►
From YouTube: OpenSSF TAC (February 7, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
C
C
E
A
A
A
A
B
A
A
B
A
A
G
You
are
you
playing
specifically
me:
I'm,
not
sure
I
have
any
special
information,
but
basically
there's
an
oh.
It's
a
summit
in
Vancouver
May
10
through
12..
There
had
been
a
lot
of
discussions
about
having
an
open
ssf
day,
but
I
guess
they
had
wanted
to
sound
out
the
governing
board
before
making
any
assertions
and
I
guess
that
has
occurred
so
Jennifer.
Do
you
have
more
to
share.
C
The
hope
is
that
in
one
day,
we'd
be
able
to
cover
the
you
know
a
lot
of
the
different
parts
of
openss.
The
goal
of
it
is
really
Outreach
page
and
getting
things
on
video
in
terms
of
what's
going
on
in
each
project,
but
also,
hopefully
pull
some
of
the
people
in
who
are
in
town
anyways.
For
for
those
events,
we
did
also
choose
that
day
to
avoid
overlap
with
CD
cdcon.
The
the
conference
of
the
continuous
delivery
Foundation
is
running
because
I
actually
felt
like
the.
C
Then,
if
we
tried
to
do
it
after
it'd
be
on
a
Friday
and
conferences
on
a
Friday
really
cool
way,
people
really
want
to
travel
home
and
it's
Vancouver,
so
most
people
are
gonna,
have
to
go
one
hop
away
so
we'd
really
like
everyone
to
be
there.
This
will
be
you
know
really.
This
plus
the
cloud
native
security
conference
were
like
I'd,
say
the
two
anchor
events
for
us
this
year
for
for
our
community.
C
So
as
a
in
terms
of
like
public
access
to
things,
and
so
we
will
be
in
Europe
as
well
and
we
probably
will
do
another
Japan
one.
We
have
to
think
about
that
and
talk
about
that.
But
that's
what
the
point
of
open
ssf
day
is.
We
really
would
love
the
tax
help
and
making
sure
where
it
gets
out
about
the
cfp,
when
once
we
publish
it,
it
should
be
pretty
soon
and
and
that
we
have
a
really
healthy
presence.
There.
A
Awesome,
thank
you
Brian.
That
sounds
wonderful,
I!
Guess
the
the
call
to
action
for
the
attack
and
folks
on
the
call
is
keep
an
eye
out
for
announcements
and
at
some
point
we'll
be
looking
for.
You
know,
paper
committee
reviewers
focus
on
us
are
putting
their
hand
up.
I!
Guess,
we'll!
You
know,
look
right!
Look
for
an
email
on
the
TAC
mailing
list
for
that
any
questions
before
we
move
on
to
pack
elections.
E
Yeah
I
agree
with
Brian's
sentiment
about
the
timing
on
the
conference.
My
only
suggestion
would
be
to
make
the
financial
thresholds
a
relatively
low
bar.
You
don't
want
to
necessarily
make
it
free,
because
then
people
won't
necessarily
respect
the
attendance
but
based
on
the
attendance
at
the
cncf
security
conference.
I
know
there
were
a
lot
of
efforts
to
make
sure
that
that
was
well
attended
as
a
kind
of
an
inaugural
event
and
I
think
we'll
have
the
same
challenge.
E
A
Okay,
so
I
know
Luke
had
to
leave
when
I
get
at
least
15-20
minutes
to
tack
elections.
The
summary
here
is
last
year
we
popped
together
process
to
bring
together
attack.
It's
been
great
and
we
at
that
time
had
set
about
a
year
before
we
would
reevaluate
the
process
by
which
we
built
attack.
Here
we
are
about
a
year
later,
there
have
been
some
discussions
since
October
November
of
different
ways
to
continue
electing
and
appointing
attack
members,
and
these
two
proposals
I
think
Bob
and
I've
been
chatting
as
of
several
other
folks.
A
We
have
roughly
these
two
paths
ahead
of
us
that
seem
like
we
should
test
the
consensus
on
them
today
see
which
one
we're
going
to
go
with
option.
One
is
to
just
leave
things
as
they
are
right
now
for
four
folks
are
elected
for
one
year
terms.
All
those
terms
are
up
would
be.
Those
folks
could
run
again
and
three
seats
are
appointed
by
the
governing
board
in
option.
A
A
C
Could
I'll
mention
one
thing
which
is
the
the
the
if
we,
if
we
continue,
if
we
do,
as
we
did
before,
there's
the
election
for
four
and
then
the
governing
board
appoints
three
and
the
governing
board
could
decide
and
appointing
the
three
it's
the
same
three,
it's
a
different
three,
but
it's
it
could
achieve
continuity
of
almost
half
of
the
board.
That
way.
The
second
thing
is,
you
know
these
meetings
are
run
very
openly.
You
know
it's.
It's
not
limited
to
only
Tech
members
to
speak
and
the
number
of
times
take
a
hard
vote.
C
H
A
I
I
D
A
J
I
would
prefer
option
two
with
the
staggered
terms,
but
I
feel
we
are
too
late
in
the
game
to
make
any
changes
and
not
derail.
We
have
not,
as
a
group,
made
any
progress
on
anything
in
a
couple
months,
so
I
think
trying
to
stop
everything.
That's
already
stopped
and
try
to
build
a
new
process
is
not
the
best
use
of
our
time
at
the
moment.
So
I
would
vote
for
option
one
with
strongly
asking.
A
J
A
K
Increasing
the
size
you
have
the
tack
for,
in
addition
to
try
to
address
these
I
mean
not
necessarily
have
a
three-phase,
but
at
least
as
you're
saying
so.
I
don't
want
to
confuse
with
this
question,
but
it's
I
think
when
we're
sort
of
raising
all
of
these
issues
about
how
the
the
current
attack
operates
at
that
can
be
another
question
to
propose
in
this
and
related
to
any
questions
that
go
to
the
governing
board
for
changing
the
charter.
A
K
A
I
appreciate
the
question
David
again:
I'd
love
to
focus
today's
discussion
really
just
on
the
election
term.
Lengths
and
staggering-
and
that
is
a
you
know.
The
size
of
attack
is
a
reasonable
question.
To
have
thing
to
talk
about.
I,
don't
want
to
do
it
today,
I'm
gonna,
get
it
it'll
derail
this
one
and
open
up.
You
know,
then
the
floor
becomes
open
to
even
more
questions
about
changing
the
attack.
L
Yeah
I
said
this
over
email
I'll,
just
restate
it
I'm
somewhat
ambivalent,
between
the
two
options.
I
think
staggering
is
great.
In
theory,
I
think
this.
The
tax
setup
already
has
two
different
groups
of
nominations,
though,
and
that
third
one
over
could
potentially
over
complicate
I'm
fine
with
either
option
one
seems
simpler,
but
I'm
not
gonna
complain.
If
people
pick
option
two
either.
A
A
M
A
A
K
A
Is
the
PAC
members
deciding
do
we
have
a
a
strong
collected
opinion
to
ask
the
board
to
make
this
change
right
now
and
terms
are
up.
The
board
gave
us
essentially
an
extension,
because
we've
all
hit
our
one-year
term
limit
we're
supposed
to
do
an
election.
The
board
said:
yeah
yeah
fudged
it
a
little
bit
figure
it
out
in
the
next
month.
So
we
need
to
come
back
to
the
board
and
say
here's
what
we
want
to
do
and
then
we
can
do
it.
A
So
today's
vote
is
which
path
do
we
go?
Keep
keep
the
attack
election
as
it
is,
and
then
we
have
an
election
or
ask
the
board
to
change
the
charter
in
a
specific
way
and
I
I
have
no
strong
opinion
right
now.
I
do
want
to
see
us
move
to
a
staggered
term.
I
think
that
is
structurally
functionally
valuable
to
build
continuity
to
give
folks
longer
term
links.
A
A
Okay
well
I'm,
going
to
ask
Pac
members
present
if
you
have,
if
you
prefer
option
one
right
now
with
a
commitment
that
we
will
address
this
in
the
tax
revenue
board
committee.
You
know
before
the
next
year
for
the
end
of
this
calendar
year.
If
you
prefer
that
path,
give
me
a
hand,
raise
visually
or
select
sort
of
thing.
Oh
there's
a
there's
a
check!
Oh
there's
a
yes
option
in
in
Zoom!
Now
great!
Let's
do
that!
But
yes,
I'm
gonna
vote.
I'm
going
to
vote
on
one
I
see
one
two
three.
A
A
A
J
I
have
been
seeking
feedback
from
the
tech
for
two
months
on
issue
131
and
for
one
month
on
134
and
for
about
a
month
on
issue.
132
I
would
love
to
actually
get
feedback
on
the
two
plan
proposals
on
if
those
are
going
to
move
forward
or
not.
If
we
want
to
recommend
those
or
if
there
are
changes,
we'd
like
to
make
and
then
issue,
132
is
kind
of
a
straight
up
vote.
We
want
to
fund
this
or
not
so.
J
D
J
L
G
L
L
L
L
A
A
K
K
A
G
F
I
A
J
J
A
M
J
C
Yeah
I'll
just
add:
the
governing
board
definitely
wants
to
see
proposals
get
vetting
by
the
tag
before
it
gets
brought
to
them.
Secondly,
there
aren't
quite
categories
ready
to
go
that
just
says
Hey.
As
soon
as
the
attack
approves,
we
can
get
you
know
kind
of
check.
There
is
a
process.
You
know
the
governing
board
will
need
to
kind
of
proactively
Say
Yes.
This
makes
sense
and
we'll
need
to
decide.
C
Do
we
change
the
existing
approved
budget
for
openssf
to
create
to
allocate
for
this
and
take
something
away
from
something
else
or
or
tolerate
the
the
more
greater
expense,
or
do
we
independently
fundraise
this
from
other
governing
board
members
as
an
add-on
to
what
they're
already
spending?
We
have
a
couple
of
options
here
and,
of
course,
there's
there's
other
places
we
might
be
able
to
go,
get
funding,
but
before
open
ssf
staff
before
I
and
others
spend
time
going
and
doing
the
fundraising.
It's
this
you
know
getting
the
tax
approval
of
this
is.
C
A
I
think
all
of
those
comments
also
apply
to
the
next
topic,
which
is
issue
132.
governing
board.
Wants
input
from
the
tax
and
attack
is
here
to
provide
that
input.
We
have
discussed
it
a
couple
times,
David
I
think
you
had
a
question
or
comment.
I'll
give
you
the
four
first.
If
anyone
else
wants
to
ask
about
issue
132
in
the
open
source
here,
there's
mailing
lists
solo
designer
after
that.
K
I'll
re-raise
the
issue
thanks
very
much
Ava
I
mean
it
started,
a
question
of
whether
this
is
a
worthwhile
project
or
not.
It's
just
a
question
of
whether
we
was
the
the
attack
wants
to
set
the
precedent
of
various
groups
coming
directly
to
the
attack
asking
for
funding
for
various
issues,
as
opposed
to
having
the
attack
with
its
the
limited
amount
of
time
and
and
the
tension.
K
Resources
to
you
know,
delegate
these
types
of
initial
triage
to
one
of
the
the
working
groups
and
to
have
that
decision
to
then
forward
it
up
through
that
working
group
or
some
other
assessment
to
the
tax.
Not
trying
to
just
you
know,
create
bureaucracy
or
create
delays,
but
it
not
sure
you
want
to
set
the
precedent
of
people
sort
of
sidestepping
these
other
working
groups,
or
you
know,
with
special
connections
that
it
might.
K
You
know
to
again
not
just
make
this
bureaucracy
for
the
sake
of
bureaucracy,
but
that
you
know
to
not
have
everybody
or
not
look
like
it's
I
mean
sort
of
nepotism
or
just
I've
got
a
friend
on
the
boards
on
the
tax.
We'll
just
ask
it
that
way,
as
opposed
to
trying
to
have
a
more
regularized
process
and
finding
the
appropriate
working
groups
for
these
different
types
of
funding
requests.
J
So
this
is
endorsed
and
brought
up
through
the
vulnerability
disclosures
working
group
has
been
discussed
there
several
times.
They
strongly
endorse
it,
and
there
is
precedent
with
the
new
tool
chain,
where
we
paid
for
we've
offered
to
help
pay
for
Operational
Support
for
that
project
to
continue
and
modernize.
A
G
A
G
A
G
A
M
G
A
G
G
A
A
N
Yeah
I
think
I
can
speak
to
this
a
little
bit.
I
don't
want
to
take
it
off
the
agenda
until
Justin
confirms
that
that
we've
covered
what
he
wanted
to
talk
about
through
a
couple
of
different
working
groups.
In
fact,
at
this
point,
the
prospect
of
the
open,
ssf
being
a
coordinating
Point
around
malware
collection
has
has
come
up
and
what
we
mean
by
that
is
in
the
pipei
or
other
package
repositories.
What
happens
when
a
malicious
package
is
reported?
N
This
is
a
good
idea,
my
suggestion
so
I'm
here
as
a
representative
of
the
securing
software
repos
working
group.
That's
a
working
group
where
we
actually
do
have
participation
from
a
number
of
the
administrators
of
these
package
repositories,
who
are
in
a
really
great
position
to
provide
access
to
that
there's.
A
number
of
efforts
that
have
happened
to
try
to
interpolate
based
on
what's
disappearing
from
these
things,
but
but
in
terms
of
actually
getting
direct
access
to
the
data.
I
think
securing
software
repos
is
a
great
point
for
that.
N
So
I
don't
know
that
there
needs
to
be
any
any
attack
action,
but
this
is
something
that's
come
up
in
in
a
number
of
cases
and
we're
we're
still
trying
to
to
coordinate
around
so
yeah,
so
I
think
in.
In
summary,
everyone
agrees.
This
is
a
good
idea.
We
we
want
to
do
it
and
there
is
a.
There
have
been
a
few
folks
in
screen
software
repos.
Talking
about
this.
There
was
a
meeting
I.
N
Think
Justin
was
at
that
meeting
about
it,
basically
just
to
try
to
get
a
bunch
of
folks
in
the
room.
I
personally
expect
that
if
the
attack
does
nothing,
this
will
happen
in
order
of
months.
If
there
is
any
urgency,
then
we
probably
do
need
a
kick
in
the
pack
dance
and
some
coordination
help
from
the
attack.
A
N
A
H
I
didn't
I
didn't
want
to
prolong
this
discussion
necessarily,
but
I
did
have
a
clarifying
question
for
Zach
Newman.
Was
this
around
continuing
to
host
sort
of
like
metadata
advisory
about
malicious
packages
or
also
hosting
the
malicious
packages
themselves
for
later
analysis,
and
the
only
reason
I
want
to
bring
this
up?
Is
it
might
impact
sort
of?
If
there's
a
funding
request
or
not?
One
is
much
larger
than
the
other
and.
A
N
A
A
C
Oh
okay,
sorry
right,
that's
the
open
source
initiative;
basically,
lots
of
people
left
this
commentary
and,
and
so
broadly
stated,
we
were
supportive
of
the
notion
of
policy
as
a
means
to
help
nudge
things
in
the
right
direction,
but
generally
pretty
critical
of
some
specifics.
They
tried
to
carve
out
non-commercial,
open
source
activity
which,
as
we
all
know,
I
mean
David.
Apparently
you
wrote
a
paper
a
while
ago.
That
said,
there
is
no
such
thing
as
non-commercial,
open
source.
D
C
They
like
to
regulate
it,
the
way
that
they
would
regulate
cars,
for
example,
and
you,
if
you
sold
a
car
without
brakes,
you
know
you'd
be
liable
for
that,
but
not
just
open
source
soft,
but
the
entire
software
industry
is
rested
upon
liability
limitations
on
or
disclaimers
of
liability
entirely.
And
if
you
want
liability
protection,
you
get
a
support
contract,
it's
pretty
straightforward
and
simple
and
anyway
so
so
we
tried
to
approach
it
just
very
gently
and
about
a
education
about.
C
This
is
why
this
won't
work-
and
you
know,
but
it
is,
it
is
worrisome
enough
that
you
know
we
are
putting
Cycles
into
trying
to
help
make
sure
people
understand
why
that's
not
the
right
approach
and
here's
some
Alternatives.
So
if
anyone
wants
to
read
more
I'll,
go
pick
up,
both
I,
don't
think
we've
done
a
blog
post
on
it
yet,
but
yeah,
but
I'll
take
up
the
link
to
the
comments
that
we're
left
behind
on
your
green
Union.
And
if
anyone
has
any
other
questions,
I'm
happy
to
cancel
yeah.
A
I
was
looking
for
any
posts
to
be
made
and
I'm,
not
finding
that
link.
That's
why
I
dropped
in
the
OSI
one
as
sort
of
an
overview
for
folks
who
are
wondering
what
other
foundations
have
have
said
about
it
or
companies
have
said,
there's
a
link
directly
in
the
top
of
that
one
to
the
well
I
think
130
total
responses,
yeah.
J
A
problem
I'm
going
to
channel
my
inner
Bob
Callaway
I
had
a
vigorous
discussion
with
Bob
the
day.
This
was
kind
of
shared
with
the
foundation,
and
he
was
very
disappointed
that
the
attack
was
not
given
a
pre-read
beforehand,
so
he
asks
for
maybe
we
all
share
a
little
more
and
collaborate
a
little
better
in
the
future.
Please.
C
I'll
share
that
feedback
of
the
public
policy
committee.
I
know
there
were
folks
sprinting
because
their
volunteers
like
like
the
rest
of
us
and
they
were
kind
of
sprinting
up
to
the
deadline-
I
mean
I
I,
took
the
final
draft
and
put
it
into
letterhead
like
on
a
Sunday
to
to
get
it
in
in
on
a
Monday
morning.
So
I
I
I
think
they
take
that
as
a
yes.
It
would
have
been
better
to
to
put
it
out.
There
I
think
they
might
also
have
said
you
know
it
we'll
have
to
kind
of
figure
out.
C
J
He
wasn't
looking
for
approval,
he
was
just
looking
for
an
inform.
He
was
not
informed
at
all.
This
was
happening
and
was
very
surprised
and
was
very
vigorously
talking
to
me
about
it,
because
I
happen
to
be
on
that
committee
as
well,
and
I
had
about
an
hour's
worth
a
head
start
on
his
check
slot,
or
his
slack
chat
on
me.
C
A
A
N
N
J
Well,
I
I!
If
there's
you
know,
money
involved,
I
think
the
tech
needs
to
be
aware,
but
I
think
a
working
group
is
allowed
to
make
whatever
choices.
They
feel
you
know
projects
they
want
to
work
on
as
long
as
they're,
in
line
with
with
the
vision
of
what
we
want
to
achieve.
So
I
I
appreciate
the
inform.
N
A
Certainly,
for
assigning
a
graduation
level
or
stage
to
a
project,
that's
a
fact
about
and
depending
on
how
technical
product
is
might
require
a
little
bit
of
you
know.
Diligence
on
the
tax
part,
I,
guess
exact.
One
question
to
either
answer
now
or
get
spun
up
in
that
is.
Is
this
a
whole
clock
new
project
being
started
in
a
working
group
or
is
it
being
contributed
from
outside
of
the
open
ssf?
It
already
has
IP
associated
with
it.
A
A
O
O
There
is
this
project
security
sites
were
we,
we
are
trying
to
define
a
specification
for
a
yaml
file
that
scanner
can
use
to
order
type.
Some
information
that
at
the
moment
have
no
specific
standard
or
policy
or
a
lot
of
products
have
a
member,
but
in
different
place
and
I
have
seen
that
sun
wrapper.
O
Don't
have
a
security
policy,
other
one
have
a
security
policy
or
security,
but
we
don't
have
a
standard
security
policy
for
our
organization,
and
maybe
we
would
like
to
have
some
standard
policy
that
we
can
enable
to
a
organization
level
using
vitam,
because
that
is
it's
very
easy.
You
can
use
the
folder.key
tumble
where
you
add
some
policy
that
you
want
to
have
in
the
repo
and
you
can
over
overwrite
them
easily
in
every
report.
If
you
want
to
just
adding
the
file
with
the
same
name,
so
maybe
a
security
dot.
O
Md
can
be
a
nice
idea,
especially
a
unique
contact
that
the
researcher
can
use
to
contact.
The
open
ssf
to
airport
is
and
the
other
one
is
if
we
want
to
pay
at
least
what
the
most
important
project,
like
the
scorecard,
for
example.
But
the
most
popular,
if
you
want
to
pay
or
have
this
bugs
or
something
similar
for
the
vulnerability,
can
send
us-
and
this
is
probably
an
action
item
not
for
my
working
group
button
for
the
attack
meeting
on
the
board
or
yeah.
A
The
first
one,
you
know
a
standard
security.nd
template
might
be
part
of
a
project.
Repo
template
I,
don't
know
that
we
have
one
consistently
applied
at
this
point
and
I
know
we
do
have
projects
that
exist
outside
of
the
open,
ssf,
GitHub,
org
they're,
doing
it
at
an
or
wide
level
would
not
cover
everything.