From YouTube: OpenSSF TAC Meeting (October 6, 2020)
C: Give people some more time, but just a quick FYI: Ryan is unfortunately not feeling great today, so he asked me to run the agenda while he gets better.

A: I'm very sorry to hear that, you know, I'm.

A: Sorry about that, I just became the host. I didn't realize I was going to be the host for this meeting, so.

A: But I think that our normal host, she had to do double duty on two different meetings at the same time, so.

A: So you're getting the second screen here today. Oh, I'm not so sure about.

A: Okay, Dan Middleton is just joining. For those who just joined, we are recording.

C: I will remind everyone to sign in again. I see some people in the Zoom that are not signed in here, and then we can jump in. So here's the agenda for today; Ryan put this together last night. I think if you have any other topics you want to cover, go ahead and add them up in the next section up here and we can get to those after. All right, looks like first we have an update on the 10/29 press release from Kay. I think Kay is here.
D: Yes. And, what? Hi, I was just hitting the mute button. Yeah, so the first thing I wanted to do is talk about the Get Involved work that we're doing related to the press releases, and it actually ties to a couple of things.

D: So what we're doing is we're updating the text on the OpenSSF homepage. Actually, Dan or anyone, I think I'll try to take the screen for a second and then I can walk through.

D: Now can you see flying geese? I can. Perfect, okay. So we have, there used to be a Join button up here in the top right corner. We've changed that now and it says Get Involved, and we're going to be modifying the text here to expose more information for participants who are, you know, first having a look at our project, and so specifically under the Participate in OpenSSF.

D: We want to include each of the projects and open governing board subcommittees and have a short text description of those along with a link that goes back to the README document for more information about how to get involved. For the press release, we want to have something similar. In fact, maybe it's the same thing, so we want to list each of the working groups and public subcommittees, have a short description of those along with a link that goes to more information.

D: Place we can get it is from the README itself, so now I'm just looking at this, happens to be the planning committee, but we could look at any of the working groups. So if we have a consistent place in the README, we can pull that short description from there.

D: So it was striking me as convenient if we had the descriptions be on the repository themselves, and here's where you can see that. So if I go back, so up here in the, I think this is where I found it. No, it's here. So over on the right hand side, when you're looking at the repository there's an About section, and if you go here, there's a place where you can put a description.

F: So you can also commit that, I think, in a dot settings file. There's probably a way that you can reference the same text between the README and the settings file, if you did that.

F: You have to commit one, but I think a lot of these configuration items for the GitHub repository can go into a settings file and then you just commit that into the repo. Oh yeah, it should be under github.

D: You, if I manually did it, okay, well.

D: Oh, so yeah, all right, it could be that this is gonna. I think the short description, the, you know, this, the description, the size that goes into the pinned repositories, this is what we want on the web page. Okay.

D: Okay, so there was a question: is there a house, house, the, oh, Dan did some mail yesterday and asked people to update their README, so this would be a second request to update the settings.yaml file. So let's see, how can I help with this? Maybe should I create issues for each of the working group leads to ask for the description to be completed, and I'll do some checking ahead of time to make sure that the settings file works, and then I can just ask people to update the settings file.

F: There might be a settings issue in the TAC repo. I can't find it live at the moment, whether it is "add settings to TAC repo". I don't know if somebody wants to build out a template within that issue, and then you can just link to that so that there's some consistency and you don't have to do the same thing in six other places.

D: Okay, let me do a little work on that offline, and then I'll send an email out once I've, you know, figured, once I've created an issue or multiple issues, and be clear about what I've done.

C: Okay, yeah, and since we need this soon, I guess we should try to get these filed today so we can start tracking them.

D: Well, we want it by the 15th, and so our, the press release would call, so it's in draft form right now and the 15th is when we have it mostly final. So then at that point we'll have PR folks from other companies and such start reviewing it, and then it goes out on the 29th.

C: I will take this screen back over, I guess. Does that make sense?
D: It's the calendar, so let me mention that as well. So some folks have noted that they, the Google calendar, so the Google calendar works well for some folks and not for others. I think if you currently have a Google calendar, I think it works well. If you don't, or at least some of us who are using Microsoft products, so Exchange, it's very difficult with the Google calendar, at least the way it is currently, to be able to add items from that calendar to your private calendar.

D: There is no active calendar option, and if you publish the calendar to get an ICS, then you get all of the items, all of the meetings. So it's hard to just add a meeting at a time. So, excuse me, so we've been looking at some other options, and one that we've been discussing is a calendar that's part of the list.io platform, which is the technology that we use for our mailing lists, and so from here, let's see, there's, I go to.

D: Okay, so from here there's a built-in calendar, and then we have a couple of, Lindsay has populated a couple of meeting items in this calendar. We don't have them all in here yet because we're still exploring, so from an item you can.

D: There is an ICS, you know, built right in, and so then you can click on that and then it can get added to your own calendar, and the series gets added, not just the individual meeting. So it feels like, you know, maybe it's a good neutral option for a calendar that, you know, still gives us what we have in the Google calendar, which is an overview of all the meetings, and then makes it easy to add items to your own private calendar.

D: Am I wrong in that thinking? You know, what Lindsay had mentioned to me is that it takes about 24 hours, so it doesn't happen immediately, but it does, but that's something that I can check into. So what I wanted to do today is just, you know, present this as an option. I don't want us to change without making sure that we're not giving up one set of issues for a different set of issues, so, and this calendar might not be the best.

D: There might be better ways to do it, so anyway. So there's a question about ICS files or iCalendar files and how quickly, or if, changes get updated.

C: Yeah, one of the things that wasn't clear to me when he was showing yesterday was how to just see all of the events. Like when I log in here, it shows me the events for groups that I'm a part of, but one of the things that we had set up nicely with the Google calendars: anybody can just click on that link and see all of the working group events without actually having to join any of the mailing lists. It's not clear.

D: Yeah, I thought that there, okay, that's another good question. I thought Lindsey was saying there could be some way to pre-populate the calendar, so I had the impression we could work around that. But let me just note it now as a requirement, because I think it is. We want there to be a way that you can just click and see all of the meetings, regardless of whether you're signed up to the working group.

G: But if the consumer has an iCal, I believe Google calendar lets you export an iCal file, and so if this works with Outlook, presumably Google calendar also works. That work.

D: Yeah, so, and this might be, so possibly in, oh, so here is the constraint there. So I think you can only export an iCal from Google calendar, and correct me if I'm wrong, for the entire calendar, and so since we have all of the meetings on one calendar, if you export an iCal, you get all of the meetings, and if so, yeah.

D: So if you only want to, you know, get to one, then we'd have to break up all of the meetings into their own calendar, but then you'd lose the one view of all the meetings.

D: That, okay, I think that's all I have.
D: Okay, yeah, so Jennifer is working on a draft for a blog post, all right. So let me step back to the higher level. In our planning committee meeting yesterday, we noted that we don't currently have any self-nominations for that role, so the role is for someone from the security community to join the governing board, and we have one seat set aside for that.

D: We did have a couple people say that they knew of people who were interested in joining, but there had been some concerns about the, we had set up the nomination form to be a spreadsheet, which means everyone sees everyone else, and some people felt a little uncomfortable about nominating themselves in a public way.

D: So we decided on two things yesterday. One was to change the nomination form from a spreadsheet to a Google form, and Ryan has already done that, so that will address the concern that people want to be able to self-nominate privately. And then the second concern was, you know, are we not giving quite enough time, because I think previously our nomination period closed on Thursday of this week?

D: So what we decided to do there is to extend the nomination period, and I don't have it right in front of me, but I think we extended it by two weeks. Okay.

D: And then also Jennifer is working on a blog post, and our aim is to get that up today, I think. So we have a draft of it already and we've iterated it a couple of times, so I think we're close on that. So we'll put the blog post on the OpenSSF website, then we'll send out an email. We're going to have Dan send that out, but since he's not feeling well, we might have someone else send it.

D: I don't mean to predict, to protect, things on you, sorry. Okay, so yes, so we'll get an email out and the email can point to the blog post, and then we'd also like to have anyone from, you know, on this call or others, you know, governing board members or TAC members, or, you know, people from the working groups, feel free to, oh, the other thing we're going to do is we're going to tweet on the Open.

D: You know, a few really strong, really great, engaged and motivated candidates.

B: Else? Sure, so just on that note, the blog post, the purpose was to provide some information about, like, what the role entails, how long it runs for, all that kind of stuff, and some of our rationale, which I think is what I shared in that announcements thread last week.

B: If people would like, and maybe I'll just take a quick temperature read here, I can send out a copy of it. If anyone would like to add comments or edits today, I could send out an email to the TAC that contains the blog post. If you guys want to look at wording, let me know if someone would like that and I'll send it to the group. Otherwise we can just finalize publication later today.

B: Otherwise, we'll just do it on our own.

C: Okay, town hall meeting. I think this is just referring to the Doodle poll that Kay sent out yesterday or today.

D: Yeah, so, yeah, it's covered in that mail, but we are going to be doing a town hall meeting, which is an open meeting for all members, but anyone from the public can join as well, and in that we'll talk about, we'll cover some of the things that we've covered in our press release. We'll also allow, we'll, you know, do updates from the governing board and the TAC, and then also allow each of the working groups to do an update on what's happening in their working groups, and then we'll leave time open for Q&A, so.

D: Yeah, I think that we did choose November 9th instead of the previous week because of the elections, but you're right. It could, understand, right, it could be disruptive enough that, you know, we might delay again. So I don't know, do folks have a thought on that? We could say that we'll already know. I.
C: Next one is update on consolidation from CII and OpenSSF initiatives, David Wheeler.

A: Okay, all right, if you don't mind, I've got, can I share my own screen, Dan? If you can.

A: Yeah, afraid so. So hopefully, so I made, I thought it'd be simpler just to make a little deck and present that way. Okay, so I'm gonna talk about CII consolidation, but in particular the CII Best Practices, which is the more complicated situation.

A: So all the other CII projects seem to have transitioned smoothly. Basically, the nx course technically isn't CII, but I've been treating it that way, because that just seemed easiest, and that one is officially transitioned over. Best Practices, CII Census and CII Survey are over in the Securing Critical Projects working group. Everyone seemed to agree that was a reasonable place for it. The complication is that the CII Badge project is not, is a little more complicated. So for those of you who don't know, I think most of you do.

A: It identifies best practices and then implements a site so projects can self-certify. So it includes a variety of automated measures to actually determine and measure this stuff, and I'm the lead. So two different working groups voted, and two different working groups both wanted it as part of their working group. So it's good to be wanted, I think, but so those two working groups are the Best Practices working group and the Security Threats working group.

A: Now the fact that both of them wanted it, I think we can at least declare, well, it's going to end up in OpenSSF somewhere. We don't know where yet. Both working groups agree to bait. We have to have one home, that's just simpler, and we could create a separate working group for this, but there's really no appetite for that. Put the little quote there: we have enough meetings. So basically, because two working groups are saying or proposing different things, it just seems like.

A: Procedurally, it needs to raise up to the TAC, and so I think whatever working group is the home for this thing needs adjudication from this. Now originally, when I proposed this in the agenda, it seemed like we needed adjudication pretty quickly because we were going to announce it in the press release, but I think now it's been decided that we're not going to announce specific homes, so the pressure to make this decision is released a little bit, and we can't wait until the working groups get more formalized.

A: That said, it still seems like this is almost certainly going to require a TAC decision, because both working groups view it within their scopes. So I think we need to at least raise the issue now, discuss it now. The TAC has all the authority it needs to make the decision now or later, your choice, but I think it's important to at least discuss, even if the TAC decides not to make the decision right now. I just want to make sure that, you know, rebranding.

A: This probably eventually should say something other than CII, but I think that that's a separate discussion. We don't need to make that decision right now or even very, very soon. I think it'd be better to wait for that as a separate action, so the next slides basically are two views from each of the working groups.

A: Okay, so that's all I was going to present. You know, the TAC can make a decision now. I think some of the pressure's off, but I think that the TAC is eventually going to need to make a decision, and so I want to at least raise it now, and now the TAC can choose whatever it wishes to do. So, Dan, back to you.
H: Absolutely, yeah, so my cursory review, so I took a project through the CII badge program.

H: Just, that was OpenStack, okay, okay, and there was also the car, what's it called, OPNFV, it's another Linux Foundation project, and it appears to me to be a very good match for Best Practices, because when I went through the badging program, it was all about best practices. It's about, you know, it's not, it was not just threats per se. It was your website.

H: Is it clear how to report a security vulnerability, crypto types that you use, how your, I'm sure there was some stuff around your releases and using semantic versioning.

H: So to me, it just seems very matched to Best Practices, from somebody that's not really given it a great deal of thought before this meeting, just off what I see in front of me.

A: Oh, clearly it's a sensible thing. I think, now my personal opinion, I think the Security Threats working group name is a little complicated, because when you start looking at what they're actually doing, it's all about metrics, and I think that's, well, not all about, but a key part of that working group is focusing on metrics, and I think that's why it gets a little complicated. Both working groups think that makes sense for them.

G: It's not really metrics but metadata. That's what the security, Identifying Security Threats, is working on.

G: If I can, my view on this is the Best Practices group seems to be focused on training and educating maintainers as to what are the best practices they should follow, and the secure, and the Identifying Threats working group needs to be focused on consuming information or metadata about projects and if they follow certain best practices. Neither of these right now has in its scope really creating that information, generating that information initially, which is effectively what this project is about. It's about going to maintainers to volunteer to provide that information in a documented, easy-to-access way.

G: I think it probably fits slightly better in the first one. Sorry, the educational one, practices, yeah, the Best Practices one, yeah. I think it's slightly better in the Best Practices one just because there is a lot of educational content and stuff that isn't just pure security, but it could really have a home in either.

C: I think it'd be weird to have a group called Best Practices and a program called the Best Practices program and not have them be together. But that's not a great reason. I think a lot of what we're talking about is, like, what these groups are actually doing, versus what the names and maybe even READMEs represent.

C: One of my suggestions, David, stock, was to, like, have the working groups go through the exercise of filling out the goals and non-goals and scope section in the template that Ryan just created, and then revisit, because maybe, like, we all just have slight misconceptions about what the working groups are actually doing or what they hope to be doing long term.

B: There's definitely a fair bit of overlap between the groups. I guess so, I'm on the side of thinking that it's a better fit for the Threats and Metrics group, simply because I think the dashboarding project, which is core to that Threats and Metrics group, is about measuring or otherwise observing properties of a given repository to give some kind of indication about security levels, and the CII Best Practices badge is, you know, measuring things about a repository to give some indication about security levels.

B: So I think the goals, like the core objectives, as well as how those things are communicated and processed, are very aligned between those groups. But again, I think that the argument about having a Best Practices badge and a Best Practices group as separate, and the idea that the best practices do relate to the things that are displayed on a dashboard, are all relevant as well.

D: So I, just to echo what Jennifer said and then add one slight additional factor to it. I have been.

D: So, but then, if I step back to customer level, what I would like for us to provide to customers is a way for them to, and when I say customers in this case I mean, you know, GitHub as a customer, or as a proxy for open source developers, and Microsoft as a customer, and anyone who wants to gate their consumption of software based on the security of the software.

D: You know, one way to get security information about open source software, and I think it would be a shame if we ended up having an open source badge project which has one way of exposing the metadata that it captures, and a separate open source metrics project that has a different way of exposing its data, because that just makes it harder for the people who want to consume, and ultimately their goal is, you know, I want to understand the security properties about software before I bring it into my organization or into my project.

G: But that is not something that necessarily means the project is more or less safe, and I mean the project is more mature, the project is better organized, but it does not mean that there's a security vulnerability in the project, and so I think, there's, again, I don't want to dictate what these working groups should be doing. I could see the Best Practices working group actively engaging maintainers, actively going out and educating maintainers as to what is the right thing to do to follow best practices, to increase your security, right.

G: That is different for me than consuming that information down the line, and ideally the way to consume information would be mostly automated, based on a core set of security metadata, and that group might not directly go interact with maintainers and incentivize them to adopt those best practices.
H: Action to investigate, and then I would then talk to somebody and say, well, this is what we do at present, so how could we improve it? It was very much a kind of an open communication thing rather than rendering our current state, if you see what I mean, so it just seemed to marry quite well with this developer outreach area, if that makes sense for the.

C: So it really is just taking the people at their word. A lot of them are, you know, detectable, and David's got a bunch of code there to look for things that, you know, can be found, but a lot of them are really just that you're stating that I've read and understand and agree with this best practice and I'll try to do it for my project.

F: Yeah, that's also been my experience. We just went through it a second time with another project that I'm on, and we explicitly did it as a group so that everybody was on the same page, and it was an educational task. Oh, how'd that work? It was good. I actually captured some feedback that I should figure out how to feed to you, which relates.

A: I think the tangible outcome is primarily reporting too. I think, you know, right now, the CII Best Practices badge, once the CII became kind of moribund, is, you know, we want to keep it going, and so we, but it'd be much better for it to have some people to report to who are examining it, making sure it makes sense, proposing new, you know, improvements to it, reviewing changes to it.

A: So I think it's that sort of thing. I haven't really thought that hard about moving the repo; obviously that's totally doable, but I think things like changing names and changing repos are down the road. The first step is, you know, does it have a home, and if so, where? I do want to make it clear that, although I did have, I think it's easier to make a specific proposal. I'm perfectly, I think it makes sense for either group. Either group has, in fact, you can hear the disagreement within the TAC.

A: Both groups have some rationale for that, and I think either group would be a perfectly reasonable outcome.

H: So David, I think, just to set the expectation, it is hands-on as well. From what I recall last time, you're going to get a lot of questions from people saying, well, I use MD5, but it's to check network packets have been constructed properly, there's no security context, so what should I do here? So I think anybody that is going to take this on should be mindful that there's likely to be an expectation that you would collaborate and work with people trying to get through the list.

A: Yeah, what I would propose, and it's up to you guys, all of you, but I would propose, originally we had to make this decision ASAP in order to do the press release, and that was the original reason to put this on the agenda. We don't have to do that for press release time. I think a decision will have to be made eventually, but what I propose is I've done what I think is the key step, which is there's an issue the TAC needs. I think the TAC eventually needs to resolve it, and nothing else. While the working groups are working out their scopes, this should be one of the questions for the TAC: hey, does this help us make this decision? So I think I would just say for right now I won't. Put this in, you know, everybody's heads: this is a decision that will need to be made eventually, and go from there. Does that sound like a reasonable step forward?

D: So there's a project that I'm working, so I help out in the Identifying Security Threats working group, and there's a project that I'm working on, which is sort of understanding the differences between the Best Practices badge, the security metrics project, and then Google had proposed another kind of similar-sounding project, which is a security scorecard, and so what we're working on in that group is gathering information about each of those projects.

D: What the goals of the project are, what the target audience is, what the scenario is, and then just, you know, kind of rationalizing how those things come together or not. So it could be interesting as part of that effort, you know, once people kind of have a chance to look more deeply at what the projects are trying to do, I think that information could be valuable to inform a decision.

D: So that's, I guess, a long way of saying that it seems reasonable to not make a decision today, but, you know, let it wait a little bit and have the working groups look at it some more, and then come back with a proposal a little later.

A: I think my plan is, I think, for today what I need to do is do what I've just done, which is, hey, there's a decision that will need to be made, and let's move on for now and come back probably within, well, two to four weeks, once the scopes have been worked out, and then hopefully that will make the decision a lot clearer.
C: Sounds good, all right! The next topic on here we'll just go through a little quickly. This is working group updates. I assume this was a time for all the people from working groups to give status updates. I don't think we really have enough time to go through those, so type them in here if you can, and if you do want to give a quick highlight for a working group, jump in, but we don't necessarily have to do a full round table from everyone.

G: Can I propose that the default here is to be async, that the default should be an updated issue or something like that? Not at this meeting.

C: Yeah, I would agree. We can have people fill this out ahead of time, hopefully, I think.

G: Yeah, some static, like follow the issues or whatever that they're interested in, rather than spending time.

C: Yeah, and if anybody has something they want to say that they're really excited about, go ahead. Otherwise, we'll move on to this next one: review remaining PRs and issues on the TAC repo, propose closing seven and twenty-six. When I open these they're taking me to new tabs, let me see if I can switch what I'm sharing. Actually, I'm not sharing anything now.

F: Yeah, I took the liberty to go through and try to pre-triage some of these. So those two look like they're ready to be closed, and then just shine a little light on the next one that might have been stalled, and then the last one probably also can be closed.

C: Thanks, Dan. Okay, so I have seven that I'm sharing here, yep. I think this one's fine to close.

C: You can always reopen it. 26 was the license, CLAs.

C: Yeah, so these aren't actually filled out things yet, so just, do we want to set something default at the OpenSSF level? The one that you, we can kind of discuss this in the issue, but yeah, it says we default to Apache 2.

A: I believe the correct answer is a working group can specify a different license; it just has to be approved by the TAC. I would recommend against using, and, as I mentioned here, I would recommend against requiring CLAs, right. You know, that is just a way to prevent project participation.

C: Just blocked one.

A: If we can circle back real quickly to number 26, the license/CLA policy, yeah, we should figure out what we need to do for CLAs and licensing.

A: You know, I guess the default licenses are Apache 2.0 and CC-SA; there's no particular requirements for CLAs. I personally recommend against them, but there are sometimes legal reasons you should have them. Does anyone have an objection to, or plan, because I think we can close this out? If somebody ever says we need a CLA or we need a different license.

A: That working group can just raise it to the TAC for approval. So I don't think we need to do anything different unless somebody thinks that they need to do something special now.

C: Right, so I think this is the wrong document. Actually, I think we might need to move this up into something at the TAC level, because this is a document that basically just got copied into each working group, that's kind of complete boilerplate and isn't really filled out or relevant to many of them.

C: So, like, any of the working groups could just delete this file or change it to say whatever they want. Like, this talks about how working groups will elect their own technical steering committees and things within working groups. Sorry, I think I'm sharing the wrong tab. Okay.

G: I think, to Dan's point, that's not a very useful template for most working groups.

F: Yeah, I think that might be captured in another issue about some of the structure for the working groups, but all the member group, all the member companies, have signed a participant agreement that has a charter in it, and I'm trying to skim live, and I don't see the licensing in there like I thought it was, so then, yeah.

C: There's too many things called charter flying around. Yeah, the thing that all the companies signed is in ossf foundation and there's a PDF. I'm not sure if it mentions anything about licensing there.