From YouTube: OpenSSF TAC (February 7, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0/edit#heading=h.9m0zi4b0wnne
C
Pretty good, but I'm about to ruin it with my play, with my musical preferences. I'm apparently DJing at 6 p.m., in a few hours, so we'll see how that goes now.
C
Yeah, oh no, I just always have gone under my own name. Yeah, I never found something more suitable than that, more distinctive than that, I guess. The other Brian Builder has issues blistering.
A
You have a sort of a crate that you always travel with, lots of a deck that you brought with you? I'm trying to visualize this, Brian DJing. How is that a heck? Maybe sometimes we'll catch you DJing at DNA Lounge or something in SF.
A
We're still joining. I'm going to drop a link in the Zoom chat to our meeting notes. Feel free to add yourself to the attendance list if you'd like to. Bob sends his regrets, so I will be sharing the meeting today.
A
We do have some news to share from yesterday about the Open Source Summit.
A
Okay, our participants list has been a bit stable, so let's go ahead and get started. Welcome everybody to Tuesday, no, February 7th TAC. It's not November; I'm here in wintertime.
B
Yeah, sure, not as much of an announcement as a question: whether and when we would like to do our next town hall. Our last one was in August 2022, so about six months is February.
B
Is there thoughts on when we'd like to do the next one? Are we at a point where we feel like we are ready to convene yet again?
A
One thought that was brought up on the planning call yesterday is, hence the next point out here, folks have confirmed that we will be able to do an OpenSSF Day concurrent with the Open Source Summit in Vancouver. This hasn't gone out on a website yet, but breaking news.
E
Good morning, thanks. I would strongly suggest a town hall before, a virtual one, because one of the things we've heard from a number of different groups across the SIGs and working groups is still a large lack of awareness of what the OpenSSF is and what it's up to. So I think we should take advantage of the big gap between now and the summit and do a town hall, perhaps sometime in the next 45 days, if that is the consensus from the group here, but also look at doing something similar as part of the big week in Vancouver.
A
Thanks Jeff. Jen, in terms of planning in the past, is 30 days enough time to get everyone together, and so we could do, when we say, first week of March? This is still Paul, or.
A
I have, I have no princess. I think that's a fine idea to fill in the gap and help cross-pollinate ideas, raise awareness, so that folks know more of what they're getting, you know, where to pay attention in Vancouver.
B
All right, so let this be an invitation: anyone who is interested in presenting at our next town hall, please let us know.
A
Thanks Jennifer. And the second one is, convert here or, I guess, David or Jennifer, you want to talk at all about Open Source Summit and OpenSSF Day?
G
Are you playing specifically me? I'm not sure I have any special information, but basically there's an, oh, it's a summit in Vancouver May 10 through 12. There had been a lot of discussions about having an OpenSSF Day, but I guess they had wanted to sound out the governing board before making any assertions, and I guess that has occurred. So, Jennifer, do you have more to share?
C
To Jennifer too, no. So we've been working with the LF events team. We've got a day, that I can get the exact number, but it is overlapping with the first day of OSS Summit.
C
So one thing we still have to resolve is: can we avoid the keynote, overlapping the keynotes, at least. But some of the decisions we made, kind of to get rolling in this, were to have it be a separate registration and to ask for 199 for the event, to give us the ability to have a little bit less of a lot of people signing up and then not showing, which makes it hard to plan, basically, but also then work with the Linux Foundation's team to run a proper CFP for it, rather than the kind of ad hoc kind of thing that we've done to date, I think, yeah.
C
The hope is that in one day we'd be able to cover, you know, a lot of the different parts of OpenSSF. The goal of it is really outreach and getting things on video in terms of what's going on in each project, but also, hopefully, pull some of the people in who are in town anyway for those events. We did also choose that day to avoid overlap with cdCon, the conference of the Continuous Delivery Foundation, that is running, because I actually felt like the...
C
If we were to overlap that, it would be worse for a whole bunch of, in terms of, like, too many places to be at the same time, in terms of similar content, and so that's the primary decision.
C
Then, if we tried to do it after, it'd be on a Friday, and conferences on a Friday, really, people really want to travel home, and it's Vancouver, so most people are gonna have to go one hop away, so we'd really like everyone to be there. This will be, you know, really, this plus the Cloud Native Security Conference were, I'd say, the two anchor events for us this year for our community.
C
So, in terms of public access to things, we will be in Europe as well and we probably will do another Japan one. We have to think about that and talk about that. But that's what the point of OpenSSF Day is. We really would love the TAC's help in making sure word gets out about the CFP once we publish it, which should be pretty soon, and that we have a really healthy presence there.
A
Awesome, thank you Brian. That sounds wonderful. I guess the call to action for the TAC and folks on the call is keep an eye out for announcements, and at some point we'll be looking for, you know, paper committee reviewers, folks on us putting their hand up. I guess we'll, you know, look for an email on the TAC mailing list for that. Any questions before we move on to TAC elections?
A
Great, oh, Jack, go ahead.
E
Yeah, I agree with Brian's sentiment about the timing on the conference. My only suggestion would be to make the financial thresholds a relatively low bar. You don't want to necessarily make it free, because then people won't necessarily respect the attendance, but based on the attendance at the CNCF security conference, I know there were a lot of efforts to make sure that that was well attended as a kind of an inaugural event, and I think we'll have the same challenge.
A
Perhaps there can be, you know, 199 for corporate attendees and a lower rate for independent or anyone who's having some financial hardship.
A
Okay, so I know Luke had to leave, when I get at least 15-20 minutes to TAC elections. The summary here is last year we popped together a process to bring together a TAC. It's been great, and we at that time had set about a year before we would reevaluate the process by which we built the TAC. Here we are about a year later. There have been some discussions since October, November of different ways to continue electing and appointing TAC members, and these two proposals, I think Bob and I've been chatting, as have several other folks.
A
We have roughly these two paths ahead of us that seem like we should test the consensus on them today, see which one we're going to go with. Option one is to just leave things as they are right now: four folks are elected for one-year terms. All those terms are up. Those folks could run again, and three seats are appointed by the governing board. Option two is to move to a staggered election right now, to set the intention that those four seats that are elected become elected for two-year terms, but that they alternate which two seats are elected every year, and to do that we could have all four seats up for election now, with two of them being elected for a two-year term and two of them elected for a one-year term, or some variation of that. And so that's the poll today.
F
So, Luke, it's a, I'm inclined for option two, but one thing I'd like to understand: let's take a scenario where there's a complete refresh of the whole TAC, so none of the existing members are re-elected.
C
Could I, I'll mention one thing, which is, if we continue, if we do as we did before, there's the election for four and then the governing board appoints three, and the governing board could decide, in appointing the three, it's the same three, it's a different three, but it could achieve continuity of almost half of the board that way. The second thing is, you know, these meetings are run very openly. It's not limited to only TAC members to speak, and the number of times we take a hard vote, it's rarely ever three to four, right? So yeah, I think we're in a good spot with that concern, but I'm open to other ideas.
A
I just wanted to offer some experience. In the W3C we have the Technical Architecture Group, which I'm co-chair of, and that group, as well as the Advisory Board in W3C, we go with the staggered process. I think having longer terms, I think it's more about the longer terms than it is about continuity, honestly. But that's just a point of data. I don't even have a strong view about either approach, but just to say that the staggered terms have worked well for us in W3C.
J
I would prefer option two with the staggered terms, but I feel we are too late in the game to make any changes and not derail. We have not, as a group, made any progress on anything in a couple months, so I think trying to stop everything that's already stopped and try to build a new process is not the best use of our time at the moment. So I would vote for option one, with strongly asking that we spend some time in the year before the next election cycle to get this staggering entered and through the board.
K
Well, I mean, it's related to this topic, but another question is: should the board consider increasing the size of the board as well, given the amount of work? Increasing the size you have the TAC for, in addition to trying to address these, I mean, not necessarily have a three-phase, but at least as you're saying. So I don't want to confuse with this question, but I think when we're sort of raising all of these issues about how the current TAC operates, that can be another question to propose in this, and related to any questions that go to the governing board for changing the charter.
A
I appreciate the question, David. Again, I'd love to focus today's discussion really just on the election term lengths and staggering, and that is a, you know, the size of the TAC is a reasonable question to have, a thing to talk about. I don't want to do it today. I'm gonna, it'll derail this one and open up, you know, then the floor becomes open to even more questions about changing the TAC.
L
Yeah, I said this over email, I'll just restate it. I'm somewhat ambivalent between the two options. I think staggering is great in theory. I think the TAC setup already has two different groups of nominations, though, and that third one could potentially overcomplicate. I'm fine with either; option one seems simpler, but I'm not gonna complain if people pick option two either.
A
Now I'll read in, see, Rob's comment: the TAC size could be addressed within the governing board TAC governance committee discussions. I think that's a fine place for that to go. And, in fact, a fine place for any of the related charter changes to get wordsmithed and hammered out in the fullness of time. Okay, anybody else want to chime in with opinions, questions?
A
Well, I don't hear any strong preferences in either direction yet, which makes taking a vote a little bit tricky. Oh, Josh.
A
Is the TAC members deciding, do we have a strong collected opinion to ask the board to make this change right now, and terms are up? The board gave us essentially an extension, because we've all hit our one-year term limit; we're supposed to do an election. The board said: yeah, yeah, fudged it a little bit, figure it out in the next month. So we need to come back to the board and say here's what we want to do, and then we can do it.

So today's vote is which path do we go? Keep the TAC election as it is, and then we have an election, or ask the board to change the charter in a specific way. And I have no strong opinion right now. I do want to see us move to a staggered term. I think that is structurally, functionally valuable to build continuity, to give folks longer-term links.
A
Okay, well, I'm going to ask TAC members present, if you prefer option one right now with a commitment that we will address this in the TAC governance committee, you know, before the next year, for the end of this calendar year. If you prefer that path, give me a hand raise visually or select sort of thing. Oh, there's a check! Oh, there's a yes option in Zoom now! Great! Let's do that! But yes, I'm gonna vote. I'm going to vote on one. I see one, two, three.
A
Luke, then that's four. Anybody for option two, just to record this?

Moving on, then, we have a couple issues that folks have added. Cool, I think these are yours. The floor is yours, right?
J
I have been seeking feedback from the TAC for two months on issue 131, and for one month on 134, and for about a month on issue 132. I would love to actually get feedback on the two plan proposals, on if those are going to move forward or not, if we want to recommend those or if there are changes we'd like to make. And then issue 132 is kind of a straight-up vote: we want to fund this or not, so.
A
Looking at these issues right now, and I will admit that they came in and I have missed them in my own busyness over the holidays. I'm so sorry. I don't see any specific funding numbers attached. Am I simply missing it, or were they, you know, talked about while I was out sick? Yeah, I will abstain from having a vote on, having an opinion on this until I can go read them now.
K
This is something that the TAC should be addressing directly, as opposed to delegating this to one of the other working groups, that having percolated through the other ways that the OpenSSF is addressing security issues, whether it's Alpha-Omega or critical projects or anything else. Other than this came through a personal contact from this person to a member of the TAC, I'm not certain why this is something that the TAC should be directly deciding, so.
K
Okay, we were talking about funding for this, so it's related to, no.
A
Through the, okay, okay, great. Any other comments on 131 or 134?
J
I would be absolutely super if we add more time. I would like to not have that be another two months; I'd be pretty groovy. And I don't feel, since I am the prime driver behind both these plans, I can, I'll vote on it, but I'm not going to second it.
A
Make sure that I review these in the next week? So let's put this at the top of the agenda for the next TAC meeting in two weeks, maybe drop a reminder on the TAC and TAC private lists. Nudge, nudge, link. Go read this, folks.
J
Nobody knows anything about it, because this is the first place I brought this for comments and review, and then to suggest to the governing board to take a look at it and consider. And Brian looks.
C
Yeah, I'll just add: the governing board definitely wants to see proposals get vetting by the TAC before it gets brought to them. Secondly, there aren't quite categories ready to go that just say, hey, as soon as the TAC approves we can get, you know, kind of, check. There is a process. You know, the governing board will need to kind of proactively say yes, this makes sense, and we'll need to decide.

Do we change the existing approved budget for OpenSSF to allocate for this and take something away from something else, or tolerate the greater expense, or do we independently fundraise this from other governing board members as an add-on to what they're already spending? We have a couple of options here and, of course, there's other places we might be able to go get funding, but before OpenSSF staff, before I and others spend time going and doing the fundraising, it's this, you know, getting the TAC's approval of this is.
G
If I may add, the general rule I've been telling people who are often mystified by the OpenSSF, I realize, well, is, you know, the governing board is the power of the purse, but the governing board wants the TAC to review things before they make those decisions. They can make the decision, you know, given that input, but they really want that input from the group here.
A
I think all of those comments also apply to the next topic, which is issue 132. Governing board wants input from the TAC and the TAC is here to provide that input. We have discussed it a couple times. David, I think you had a question or comment. I'll give you the floor first. If anyone else wants to ask about issue 132 in the open source here, there's mailing lists, solo designer after that.
K
I'll re-raise the issue. Thanks very much, Ava. I mean, it started, a question of whether this is a worthwhile project or not. It's just a question of whether the TAC wants to set the precedent of various groups coming directly to the TAC asking for funding for various issues, as opposed to having the TAC, with its limited amount of time and attention, resources, to, you know, delegate these types of initial triage to one of the working groups, and to have that decision to then forward it up through that working group, or some other assessment, to the TAC. Not trying to just, you know, create bureaucracy or create delays, but I'm not sure you want to set the precedent of people sort of sidestepping these other working groups, or, you know, with special connections that it might.

You know, to again not just make this bureaucracy for the sake of bureaucracy, but that, you know, to not have everybody, or not look like it's, I mean, sort of nepotism, or just, I've got a friend on the board, on the TAC, we'll just ask it that way, as opposed to trying to have a more regularized process and finding the appropriate working groups for these different types of funding requests.
J
So this is endorsed and brought up through the Vulnerability Disclosures Working Group; it has been discussed there several times. They strongly endorse it, and there is precedent with the new toolchain, where we paid for, we've offered to help pay for operational support for that project to continue and modernize.
G
Regards, I mean specifically that not publicly disclosed vulnerabilities are always going through a mailing server in the Russian Federation, I.
A
Let's take the vote here and then also accurate on email. Ask for everyone who votes today to also vote on email, just for the record. So if I could get TAC members to register your vote in the Zoom reactions button.
A
We've only lost, in terms of participant count, it only went down by one, yeah.
G
Okay, that's probably just as well anyway, but having three yeses at least suggests that it's very much worth finishing up a vote on this.
A
Yeah, okay! Well, let's take that to email quickly, because I do agree that this has been lingering for a while; it convert to their clothes on it.
A
Okay, Justin, I think you had a discussion when you bring up about pipeline malware. No, okay, Zach, hey.
N
Yeah, I think I can speak to this a little bit. I don't want to take it off the agenda until Justin confirms that we've covered what he wanted to talk about. Through a couple of different working groups, in fact, at this point, the prospect of the OpenSSF being a coordinating point around malware collection has come up, and what we mean by that is in PyPI or other package repositories, what happens when a malicious package is reported?

This information could actually be quite useful to researchers, to folks in industry, both in terms of just trying to characterize what kinds of malware we're seeing, the rates at which we're seeing it, and also try to train automated tooling, much like the tooling coming out of a lot of the working groups here. And for that you need examples of malware, right? And so the, I guess, broad initiative would be around having somebody in the OpenSSF, and that's where the hand-waving starts, sort of kick off an initiative to coordinate better data around specifically malware packages, but package repositories generally. And so I think there was a lot of discussion in the Slack thread that, roughly summarizing, everyone said this is a good idea.

My suggestion, so I'm here as a representative of the Securing Software Repos Working Group. That's a working group where we actually do have participation from a number of the administrators of these package repositories, who are in a really great position to provide access to that. There's a number of efforts that have happened to try to interpolate based on what's disappearing from these things, but in terms of actually getting direct access to the data, I think Securing Software Repos is a great point for that.

So I don't know that there needs to be any TAC action, but this is something that's come up in a number of cases and we're still trying to coordinate around. So yeah, I think, in summary, everyone agrees this is a good idea. We want to do it, and there have been a few folks in Securing Software Repos talking about this. There was a meeting, I think Justin was at that meeting about it, basically just to try to get a bunch of folks in the room. I personally expect that if the TAC does nothing, this will happen in order of months. If there is any urgency, then we probably do need a kick in the pants and some coordination help from the TAC.
A
Yeah, nothing jumps to my mind as a reason you shouldn't just do it, unless there's a funding request or you need legal support from legal or staff. And the one thing that I've, if it hasn't already been discussed in the Securing Software Repos Working Group, I would ask folks to consider is under what sort of terms and legal protections this information is being shared among participants.
N
Excellent point. It is something that's being discussed, and we will likely come back with more concrete legal and/or funding assets at some point in the future. Right.
H
I didn't want to prolong this discussion necessarily, but I did have a clarifying question for Zach Newman. Was this around continuing to host sort of, like, metadata advisories about malicious packages, or also hosting the malicious packages themselves for later analysis? And the only reason I want to bring this up is it might impact sort of, if there's a funding request or not; one is much larger than the other, and...
A
And legal issues around hosting malicious packages for research, yes, of...
N
Course, yeah, great question. Thanks for asking, other Zach. So yeah, both have been discussed. I think the plan would be to start with sort of the minimum viable, least invasive initiative, which is just the metadata, which again we think is going to require less in the way of funding, require less in the way of legal support, and then possibly from there to move on to actually hosting samples of malware, which is where we would want a, and legal help we would want to have.
A
Okay, we've got a little bit of time left. The CRA response, since Brian is here. Brian, would you like to talk about that, since you were also working closely on that?
C
Sure, so the OpenSSF Public Policy Committee, which is a group of folks from our members who really just help inform, kind of, like, what positions we might want to take when we're asked for comment on various things, or there's an opportunity to leave comments on a public process, or sometimes a blog post or that kind of thing.

So, let me back up a little bit. The CRA, the Civil Resiliency, Civil Resilience Act, sorry, Cyber Resilience Act, is something being proposed at the European Union level, and it has actually moved forward and down into the local parliaments of the different countries for commentary and for the revolution, which calls for a bunch of new requirements to be placed on the creators of open source software, especially for those that are deemed to be part of critical infrastructure, including all the way up to needing to prove that you've had a third-party audit of your software development process, not of the code but of the process.

None of them are bad ideas entirely, but it seems to be jumping directly from zero to mandate and skipping over the steps of carrots and defaults and the kinds of things that we know you need when you really want to move an entire ecosystem from, you know, one state of security to a higher state. And, you know, there actually was a bunch of conversations about this at FOSDEM in Brussels this past week, as well as the OpenForum Europe event on Friday.

Oh okay, sorry, right, that's the Open Source Initiative. Basically, lots of people left this commentary, and so, broadly stated, we were supportive of the notion of policy as a means to help nudge things in the right direction, but generally pretty critical of some specifics. They tried to carve out non-commercial open source activity, which, as we all know, I mean, David, apparently you wrote a paper a while ago that said there is no such thing as non-commercial open source.
A
Right, Metro software is also tree of speech in the U.S. court precedence.
C
They'd like to regulate it the way that they would regulate cars, for example, and if you sold a car without brakes, you know, you'd be liable for that. But not just open source software, but the entire software industry is rested upon liability limitations, or disclaimers of liability entirely. And if you want liability protection, you get a support contract; it's pretty straightforward and simple. And anyway, so we tried to approach it just very gently, and about education about this is why this won't work. And, you know, but it is worrisome enough that, you know, we are putting cycles into trying to help make sure people understand why that's not the right approach, and here's some alternatives. So if anyone wants to read more, I'll go pick up both. I don't think we've done a blog post on it yet, but yeah, but I'll take up the link to the comments that were left behind on the European Union. And if anyone has any other questions, I'm happy to cancel, yeah.
A
I was looking for any posts to be made and I'm not finding that link. That's why I dropped in the OSI one as sort of an overview for folks who are wondering what other foundations have said about it, or companies have said. There's a link directly in the top of that one to the, well, I think, 130 total responses, yeah.
J
A problem, I'm going to channel my inner Bob Callaway. I had a vigorous discussion with Bob the day this was kind of shared with the foundation, and he was very disappointed that the TAC was not given a pre-read beforehand, so he asks for maybe we all share a little more and collaborate a little better in the future. Please.
C
I'll share that feedback with the Public Policy Committee. I know there were folks sprinting because they're volunteers, like the rest of us, and they were kind of sprinting up to the deadline. I mean, I took the final draft and put it into letterhead, like, on a Sunday to get it in on a Monday morning. So I think they'd take that as a yes. It would have been better to put it out there. I think they might also have said, you know, we'll have to kind of figure out...
J
He wasn't looking for approval; he was just looking for an inform. He was not informed at all this was happening, and was very surprised and was very vigorously talking to me about it, because I happen to be on that committee as well, and I had about an hour's worth of a head start on his check slot, or his Slack chat, on me.
C
I think those surprises become delightful rather than concerning, but, oh look, something I didn't have to, like, follow is actually creating something of quality. But I'll show that to you, backpack over classes.
A
Minutes left with two more items on the agenda; hope that we can get through them. Zachary Newman, yeah.
N
Approximately zero time, purely as a heads up: the Securing Software Repos group has voted, or has achieved consensus, on sponsoring a new project under that group. We are early stages.

Oh, maybe not. I was under the impression this is not a problem with the guidelines as written; this is a problem with my reading of them. I think there's a, yeah, can I phone a friend? See, Rob, yeah.
J
Well, I, if there's, you know, money involved, I think the TAC needs to be aware, but I think a working group is allowed to make whatever choices they feel, you know, projects they want to work on, as long as they're in line with the vision of what we want to achieve. So I appreciate the inform.
A
Certainly, for assigning a graduation level or stage to a project, that's a fact about, and depending on how technical the product is, might require a little bit of, you know, diligence on the TAC's part, I guess. Exact. One question to either answer now or get spun up in that is: is this a whole-cloth new project being started in a working group, or is it being contributed from outside of the OpenSSF? It already has IP associated with it.
N
Docs are clear about what needs to happen from a legal perspective, so we will, I don't think I want to get the whole TAC involved, but we will send notes, as the lawyers from the contributing company will connect those with LF and legal, and...
N
So far, so good. I will, at the end of this process, make any suggestions for clarifications that we run into.
A
Awesome. With just two, three minutes left, Luigi, I think we might have time for your topic after all.
O
Right, well, we can try to introduce it and we can continue, maybe in the next meeting, but I was checking the, that I put in the OpenSSF organization in GitHub, because I would like, I, within my current working group, that is Identifying Security Threats.

There is this project, Security Insights, where we are trying to define a specification for a YAML file that scanners can use to order type some information that at the moment has no specific standard or policy, or a lot of projects have a member, but in different places, and I have seen that some repos don't have a security policy, other ones have a security policy or security, but we don't have a standard security policy for our organization. And maybe we would like to have some standard policy that we can enable at an organization level using GitHub, because it's very easy. You can use the .github folder where you add some policy that you want to have in the repo, and you can overwrite them easily in every repo if you want, just adding the file with the same name. So maybe a SECURITY.md can be a nice idea, especially a unique contact that the researcher can use to contact the OpenSSF to report issues. And the other one is, if we want to pay at least what the most important projects, like the Scorecard, for example, but the most popular, if you want to pay or have this bugs or something similar for the vulnerability they can send us, and this is probably an action item not for my working group but for the TAC meeting or the board, or yeah.
A
The first one, you know, a standard SECURITY.md template might be part of a project repo template. I don't know that we have one consistently applied at this point, and I know we do have projects that exist outside of the OpenSSF GitHub org; they're, doing it at an org-wide level would not cover everything.
O
Okay, Channel, and then we can try to mobile, okay, right, and.
G
Quick note, Ava, who's going to bring up that vote on that? We need to move to electronic.