►
From YouTube: OpenSSF TAC Meeting (July 12, 2022)
B
A
B
Sure
hi,
everybody
sorry
apologies
for
my
voice,
a
little
scratchy
getting
over
something.
So
we
are
we
communicated
about
trying
to
put
together
a
town
hall,
the
date
for
that
was
initially
envisioned
as
being
july.
18Th
we're
getting
we're
getting
a
bit
closer
less
than
a
week
away,
I'm
just
about
a
week
away.
We
do
have
some
ideas
for
what
we
wanted
to
share.
B
We
wanted
to
keep
it
more
high
level
for,
for
folks
that
you
know,
haven't
necessarily
been
joining
the
tech
meetings
or
working
group
meetings
or
project
meetings,
but
folks
that
have
heard
about
openssf
and
want
to
get
more
involved.
So
that's
the
angle
that
we
were
wanting
to
to
take
this
time
around.
B
Events
that
are
coming
up-
maybe
a
recap
of
open
ssf
day
and
various
items
like
that,
but
we
really
wanted
to
keep
the
content
not
so
much
focused
on
the
staff
like
providing
an
update
and
having
the
community
more
involved.
So
if
the
question
is,
are
there
at
least
two
or
maybe
three
other
working
groups
of
projects
that
would
be
interested
in
participating
next
monday?
B
If
not,
and
you
need
a
little
bit
more
time,
we
could
push
the
date
out
a
couple
weeks
to
give
you
a
little
bit
more
time,
because
I
know
that's
been.
It's
been
really
busy
and
we've
had,
as
brian
has
mentioned,
there's
been
a
lot
of
big
asks
from
the
community
to
participate
in
events
of
late
so
certainly
understood
there,
but
I
wanted
to
throw
that
out
there
and
see
what
you'll
think.
C
So
I
I
you
know,
I
kind
of
feel
like
unless
there's
a
strong
sentiment
and
and-
and
you
know
here
on,
the
tech
call
is
where
you
know
I
I
assume
most
people
interested
in
doing
this
kind
of
work
would
be
unless
there's
strong
sentiment
on
this
call.
We
should
probably
just
go
ahead
and
defer
to
a
future
date.
I
don't
know
if
that's
a
few
a
few
weeks
out
or
or
further,
but
I
really
want
to
see
this
come
from
this
group,
rather
than
be
something
that
we
impose
on
you.
D
C
C
Are
the
leaders
in
the
working
groups,
but
I
you
know
anybody
here
in
the
tech
you
know
I
I'd
say
you
don't
have
to
wait
for
permission
from
a
working
group
lead
to
volunteer
to
talk
about
your
working
group
on
such
a
call
so
yeah,
it's
just.
We
start
we're
trying
to
figure
out
logically,
how
do
we
go
cascade
down
in
a
way
that
doesn't
end
up
with
mass
broadcast
calls
every
time
we
want
something,
but
we
could
adjust
that
that
approach
down
the
road
too.
E
F
G
Yeah,
I
was
just
gonna
comment
about
the
potential
presenters
you
mentioned.
You
know
I
mean
not
just
the
working
group
leads
and
pac
members,
but
also
the
project
leads.
The
sig
leads.
Yes,
I
think
are
all
real.
Really
anybody
in
the
community,
but
those
I
think
are-
are
particularly
likely
be
plausible
speakers.
Yep.
D
C
More
like
early
to
mid
august
with
enough
lead
time,
you
know
we'll
just
keep
hitting
the
tack
list.
I
guess,
and
the
working
group
leads
who
hopefully
could
cascade
the
ask
out
to
their
working
groups
and
and
and
look
for
for
more
folks,
but
that
would
give
us
I
mean
if
we
really
want
to
take
a
few
weeks
to
promote
we
kind
of
need
the
speakers.
Ideally
we
have
the
speakers
identified
early
in
that
anyway.
C
Okay,
I'm
seeing
thumbs
up
from
from
crow.
So
so
why
don't
we
do
that?
Let's
say
by
the
at
least
the
next
hack
call
to
have
kind
of
the
folks
committed
and
then
and
then
do
a
talk
like
later.
Then
I
see
jacques
willing
to
volunteer
to
talk.
Okay,
thank
you
so
much.
I
think
that
means
we
should
do
it
at
a
time
that
is
australia
friendly
might
maybe
maybe
six
a.m
in
the
morning.
C
H
I
I
was,
if
I
may,
just
interject,
I
was
going
to
point
out
that
it's
summer
and
in
europe
most
people
are
more
into
vacationing,
so
I
think
it'll
be
okay
to
favor
a
time
zone.
You
know
like
australia,
maybe
where
they
don't
have
that
than
europe,
because
I
don't
know,
there's
be
going
to
be
a
lot
of
attendees
from
europe
mid
or
beginning
of
august.
I
A
J
Groups
and
one
of
their
big
initial
items
they
wanted
to
tackle
was
enabling
2fa
across
repositories.
They
did
a
ridiculous
amount
of
awesome
work
there
doing
as
carefully
as
they
could
and
started
making
announcements.
And,
unfortunately,
earlier
this
week
the
pi
pi
esf
announcement
a
bunch
of
backlash
from
folks
and
I
think,
given
our
spot
ecosystem,
consider
making
a
statement
of
support
for
those
maintainers
and
for
that
working
group
that
they
did
here.
J
K
K
K
It's
something
we
can't
even
comprehend,
and
so
I
think,
like
statements
are
cool
and
I'm
all
for
that.
But
we
should
also,
I
think,
like
the
open.
Ssf
has
opportunities
to
do
even
more
like
how
can
we
provide
resources
or
something
you
know
like
put
our
money
where
our
mouth
is
so
to
speak?
And
so
I
think
this
feels
like
this
is
the
group
that
should
help
drive
all
of
this
forward.
K
I
I
H
I
I
Yeah,
basically
the
the
problem
is,
people
do
lose
their
keys,
they
do
lose
their
phones
and
you
need
to
have
a
human
in
the
loop
for
that
reset.
Otherwise,
it's
it's
just
the
soft
soft
underbelly,
and
even
then
it's
still
the
soft
underbelly
right,
like
your.
Your
attackers
can
be
pretty
creative,
so
it's
very
labor-intensive
to
vet
those
requests
and
to
to
go
through
as
many
steps
as
possible.
J
C
C
This
body
just
be
able
to
put
its
stamp
on
it,
and
then
we
publish
in
the
blog
and
and
push
it
in
the
socials
and
and
get
people
to
retweet,
and
all
that
I
did
also
see
in
the
thread
on
the
slack
channel
a
couple
of
people
willing
to
volunteer
ng
byron.
It
looks
like
a
few
others
and
it'd
be
kind
of
great
to
make
it
be
a
post.
I
know
it's
harder
to
write.
C
You
know
to
have
multiple
bylines,
but
I
would
be
interested
in
seeing
that
be
something
written
by
by
a
group
of
people
and
and
getting
new
volunteers.
New
new
energy
into
the
org
is
always
a
a
secondary
priority
for
me,
so
I
yeah.
I
think
this
is
a
good
opportunity
to
do
that
and
third,
if
we
do
have
a
way
to
add
some
new
coupons
or
do
a
refresh,
the
mfa
distribution
could
be
another
chance
to
to
say,
oh
and
by
the
way
we
found
a
stash
of
this
stuff.
C
D
Okay,
so
I
saw
my
hand
then
josh
and
then
david.
I
think
the
idea
of
the
attack
putting
public
comment
out
is
good.
Happy
to
have.
You
know,
do
my
part
to
review
that.
The
balance
that
I
would
like
us
to
strike
is
not
to
just
say:
yes,
these
are
good.
Everyone
should
do
it,
but
to
acknowledge
if
they
are
in
fact
an
additional
burden.
They
shift
the
the
location
of
attack
as
long
as
we
are
looking
at
it.
From
that
perspective,
taking
both
sides
into
account
on
this
issue
been
fantastic.
D
C
K
All
right,
thank
you.
Sorry,
I
lowered
my
hand
and
then
I
raised
it.
My
only
my
only
thing-
and
this
is
kind
of
pointed
at
you
a
little
bit
brian.
I
I
agree.
We
should
do
a
statement,
I'm
that's
great,
but
my
fear
is
always
we
do
a
statement
and
that's
it
and
then
it
dies
like.
I
want
to
make
sure
someone
owns
this
some
working
group
or
some
group
that
way
it's
not.
Oh,
we
did
a
statement,
good
job,
everyone.
K
G
David
yeah,
so
quick,
quick
statements.
First,
we
actually
do
have.
Oh,
this
is
broader,
not
specific,
about
dan's
comment,
but
we
do
actually
have
some
yubikey
tokens
left
that
we
can
distribute
for
the
great
mfa
project
if
the
tax
look,
if
the
tax
says
hey,
let's
a
statement
at
least
is
a
reasonable
start.
I'm
guessing
dan's
gonna
start
by
drafting
something,
maybe
working
with
the
repos
working
group
and
then
try
to
bring
a
report
back.
You
know
the
draft.
G
D
Just
to
comment
that,
let's,
let's
not
spend
too
much
time
trying
to
solve
the
writing
here
once
the
working
group
has
something
then
let's
iterate
over
email
to
discuss
that,
because
I
do
think
it
is
nuanced,
and
each
of
us
have
different
and
good
points
to
bring
to
it.
There's
been
some
lovely
chat
on
the
side
here
as
well
about
about
where
some
of
this
pushback
comes
from
that
I
think
some
folks
may
not
understand.
A
Great
point
all
right,
so
I
guess
just
one
quick.
If
anybody
has
any
dissensions
to
issuing
a
statement,
I
want
to
give
a
chance
for
folks
to
vocalize
that
now
otherwise
it
sounds
like
we
have
consensus
that
everybody's
supportive
of
moving
forward,
so
looking
at
head
nodding,
looks
like
we're
good,
so
awesome.
Well,
thank
you
for
taking
the
action
to
at
least
pull
together
that
draft
and
look
forward
to
helping
review
that
all
right.
Next
on
the
agenda,
david
dco.
G
Enforcement
right,
so
I
I
abused
everyone's
inboxes
earlier,
noting
that,
while
the
open
ssf
charter
says
we're
all
beginning
to
be
using
dcos-
and
that
is
not
a
st
a
thing
that
always
happens,
how's-
that
if
I
I'm
trying
to
be
gentle
here,
some
some
projects
do
enforce
it,
but
a
lot
don't
and
so
it
kind
of
gets
lost.
So
I'm
proposing
that
we
just
turn
on
enforcement
on
the
pull
requests.
G
You
know
if
you're
not
familiar
with
dcos
they're,
not
hard
to
add
yeah,
yet
there's
a
little
startup
pane
if
you've
not
done
them
before.
But
but
the
key
thing
is
that
if
we
just
enforce
it,
it'll
become
just
part
of
the
landscape,
as
opposed
to
the
hopes
and
prayers
of
trying
to
write
in
documentation.
G
A
A
D
D
I
want
to
make
sure
that
if
we
do
something
to
adopt
a
dco
as
an
org,
officially
we
are
very
clear
in
what
it
is
requiring
for
the
signature
and
mike
dolan
summarized
the
lf's
position
very
well
that
this
is
a
common
name
by
which
someone
is
known
and
can
be
found
over
time,
not
necessarily
their
legal
name.
What's
on
their
passport
or
something
oh,.
G
G
D
This
is
about
so
it's
a
discussion.
That's
come
up
in
many
forums,
most
recently
the
cncf,
the
very
contentious
situation
there
over
the
past
couple
weeks.
I'm
glad
mike
weighed
in
the
way
he
did
and
I'm
just
bringing
it
up
here
to
preempt
us
getting
backlash
from
the
security
community,
who
will
say
absolutely
not
all
right.
G
How's
this,
let
me
take
you
somewhere,
I'm
gonna,
wait
for
ava
to
point
me
to
that.
I
will
draft
an
email
for
the
working
group
leads
to
send
to
them.
Hey
we're
planning
on
turning
this
on
a
few
weeks,
please
no
blah
blah
blah
that
doesn't
require
a
legal
name
and
if
the
tax,
okay
with
that,
we
can
send
that
out
to
the
working
group
leads
and
and
ava.
If
it
turns
out
that
shouldn't
be
turned
on
for
some
repo.
G
L
So
no
thanks,
so
this
is
like
the
never-ending
black
hole
of
conversation
around
dco
and
identity
and
so
forth.
I,
I
think
that's
a
red
herring
yeah,
but
you
know
you
you.
As
a
maintainer
of
a
repository,
you
should
be
looking
for
people
putting
in
nobody
at
example.com
for
their
email
right
and
making
sure
that
it's
something
reasonable.
L
G
G
So
for
this
request
from
the
planning
working
group
meeting
so
volunteers
desired,
I
mean
this
is
just
primarily
and
in
many
ways
it's
probably
a
follow-up
to
the
governance
discussion
we're
about
to
have,
but
just
trying
to
make
sure
that
we
minimize
privileges
and
we
remove
privileges
when
they're
no
longer
needed
and
that
sort
of
stuff
anybody
wants
to
be
help
with
that.
That's
great,
my
expectation
is
we're.
A
G
D
Okay,
mostly,
I
wanted
to
just
call
folks
attention
to
pr
112..
This
is
the
sum
of
a
lot
of
work
that
tac
members
and
other
volunteers
have
done
over
the
past
few
months.
To
try
and
coalesce
are
different
proposals
around
tac
governance
structure.
This
is
sort
of
how
the
technical
initiatives
within
the
open
ssf
are
structured
to
report
and
relate
to
each
other
the
process
for
joining
the
open
ssf
for
moving
from
sandbox
to
incubated,
to
graduated.
D
All
of
that
wrapped
up,
including
some
changes
to
how
or
I
guess
clarifications,
perhaps
not
changes
clarifications,
but
we
hadn't
had
an
answer
before
to
which
projects
could
ask
for
space
at
a
conference
which
projects
could
ask
for
funding
or
support
in
other
ways
from
foundation
staff
and
a
little
bit
of
guidance
on
how
exactly
to
do
that
instead
of
the
rather
ad
hoc
way,
we've
been
doing
it
to
date.
So
it's
far
too
long
of
an
update
to
talk
through
the
whole
thing
right
here,
but
I
wanted
to
draw
folks
attention
to
that.
D
Please
get
your
comments
in
and
let's
sort
of
iron
out
any
any
concerns
and
brian
you
raised
an
interesting
point,
which
is:
could
we
separate
out
some
of
the
budgetary
discussion
from
that
pr?
I
think
that's
a
reasonable
request.
I
don't
think
it's
necessarily
feasible
as
some
of
the
the
structural
changes.
Also,
how
do
I
say
this
are
predicated
upon
knowing
who
can
make
a
request
for
funding?
D
I
did
try
to
leave
out
any
specifics
of
like
what
how
much
funding
and
there's
definitely
some
areas
there
to
sort
of
sand
off
the
rough
edges
of
that.
But
I
do
think
it's
important
for
us
to
be
able
to
clarify
that
say.
A
sandbox
project
has
less
standing
to
request
support
from
staff
than
a
graduated
project,
but
maybe
that
isn't
what
you
meant.
C
I
think
getting
that
message
across
is
great
that
that
you
know
the
earlier
stage.
A
project
is
the
less
that
you'd
expect
in
terms
of
other
kinds
of
ancillary
benefits.
I
was
just
concerned
to
the
degree
that
I
saw
things
defining
a
process
for
for
asking
for
for
budget
and
like
folks
like
the
budget
committee,
which
is
not
doing
what
was
suggested
in
in
the
pr
today.
It's
not
chartered
to
do
that.
You
know
approving
requests
for
for
funding
and
the
like.
C
We
can
have
the
the
parts
that
are
about
requesting
resources
and
and
even
the
marketing
ask
by
those
by
projects
at
different
stages,
far
more
important
to
get
the
the
the
structure
encoded
and
some
of
the
stuff
that
has
gone
unsaid,
about
how
we
work
actually
encoded
into
into
docs.
So
I
was
just
kind
of
pleading
that
we
could
tease
that
apart
from
112.,
it.
D
May
be
I'll,
take
a
look
at
it,
I'm
actually
offline
this
week,
but
next
week
I'll
take
a
look.
Unless
some
of
us
wants
to
volunteer
to
do
this
before
then
to
try,
maybe
separate
these
into
two
commits
because
it's
you
know
80
or
some
commits
so
far
as
we
piece
together.
Maybe
we
can
layer
it
as
just
two
one
that
is
structural
and
one
that
is
procedural
and
that
way
review
those
separately.
I
think
brian
that
would
meet
your
request.
C
I
I
do
have
two
other
high
level
comments,
and
I
did
summarize
these
in
an
email
to
tech
on
sunday.
So
just
repeating
what
I
said
there,
but
I'll
try
to
be
very
brief.
The
first
one
is,
I
think,
the
description.
Look,
I'm
I'm
worried
about
what
I've
seen
happen
on
other
projects.
Arno
and
chris
know
what
I'm
talking
about
where
if
you
make
it
a
little
too
cozy
and
easy
for
folks
to
be
at
the
incubating
or
sandbox
stage.
C
That
report
directly
to
the
attack
for
simplicity
for
all
sorts
of
kind
of
social
management
reasons.
That
was
the
two
points
I
made
in
the
email
I
sent
on
sunday
and
I
feel
like
there
are
more
meta
they're,
not
easy
to
make
as
specific
comments
on
the
pull
request
and
may
require
the
attack
as
a
whole
to
talk
about
where,
where
the
the
head,
their
their
heads
lie
in
terms
of
a
position
on
on
on
on
answers
to
that.
D
Thank
you,
justin.
I
see
your
hand.
I
want
to
give
a
quick
response
to
brian's
comments,
I'm
trying
to
capture
them
in
the
notes
as
well.
I've
heard
three
now
the
first
one
we
covered.
Second
one
was
a
concern
about
projects
stagnating
at
the
incubating
stage.
I
think
that
is
a
really
excellent
thing
for
the
attack
as
a
whole
to
discuss.
Do
we
see
the
open
ssf
as
gathering
a
lot
of
potentially
valuable
projects
that
might
sit
at
incubating
for
years?
D
We
want
to
limit
incoming
projects
for
that
only
to
those
that
we
think
should
or
have
a
good
chance
of
becoming
full-fledged
long-lived
projects
or
build
a
sort
of
up
and
out
test
where
they
don't
stay
for
long.
They
go
out.
So
if
they,
if
they
stay
too
long
and
don't
progress,
then
we
kick
them
out.
Those
are
really
good
questions
to
discuss
and
the
second
one
was
the
the
structure
of
too
many
things
to
attack.
I
would
be
happy
to
to
change
that
in
the
pr.
D
H
So
if
I
may
interject,
I
mean
the
reason
we
have
it.
The
way
it
is
is
because
we
have
the
shifts
and
the
sees
were
meant
to
report
to
the
attack,
and
so
they
so
they
kind
of
when
you
generalize
the
model
we
ended
up
with.
You
know,
working
groups
and
cs
being
possibly
under
and
other
projects
being
under
the
attack.
I
don't
think
we
have
any
today,
and
so,
even
if
the
process
allows
it,
it
doesn't
mean
the
attack.
Would
necessarily
you
know,
use
that
part,
but
we
could
just
leave
it
off.
D
M
Is
there
anything
we
need
to
do
to
help
get
that
over
the
over
the
line
like?
Should
there
be
a
you
know,
deep
dive
on
this?
Where
you
you
set
up,
you
know
a
group
of
interested
folks
to
just
go
and
burn
it
to
the
burn
it
down
and
get
all
the
feedback
incorporated
and
then
come
back
and
say:
okay,
we
think
we're
good
or
do
we
feel
like
the
async
model
is
working
because
it
just
feels
like
it's
dragged
on
for
a
long
time.
D
D
We
can
polish
it
so
that
the
next
tac
meeting
and
have
it
ready
for
the
upcoming
board
meeting,
because,
with
the
you
know,
to
brian's
earlier
point
about
separating
out
the
financial
stuff
that
would,
as
written
today,
necessitate
changes
in
the
charters
of
board
working
groups
or
right,
like
the
finance
committee,
the
marketing
committee.
The
way
this
proposal
is
currently
written
impacts,
those
board
committees,
and
so
I
wanted
to
have
this
ready
for
board
review
before
the
next
board
meeting.
C
D
So
so
perhaps
justin
the
the
roundabout
quest
answer
to
your
question
is:
if
we
tease
this
apart
into
apr,
that
the
attack
can
merge,
because
it
is
only
impacting
the
attack,
we
could
do
that
soon.
Some
of
the
larger
changes
that
the
tac
is
now
recommending
require
dialogue
with
the
board
and
others
to
be
able
to
make
them,
and
probably
also
you
know,
further
refinement
or
more
documentation
written
about
how
to
do
them.
That
will
take
longer.
D
C
I
think
a
subset
of
us
coming
up
with
a
proposal
that
then
could
be
more
widely
considered
is
like
just
the
the
right
thing
to
do
and
that's
you
know
coming
out
of
the
planning
meeting
on
yesterday.
I
I
think
a
group
of
us
thought
I
I
you
know
yeah
ava
bob.
I
forget
who
else
I
couldn't
make
it
yesterday
right
right
right,
but
I
think
you
were
volunteered
for
it,
though.
C
Okay
all
right,
just
draft
something
and
and-
and
I
could
even
get
get
us
started
with
something
like
that,
but
just
to
describe
the
process
by
which
folks
would
apply
for
funding
from
a
pool
controlled
by
the
tech,
and
that's
that's
easy
enough
to
do
and
perhaps
even
could
be
done
in
time
to
merge
into
112.
But
you
know,
I
don't
think
it
has
to
wait
a
long
time
after
112
is
accepted
if
it
was.
A
Yeah,
I
put
a
comment
in
the
chat,
but
I
guess
two
quick
things.
One
is
I'm
if
it's
easier
for
understanding
totally
supportive
of
breaking
those
into
two
different
pr's.
I
guess
what
I'm
not
personally
comfortable
with
is
merging
them,
merging
a
structure
pr
and
then
waiting
six
months
to
merge
a
a
procedural
pr.
A
I
think
that
they
can
be
evaluated
independently
if
it
helps
for
understanding,
but
they
need
to
be
voted
on
together,
merged
together
and
reviewed
with
the
gb
together.
I
think
it's
too
confusing,
as
it
is
right
now
further
fragmenting
it.
I
think
only
exacerbates
that
confusion.
The
second
point
I'll
make
is
to
brian's
last
comment.
A
What
I
think
is
is
still
confusing
to
me,
and
I
suspect
this
would
be
confusing
to
many
of
our
working
groups
or
projects
either
already
in
the
foundation
or
looking
to
join
the
foundation.
Is
we
almost
have
this?
This
blessing
of
you
know
different
avenues
to
go:
get
money,
what
what
funds
are
allocated
to
the
tax
for
at
their
discretion,
to
directly
fund
things
versus
what
funds
could
come
through
work
around
the
mobilization
plan
versus
what
funds
come
out
of
sifs.
A
I
don't
think
I
have
a
great,
consistent
answer
to
give
folks
around
when
to
go
down
which
path
to
get
something
done,
and
I
suspect
that,
in
terms
of
you
know,
we
would
want
to
speak
with
one
voice
as
a
foundation
as
to
when
to
take
which
fork
down
the
road
and
in
addition
to
that,
making
sure
that
we
have
the
governing
board's
agreement
to
that
particular
structure
and
that
recommendation
so
that,
as
they
play
their
role
in
the
foundation,
they
understand
where
buckets
of
money
are
being
moved
around.
For
what
purpose?
A
I
don't
get
the
sense,
based
on
ad-hoc
conversations
with
other
gb
members
that
there's
super
deep
understanding
and
clarity
on
that
point.
So
I'm
totally
supportive
of
trying
to
get
to
clarity
to
where
we
can
drive
this
forward
to
justin's
assertion.
I
think
we're
all
dying
to
get
get
this
behind
us
and
move
forward.
A
But
I
think,
without
that
clarity,
just
saying
like
there
are
a
variety
of
different
paths
that
we
could
fund
work
doesn't
really
help
give
the
organizational
clarity
to
the
attack,
in
my
opinion,
around
how
to
make
recommendations
to
the
working
groups
or
to
projects
as
well.
As
you
know,
how
do
we
report
back
to
the
governing
board
around?
What
more
do
we
need,
or
what
structure
have
we
put
in
place
that
might
exacerbate
other
requirements
going
forward?
So
I,
I
think,
there's
still
a
lot
of
confusion
there.
A
A
B
A
And
just
as
a
procedural
reminder
when
we
do
get
to
the
point
of
formally
voting
and
merging
on
this
overall
process,
it
will
require
a
seven
days,
advance
notice
to
the
mailing
list
for
folks
to
review
as
well
as
quorum
at
the
meeting.
So
it's
this
is
something
we
have
to
make
sure
to
give
folks
heads
up
to
to
know
that
it's
coming,
and
it
will
follow
the
requirements
of
the
charter
in
that
in
that
process
all
right.
Next
brian,
I
think
sifs.
C
Sure
let
me
go
and
share
this,
and
I
realize
we
only
have
10
minutes
left,
so
I'm
going
to
try
to
go
very
quickly
through
a
deck
that
jory
predominantly
authored.
Though,
though
you
know,
a
couple
of
us
on
staff
have
have
also
worked
on,
and
it
does
talk
quite
a
bit
about
some
internal
details,
but
I'm
just
trying
to
be
full
full
transparency
to
all
of
you.
But
this
is
let
me
just
start
with
an
overview
that
partly
answers.
C
The
questions
bob
was
asking
before:
where
does
project
funding
come
from
across
open
ssf
for
across
linux
foundation,
projects
in
general
membership
dues,
obviously
sponsorship,
which
isn't
something
that
we've
used
a
lot
so
far?
Actually
at
all
yet,
but
but
is
always
there
as
an
option
for
us
just
an
additional
top
up
that
a
member
might
decide
to
throw
in
specific
initiative
funds,
which
is
what
we're
going
to
talk
about
here
and
then
something
else
that
the
linux
foundation
offers
that
some
projects
have
used
again.
C
Funds
and
and
and
kind
of
the
overall
structure
is
that
they're
used
to
support
discrete
activities
in
a
given
focus
area
using
additional
ad
hoc
funds
similar
to
membership,
with
the
exception
that
the
funds
do
not
go
into
the
open.
Ssf
operating
budget
funds
are
overseen
and
disbursed
by
the
contributing
organizations,
not
the
open,
ssf
governing
board.
It
requires
lf
staff
to
establish
and
oversee
a
separate
charter
and
a
budget,
and
it
does
not
presume
or
require
openssf
membership.
C
So
I
I
and
the
current
examples
of
what
we
have
are
alpha
omega
six
store
and
gnu
tool
chain
initiative,
but
some
of
the
charters
for
those
don't
quite
match
what
what
we'd
like
to
see
it
used,
and
I
can
talk
about
all
of
its
crowdfunding
separately.
The
reason
why
there's
been
a
bit
of
confusion
is
that
the
term
sif
itself
actually
accidentally
developed
two
different
meanings,
one
internally
at
the
lf
for
things
that
are
kind
of
the
next
step.
C
Beyond
something
another
existing
structure,
we
have
called
a
directed
fund
or
an
an
associated
directed
fund,
which
is
that
adf
thing
luke
that
you
might
have
seen
and
then
externally.
The
way
it
was
really
just
meant
to
logically
describe
a
separate,
a
separate
logically
separately,
funded
and
separately
operated
kind
of
thing
that
carries
some
branding
and
technical
oversight
and
and
relationship
to
open
ssf.
But
it's
not
been
entirely
clear.
C
What
that
is
for
us
an
ideal,
open,
ssf,
sif
associated
project,
really
is
that
it
will
have
something
that
requires
some
recurring
membership
dues
and
that's
probably
because
the
sif
is
taking
on
operationally
something
that's
more
than
just
opportunistic
and
which
can
be
dialed
down
if,
in
a
year,
the
membership
kind
of
kind
of
vacates
and
and
people's
attention
moves
elsewhere.
But
it's
instead,
something
that
is
going
to
require
hiring
people
or
setting
up
a
an
ongoing
service
like
in
the
form
of
sig
store.
C
So
what
is
that
connection
then
to
the
open
ssf?
We
think
that
there
should
be
the
financial
governance
kind
of
overseen
by
its
own
funders,
but
with
a
quarterly
report
to
the
open
sf
governing
board
on
the
progress
and
it's
its
financial
status.
Just
to
help
attest
to
this
is
an
ongoing
operation.
That's
producing
some
real
things
that
is
competently
managing
itself
and
as
as
something
that's
affiliated
with
the
open
ssf
is
not
likely
to
be
an
embarrassment
any
time
soon.
C
C
But
it's
when
there's
a
recurring
thing:
it's
when
it's
willing
to
to
follow
all
the
same
policies
as
as
an
open
source,
an
open
ssf
project
would
in
terms
of
the
licensing
and
and
and
how
it's
managed
as
a
project,
its
ability
to
make
quarterly
updates,
and
it's
obviously
related
to
our
mission.
It's
something
that
that
furthers
some
other
work
going
on
under
an
existing
working
group
or
arguably
is
aligned
with
what
we're
doing.
C
Also,
it
should
be
something
that
calls
for
a
budget
greater
than
250
000
a
year
just
as
a
way
to
right
size
this.
So
we
don't
don't
end
up
with
500
small
stiffs
that
are
that
are
just
modestly
active
and
currently
there's
these
three.
They
are
have
been
all
set
up
somewhat
differently,
although
at
six
store
and
getting
tool
chain,
perhaps
most
closely
like
each
other
alpha
mega
is
not
yet
a
recurring
membership
structure.
C
C
You
know,
kind
of
heightened
awareness
and
affiliation
with
with
openssf
and
with
solving
the
supply
chain,
security
challenges
so
being
at
our
events
again
publishing
through
through
our
channels
that
that
sort
of
thing
there
should
be
as
well
pr
and
marketing
support
as
kind
of
mentioned,
and
and
then
involvement
in
an
access
on
the
open,
ssf
community,
tooling,
whether
we
require
that
or
not
could
be
something
we
talk
about.
Do
they.
C
You
know
right
now,
six
store
and
salsa,
I
believe,
have
their
own
slacks.
Obviously
they
have
their
own
blogs
with
their
own
processes.
I
think
we
should
work
out
what's
just
enough
kind
of
coordination
between
on
the
marketing
side
that
that
we
feel
like
again,
there's
there's
enough.
I
don't
say
oversight,
but
enough
enough
coordination,
so
things
don't
look
wildly
different
or
have
wildly
different
standards
for
kids
publish,
but
I
really
don't
want
to
introduce
more
bureaucracy
where
it
isn't
needed,
and
I
want
to.
C
I
think
these
should
have
their
own
identity
their
own
website,
their
own
ability
to
to
move
without
feeling
constrained
by
by
having
to
coordinate
with
with
somebody
central
or
in
the
same
way
that
that
projects
directly
under
the
the
openness
of
tech
need
to
do
that.
And
then
what
are
the
benefits
to
us
of
having
sifs?
Well,
they
allow
us
to
grow
the
footprint
more
of
like
a
franchise
kind
of
way.
C
C
C
C
I
just
wanted
to
a
chance
to
walk
through
this
first
before
people
read
it
cold,
but
but
basically
it's
about
establishing
kind
of
a
liaison
agreement
between
what
are
otherwise
independent
projects,
and
I
see
a
bunch
of
questions
that
have
popped
up
in
chat.
I
can
try
to
use
a
few
minutes
to
answer
them.
The
two
remaining
minutes.
C
C
You
know
you
don't
want
to
accept
20
new
sifs
without
knowing
what
kind
of
burden
does
that
place
operationally
upon
upon
the
staff
and
core
budget
of
open
ssf,
and
I
would
say
in
any
conversation
that
happens
at
a
governing
board
level,
because
the
openness
of
governing
board
would
have
to
approve
setting
up
a
sif
relationship
as
they
have
for
those
three,
and
at
that
point
I
think
we
as
staff
would
say
well
we're
we're
too
much
too
much
we
have
to.
We
cannot
scale,
we
can't
handle
sif
number
four.
C
All
right,
let's
see
bob
asks,
is
this
a
proposal
or
a
readout
of
the
current
sif
definition
operating
model.
The
first
half
of
this
was
more
of
a
readout,
the
second
half.
It
was
a
proposal
to
try
to
at
least
clarify
what,
once
once
you
realize,
this
is
about
a
liaison
agreement
between
two
otherwise
independent
projects.
C
C
As
is
this
a
team,
that's
likely
to
be
responsive
when
we
say
you
know
here's
some
feedback
on
on
the
direction
you're
heading
in
and
is
this
aligned
with
the
mission
and
then
once
the
attack
is
approved,
it
would
go
to
the
governing
board
to
approve,
and
the
governing
board
definitely
wants
to
know
that
technically
these
things
are
solid.
Before
it's
even
asked
to
make
such
a
decision,
then
let's
see
I
I
I
think
we're
probably
at
time
and-
and
maybe
I
should-
I
guess.
A
My
my
ask
I
put
in
chat
was
just
if,
if
part
of
the
slides
are
a
proposal,
if
we
can
clearly
mark
that
at
the
top
to
say,
hey
this
isn't
ratified
in
a
document,
that's
been
improved
by
the
requisite
bodies.
If
we
could
do
that,
that
would
be
ideal,
so
people
understand
kind
of
what's
what's
analysis
in
a
readout
versus
what's
what's
under
discussion
that
needs
to
be
taken
forward.
I
think
that
would
be
super
helpful.
A
At
time,
I
think,
there's
probably
a
number
of
questions,
so
what
I
would
propose
here
is
we
can
continue
dialogue,
async,
but
well,
why
this
is
another
recurring
item
for
the
next
type
meanings
agenda.
Okay,
so
with
that
thanks
everybody
for
participation
today,
there
is
a
question
at
the
bottom
of
the
meeting
notes
around
the
regular
cadence
of
working
groups
and
projects
to
come
back
to
the
tac
to
give
an
update.