governing board, insomuch as the budget that will be coming forward in December will have some hiring allocated to specifically that: making sure that we are able to have a stronger voice, be able to articulate that portfolio view of what the foundation is doing, and make sure that people really do understand how that maps to our identity and where we want to go. So I think those are all positives.
C
But again, I want to open the floor for others to weigh in on things they liked, things they didn't like. Anyway, you know, any just general feedback around how we can make the meeting better next go-round would be welcome. So CRob, saw your hand first.
F
I think some of the wording threw member participants off. I also think the fact that we had now four foundations and seven working groups and ten mobilization plan streams was confusing to many of the people in the room, and I think we'd be more successful next time.
F
If we focus... we found a way to, if we're going to work that through that methodology, to tie all that together in the front so people had... it was clearly articulated to people how those different ideas relate and intersect. So I think terminology, and then just the fact that, you know, are we going with four streams now instead of the ten mobilization things, I think that just caused a little confusion for some folks, but I thought the content was worthwhile. I liked kind of how his thought process there.
E
It was interesting to see the large amount of debate on how people viewed the importance of those different four areas, and there was definitely not complete consensus on anything. So, but I think, to overstate what I heard as a general, though, with exceptions, because as I said, there's no total agreement, yeah, the discussion was definitely interesting.
E
I think we came away with, you know, number one toolchain, number two education slash uplift, and that includes standards and guides and so on, and the funder of first resort and rapid response force. I don't think I came away with everybody thought that was a horrible idea; it was just that they wanted to emphasize toolchain and education slash, you know, guidance and so on. And I think there was a little disagreement also on what the scope of this...
E
This decision would be, at least for some folks in the room. I think they were thinking 2023. Other people are thinking, hey, this is what OpenSSF wants to be when they grow up, but at least within the discussion groups on this they were really only focused on 2023, and this is a decision, you know, that can be, like all decisions, we can recheck it next year, because, you know, things can change. So I would come away with: this was an emphasis for 2023.
C
David, David Edelsohn, if I mispronounce that, go ahead.
L
That's good, yeah, thanks very much. I mean, I'm just curious, okay, I didn't attend, but even the comment about sterling toolchain, and that I'm coming from GCC and related to all the discussions about the toolchain infrastructure initiative. I was curious if any, for clarification, or, you know, exposition.
C
Yeah, I'll take a stab and encourage others to speak up as well. I think if you look across the various projects and working groups that we have right now, there's already an emergence of a collection of maybe horizontally applicable tools, and when I say horizontal, meaning across different language ecosystems, different open source communities, different frameworks, really trying to address: how do we do a more systemic job at raising out signals to consumers of open source that make it very clear...
C
...the security posture, maintainer intent and current status of the artifacts that they publish. And so while we're not... we want things to get more secure, we also want to respect and enable consumers to make more informed decisions. And so, while we will certainly invest our effort and energy against a prioritization ranking of projects to try to make sure that we are having the most impact, we also kind of envision a world where, again, consumers are very informed and the market can ultimately dictate, you know, which projects are the most popular, versus...
C
Not... we don't necessarily want to, you know, have an extremely opinionated view, insomuch as, you know, make sure that just the fundamentals are covered. People have the actual tools to do the right things that the industry generally agrees on, and then that can be sustained going forward. So when we talk about a toolchain, I think from, you know, whether it's like a new perspective or just in general, like, how do we make sure that we're generating build provenance correctly?
C
How do we make sure that digital signatures are being applied correctly? How do we make sure that package repositories and package managers have the right tools to be able to distribute content in a secure and meaningful way? You know, also looking at, like, the toolkit that's coming out of the Alpha-Omega effort, as well as package analysis, the OSV service. I mean, there's already examples of kind of common capabilities that we're building out within the OpenSSF, and it's more of a notion of...
C
Are we going to continue to be a bag of parts, or are we going to have more of an integrated portfolio, to use kind of more of a corporate phrasing around it? You know, set of capabilities. So with that I'll pause and let others weigh in; that's just my own personal characterization, but CRob, maybe.
F
I think your characterization was right, and I'm not sure everyone did the homework or took it with the... I took Sam's document as an aspirational statement. This is a theater of the possible. These are things we could do, and it could help us drive...
F
...behavior. I didn't see it as we're going this route and we're only going to do tooling, because, like, even the million developer uplift, while education is an aspect of that, developers need tools to help them; they need the forums to be able to collaborate and learn and try out new ideas.
F
But I took Sam's statements, and maybe I'm wrong, but I took those as: these are things, you know, where we could take the foundation, not necessarily this is our shopping list for 2023. And I thought the exercise where we had a couple goose bucks to spend on each of the pillars, I think that might have helped. I don't know if it's at the right tone.
F
For more of that, we didn't really settle on what our identity is, and I felt that that would be... if we kind of can confirm, like, where we want to be, what we want to do as a group, a foundation, I think that would help. Logically, things will start to fall into place after that. I would have liked to focus a little more time on that than having breastser spend 57 cents on something.
L
You know, tools of... okay, we want to create this, you know, and obviously choose, but help to ensure that there is this kind of, not idealized, but a more secure, more robust set of tools in all of these different ecosystems, which is sort of "sterling toolchain". At least that little, you know, two-word phrase can be interpreted both ways, and so trying to clarify that.
L
I didn't mean that; I just meant in terms of, you know, an idealized version of, whether it's Rust, Node.js, you know, Java, I mean not a single one, but that you want to ensure that those upstream ecosystems are as secure as possible, versus we want to create... we, the TAC and the OpenSSF, want to create the tools, the capabilities, that those communities can choose to use or not. And those are two, I mean... another, maybe it's another definition.
C
Providing value, then that does say a lot about where we're spending our time, right. But to your point, we're not trying to force or obligate anyone in the industry to go do anything, but we hope that by raising awareness and actually making specific investments and co-creating it with these, you know, whether it's Eclipse or GNU or others, like, helping to co-create it and making sure that we have best practices codified in the tools that people are using, I think that is our vision.
L
You know, and any images, very briefly, I want to again thank the TAC very, you know, graciously, and thank the governing board for the backstop you provided, and what, you know, I and Carlos O'Donnell also thank you, and we'll report next month. But, you know, we're very grateful for the efforts to help spin up the toolchain infrastructure initiative so that we can actually create, you know, implement best practices for the GNU toolchain. So thank you very much again.
C
Sure thing. David Wheeler.
E
Yeah, two quick additional notes. I did look over the, you know, the four pillars text, and it could be interpreted as, you know, there's one toolchain to rule them all, and I don't actually think that was intended. If anything, I think it was more of a... the OpenSSF is willing to focus its resources on funding areas so that we get completion, good things that are useful, as opposed to 10 things that aren't. Much more of a resource focus than I...
E
You know, I don't think anybody actually believes that there's going to be, you know, one programming language and one tool and we'll all use that singular one. I don't think anybody believes that. So you could interpret the text that way, but I don't think that was what was intended. One of the exercises that was mentioned earlier was we had a bunch of groups go out and said: hey, you know, let's imagine these four pillars, you know, assign dollars, and the goal was to try to make those uneven.
E
In other words, not 25, 25, 25. You know, basically to try to prioritize, at least for the coming year.
E
There were, I think, two people who had a hundred dollars on one single item; I don't even think it was the same item. So, but I think for most it was... I think it was more an exercise of prioritization. In other words, you know, not that it was 100 and all the others zero, but, you know, given limited resources, and we have some resources but the job is huge, so what do we focus on for the next year? You know, and I think that was really the point of the exercise.
E
I said, I came away thinking tooling number one, education number two; the others are not forbidden, it's just not what we're going to emphasize for the next year, and if that's a misunderstanding, let me know.
C
So just again, trying to be cognizant of time when we do have other things on the agenda. I'll say specifically around the pre-read that I sent out, both around the updated technical vision as well as the role of the TAC.
C
I would like to take some of the feedback, as well as the content of the pre-read that all TAC members have, and make an update to PR 129, which was basically the project to update our technical vision. So I guess, based on the meeting last week and some of the other conversations that we've had, I'd like to update that PR and give it to the TAC members to ultimately take one last final noodle on, and if we need more conversation, that's great.
C
But if we feel like we do have consensus around the vision now, given all of this context, I think we may be able to move to get that merged and have that be another feather in our...
C
...year on a high note, and shift into more of an execution mode next year. So I'll be pushing up those updates this week and would encourage feedback and discussion in that PR. Last point I will make on last week's meeting is we do have a governing board meeting coming up on December 1st. All TAC members should already have an invite on their calendar to participate.
C
Imagining that's going to be a fairly lengthy discussion, given the budget and, again, given other things, but as soon as we have the agenda lined up with Brian, we will send that out. Last call for any questions on last week's meeting. Otherwise we'll go ahead and move on to other topics on today's agenda.
C
Cool. Next on the agenda was more of a reminder for me, but to bring up with all of you as well. I think we had the good work done earlier this year around...
C
It's going off of PR numbers, project PR 112, but essentially it was a project lifecycle associated with the foundation. I think it is another lofty goal for the end of this year that's worth doing, is going through and making sure that we have appropriate characterizations of the existing projects within the foundation as to their state of sandbox...
C
...incubating, graduated or archived. I recently pushed up a PR to update the table of all of our projects on the TAC repo, which all of you plus-one'd, and we did merge, which I do appreciate, but I do think we need to go back and make sure that we have that conversation with the individual projects themselves and also raise up...
C
You know, the benefits that we, the TAC, would like our projects to fundamentally have, and also take that as input into some of the staffing and budget conversations for next year. So maybe more of a call to action. I guess what I would propose, in looking for TAC member feedback on this, I would propose that maybe we either have an explicit conversation with working group leads or ask them to self-nominate a status of where they believe the project to currently...
C
...or just batch them up into one final PR to where we can have clarity going out through the end of the year around where does everything stand in the foundation, so that we start kind of fresh without that technical debt in 2023. So CRob, I see your hand up.
C
I don't know that I would call you that, but I think time management is certainly a critical component of this. I think having just a table that's all listed there would certainly be there. We could certainly start with a self-nomination, and then the TAC essentially needs to, you know, go through an evaluation process around where we feel like, if those nominations are...
C
...or if we need to make revisions. Ultimately I think it's the TAC's role to make that determination. So.
C
CJ offering to help with this, and so that would certainly be appreciated, but I guess any... Just starting an email out to the working group leads and asking for them to submit a nomination. We actually have... we don't have a TAC meeting in two weeks; we have one a month from now, so that actually gives us a little bit of buffer time to hopefully assemble this, and we're not under a lot of pressure to get it done within a week.
C
So yeah, thumbs up from CRob, see no other emotion emojis or comments to the negative. So a loop thumbs up all across. Okay.
C
So we'll look to get that done. I already spilled the beans on the next meeting item, which is we do not have a TAC meeting in two weeks due to the holiday and availability at that time in the US. We will have a meeting, as I mentioned, the governing board meeting on the first, and then we have a TAC meeting coming up four weeks from today, so that will be our last meeting for 2022.
C
I believe we do have a meeting on the 13th which, as David mentioned, we will have the GNU toolchain infrastructure or initiative. I always forget which the I stands for, whether it's the infrastructure or initiative, but whatever the letter stands for, we'll have them join and give an update at that point.
C
I've also... we'll be asking the end users working group to give an update, since we have not heard from them since their creation, but we'll look to drive that, as well as maybe the formal votes on some of the other items if we have not dealt with them electronically. So just a heads up there. David, I see your hand up.
C
Awesome, all right, let's see. Michael Scovetta had added something in here around assurance assertions, so Michael, over to you, if... yeah.
M
I just threw this on, so this was kind of unplanned, but I want to give everybody a heads up that, so through AO we're looking at essentially creating assertions that assurance work has been done. So we've done a code review of a thing, we've run a tool against a thing, we've verified it's reproducible, we've... whatever, we've done a thing.
M
We want to communicate that out in a way that is not a spreadsheet or a list or a website that you have to search on. Assertions seem like a reasonable kind of way to do it. The way that I've internalized what else is out there is that, like, things like in-toto attestations are the envelope that a statement could be inside of; what we're talking about is the statement. And my video... but I hope you guys can still hear me.
M
So
the
the
types
of
assertions
that
we're
looking
for
are,
as
I
said,
you
know
no
critical
vulnerabilities
were
found.
You
know
sorry,
no,
no
critical,
cves
are
known
as
of
this
date
and
it's
time
stamped
because
that's
in
the
assertion
and
it's
signed
and
all
that
stuff.
So
it's
as
it's
a
very
early
experiment.
We
don't
even
have
proof
of
concept,
but
the
API
surface
would
basically
be
you
generate
an
insertion
of
a
of
a
type
against
the
package.
M
You
store
it
someplace
public
and
then
other
folks
can
consume
it
by
saying
I
run
this
policy
against
the
set
of
assertions
for
a
subject.
You
know
the
npm
left
pad
so
that
so
so
the
magic
is
in
the
is
in
the
policy,
so
the
policy
says
all
of
the
projects
that
I
use
must
be
reproducible.
None
of
them
can
have.
You
know
unpacked,
you
know
critical,
cve
or
whatnot,
and
so
we're
we're
working
through
the
conversation
of
what
should
be
in
there.
M
Should
we
embed
evidence,
should
we
not
embed
evidence?
Should
we
include
details
or
not
details?
Are
you
trusting
the?
Is
this
about
transparency,
or
is
it
or
is
this
about
trusting
a
third
party
to
do
a
thing
that's
happening
in
the
in
issue
28
under
under
the
AO
site,
there
was
a
mvsr
that
kind
of
describes.
M
What
we're
trying
to
do
feedback
very
much
appreciated
I
am
so
to
be
super.
Clear,
I
am
not
trying
to
step
on
the
toes
of
in
Toto
or
skit
or
salsa
or
s2c2f,
or
anything
else.
If
I
am,
it
is
accidental
and
please
let
me
know,
I
would
very
much
like
to
align
this
work
with
that
with
many
of
those
and
and
enable
you
know,
for
example,
scorecard
you
know
essentially
running
scorecard
and
then
providing
the
output
of
that
as
an
assertion
so
that
you
have
a
time
stamped.
M
You
know,
as
of
this,
this
date
scorecard
says,
says
you
know,
says
X
and
things
like
that,
but
I
do
I,
would
like
this
wrapped
up
in
a
larger
assertion:
packaging
enveloping
time,
stamping
format
so
that
I
don't
so
that
I
don't
have
to
worry
about
that.
I
can
just
worry
about
the
chocolatey
goo
on
the
inside.
M
C
I
appreciate
the
idea:
I
guess
the
the
one
question,
and
maybe
premature
from
my
side
is:
where
would
you
envision
this
living
still
underneath
Alpha
Omega
or
just
more
generically
within
the
open
ssf
as
a
proper
project
under
a
working
group?
I
guess,
or
is
it
just
too
early
to
talk.
M
I
think
it's
too
early,
but
it
doesn't
feel
like
it
should
live
under
a
oh
long
term.
I
think
in
order
to
you
know
to
incubate
it
to
the
point
that
there's
something
real
or
real-ish
sure
but
I
I
think
it's
it's
it's
more
General
I
mean
the
the
the
itch
that
I'm
trying
to
scratch.
Very
tactically
is
we're
going
to
do
a
lot
of
things
with
particularly
Omega,
and
we
need
to
communicate
that
out.
M
B
Hey
very
interesting
one
just
really
quick
question:
where
can
we
find
out
more
and
get
involved,
and
things
like
this.
M
So
there
is
the
so
there
are
three
links
in
the
in
the
tech
meeting
notes
right
now.
The
best
place
is
just
to
join
that
the
conversation
on
the
on
the
issue
we're
going
to
talk.
M
We
we've
been
talking
about
it
in
the
identifying
security
threats
working
group
meeting,
so
the
next
meeting
of
that
would
be
a
great
way
to
get
involved
or,
if
you
just
want
to
have
a
deeper
conversation,
happy
to
have
that
anytime,
but
I
think
most
of
the
back
and
forth
is
in
is
in
the
issue
right
now,.
A
M
D
C
Okay,
put
it
in
the
chat
as
well.
Thank
you
all
right.
Any
other
topics
from
Tech
members
for
today.
J
Well,
I'm,
not
a
tech
member,
but
I
did
want
to
bring
up
briefly
that
we
are
working
on
our
annual
first
annual
report
for
openssf
as
a
whole
and
so
have
asked
for
contributions
from
each
of
the
co-working
groups.
J
C
I
appreciate
that
that's
my
bad
for
not
not
parsing
through
the
emails
and
reminding
folks
I
appreciate
you
keeping
me
honest,
Jennifer
all
right,
any
any
other
points
of
discussion
otherwise
and
we'll
end
with
a
thank
you
to
all
the
tech
members.
C
I
know
it's
been
a
very
busy
last
several
months
of
getting
things
done,
culminating
with
a
fair
bit
of
the
discussion
last
week,
so
appreciate
everyone's
engagement
and
help
and
look
forward
to
getting
a
little
bit
of
a
break
next
week
and
also
then
reconvening
ahead
of
the
governor.
We're
meeting
on
the
first.
D
K
Yeah,
just
just
a
quick
reminder:
we
posted
a
our
Jennifer
was
kind
enough
to
send
the
blog
post
for
the
s2c2f
contribution
to
the
openness
itself
to
the
tech.
Private
email
and
Abhishek
was
kind
enough
to
go
in
there
and
throw
some
comments
in.
But
if
anybody
else
has
some
comments
that
you
know
today
today
would
be
the
day
to
do
it
as
we
are
planning
to
resolve
some
of
those
and
then
kind
of
kind
of
try
to
get
it
out,
get
it
out
tomorrow.
K
So
if
anyone
else
has
any
more
comments,
that
we'd
greatly
appreciate
them,
go
ahead
and
and
make
your
comments
or
or
give
a
thumbs
up
or
something
just
so
that
we
have
a
consensus
from
the
attack
that
it's
good
to
go.
C
Okay,
all
right
thanks
for
the
reminder.
It's
certainly
a
second.
If
folks
haven't
taken
a
look
at
that,
please
do
all
right
with
that.
We'll
we'll
end
five
minutes
early
thanks
already
as
an
engagement
today,
and
we
will
see
everybody
else
out.
There
take
care.