►
From YouTube: OpenSSF TAC (April 18, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
C
I
wish
now
I've
got
a
two
sound
boards.
E
Oh
Brian,
I,
don't
know
if
you
saw
this
Ian
Coldwater
posted
on
their
Twitter
they're.
Looking
for
a
job,
okay,.
B
Good
to
know,
thank
you,
sorry,
we're
recording
now
so
yep
welcome
everybody.
B
What
have
I
noticing
the
agenda
we
weren't
going
to
have
a
readout
from
the
vulnerability
disclosures
group
unless
that's
something
that
has
just
been
added,
did
you
think
that
might
happen,
or
did
you
want
to
defer
it
to
the
next
meeting.
B
Can
do
it?
Okay,
well,
I!
You
know
if
you
wanted
to
to
prep
I,
think
you'd
be
granted
a
clearance
as
well,
but
there's
a
table
at
the
top
or
on
the
second
page
of
the
attack
meeting
notes
of
yeah.
C
E
Man,
which
which
wait
the
open
the
vulnerability
exposure
working
group,
is.
B
Yeah
that
was
scheduled
to
report
today,
but
that's
that's
fine.
G
I
think
we
do,
in
apologies,
I'm
playing
a
bit
of
a
meeting
room
roulette
here
in
London,
so
I'm
hoping
that
hoping
this
rooms,
even
though
I'm
squatting,
it'll
stay
available.
G
So
as
Brian
know,
it
looks
like
we
do
have
Quorum,
so
we
will
go
ahead
and
get
started.
I
just
wanted
to
give
a
quick
update.
I
know
that
the
last
attack
meeting
I
had
given
an
indication
that,
at
this
tech
meeting,
we
had
hoped
to
had
fully
seeded
the
the
new
tack.
G
The
governing
board
is
currently
in
process
with
finalizing
their
votes
for
the
appointed
seats,
and
so
that
process
will
run
through
the
end
of
this
week,
and
so
at
the
beginning
of
next
week
we
should
have
the
results
to
share,
and
so
I
take
back
what
I
said
last
time
and
the
the
next
tech
meeting
coming
up
on
May
the
second.
If
my
math
serves
me
right,
yeah
May,
2nd,
we'll
have
the
fulltack
the
new
tax
seated.
G
So
just
brief
update
on
that
front,
and
with
that
we
do
have
quota
for
we
are
we'd.
Have
Quorum
rather
is
the
and
I'm
getting
kicked.
G
H
No
worries:
hey
folks,
a
quick
update
from
securing
software
Reaper's
work
group
a
reminder
that
our
our
mission
is
to
bring
together
all
the
maintainers
of
some
repositories
Registries
and
discuss
our
our
various
shared
problems.
I
chair
this
group
with
support
significant
support
from
Jacques
Chester.
H
Newman
we
meet
every
two
weeks
in
alternating
time
zones
to
maximize
coverage
across
the
time
zones.
We
usually
have
about
10
to
20
attendees.
Depending
on
our
agenda.
We
last
updated
the
attack
in
December
2022,
so
I
wanted
to
provide
a
couple
highlights
since
then.
So
one
is
around
salsa
we've
had
a
lot
of
discussion
and
collaboration
around
some
aspects
of
the
upcoming
salsa
1.0
specifications,
specifically
around
distribution
and
discovery
of
salsa
provenance.
H
We
work
together
to
publish
a
guide
to
Distributing
provenance
for
the
salsa
1.9
spec
and
that'll,
be
in
the
it's
in
the
release.
Candidate
now
we'll
be
in
the
final
version,
and
we
had
significant
input
from
many
folks
in
the
working
group
on
that
recommendation.
So
that
was
a
really
great
collaboration
and
we've
also
been
providing
some
light
support
for
npm
as
they
ship
build
provenance
and
beta,
and
you
know
determine
their
attestation
format
for
salsa.
H
We
also
in
the
last
couple
of
months
have
sort
of
finalized
our
survey
that
we
performed
of
Open
Source
software
repositories,
sort
of
aggregate.
All
the
data
kind
of
two
takeaways
from
that
one
is
that
we
published
a
blog
post
about
this
on
open,
ssf
blog.
We
also
sort
of
summarize
our
key
takeaways
and
recommendations.
So
all
the
things
in
those
takeaways
are
considered
actionable
things
that
we
could.
H
H
Ipi
support
is
currently
in
beta
I
think
this
would
be
the
first
software
repository
to
support
it
and
we'll
be
launching
this
week,
and
we've
had
a
lot
of
discussion
about
that
feature,
as
well,
specifically
between
the
pipi
and
the
npm
ecosystem,
which
is
kind
of
support
this
soon,
as
well.
I
think
some
upcoming
things
so
there's
been
a
lot
of
discussion
around
a
shared
data,
setup
malware,
probably
wanting
to
hone
this
in
the
open
ssf
in
some
way.
H
That
is,
you
know,
available
to
security
researchers,
but
not
maybe
completely
publicly
available,
there's
an
upcoming
plan
to
propose
an
implementation
of
how
what
that
would
look
like
and
how
that
could
be
shared
across
multiple
software
repositories
in
a
standard
way,
and
also
there's
been
a
lot
of
discussion
about
dependency,
confusion
attacks
specifically
how
they
affect
many
other
repositories.
H
We
are
considering
drafting
sort
of
a
best
practice
recommendation
for
how
these
passwords
should
best
at
dependence,
combat
dependency,
confusion,
attacks
and
that's
it
any
questions
from
the
tech.
Anything
like
more
clarity
on.
I
Sorry
I
was
not
able
to
find
the
mute
icon
on
the
top.
Yes,
I
would
like
to
present
I
think
the
first
version
that
I
mean
the
first.
The
person
we
won.
Can
you
listen
to
me?
I
Okay?
Yes,
the
version
we
won
for
the
security
policy
in
for
open
ssf
project
and
content
and
resource
and
infrastructure.
We
have
a
shared
document.
The
link
is
in
the
meeting
notes
and
we
are
also
an
issue
open
in
the
working
group
of
vulnerability
disclosure
because
I
well
weeks
ago,
we
agreed
that
it
was
the
probably
the
best
group
that
we
have
to
discuss
this
new
policy.
I
I
It's
important
to
consider
that
open
ssf
is
part
of
Linux
Foundation
or
is
strictly
related
to
Linux
foundation.
So
the
idea
is
to
not
have
document
that
are
in
Conflict
both
internally
for
open
ssf,
for
example
the
inbound
and
the
outbound
security
policy,
but
also
with
the
Linux
Foundation.
There
is
a
David
that
is
following
this:
well,
the
discussion
with
the
Linux
Foundation,
Council
and
yeah
I
think
it's
ready.
I
The
working
group
will
not
be
the
disclosure
as
being
keep
posted
by
me
in
the
channel
and
in
the
Ripple,
and
the
idea
is
to
have
a
sort
of
approval
or
first
approval
or
and
feedback
by
the
TAC
group
to
be
sure
that
we
are.
We
are
aligned,
especially
from
all
the
sentences
and
the
I
mean
idea
concept
and
everything
that
can
be
really
bought
to
legal
and
not
just
to
the
security
or
the
procedure.
Here
is
the
issue.
I
If
you
want
to
see
it,
it's
in
the
room,
chat,
I,
don't
know
if
you
have
had
time
to
read
the
document.
It
is
quite
standard
honestly
and
well
open
a
discussion
or
if
you
don't
have
a
particular
feedback
or
if
you
think
it
is
a
good
version,
see
yes
syrup.
C
To
put
things
in
context
as
part
of
our
guidance,
we
recommend
that
all
open
source
projects
have
a
security
policy
documented
that
describes
how
they
handle
defects
and
reports.
It's
important
for
us
to
kind
of
drink,
our
own
champagne,
so
to
speak.
So
I
I
strongly
agree
with
Luigi's
proposal.
We
still
probably
need
to
over
the
words
for
like
eight
months,
but
the
I
joke,
I
I
think
it's
actually
pretty
in
a
pretty
good
State,
but
we
we
should
talk
about
it.
I
Yeah,
in
addition,
it
is
also
it's
part
of
the
score
card.
I
mean
the
scorecard
check
if
we
have
a
security,
dot,
MD
and
I
think
it's
a
good
idea
if
we
show
that
it's
possible
to
have
a
security.md
or
a
security
process
as
a
foundation.
In
addition,
GitHub
now
have
a
very
good
way
to
report
to
handle
cve
and
in
general
security
issue,
because
every
repo
can
collect
their
own
security,
rep
wrapper
by
researcher
and
handled
by
the
maintainer.
I
So
we
don't
need
to
have
a
sort
of
a
unique
point
in
contact
or
multiple
email,
because
we
can
have
just
an
email
if
someone
want
to
contact
us
via
email
for
a
lot
of
reason.
But
if
the
pro,
if
the
vulnerability
or
the
security
issue
is
in
a
project
that
we
posted
in
GitHub,
the
reception
can
just
just
open
a
vulnerability
report
in
the
in
the
repo.
This
help
has
to
keep
my
order
and
everything.
I
guess.
C
I
Initially
I
mean
it
is
interesting.
The
thank
you
Michael
for
the
commenting.
I
The
chat,
yeah
initially
I
started
to
work
on
this
policy,
because
I
wanted
to
try
to
spread
at
least
a
sort
of
the
food
in
open,
ssf
specification,
the
security
insights
that
should
help
scanner,
a
human
to
collect
information
about
the
security
standard
in
place
by
a
repo,
not
just
if
they
ever
not
a
secure.nd,
but
also
what
are
the
contact
if
they
have
a
back
Bounty
if
they
have
a
penetration
test
report
that
sometimes
some
especially
important
open
source
project
have,
but
it's
not
easy
to
find
them
and
and
I've
seen
that
we
don't
have
a
security
of
MD.
I
I
Yeah
and
yeah
I?
Think
it's
important.
It's
the
first
version.
It
can
be
improved.
There
is
no
pgp
key,
for
example,
at
the
moment,
because
we
need
to
understand
how
we
want
to
share
secret
in
the
foundation.
That's
not
easy
and
other
thing,
and
there
is
also
the
save
Fable
that
is
temporary
removed
because
the
Linux
Foundation
Council
suggests
for
now
to
not
publish
that
kind
of
save
fiber
and
but
yeah.
I
In
the
comments
in
the
document,
but
they
are
resolved,
but
please
you
can
find
in
the
history
of
the
document.
If
you
cannot
it's
a
privileged
issue
and
I
can
try
to
fix
it
and
I
have
a
summarized.
Also.
The
debit
comment
in
the
GitHub
issue
do
not
lose
this
kind
of
information.
J
K
No
worries
thanks
David,
just
echoing
Michael's
comments
from
the
written
chat
and
my
own
feedback.
This
is
fantastic
I
agree.
I
would
suggest
looking
at
how
something
like
spdx
short
codes
work
such
that
there
would
be
a
machine
readable
in
addition
to
the
human
readable
form
in
a
marketing
of
a
good
security.md.
I
Yes,
I
mean
is
still
a
work
in
progress.
There
is
a
tunnel
and
if
you
want
to
join
it,
you
are
definitely
welcome
because
at
the
moment
Jonathan
offered
me
a
lot
of
good
feedback
and
opinion
and
fact
also-
and
it's
definitely
not
easy-
to
write
a
specification.
I
I
am
learning
this
now
and
probably
this
is
the
easiest
part,
because
then
we
need
to
convince
the
community
to
use
it
and
so
having
mark
contacts
and
feedback
on
also
all
the
specifications
that
maybe
I
don't
know
that
are
already
popular
or
not
popular
enough,
but
people
are
working
on
them
and
we
can
try
to
join
in
a
single
file
or
let's
try
to
to
join
them
all
to
understand
if
they
are
in
conflict
or
not,
for
example,
I
know
the
spdx
and
another
one
that
yeah,
not
just
this
spdx
I
joined
them
I
mean
my
first
opinion
about
that
specification.
I
It
was
that
was
too
complex,
but
maybe
I
have
just
misunderstood.
It
so
definitely
open
to
review
and
change
my
mind
honestly.
It's
very
easy
to
change
my
opinion.
If
you
have
a
good
arguments,
so
no
problem
and
MVP
also
to
happen
issue
in
the
repo,
because
I'm
trying
to
track
in
all
the
job
in
GitHub
for
a
lot
of
reasons,
especially
because
it's
like
we
lose
the
conversation
so
better
if
it
is
public
on
GitHub
and
yeah.
But
thank
you.
J
Yeah,
so
real,
quick
first
as
far
as
you
know,
identifying
who
to
report
to
the
security
insights
spec
is
is
really
what
not
not
spdx,
but
as
far
as
the
Safe
Harbor
goes,
we
got
some
interesting
feedback
regarding
the
safe
harbor.
Don't
want
to
go
into
all
the
details,
but
what
was
the
original
text
was
very
U.S
Centric.
Obviously,
vulnerability
reporting
can
go
around
the
world.
J
A
second
problem
is
that
it
is
an
unfortunate
reality
that
some
security
researchers
go
Rogue,
so
they'll
report
but
they're
going
to
report
and
simultaneously
either
attack
or
help
attackers.
So
saying
we
won't.
You
know,
hey
it's
as
long
as
you
report,
it's
okay,
that
you
simultaneously
attack.
People
is
not
really
what
we're
going
for.
J
So
the
suggestion
that
I
I
got
back
was
basically
just
tell
people,
you
know,
obey
the
law
and
keep
it
simple
and
don't
try
to.
E
J
That
well
I'm,
not
actually
I,
don't
I
understand,
that's
your
position.
I,
don't
think.
That's
the
universal
position.
E
K
It's
it's
cmaa,
yep
I'm,
a
strongly
agreeing
with
Jonathan
here.
This
is
well
understood
in
all
the
hacker
communities
that
I
know.
Okay,
that
that
is
the
policy
and
I
can
certainly
offline
cite
plenty
of
Precedence.
Where
hackers
have
reports,
sorry,
where
researchers
have
reported
vulnerabilities
in
production
systems
and
then
been
sued
for
having
done
so.
E
There's
an
entire
document,
that's
held
by
disclosed
IO
that
has
a
long
long,
history
of
all,
of
the
different
cases
where
security
researchers
have
been
legally
prosecuted
by
organizations
for
engaging
in
in
ethical
research.
So
this
is
something
that
we
need
to
carve
out
in
this
policy
that
this
is
allowed
in
behavior
and
that
we
will
not
be
chasing
them
legally
and
that
they
are.
This
is
allowed
like
this
is
allowed
and
we
waive
cfaa.
E
J
I
I
I,
obviously
I'm
I'm,
absolutely
in
favor
of
making
sure
that
they
are
legally
safe.
The
feedback
I'm
getting
from
legal
counsel,
though,
is
that
the
original
text
that
was
proposed
basically
says
in
many
ways:
it's
open
season
on
our
systems
and
feel
free
to
take
everything
and
take
them
down,
and
that's
not
the
goal
either.
J
So
somehow
we
need
to
find
it
sounds
like
there
really
needs
to
be
some
sort
of
meaning
in
the
minds
of
this,
because
there's
a
yo,
I
I
think
there's
a
way
to
handle
this,
but
I
think
it's
complicated.
We
won't
solve
it
here,
but
I
think
we
need
to
find
a
a
forum
to
solve
it.
K
Then
talk,
please
make
sure
that
when
that
call
is
getting
scheduled,
it
is
broadcast
pretty
widely.
Please
include
the
attack
and
the
public
policy
committee.
E
K
Check
on
that
is
within
the
open,
ssf
no
I'd
want
to
have
the
TAC
chat
with
all
of
the
maintainers
before
committing
them
to
that,
but
I
would
suspect.
The
answer
here
is
no
I
know
a
lot
of
other
open
source
projects.
Do
that
and
support
that
I.
Think
the
the
challenging
question
for
a
safe
harbor
is
stepping
outside
of
Open
Source
projects
and
into
commercial
spaces.
That's
where
it's
trickier.
Yes,.
E
G
Yeah
I
was
just
going
to
Echo
what
Eva
just
said.
Also
a
time
check
just
a
few
more
minutes
on
this,
and
we
need
to
move
on
to
other
topics.
G
A
Sorry,
I
I
think
we
actually
did
enable
GitHub
private
reporting
on
every
project
under
ossf
and
look
I'm
trying
to
find
a
repo
that
it
is
not
enabled
on
which
tells
me
that
it's
enabled
on
everyone.
Okay,
I
I,
haven't
found
one
yet
so
this
may
be
moved.
We
could
obviously
revisit
it
and
turn
it
off,
because
I
think
it
was
done
at
the
org
level.
J
G
I
Yes,
it's
like
an
action
item
so
well.
David
is
in
contact
with
the
Linux
foundation
on
Council
and
I.
Think
that
we
can
present
the
document
if
it
is
okay
for
them.
If
they
mail
contact
is
okay
and
we
can
just
spread
in
the
GitHub
organization
and,
let's
see
syrup.
C
And
so
the
working
group
will
take
the
action
item
to
get
the
Safe
Harbor
call
set
up,
we'll
make
sure
we
invite
the
tech
and
public
policy
committee
I
would
strongly
ask
everyone
on
this
call
to
review
the
issue,
provide
any
feedback
you
have
there
and
then
we'll
see
how
and
if
we
can
proceed
with
or
without
the
Safe
Harbor
now
and
we'll,
let
you
know
kind
of
what
the
decisioning
and
where
we
land
on
that,
because
I
think
it's
very
important
to
provide
that
protection
again
to
set
that
role.
C
Modeling
again,
that
we
welcome
open
openness
and
transparency
and
collaboration
with
all
members
of
the
community.
So
we'll
get
that
back
to
everybody.
E
So
there
is
still
the
open
source,
security,
Foundation,
inbound,
vulnerability
or
sorry.
Now
the
outbound,
my
bad
I'm.
Looking
at
the
wrong
document,
this
document
has
been
passed
through
legal.
E
We
need
to
cat
meow.
We
need
to
go
through
this
document
with
the
working
group
and
and
review
the
legal
wording
changes,
but
I
did
want
to
remind
the
TAC
that
if
you
would
like
to
review
this
document
before
voting,
I'm
hoping
that
we
can
do
a
vote
next
attack
meeting
on
this
document
as
to
whether
or
not
we
should
adopt
it
or
not
or
the
tax
should
adopted
or
not.
E
That
would
be
greatly
appreciated.
So
if
you
could
take
the
time
to
read
through
this
document,
if
you
have
not
done
so,
that
would
be
greatly
appreciated
and.
B
E
No,
this
is
not
this.
This
is
the
vulnerability
disclosure
working
group.
This
is
the
open
source
security,
Foundation
vulnerability,
disclosure
policy.
This
is
our
outgoing
reporting,
mostly
associated
with
how
alpha
omega
will
be
reporting
security,
vulnerabilities,
there's
a
tie-in
which
is
the
link.
There
is
a
link
to
a
proposed
policy,
which
is
the
automated
vulnerability
fix
campaign,
but
that
will
not
be
finished
and
complete
and
going
out
and
shipping
with
this
policy,
it
is
currently
a
raft
that
is
being
bounced
around
that
a
snake
for.
B
B
E
D
C
Can
everybody
see
my
screen
yep
great,
so
we're
here
today
to
talk
about
the
vulnerability,
disclosures
working
group
and
our
status
new
things
we're
here
to
talk
about
you'll,
hear
about
today
in
the
following
briefing
we
adopted
openvex
Sig
and
we
are
now
actually
participating
within
the
larger
sisa
Vex
working
group.
C
C
We
also
are
trying
to
solicit
participation
in
a
cvd
guide
for
open
source
consumers,
and
we
have
a
presentation
scheduled
at
openssa,
North
America,
simplifying
vulnerability,
coordinating
vulnerabilities
and
disclosures
at
open
source
projects.
Madison
Oliver
and
I
will
be
doing
that
as
part
of
the
ossna
and
we
are
will
have
a
Blog
coming
out
very
soon
imminently.
That's
actually
on
your
desks
for
comment
getting
to
know
the
open
source,
vulnerability
format.
C
As
a
reminder,
the
vulnerable
disclosures
working
group
has
about
16
active
members
and
15
to
20
kind
of
people
that
float
in
and
out
from
time
to
time,
we
are
focused
on
trying
to
improve
secure
overall
security
of
Open
Source
software,
the
ecosystem
by
helping
mature
and
Advocate
well-managed
vulnerability,
reporting
and
communication
things
like
security
MDS.
This
is
all
of
our
member
projects
and
sigs
and
we'll
talk
briefly
about
each
one.
In
the
coming
slides,
CBD
guides,
we
produce
guidance.
C
We
currently
have
a
document
focused
on
open
source
projects
and
maintainers
on
how
they
can
conduct
themselves
via
widely
accepted
industry,
coordinated
vulnerability,
disclosure
practices.
We
have
a
reverse
of
that
guide,
focused
at
security,
researchers
or
finders,
helping
them
understand
how
best
to
interact
with
open
source
and
how
they
might
find
ways
to
best
collaborate
with
developers.
And
again
we
have
that
CBD
guide
for
consumers
coming
and
ideally,
we
can
find
some
wonderful
developers
someday
that
will
help
us
provide
some
tooling
and
scripts
that
will
automate
some
of
those
practices
to
help
maintainers.
C
The
osv
we've
just
reinvigorated
our
relationship
with
those
folks
live
in
Sydney
Australia.
So
are
not
up
right
now
to
talk
at
the
attack,
so
we
had
to
move
a
meeting
to
accommodate
them,
but
osv
is
a
standard
with
which
producing
and
consuming
vulnerability
information.
The
open
source
way
provides
both
human
and
machine,
readable
data.
C
They
if
you
get
a
security
advisory
from
GitHub.
It's
also
in
the
osv
format.
Fun
fact:
we're
looking
to
engage
with
the
cve
board
to
talk
about
some
challenges
with
the
data
quality
of
some
open
source
projects
there
and
continue
our
partnership
and
collaboration
with
them
as
they
roll
out
their
new
Json
format.
C
C
The
open
source
security
incident
Response
Team
Sig.
This
is
a
spin-off
of
the
mobilization
plan,
and
this
is
the
tldr
on
this
is
to
proposals
to
create
a
team
of
Upstream,
open
source
security
incident
handlers
and
to
work
with
maintainers
and
researchers
and
consumers
of
Open
Source
to
help
get
things
fixed
more
quickly.
We
currently
have
a
funding
proposal
that
is
under
review
by
the
governance
committee.
The
plan
is
always
open
for
comment
and
feedback.
We
would
love
to
hear
additional
thoughts
on
how
this
idea
could
be
implemented.
So
patch
is
welcome.
C
Take
a
look
at
the
issue
and
provide
us
any
feedback.
You
have
and
again
we're
looking
specifically
for
feedback
from
the
governing
board
on.
If
this
is
something
that's
viable,
that
they're
interested
in
funding
and
supporting
or
not
and
there's
a
couple
if
the
plan
is
approved,
we
have
two
software
projects
in
there.
C
One
is
the
siren
service,
which
is
a
vulnerability
communication,
advertising
service
being
able
to
try
to
find
ways
to
get
all
of
the
different
methods
of
advertising,
fixes
more
penetrated
throughout
the
industry
and
then
there's
a
tool
that
cert
CC
created,
called
Vince
and
unfortunately,
its
current
implementation
is
not
super
open
source
friendly.
The
code
is
open
sourced,
but
the
implementation
is
super
tied
to
AWS.
So
we're
looking
at
potentially
trying
to
find
ways
to
make
that
more
portable
being
able
to
anyone
could
use
that
software
in
any
environment
they
wanted.
C
So
we're
looking
to
retool
some
of
that
and
provide
that
back
Upstream
to
the
Vince
crew
I
mentioned
openvex
openvex
is
a
simple
implementation
of
the
Vex
vulnerability
exploitability
exchange
standard.
This
is
a
project
that
is
donated
and
I'm
waiting
on
my
dear
friend
Dan
Lawrence.
To
give
me
an
update
from
legal
on
how
that
IP,
review
and
transfer
is
coming,
but
this
sig
is
focused
on
supporting
the
openvex
spec.
There
is
some
tooling
associated
with
it,
and
then
one
of
our
biggest
goals
is
to
further
the
industry
collaboration.
C
There
are
many
members
that
participate
with
sisa's,
s-bomb
and
Vex
efforts,
we're
looking
to
expand
that
potentially
working
with
Oasis
with
the
csaf
standard
working
on
security,
working
with
security
scanners,
things
like
spdx
and
Cyclone
DX,
and
anyone
that's
interested
in
sharing
information
about
Vex,
which
is
just
a
way
to
State
your
Effectiveness
to
a
vulnerability.
We
think
there's
a
lot
of
value
in
that
and
right
now,
we're
not
looking
for
any
feedback
from
the
tech,
but
patches
and
comments
are
always
welcome.
F
C
You're
welcome
we
missed
you.
Yesterday
we
had
a
great
call.
Everyone
should
check
out
the
video
autofix
Sig,
which
is
heading
up
headed
up
by
Jonathan,
is
a
way
for
security.
Researchers
to
more
quickly
share
vulnerability
reports
at
scale,
and
the
goal
is
not
to
honk
off
all
the
open
source,
maintainers
we're
trying
to
find
best
ways
and
tools
and
methods
that
they
can.
C
Leverage
he's
currently
got
his
specification
for
the
vulnerability,
Fix
Auto
fix
campaigns,
and
also
that
disclosure
vulnerability
disclosure
policy
which
isn't
directly
related,
it's
related,
but
it's
not
directly
for
the
autofix.
So
again,
as
Jonathan
mentioned
and
Luigi
mentioned,
please
review
both
Luigi's
policy
and
also
Jonathan's
Auto
fix
proposal.
That
would
be
super
groovy.
C
D
C
C
I
heard
you
mentioned
discussing
OSB
with
the
cve
board.
I
briefly
got
disconnected
what
outcome
I'm,
not
looking
for
the
TAC
to
do
anything.
I
know:
half
of
the
cve
board
members,
so
I'm
just
waiting
to
try
to
find
a
love
connection
between
Sydney
and
Washington
DC
so
that
we
can
talk.
They
have
some
questions
about
data
quality
and
looking
to
find
ways
to
improve
that
interoperability
and
kind
of
ease
the
ability
for
Upstream
maintainers
to
be
able
to
report
vulnerabilities
and
get
the
cve
identifier.
So
right
now,
there's
nothing.
K
G
Just
a
quick
comment:
I
I
still
think
this.
This
format
is
very
useful,
so
I
would
say
plus
one
to
keeping
it
up
excellent.
G
So
looking
at
the
agenda,
the
only
other
thing
that
we
had
listed
today
was
more
of
an
FYI
and
a
reminder
to
both
attack
directly,
as
well
as
the
broader
audience.
Francis
and
David
wheeler
and
several
others
have
been
working
on
a
I
guess.
G
Skeleton
document
is
the
phrase
that
comes
to
mind,
but
certainly
it's
it's
got
more
more
on
it
than
just
a
few
bullet
points
around
helping
to
flush
out
the
the
meaning
behind
the
phrase
Sterling
tool
chain,
and
so
this
is
something
that
I
would
certainly
ask
the
current
attack
the
incoming
tack,
as
well
as
the
folks
that
are
representing
the
broader
Community
to
please
go
in
and
take
a
look.
C
G
Engage
in
a
meaningful
way
to
help
really
refine
the
concept
and,
as
we
think
about
turning
that
concept
into
a
set
of
action
plans,
it's
going
to
be
very
important
that
we,
we
obviously
have
a
collaboration,
that's
kind
of
a
key
ingredient
to
all
of
this,
so
not
going
to
walk
through
the
document
in
detail
on
this
call,
but
just
another
reminder
to
please
take
a
look
at
that.
G
Add
questions
add
comments
in
there
and
we
will
continue
to
refine
that
once
the
incoming
attack
is
finally
seated
I
think
we
will
have
a
further
discussion
around
how
to
turn
this
document
into
more
of
an
action
plan.
So
I
guess
more
to
come
on
that
front,
but
just
wanted
to
call
everyone's
attention
to
that.
G
All
right
any
other
topics,
folks
on
the
call
want
to
race.
Today,
we've
hit
the
entirety
of
today's
agenda.
G
Awesome
well
safe
travels
to
all
that
are
traveling
for
that
and
I
don't
see
any
other
topics
or
hands
raised.
So
with
that
we'll
go
ahead
and
close.
Today's
call
thanks.
Everybody.