From YouTube: OpenSSF TAC (June 27, 2023)
Description
Meeting minutes: https://docs.google.com/document/d/18BJlokTeG5e5ARD1VFDl5bIP75OFPCtzf77lfadQ4f0
https://github.com/ossf/tac
A
B
B
I have an urgent HR meeting, a good one, because not only Char meetings are good ones, but I have an internet shower meeting at half past. So if it's possible to swizzle me to the front of the agenda, I would greatly appreciate it.
D
D
D
E
B
Supposed to get started without, sorry, who is it that was coming in late? Dan will.
D
H
A
D
All right, we have four TAC folks here. We will get started, if I could ask everyone. Welcome to the June 27th edition of the OpenSSF Technical Advisory Committee call. I would look to see if we have a volunteer to help us scribe notes for the call.
D
Oh David, you are the bestest. Thank you, sir. Great. As I mentioned, Dan will be late. I will send, this first item of business, I will send a note out to my friends on the TAC after this call. I have homework for you all before our July 11th call: I would love to have a backlog scrub of our issues and PRs in the TAC repo.
D
We have a substantial amount of issues that are one, two, two and a half years old, so I'd like to see if we can get the cruft cleaned out or addressed so that we can have a clean slate of items we're currently working on. So I will send a note, and please add any comments, approvals, counter proposals, feedback on those issues in PR, so we can get that ready to go. Any questions about TAC homework?
D
B
Cool. I am actually going to, I'm going to veer left, and as I prep this, Adrian, I'm going to introduce you. So if you want to think about saying a couple of words. We have a new staff member, as part of one of my commitments to help improve execution is hiring people that we have approval for. So Adrian, I'm going to turn it over to you in a sec.
B
I
Hi, I'm Adrienne. I've got a background working in all facets of different spots. I've been an engineer, I've been a product manager, I've been a project and program manager. Mostly just like to find problems and try to see if we can get folks to fix them. I'm stationed in Northwest Arkansas and it's cool, even the rest of Arkansas. That's about it. Let me know how I can help.
B
Thanks so much, Adrian, and thanks for kind of freestyling. I didn't warn you that I was going to do that. All.
J
B
So with that said, I have two requests. One: I love the engagement that we all have in various medium and forum. I personally am terrible at multitasking while on video. So if you do raise a question in chat, if you're comfortable, please verbalize it, because otherwise I'm just not going to see it, and I don't want you to think that I'm ignoring you or being non-inclusive. I'm just recognizing some of my own limitations as well.
B
B
Y'all have had an opportunity to pre-read the material. I know that we all have busy schedules, so I do want to take an opportunity to kind of voice over it for those that may not have reviewed it yet, or perhaps reviewed it a week ago and it's kind of paged out. So I got here coming up on two months on July 1,
B
and I've been thoroughly amazed with all the work that the OpenSSF has done in the last, I guess we're coming up on three years. However, I feel like in order for us to get to the next level, and in order for us to be thoughtful about where the opportunities exist, both from the perspective of what should we staff, we governance in TAC, as well as we community be doing, we need this.
B
We need this overarching plan. Like, there needs to be some sentiment of, hey, we're going over this-a-way, and here's the cool stuff we've done so far, and here's opportunities that we haven't yet focused on. I've been calling this the subway map, because I'm going to be that painfully New York. If you want to call it the tube map or the underground map or whatever, I'm
B
okay with it. But the idea is that we have some kind of start and end point and that we can trace through where we are along the way. That provides a couple of opportunities. One, from the perspective of those that sponsor us, it allows them to see progress, which I think is always good. Two, from the perspective of the community,
B
it allows for an engaged discussion about where opportunities lay and where they might want to focus their time, or things that they think we may have missed. And three, when it comes to the orientation of our work groups, etc., it provides this kind of steel thread that allows us to understand and organize behind all of the activity we have in flight. So I've been doing security for a bit, about 20 years, which is far less than Mr. Wheeler, but perhaps more than others, and jokes aside,
B
one of the ways that I've looked at security is this infinite state problem, right? You can squirrel away on a thing for a really long time and realize you've made no forward momentum whatsoever because the bad people were going to go do something else. And one of the ways that I've found helpful in kind of sequencing where should we work is to first think about the use cases that our constituents would normally execute.
B
There's things that people that build software do, there's things that maintainers do, there's things that companies that consume software do, and then to build a threat model against it to determine, hey, where can these things go awry, and then to use that to roadmap a set of controls that we would consider. Now, I'm not saying that that decrees a hard and fast roadmap against which we all must execute, or we won't get bonuses, because, of course, this is an open source community.
B
B
I've laid out some steps, including the basics of inventorying the current use cases that already exist within some of these work groups, laying that over some kind of standard threat model, be it STRIDE, whatever your picture is (I see crop wincing), and then producing a set of artifacts that will inform what the construction of this roadmap should look like. I've roughly timelined that to be between now and September. Now, as soon as we start talking about timeline, the next question is resources, so who's going to do the thing.
B
Omkar, wonderful idea, I was planning to go fishing all of August. So we do have a number of new staff coming on board in the coming weeks, LF staff. Of course, Adrian's already on board and she's got it all sorted out. But my idea would be that staff would be facilitating this, so we would be working with you, the TAC, as well as the work group leads, etc., to organize and execute this. But this isn't an additional burden upon you, and this would mostly be facilitated from staff.
B
B
This will be something that we invite you to participate in and take your input in, but we as staff drive. So I think that hits my 10-minute mark, maybe just a little shy, but I'm more than happy to field. Oh sorry, only four! Well, it feels like a lot longer. More than happy to field any questions. I think Mr. Scovetta's first. Yeah, you've
K
Awesome, awesome. So in four minutes: the, which, when we first started, I think it was the open source coalition, we did do a threat paper, which meant to be a map for the types of that we could work on. I don't know who has ever picked up that way, but a lot of the content, while it's about two years old now, is still pretty relevant.
K
We are planning to dust it off, but if that helps prime this effort, that's great, and I can certainly, either myself or someone else from the work group can help kind of do the handoff or whatever's needed to make that happen. And if it's no good, that's cool too, but
B
I'd love that. I mean, I personally, yes, thank you, please, more. I don't think any of this, I would much rather this be a collate-and-edit exercise than a create-from-zero kind of exercise. And let's face it, we are doing some novel stuff, but a lot of the problems that we're trying to solve have been around for a while, and I don't mean to claim any novelty in the fact that we've identified like an entirely new way of thinking of this or anything.
B
H
Thank you. So if this staff is primarily going to engage in trying to get this done, I mean, what's the channel that people should look at to at least monitor or interject if they want to?
B
So what I hope to produce between now and, why don't we say, we have a board meeting on the 13th, during which I intend on introducing this topic as well. By the time, why don't we give it till the week after the board meeting, so the 20th of July, by which we will articulate a comms plan and things of that nature. In my mind, you know, this would have a GitHub repo and we would publish artifacts publicly, just as we do with all of our other work groups.
B
So it would be no different in that aspect, but I want to ensure that once we have all of our staff lined up, that we have a semblance of a project plan in which to assert which milestones you can expect by when, versus being too declarative of it right now. As for whether there would be regular meetings and such, I haven't thought through yet, but presumed by the 20th, all that stuff will be sorted.
H
B
How often do work groups come back for updates? Quarterly? I suspect that this will probably complete after one of those quarterly updates, but we can certainly frequent, we can certainly attend more frequently if festacide. Only that my original target was to wrap this by September, right. So yeah.
H
I guess that was a good Twitter Jake that this is probably not enough. I mean, if we wait that long, then they'll be over before people get notified. So I mean, I think, you know, we don't have to set that in stone, how much often it happens, but I think you should keep in mind that is something you should try and do every now and then at least. Yeah.
B
B
I simply haven't formulated that yet, but if everyone agrees that this is a good thing to move forward with, that'll certainly be the next step: the construction of the plan, in terms of both execution, communication and oversight.
L
Yeah, I'll just jump in on that. Just my comment on here is, as you're, like, because it's both technical and conceptual scoping altogether, right, getting the charter, everything, as we're building it out, can we do a radial road map where, yeah, we've got long-term big goals, what are you hitting in a year, but we can coordinate better if there's details and action plans three months, every three months, right, so that stakeholders can jump back in? That would be awesome.
B
B
The reason that I point that out is initially I had thought of the road map more as a sequence of events versus a prescription in terms of time, and the reason for my hesitation with prescribing time is due to the fact that a lot of this work is on the shoulders of volunteers. So, while I'd love to say, like, here's the execution plan for the road map and we've put x million dollars behind it and 30 people, you know, we're kind of counting on the volunteers to do this. So is it?
L
Yeah, I'll let Michael jump in after this, but really, I think the scary part about road maps, especially if you have to code on them, is the fact that writing it down encodes and responsibility, right? So I think what would be nice, right, because I've got to coordinate across CNCF, everywhere else, and like, just knowing that you've got milestones, whatever you're accountable to as OSSF, even on paid, I know that you're putting this together, right, knowing that in a quarter or in two quarters, I can jump in and know that.
L
B
How do you all do this in CNCF? Because I know that you face some of the same challenges in terms of, hey, it's volunteers doing work against things without necessarily having a software release schedule. So how do you timeline that, CNCF?
B
Yeah, I mean, I'd love to learn more time. Yeah, I don't want to, I don't want to tank the schedule, and this could just be a "hey, the new guy doesn't know yet", but if there's a way that we've been successful in committing time behind resources that can, committing time behind ideas that don't have resources and funding kind of squared away, I'd love to learn more. It's just been challenging in my experience in the past, and I
D
I would route anyone that has additional questions to approach Omkar or staff via Slack, continue to make comments on the issue or the document, and look forward to Omkar and team coming back and reading out and sharing what the, how this moves forward.
B
Yeah, so two next milestones I want to call out for those tracking at home: the 13th, we have the governing board meeting in which we will discuss this as well, and by the week of the 20th we will have a more prescriptive plan. I don't have the TAC calendar up, but is there a TAC meeting that week or is it the week after?
D
Every two weeks, so we will next meet, next meeting would be the 11th and then the 25th. Okay.
B
So, but perhaps by the 25th, we can review a more concrete plan in terms of project plan for the execution of this activity, as well as a proposal in terms of the communication plan and readout, that kind of thing. Really wonderful. Thanks, everyone. I'll speak with you soon, and I will silently drop for my other meeting, but on with other business. Thank you.
D
All right folks, next up, we have TAC issue 161. Our friend Zach is looking for some assistance and comments. Zach, do you want to help kind of chat about this for a moment? Yes.
G
So the most scoped request here is that we define more descriptive process for SIGs and then, and maybe projects. The title kind of, the issue, kind of leaves it open. So without blowing up the scope too much, what I did is attempt to research across a couple of different resources, including the charter, the community health check work that's going on in parallel, diagrammer society, and try to understand what the current structure is of working
A
G
Special interest groups and projects, and how today we even canonically track where these things exist. So I have not yet put forward a proposal for how to solve issue 161, but in this linked document there are a number of questions. There's like eight questions in 10 minutes, so I don't think we're going to be able to go through all these questions on this call, but the request is that folks take a look at these questions, they give feedback on what they think
G
the answer to these questions are, and then coming out of that I think we can write a proposal for how we want to actually solve the issue 161, which is running down a more descriptive process for SIGs and maybe also projects.
D
What comments or feedback or questions do we have?
L
No, I think it's important. So I have been talking to some of the Linux marketing and, as we start to work this together and sort of figure out the, like, onboarding roadmaps for these different identities, right, like students, corporate, hobbyist, we're trying to get blog post up for those. So I just forwarded that issue onto that marketing team, and I think we should all be in touch and see, because I'm telling them to, like, tap into the head of the SIG and ask them what it's about.
D
D
G
So I think my next step, then, is I'm going to start writing a proposal to address these open questions, and if anyone would like to participate in that process, please let me know.
D
Excellent, thank you. I appreciate you kind of taking the lead on this, and I think it echoes some of the things that Omkar wants to do and some of the other issues we have going on. So this all helps us move forward and have a little bit more consistency, and ideally that'll improve our velocity going forward.
D
All right, if there are no further questions or comments, we will move forward to our next speaker. We have Nigel here to talk about issue 175, about a proposal for a new working group. Once you take it away, sir, you have 10 min, 10, 15 minutes. Okay.
F
So, I hope you can see me on screen. So what per person I work in group looking for an approval, and it's AI/ML, and it's quite a large, obviously open-ended topic. Current faces: we've had, met five times. We've got a lot of vendors involved. There's a list here.
F
People are interested, there's a good attendance, generally around 10 to 12. We have a mission statement which is basically designed to be in line with the OpenSSF charter; we've reviewed that over a couple of weeks. And so deliverable, the first delivery we've got is a live version document with the aim of collating a view of existing work, avoiding conflicts and, you know, repetition of work, collecting resources and nurturing a balanced view on AI.
F
We have a, we have in the agenda, we have sort of some ideas about the sections there, and we're trying to, we're also in communication with the Linux Foundation AI security committee, so make sure we're not duplicating there.
F
D
So have you had the opportunity to review the issue in our repo? I know that there are a couple outstanding questions there. Just to start us off before I turn it over to Zach: I know that Arnold had asked what are you doing with other existing foundations, so you have that kind of addressed there on first bullet point. But I had a question there about, giving our folk, listening to Omkar earlier, and giving our focuses around use cases and threat models associated with the consumption of open source software.
F
Yeah, we reviewed the issue, and the main issue was conflict and overlap with other groups. So yeah, we are looking into that. We obviously, we don't want to, we don't want to put anyone's work, it's not in anyone's interest. So we've got questions. Who's picking those out? Should we go for Zach? Go.
G
Yeah, I think one of the challenges with AI/ML as a topic is, like, how cross-cutting it is, and I was reading the proposal, and there was like a suggested white paper about what things to keep in mind when developing using an AI assistant, and I thought
F
Yeah, we've had the same discussion actually, and, but that's what we're looking for approval for. I mean, with the general feeling is that we're doing things that are different enough.
E
J
Hi, so I'm sorry, I have actually been participating in this effort, although I haven't been able to, and I'm supportive of it, although I haven't been able to attend every call, unfortunately. So I'm a little surprised now that I look at the mission statement that the statement here saying that we do not, in that explicitly putting basically licenses, legal issues and licensing of information, including code generated by AI/ML, out of scope.
J
What was the, because I think I expressed my view to the group that I felt that this should be in the scope, and I'm, so, just, I'm a little surprised to see that this has been declared out of scope, because to me this is one of the key issues when it comes to open source and AI, especially when it comes to code or models that are trained with corpuses of code. And it's one of the things that my organization is struggling with.
J
So it's one of the areas where I would like to see some leadership in the open source community, and it feels to me like OpenSSF should be the place that is providing that leadership. So I'd like to try and encourage us to put that back into scope, if possible. I'm sorry to raise an issue like that at this point, but it feels like
K
Yeah, it's so good, if I could jump, because I get to get it out of there. So I'll do the rationale for that was: OpenSSF is a security organization. We are mostly security people. We should not be opining on legal matters for which we do not have expertise. The AI and, sorry, the AI and data, or data and ML Linux Foundation group
K
F
Yeah, and I must admit, I came down pretty sort of on their side that, if you wanted to do this, Dan, I thought it should be in there. But if you've heard the other argument, it's not our expertise.
J
I think, to be honest, it's easy, and I'm sorry to say it this way, but it's easy for big companies with to say that, right, like "let's take this out of scope", but I think that it makes a difference for the community and for the open source ecosystem. So I'm sorry, I don't mean to rat hole under this topic, and I'll shut up now. But I would like us to try and reconsider this, and I'd like to be in that conversation.
J
F
See, well, I'm certainly up for that. I mean, that's presuming the group goes ahead. I mean, we're looking for approval of that in the moment. So maybe it's a step on for this, this meeting, but yeah.
J
Agreed, and I'm sorry to have raised it in this discussion.
F
Yeah, okay, yeah. I mean, it's, assuming it does go ahead, I'm open for more discussions on that, I really am. I mean, I don't see how, I mean, other than this planning the scope unnecessarily, I don't see any reason. It would be too objective about that, yeah. So yeah, but that's the next, well, that's the next time, I think, really.
M
Thanks. So, and then, so for one, I was one of the individuals that also said that, you know, as a matter of legal issues, I mean, we don't have enough lawyers in the room to make these kind of judgment calls, especially when it comes to licensing, but I have a caveat for you and I'd like to talk about it here.
M
So Brian Behlendorf put a great meeting together with the good folks over there in the ML security on the MLAI LF company that's working on this, and we had such a dynamic conversation, Christine Abernathy and I, and Brian and Alejandro.
M
You know, we talked about the parallels, and we also talked about the similarities or some of the efforts that we might be doing that might bleed into one another, but we also talked about a lot of the good stuff that's happening that's completely separate that we can collaborate on together, and I think one of these areas does have to do with their efforts on securing AI and ML code-wise, right.
M
So that'll cover things like licensing and all that, and they have lawyers in those meetings that can have those kind of conversations. But what we'll do on this side with referencing securely using and the secure use towards the development of, I think there's a great bridge that can be built to service what we do here in the openness of supplements and security focused specifically, while, you know, using those tentacles reaching out, you know, having them join our means,
M
we join their means, and we have that cross-communicative effort towards addressing your concerns, specifically down around licensing and those things, while staying true to what we do here and the openness and stuff. So like I said, it was a great conversation. We found a lot of great ways to partner going forward.
M
Should this working group get approved, I'm excited about it. So, and I hope that, I hope that that will help, I guess, and making, and kind of, you know, I
F
M
I hope it helps in your thought process around what we do, what they do and how we can work together to do it better. But I did want to bring up that we had the conversation, that was yesterday, and we're gonna be putting some documentation together, I think Christine and I, to bring to the hopefully approved working group.
B
F
D
Arnold, and then Luke and Zach.
H
Yeah, thank you. So first, I mean, you know, I'm glad to hear that my comment was taken seriously and that conversation has been happening. I'm a bit confused as to the state: which document are we supposed to look at for the proposal? Because the Google Doc that gets pointed to either from the GitHub issue or the agenda doesn't have any information about how this gets positioned with regard to the other efforts we are talking about here.
F
Oh, no, that's the, but still in the process of being determined. We're still trying to get contact with the LF AI ML security committee. We've, yeah, we've had brief discussions with them. The next meeting is not till next month, so several of us are signed up to go there recently.
F
E
Can I come in here? Yeah, so our first deliverable is to understand the lay of the land: who exactly is doing what, okay, what are the gaps. So it's a point of view, effectively. So we will look at what everybody's doing, okay, look at what are the tangible impacts upon open source in its communities, and then that will be the document that does not exist
E
yet. That would be something that's created in a repo, okay, which anybody can collaborate to, and that will simply be our first deliverable, so that we can address concerns around duplication: what is our scope, what are we doing. So we want to start with that. We've clearly got lots of vendors involved here, lots of people turning up eager to do something, so we've limited our scope to make it easily digestible, and that's a simple document, okay, which outlines what we understand to be the lay of the land currently. So what are OAS doing?
E
What are LF doing? Are there certain gaps where nobody's doing anything, but perhaps the OpenSSF should do something? And how do open source communities and the users of open source software understand the risks that are inherent to using AI/ML-centered technology? So that is our scope, essentially. What is within that particular document, that's to be determined. That's the democratic process of the group, will collaborate to play that out.
A
G
Up, Zach. Yeah, and maybe this is a slight change of topic, but a few weeks ago there was the OpenSSF public policy committee, which was asking the TAC for technical feedback on the EU Cyber Resiliency Act.
G
I'm not sure how to find information about the open public policy committee and what their scope is or what topics are under consideration. So I'm wondering where I can find that information, first of all, and then second of all, if some of these questions around AI/ML and licensing would fall under their purview or not.
D
I can get you a link to their charter. They don't use GitHub, but I can get you a link to the existing collateral for the public policy committee after this.
H
I wanted to follow up on what Luke and I got up said, because, I mean, Nigel, it feels to me that we are being given, basically, you know, the opportunity to, oh, no, the proposal is kind of open-ended, and the first agenda item for the group is to figure out the charter, which I think is a bit backward. I would expect to have, if not a full-fledged charter being proposed, to have something that looks very much like a charter before we approve it. But that's my take on this.
E
Is that documented anywhere that we should be doing that? Because we've been trying to look for what we should do, and we saw stuff around creating a mission statement, and I've got, to be honest, this seems very overburdening for us to come forward and say we want to contribute and help solve a problem and look at what people are doing. I've never known the TAC be this heavy with oversight and requiring approval and so forth.
H
H
E
Well, I mean, we got our deliverable. Is there anything that's not clear about the deliverable? I mean, we've got a single deliverable. You know, we've kept it open as to what that is, because folks need to contribute and summarize the consensus of what that group found. Essentially it's same as any other working group.
D
E
A
D
We are at time for this particular conversation. I have two questions. First off, who from the TAC is participating and would be considered the working group sponsor if this moves forward?
A
N
I agree with Arnold on this one. I'm just getting the chart, like, this isn't a huge amount of homework, but I think we need a little bit more clarity on the charter long term to really make a vote, but I don't think it should be, you know, months of work or a beautiful encyclopedic document or anything that needs to get written here.
C
D
We'll point you to the working group workflow as it sits, and I would encourage anyone on the TAC that is interested in helping sponsor this effort start to join the calls and collaborating with this group. I would ask specifically Nigel and Luke if you could come back at our next call, and hopefully we'll have any outstanding things documented so that we can actually formally vote, and we'll have you folks move forward here or go back to the drawing board, so to speak. That sounds
E
fine. Yeah, so I mean, just one thing, so Zach has actually just posted what the criteria is for incubated.
E
H
A
H
M
M
You know, I'll take point on this, we'll jump all over it, get it done. Whatever's being asked, this is not a hard, like dancer. This is not a hard ask. All right. We just need to dot our i's and cross our t's. We'll do that, we'll get it back in front of them and be correct. I personally think this is how the TAC should be run, and I applaud the TAC.
M
Fourth, let's go ahead and get what they need to get done and, you know, smooth out the lines, all right. That's, I mean, that's it. I don't, the back and forth I need, let's do what needs to get done. Thank you. Thank you. Great, yeah.
D
O
Yeah, I'll just point out, as a prior TAC chair, one of the points of feedback that I think we got loud and clear in the second half of last year was deduping the organization, right, and so I think the concerns that I think you're hearing here are not one of "this isn't worthy" or "this doesn't have merit". It's just making sure that we're trying to minimize the technical debt that we
O
Some sense, like the pushback here is not so much on you, but it's around ensuring that we don't, you know, we are intentional about driving collaboration within the OpenSSF, as well as being intentional about our position relative to the broader ecosystem. So appreciate the collaboration here. I think, like I said, this is just part of our growing pains as an organization, but certainly supportive of the general concept. I think I would just echo, I think, the other TAC members here, that just the making sure that we're not, we don't
O
If we have 20 best practice working groups, then which one actually holds the torch is going to be a fundamental challenge. So I think just making sure that we're aligned from that point of view is the only feedback I would give.
D
Thank you, Bob. So again, if I could have Nigel and Luke and whoever else from the group come back on the 11th, and in the meantime I would encourage all the TAC members to review this literature, engage with the group and see if we can find someone interested in being the sponsor who's willing to collaborate and participate in this group. That would be super great.
D
C
Right, I'll try to make this relatively quick. So the great news about OpenSSF is we have over the years developed some really interesting materials. We are, look, we have some really interesting projects with more interesting materials to come, and when we finally produce them, all too often they look really awful. Like, you know, we're pointing people directly to GitHub markdown files, and it doesn't look like the quality of the work that it actually is. One, a challenge with fixing
C
that is that there are too many ways to solve this problem. I can probably glance on the side and think of 100 ways to do this, and I think that's actually been sort of the problem here, and this doesn't mean so.
C
The best practices working group was having this challenge for some of the concise guides. So after looking around, I counter-proposed and say, you know what, there are a million ways to do this, let us find the simplest possible process that would work, and so that's actually what I'm calling this: the simplest possible process.
C
It's something that the best practices working group is currently doing, and I think really what I'm looking for is an A-okay from the TAC that other groups, if they wish to follow this process, are also free to do so. I think the experiment's been a success; if anybody thinks that's wrong, certainly would want to know. Okay, but what I'm calling the simplest possible process is: it's already on GitHub. For many cases, they're already in GitHub, they're already in markdown, so just turn on GitHub Pages, copy a few files over to make them look decent.
C
There's a couple files you can copy over, and the great thing about doing it on a per-repo basis is that when you make an update within a group repo, it immediately updates, and there are that many pages, so it's quite quick. Okay. Now the drawback of this is that the easy way to do things basically needs its own domain. That's not a problem, though: we have an infinite number of subdomains that we can create down on blank.openssf.org.
C
So, for example, in the best practices working group's repo, we created, you know, it's a one-time access action to create a DNS record to point off to a name to a repo, and so it would basically mean every repo that's publishing would have a subdomain. Historically, that would be a big problem because you would have to pay for each of the certs if you're supporting TLS. That is just not an issue today, and so I
C
think at this point people would say something.openssf.org, it's pretty obviously openssf.org, and so on. There are pros and cons to everything. We can do other things, but this seemed like the simplest possible way to get things going: a couple one-time shots and all of a sudden the documents that people are posting are available looking much better than they did before. Oh, and Amanda has posted a link to a sample of this kind of thing, and so, you know, we don't
H
Yeah, I mean, so David, you know what I'm going to say, I suppose. I'm totally in favor of the approach. I think this is a good way and very practical way to get this done. As I said in the comments online, the key missing piece right now is the date, and, you know, if you follow the link that Amanda posted, it rubs me really the wrong way to see the document like this with a single date on it, publication.
H
That is a key piece of information in any kind of publication, and it needs to be added to the content of the document. That's the easy way to do it. It's kind of a pain, because that means every time you update the doc, you need to think, "Oh, I also need to change the date", but the alternative is to try to get this programmatically into
C
C
Yeah, yeah, so I agree, dates are great. The simple solution is to include it in the markdown file, and you're right, that means people have to remember. You know what, to be fair, though, that was true for me, that's true for many other processes. It's not limited to this one. So, you know, and somebody forgets to include a date, well, that's a fix. We can then post the things.
H
H
Thank, thank.
D
D
G
Fantastic job on the name. We should put you in charge of naming everything.
D
M
D
Easy. I also agree with Arnold: we need to have some type of dating. So I would request, before we would implement this, any artifact we are submitting into this process, we would provide guidance that they should have maybe initial publication and then last edited dates added to the pages. That'd be super helpful. But I like it. So that's three folks that liked it on the TAC.
D
All right, I will request my TAC members please officially comment on the issue. Bob gave you a plus one, so that's four. We will note that on the issue, and I think that you're sanctioned to proceed, sir.