►
From YouTube: OpenSSF TAC (November 15, 2022)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
D
A
D
A
F
A
A
E
A
D
B
A
E
A
F
D
F
A
F
F
We
have
a
vulnerability
report,
standard
metadata,
set
of
metadata
that
we
curate
every
once
in
a
while.
We
primarily
have
been
working
on
coordinated
vulnerability,
disclosure
guides.
We
have
a
developer
maintainer
guide.
We
also
have
a
guide
for
security,
researchers,
slash
finders
and
we
have
a
future
project.
We
will
focus
on
open
source
consumers.
F
Right
now,
we
are
in
between
projects.
We
published
the
CBD
guide
for
finders
this
summer
and
the
group
is
still
deciding
on
what
we
would
like
to
work
on.
Next,
we
have
a
couple
projects
in
the
hopper,
potentially
we'll
work
on
that
CBD
guy
with
OSS
consumers,
which
we
got
a
lot
of
interest
from
the
end
user
working
group
they
might
like
to
collaborate
on.
F
We
also
are
potentially
going
to
create
some
plugins
or
tooling
to
support
the
CBD
guides
actually
have
ways
to
add
some
automation
to
some
of
the
recommendations
we
have
on
our
documentation
and
then
there
was
a
request
for
potentially
making
a
playbook
for
maintainers
to
help
them
handle
incidents,
so
something
that
could
be
a
quick
check
set
of
checklists
that
people
could
walk
through
to
help
them
make
incidents
a
little
smoother
so
that
we're
kind
of
tinkering
with
those
ideas.
Right
now
predominantly,
we
have
been
focused
on
the
open
source
security
incident
response.
F
F
I
would
like
that
to
be
the
end
of
November,
but
we'll
see
if
my
friends
enable
us
to
hit
that
deadline,
and
then
we
will
once
the
TAC
provides
notes.
We
will
pass
the
plan
on
to
the
governing
board
for
review
and
potential
funding
approval,
and
that
was
that
for
our
update
any
questions.
I
can
answer
for
the
group
The
working
group
or
the
Sig.
F
H
F
H
H
F
Basically,
it's
instructions
or
training
on
good
practices
around
how
to
intake
and
manage
vulnerabilities
and
then
for
the
finders.
It's
advice
on
how
they
can
most
effectively
collaborate
with
the
projects
they're
reporting
to
so
we
do
have
templates
so
like
we
do
have
an
example:
security
MD
file.
In
our
repository,
it's
a
resource
that
people
can
use
I
think
we
also
have
a
playbook
for
maintainers,
but
again
we're
looking
at
potentially
making
more
prescriptive
guidance
like
when
a
reporter
comes
to
a
maintainer.
Here's,
a
checklist
you
can
follow
to.
F
A
F
I
Besides
waterfowl
I
was
just
wondering
in
a
a
proper
serious
question.
You
mentioned
funding,
support
funding,
request
for
cert
and
I
was
just
wondering
if
you
could
be
clarify
for
me.
What's
the
funding
gonna
fund
when
it
comes
to
this
thing,
is
it?
Is
it
like
permanently
Staffing
up
an
emergency
response
team
with
like
jumpsuits
and
backpacks
and
stuff
like
that
or
or
is
it
that'd
be
pretty
cool?
What's
it
funding.
F
The
group
voted
that
we
will
be
proposing
a
volunteer-based
team,
so
we
would
ask
the
membership
to
donate
resources
to
helping
with
these
coordinations.
There
are
some
a
couple
staff
positions.
We
are
requesting,
like
a
full-time
program
manager,
to
help
manage
implementation
of
the
plan,
but
then
help
with
facilitation
with
the
volunteers.
F
It's
predominantly
for
this
particular
stream.
We
will
be
asking
for
money
for
a
couple:
ftes,
potentially
tooling,
or
Cloud
credits
for
infrastructure,
because
we'll
need
of
a
a
bug,
intake
tool
potentially
and
then
there'll
be
a
metric
butt
ton
of
volunteer
hours
that
we
will
be
asking
for
the
foundation
to
pay.
F
So
we
will
need
this.
Many
people
for
incident
handling
this
many
people
for
advisory
reporting
advisory.
Writing
that
type
of
thing
it's
all
broken
down
in
the
plan.
You
could,
you
feel,
free
to
look
at
it.
If
you
have
any
notes
today
great,
but
we
will
officially
be
sending
to
the
tech
hey,
we
are
ready,
we're
done
and
we
think
this
is
our
final
proposal.
Please
give
us
final
notes
before
we
ask
for
funding.
D
F
I
can
answer,
I
will
work
on
adding
a
license
to
the
image,
and
people
are
free
to
use
it
and
again,
I
I
am
working
with
Jennifer
to
help
to
see
if
we
can
get
in
the
queue
for
the
creative
team
to
actually
make
it
an
official.
That's
just
you
know
me
doodling,
not
quite
as
clean
as
what
a
professional
artist
is.
I
only
want
artists
in
my
spare
time.
D
A
F
So
I
sent
an
email
to
the
TAC
mailing
list,
a
couple
months
back
and
received
a
lot
of
interest
about
trying
to
find
some
way
to
graphically
represent
what
the
foundation
is,
what
we
do,
how
our
parts
connect.
So
from
that
we
spun
up
a
small
group
of
folks
that
have
been
providing
feedback
on
a
series
of
mock-up
diagrams
we've
gradually
been
adding
more
and
more
people
and
I
felt
that
we
were
to
the
point
where
we
might
want
to
make
this
kind
of
official
instead
of
a
part-time
job.
F
So
I'm
asking
the
tech
if
they
are
interested
in
kind
of
formally
adopting
the
diagram
or
society
as
a
Sig
that
we
would
report
in
and
take
direction
from,
as
we
try
to
find
ways
to
graphically
embellish
how
we
all
snap
in
together,
I
I've,
got
us
provisioned
a
GitHub
repo
I
have
a
mailing
list
for
us.
We
have
a
slack
Channel
and
it's
again
we
have
a
fairly
steady
engagement
from
the
group
and
I
thought.
F
It
might
be
interesting
to
actually
get
like
I've
been
talking
with
Bob
around
his
proposed
proposal
for
the
vision
which
I
think
we're
going
to
talk
about
in
a
couple
items,
and
that
might
be
a
great
task
for
this
to
kind
of
task.
This
group
for
hey.
How
do
we
connect
the
vision
to
our
existing
layout
as
we
continue
to
doodle.
C
F
I
my
opinion
is
I
think
it
would
be
best
aligned
directly
under
the
tack,
since
we
are
again
trying
to
report
the
found
about
Foundation
level
things
and
how
all
of
our
parts
work
together
and
I
fear.
If
it
was
buried
underneath
another
working
group,
it
might
not
have
the
ability
to
have
the
the
breadth
of
connection
and
again
I,
don't
anticipate
a
lot
of
a
burden
on
the
attack.
C
A
That
so
it
looks
like
the
charter
is
not
yet
filled
out,
and
so
before
we
do,
a
formal
vote.
I
think
we
should
have
a
charter
in
place
that
defines
the
scope,
especially
to
put
this
directly
under
the
tack
probe.
How
would
you
feel
I've
not
thought
this
through
more
for
more
than
five
seconds
of
having
the
scope
be
sort
of
goal
oriented
so
that
once
it
is
done,
the
attack
approves
the
output.
A
F
E
C
A
F
C
C
Okay,
guess
not
all
right
so
moving
on
to
the
agenda
I
think.
Obviously
the
attack
is
well
aware,
but
I
don't
know
if
other
participants
are
are
aware.
The
governing
board
and
Tac
had
a
meeting
last
Friday
at
the
end
of
the
Linux
Foundation
member
Summit.
We
had
a
few
of
the
attack
members
that
were
able
to
join
in
person
and
the
rest
joined
via.
K
D
K
C
A
sense
of
what
they
took
away
from
the
meeting
any
any
outstanding
questions
that
they
might
have
any
objections
or
things
that
they'd
like
to
emphasize
that
they
heard
that
they
loved
and
really
just
use
this,
as
maybe
a
an
opportunity
to
kind
of
brief.
Briefly
recap:
I
do
have
a
specific
point
around
the
technical
Vision
that
I
want
to
come
to,
but
before
we
jump
to
that
I
guess,
I've
just
opened
the
floor
for
any
any
thoughts
or
feedback.
C
Please
not
all
at
once:
I'll
I'll
go
first,
then
I
thought
it
was
first
off.
It
was
great
just
to
have
the
governing
board
all
together
for
a
longer
period
of
time.
I
thought
the
the
con
about
the
content
and
the
the
the
fluidity
of
conversation,
I
think
was
a
much
higher
bandwidth
than
we've
had
in
the
past,
which
was
amazing,
I
think
there
was
kind
of
a
general
consensus
in
the
room
that
we
needed
to
do
it
more
often,
obviously
in
person.
C
If
we
can,
if
we
can
make
it
make
it
happen,
you
know,
I
think
the
there
were
some
pros
and
cons.
I
would
say
the
pros.
Were
we
I
think
we
had
a
great
dialogue
around
the
identity
of
the
foundation
kind
of
framed
underneath
a
lot
of
the
interview
feedback
that
Sam
ramji
had
had
gathered,
which
was
characterized
as
kind
of
like.
There
are
four
different
ideas
around
what
the
open
ssf
could
become.
C
They
aren't
necessarily
mutually
exclusive,
but
in
really
going
through
and
talking
about
kind
of
where,
where
we
focused
today
and
where
do
we
want
to
be
in
the
long
term,
I
think
there
was
at
least
in
a
lot
of
the
hallway
conversation
afterwards.
I
think
there
was
a
greater
appreciation
for
the
breadth
of
the
activity
that
we
are
trying
to
undertake,
and
much
of
it
obviously
is
is
being
done
right
now
within
the
projects
and
working
groups.
So.
C
You
know,
have
a
stronger
voice,
but
my
response
to
that
was:
we
all
want
that
too.
We
need
staff
and
time
and
energy
and,
frankly,
we're
all
volunteers
doing
a
million
different
things.
If
we
want
a
dedicated
outcome,
we
need
to
put
dedicated
people
who
are
accountable
to
those
outcomes
and
use
the
talk
as
a
as
an
advisory
in
a
subject
matter
expert
group
to
make
sure
that
it's
directly
accurate
for
where
we
want
to
go.
C
But
we
need
more
support
in
order
to
make
that
happen,
and
I
I
definitely
heard
an
acknowledgment
of
that
from
the
governing
board
in
in
so
much
as
the
budget
that
will
be
coming
forward
in
December.
We'll
have
have
some
hiring
allocated
to
specifically
that
making
sure
that
we
are
unable
to
have
a
stronger
voice,
be
able
to
articulate
that
portfolio
view
of
what
the
foundation
is
doing
and
make
sure
that
people
really
do
understand
how
that
maps
to
our
identity
and
where
we
want
to
go
so
I
think
those
are
all
positives.
C
F
F
F
If
we
focus
we
found
a
way
to
if
we're
going
to
work
that,
through
that
methodology
to
tie
all
that
together
in
the
front
so
people
had,
it
was
clearly
articulated
to
people
how
those
different
ideas
how
they
relate
and
intersect
so
I,
think
terminology,
and
then
just
the
fact
that
you
know
are
we
going
with
four
streams
now,
instead
of
the
ten
mobilization,
things
I
think
that
was
just
that
caused
a
little
confusion
for
some
folks,
but
I
thought
the
content
was
worthwhile.
I
I
liked
kind
of
how
his
thought
process
there.
E
E
I
think
we
came
away
with
you
know
number
one
tool
chain,
number
two
education,
slash
uplift,
and
that
includes
standards
and
guides,
and
so
on
and
the
funder
First
Resort
and
rapid
response,
Force,
I,
I,
don't
think
I
came
away
with
everybody
thought
that
was
a
horrible
idea.
It
was
just
that
they
wanted
to
emphasize
tool
chain
and
education,
slash,
you
know,
guidance
and
so
on
and
I
I
think
there
was
a
little
disagreement
also
on
what
on
what
the
scope
of
this.
E
This
decision
would
be,
at
least
for
some
folks
in
the
room.
I
think
they
were
thinking
2023.
Other
people
are
thinking
hey.
This
is
what
openness
SF
wants
me
grow
up
when
they
grow
up,
but
at
least
within
the
discussion
groups
on
this
they
were
really
only
focused
on
2023.,
and
this
is
a
decision.
You
know
that
can
be
read
like
all
decisions.
We
can
reinvent
recheck
it
next
year,
because
you
know
things
can
change
so
I
I
I
would
come
away
with.
This
was
a
emphasis
for
2023.
E
L
That's
good
yeah
thanks
very
much
I
mean
I'm,
just
curious,
okay,
I
didn't
attend,
but
even
the
the
comment
about
Sterling
tool
chain
and
that
I'm
coming
from
GCC
and
related
to
all
the
discussions
about
the
tool
chain
infrastructure
initiative.
I
was
curious.
If
any
for
clarification-
or
you
know,
exposition.
C
Yeah
I'll
take
a
stab
and
encourage
others
to
to
speak
up
as
well.
I
think
if
you
look
across
the
various
projects
and
working
groups
that
we
have
right
now,
there's
already
an
emergence
of
a
collection
of
maybe
horizontally
applicable
tools
and
when
I
say
horizontal,
meaning
across
different
language
ecosystems,
different
open
source
communities,
different
Frameworks,
really
trying
to
address.
How
do
we
do
a
more
systemic
job
at
raising
out
signals
to
Consumers
of
Open
Source
that
make
it
very
clear?
C
The
security
posture,
maintainer
intent
and
current
status
of
the
artifacts
that
they
publish,
and
so
while
we're
not,
we
want
things
to
get
more
secure.
We
also
want
to
re
respect
and
enable
consumers
to
make
more
informed
decisions,
and
so,
while
we
will
certainly
invest
our
effort
and
energy
against
a
prioritization
ranking
of
projects
to
try
to
make
sure
that
we
are
having
the
most
impact,
we
also
kind
of
Envision
a
world
where
again,
consumer
consumers
are
very
informed
and
the
market
can
ultimately
dictate
where
you
know
which
projects
are
the
most
popular
versus.
C
Not
we
don't
necessarily
want
to
take
a
you
know,
have
an
extremely
opinionated
view
in
so
much
as
you
know,
make
sure
that
just
the
fundamentals
are
covered.
People
have
the
actual
tools
to
do
the
right
things
that
the
industry
generally
agrees
on
and
then
that
that
can
be
sustained
going
forward.
So
when
we
talk
about
a
tool
chain,
I
think
from
you
know
whether
it's
like
a
new
perspective
or
just
in
general,
like
how
do
we
make
sure
that
we're
generating
build
provenance
correctly?
C
How
do
we
make
sure
this
digital
signatures
are
being
applied
correctly?
How
do
we
make
sure
that
package
repositories
and
package
managers
have
the
right
tools
to
be
to
be
able
to
distribute
content
into
secure
and
meaningful
way?
You
know
also
looking
at,
like
the
toolkit.
That's
coming
out
of
the
alpha
omega
effort
as
well
as
package
analysis.
The
osv
service
I
mean
there's,
there's,
there's
already
examples
of
kind
of
common
capabilities
that
we're
building
out
within
the
open
ssf,
and
it's
more
of
a
notion
of.
C
F
F
But
I
I
took
Sam's
statements
and
maybe
I'm
wrong,
but
I
took
those
as
these
are
things
you
know
where
we
could
take
the
foundation.
Not
necessarily
this
is
our
shopping
list
for
2023
and
I
thought
the
X
the
exercise
where
we
had
a
couple
Goose
bucks
to
spend
on
each
of
the
pillars.
I
think
that
might
have
helped
I,
don't
know
if
it's
at
the
right
tone.
F
For
more
of
that,
we
didn't
really
settle
on
what
our
identity
is
and
I
felt,
that
that
would
be
if
we
kind
of
can
confirm
like
where
we
want
to
be
what
we
want
to
do
as
a
group,
a
foundation
I
think
that
would
help.
Logically,
things
will
start
to
fall
into
place
after
that.
I
would
have
liked
to
focus
a
little
more
time
on
that
than
having
breastser
spend
57
cents
on
something.
C
L
L
I
didn't
mean
that
I
just
meant
in
terms
of
you
know
a
idealized
version
of
whether
it's
Russ,
no
JS,
you
know
Java
I
mean
not
a
single
one,
but
that
you
want
to
ensure
that
those
Upstream
ecosystems
are
as
secure
as
possible
versus
we
want
to
create.
We,
the
the
attack
and
the
open
ssf,
want
to
create
the
tools,
the
capabilities
that
those
communities
can
choose
to
use
or
not,
and
those
are
two
I
mean
I
mean
another.
Maybe
it's
another
definite.
K
C
Providing
value,
then
that
does
says
a
lot
about
the
where
we're
spending
our
time
right,
but
but
to
your
point,
we're
not
trying
to
force
or
or
obligate
anyone
in
the
industry
to
go
do
anything,
but
we
hope
that
by
raising
awareness
and
actually
making
specific,
Investments
and
co-creating
it
with
these,
you
know
whether
it's
eclipse
or
canoe
or
others
like
like
helping
the
co-create
it
and
making
sure
that
we
have
best
practices
codified
in
the
tools
that
people
are
using.
I,
think
that
is
our
vision.
You.
L
Know
and
any
images
very
briefly,
I
want
to
again
thank
the
tech.
Very
you
know
graciously
and
thank
the
governing
board
for
the
backstop
you
provided
and
what
what
you
know
I
and
Carlos
O'donnell-
also
thank
you
and
we'll
report
next
month,
but
you
know
we're
very
grateful
for
the
efforts
to
help
spin
up
the
the
tool
chain
infrastructure
initiative
so
that
we
can
actually
create
you
know
Implement
best
practices
for
the
gnu
tool
chain.
So
thank
you
very
much
again.
L
E
Yeah
two
two
quick
additional
notes:
I
I
I
did
look
over
the
you
know
the
four
pillars
text
and
it
could
be
interpreted
as
you
know,
there's
one
chain,
one
one
tool
chain
to
rule
them
all
and
I:
don't
actually
think
that
was
intended.
If
anything
I
think
it
was
more
of
a
the
openness
of
willing
to
focus
its
resources
on
funding
areas
so
that
we
get
completely
completion
good
things
that
are
useful,
as
opposed
to
10
things
that
aren't
much
more
of
a
resource
Focus
than
I.
E
You
know,
I,
don't
think
anybody
actually
believes
that
there's
going
to
be,
you
know
one
programming,
language
and
one
tool
and
we'll
all
use
that
singular
one
I
I.
Don't
think
anybody
believes
that
so
I
I
you,
you
could
interpret
the
text
that
way,
but
I
don't
think
that
was
what
was
intended.
One
of
the
exercises
that
was
mentioned
earlier
was
we
had
a
bunch
of
groups,
go
out
and
said:
hey,
you
know,
let's
imagine
these
four
pillars,
you
know
assigned
dollars
and
the
goal
was
to
try
to
make
those
uneven.
E
E
There
were
I
think
two
people
who
had
a
hundred
dollars
on
one
single
item:
I,
don't
even
think
it
was
the
same
item
so
but
I
think
for
most
it
was
I
think
it
was
more
an
exercise
of
prioritization.
In
other
words,
you
know
not
that
it
was
1
100
and
all
the
other
zero.
But
you
know
given
limited
resources
and
we
have
some
resources,
but
the
job
is
huge.
So
what
do
we
focus
on
for
the
next
year?
You
know
and
I
think
that
was
really
the
point
of
the
exercise.
E
C
C
I
would
like
to
take
some
of
the
feedback,
as
well
as
the
content
of
the
pre-read
that
all
tack
members
have
and
make
an
update
to
PR
129,
which
was
basically
the
project
to
update
our
technical
Vision.
So
I
guess,
based
on
the
meeting
last
week
and
some
of
the
other
conversations
that
we've
had
I'd
like
to
update
that
that
PR
and
give
it
to
the
attack
members
to
ultimately
take
one
last
final
noodle
on
and
if
we
need
more
conversation,
that's
great.
C
Year
on
a
high
note
and
and
shift
into
more
of
an
execution
mode
next
year,
so
I'll
be
pushing
up
those
Updates
this
week
and
would
encourage
feedback
and
discussion
in
the
in
that
PR
oud
last
point
I
will
make
on
last
week's
meeting
is
we
do
have
a
governing
board
meeting
coming
up
on
December
1st?
All
Tac
members
should
already
have
an
invite
on
their
calendar
to
participate.
C
Imagining
that's
going
to
be
a
fairly
lengthy
discussion,
given
the
budget
and
again
give
it
other
things
but
we'll
as
soon
as
we
have
the
agenda
lined
up
with
Brian,
we
will
send
that
out
last
call
for
any
questions
on
on
last
week's
meeting.
Otherwise
we'll
go
ahead
and
move
on
to
other
topics
on
today's
agenda.
C
It's
going
off
of
PR
numbers
project,
PR
112,
but
essentially
was
a
Project
Life
Cycle
associated
with
the
foundation.
I
think
it
is
another
lofty
goal
for
the
end
of
this
year.
That's
worth
doing
is
going
through
and
making
sure
that
we
have
appropriate
characterizations
of
the
existing
projects
within
the
foundation
as
to
their
state
of
sandbox.
C
Incubating
graduated
or
archived
I
recently
pushed
up
a
PR
to
update
the
title,
the
table
of
all
of
our
projects
on
the
TAC
repo,
which
all
of
you
plus
one,
and
we
did
merge,
which
I
do
appreciate,
but
I
do
think.
We
need
to
go
back
and
make
sure
that
we
have
that
conversation
with
the
individual
projects
themselves
and
also
raise
up.
C
You
know
the
the
benefits
that
we
attack
would
like
our
projects
to
fundamentally
have,
and
also
take
that
as
input
into
some
of
the
Staffing
and
budget
conversations
for
next
year.
So
maybe
more
of
a
call
to
action
I
will
we'll
be
I,
guess
what
I
would
propose
in
looking
for
tack.
Member
feedback
on
this
I
would
propose
that.
Maybe
we
either
have
an
explicit
conversation
with
working
group
leads
or
ask
them
to
to
to
self-nominate
a
status
of
where
they
believe
the
project
to
currently.
K
C
F
C
I,
don't
know
that
I
would
call
you
that,
but
but
I
think
time
management
is
certainly
a
critical
component
of
this
I.
Think
having
just
a
table,
that's
all
listed
there
would
be,
would
certainly
be
there.
We
could
certainly
start
with
a
self-nomination,
and
an
attack
essentially
needs
to.
You
know,
go
through
an
evaluation
process
around
where
we
feel
like.
If
those
our
nominations
are.
C
C
Cj
offering
to
to
help
with
this,
and
so
that
would
certainly
be
appreciated,
but
I
guess
any
any.
Just
starting
an
email
out
to
the
working
group
leads
and
asking
for
them
to
submit
a
nomination.
We
actually
have.
We
don't
have
attack
meeting
in
two
weeks.
We
have
one
a
month
from
now,
so
that
actually
gives
us
a
little
bit
of
buffer
time
to
hopefully
assemble
this
and
we're
not
under
a
lot
of
pressure
to
get
it
done
within
a
week.
C
F
C
So
we'll
look
to
get
that
done.
I
already
spilled
the
beans
on
the
next
meeting
item,
which
is
we
do
not
have
a
tax
meeting
in
two
weeks
due
to
the
holiday
and
availability.
At
that
time.
In
the
US
we
will
have
a
meeting,
as
I
mentioned
the
the
governing
word
meeting
on
the
first,
and
then
we
have
a
Tac
meeting
coming
up
on
four
weeks
from
today,
so
that
will
be
our
last
meeting
for
2022.
C
I
believe
we
do
have
a
meeting
on
the
13th
which,
as
as
David
mentioned,
we
will
have
the
gnu
tool
chain,
infrastructure
or
initiative.
I,
always
forget
which
the
I
stands
for,
whether
it's
the
infrastructure
or
initiative
but
I,
whatever
the
whatever
the
the
letter
stands
for
we'll
have
them
join
and
give
an
update
at
that
point.
C
I've
also
We'll
be
asking
the
end
users
working
group
to
give
an
update,
since
we
have
not
heard
from
them
since
their
creation,
but
we'll
look
to
drive
that
as
well
as
maybe
the
the
formal
votes
on
some
of
the
other
items
if
we
have
not
dealt
with
them
electronically.
So
just
a
heads
up
there,
David
I,
see
your
hand
up.
C
M
I
just
threw
this
on
so
this
was
kind
of
unplanned,
but
I
want
to
give
everybody
a
heads
up
that
we
so
through
AO
we're
looking
at
essentially
creating
assertions
that
assertions
that
Assurance
work
has
been
done.
So
we've
done
a
code
review
of
a
thing:
we've
run
a
tool
against
a
thing:
we've
verified:
it's
reproducible,
we've
whatever
we've
we've
done
a
thing.
M
We
want
to
communicate
that
out
in
a
way
that
is
not
a
spreadsheet
or
a
list
or
a
website
that
you
have
to
search
on
assertions
seem
like
a
reasonable
kind
of
way
to
do
it.
The
way
that
I've
internalized
what
else
is
out
there
is
that,
like
things
like
in
total
assertions,
are
the
envelope
that
a
a
statement
could
be
inside
of
what
we're
talking
about
is
the
statement
and
my
video
but
I
hope
you
guys
can
still
hear
me.
M
So
the
the
types
of
assertions
that
we're
looking
for
are,
as
I
said,
you
know
no
critical
vulnerabilities
were
found.
You
know
sorry,
no,
no
critical,
cves
are
known
as
of
this
date
and
it's
time
stamped
because
that's
in
the
assertion
and
it's
signed
and
all
that
stuff.
So
it's
as
it's
a
very
early
experiment.
We
don't
even
have
proof
of
concept,
but
the
API
surface
would
basically
be
you
generate
an
insertion
of
a
of
a
type
against
the
package.
M
You
store
it
someplace
public
and
then
other
folks
can
consume
it
by
saying
I
run
this
policy
against
the
set
of
assertions
for
a
subject.
You
know
the
npm
left
pad
so
that
so
so
the
magic
is
in
the
is
in
the
policy,
so
the
policy
says
all
of
the
projects
that
I
use
must
be
reproducible.
None
of
them
can
have.
You
know
unpacked,
you
know
critical,
cve
or
whatnot,
and
so
we're
we're
working
through
the
conversation
of
what
should
be
in
there.
M
Should
we
embed
evidence,
should
we
not
embed
evidence?
Should
we
include
details
or
not
details?
Are
you
trusting
the?
Is
this
about
transparency,
or
is
it
or
is
this
about
trusting
a
third
party
to
do
a
thing
that's
happening
in
the
in
issue
28
under
under
the
AO
site,
there
was
a
mvsr
that
kind
of
describes.
M
What
we're
trying
to
do
feedback
very
much
appreciated
I
am
so
to
be
super.
Clear,
I
am
not
trying
to
step
on
the
toes
of
in
Toto
or
skit
or
salsa
or
s2c2f,
or
anything
else.
If
I
am,
it
is
accidental
and
please
let
me
know,
I
would
very
much
like
to
align
this
work
with
that
with
many
of
those
and
and
enable
you
know,
for
example,
scorecard
you
know
essentially
running
scorecard
and
then
providing
the
output
of
that
as
an
assertion
so
that
you
have
a
time
stamped.
M
You
know,
as
of
this,
this
date
scorecard
says,
says
you
know,
says
X
and
things
like
that,
but
I
do
I,
would
like
this
wrapped
up
in
a
larger
assertion:
packaging
enveloping
time,
stamping
format
so
that
I
don't
so
that
I
don't
have
to
worry
about
that.
I
can
just
worry
about
the
chocolatey
goo
on
the
inside.
C
M
I
think
it's
too
early,
but
it
doesn't
feel
like
it
should
live
under
a
oh
long
term.
I
think
in
order
to
you
know
to
incubate
it
to
the
point
that
there's
something
real
or
real-ish
sure
but
I
I
think
it's
it's
it's
more
General
I
mean
the
the
the
itch
that
I'm
trying
to
scratch.
Very
tactically
is
we're
going
to
do
a
lot
of
things
with
particularly
Omega,
and
we
need
to
communicate
that
out.
M
M
A
M
D
C
C
I
know
it's
been
a
very
busy
last
several
months
of
getting
things
done,
culminating
with
a
fair
bit
of
the
discussion
last
week,
so
appreciate
everyone's
engagement
and
help
and
look
forward
to
getting
a
little
bit
of
a
break
next
week
and
also
then
reconvening
ahead
of
the
governor.
We're
meeting
on
the
first.
D
K
Yeah,
just
just
a
quick
reminder:
we
posted
a
our
Jennifer
was
kind
enough
to
send
the
blog
post
for
the
s2c2f
contribution
to
the
openness
itself
to
the
tech.
Private
email
and
Abhishek
was
kind
enough
to
go
in
there
and
throw
some
comments
in.
But
if
anybody
else
has
some
comments
that
you
know
today
today
would
be
the
day
to
do
it
as
we
are
planning
to
resolve
some
of
those
and
then
kind
of
kind
of
try
to
get
it
out,
get
it
out
tomorrow.