From YouTube: OpenSSF Town Hall Quarterly Meeting (August 15, 2022)
A: And I know we've got a big agenda, so actually, why don't we just get started? This is being recorded, so it'll be up on YouTube as well for folks to be able to review at that point. So welcome. Thank you all for joining us today. Here we are, beginning right at 10:02 am Pacific. Please take a moment to do one or more of the following.

A: Please, if you do have questions, you can ask them using the Zoom Q&A feature; we're just trying to do that to manage, you know, the volume of questions we might get. Follow us on Twitter at @theopenssf (we are trying to get @openssf; we don't quite have that yet). Feel free to sign up for the edX courses.

A: We've put those up, and I think they will be a really good way to get accelerated into both our universe and the world of securing software development in general. And there's our website, of course, at openssf.org.

A: This is something that some of you might not be familiar with, but it is something that helps keep us all in the clear from a legal point of view as we work together to build open source code and advance the state of things. This is available on the Linux Foundation website. It is the standard one; feel free to review it at your leisure.

A: This meeting as well is also governed by the Linux Foundation's code of conduct, and so that is one more thing that we'd love you all to be familiar with and to learn about, and to help us make sure that these meetings stay productive and positive and helpful to all people who want to participate. And, just as another bit of housekeeping, please submit the questions using the Q&A button at the bottom of the screen that all of you should be able to see.

A: So why don't we jump in and begin. So just to give you kind of an overview of what we'll be talking about: I will give a very brief tour and update, since I believe the last time we did a town hall was February, which feels so long ago at this point, and we're way overdue for it. So we'd like to try to do these once a quarter, just to help grow the community and help keep people informed about what's going on.

A: So there's a lot to update you on. Then we'll be hearing from Dustin Ingram on securing software repositories, hearing from Amir Montazery about securing critical projects and the security audits work that's going on in the OpenSSF, signing, verifying and protecting software with Sigstore by Asra Ali, and then finally, how to get involved in OpenSSF working groups and projects by our own David Wheeler, hopefully leaving us with at least 10 minutes for a Q&A at the end.
A: So I'm going to breeze through this; it all references stuff you'll be able to find elsewhere on our website. Apologies if it seems abbreviated. As all of you might know (and I haven't had a chance to really formally introduce myself; if not, I'm the general manager for the Open Source Security Foundation), I've been with the Linux Foundation for about six years now, but active in the broader open source community since dinosaurs roamed the web.

A: The purpose of the Open Source Security Foundation is to inspire and enable the community to secure the open source software we all depend upon, including the development, testing, fundraising, infrastructure and support initiatives driven by working groups, which are not inherently or necessarily software focused themselves, and by projects, which are software focused, each forming technical initiatives. So this is about just how, what is our theory of change, like how do we go out in the world?

A: We're not trying to be like the CNCF, where we're the home for all things security; we're not trying to be like Hyperledger, where we're trying to push something dramatically new and different. What we're trying to do is pull together the best practices, the best things that happen out there in the open source world.

A: When it comes to securing the supply chain, to up-level everybody, right, to try to figure out where the gaps are, what's missing. And sometimes that's education and guides and funding of security audits; sometimes it is new code, such as Sigstore, or specifications like SLSA. There's a really rich rainbow of different projects at OpenSSF, and I encourage you all to check it out. Predominantly, we are driven as a developer-, maintainer- and volunteer-first organization.

A: We try to have a minimum viable bureaucracy in what we do, and this is really just intended to help you understand kind of how the pieces fit together from the bottom up. We have seven different working groups focused on broad thematic areas, and within each of those working groups a series of technical initiatives that they focus on, a mix of software projects and non-software projects, as I mentioned.

A: There is a path to get new working groups created under OpenSSF, but that takes a lot of rigor. Starting new things within one of the existing working groups is always going to be better. We also have a set of associated projects, and the categorization is a little... something we're still working out in practice.

A: Sigstore is definitely a core part of the OpenSSF, but it has a funding mechanism of its own that helps it do some things on top of what we're able to provide from OpenSSF. But we also have two that are a little bit more distinct, that also live kind of operationally within the working groups but have a bit of their own direction and prerogative.

A: One is called Alpha-Omega, which is focused on securing software by doing scanning of a wide number of repositories for new kinds of vulnerabilities, as well as directing funding to open source foundations and other alpha projects to help them basically capacity-build and up-level their security practices. And then the GNU Toolchain Infrastructure project is about supporting the GNU project's build infrastructure, the core. When you think about how much that code is used and just ingested as binaries by so many distributions and other software packages out there...

A: We felt this was, in particular, a project that was worthy of supporting. And then, at a high level, we've got support from a number of different organizations; I'll show you in just a bit. Most of those organizations are represented on the governing board, and then the governing board has a bit of kind of oversight, management of the Technical Advisory Council. But these two organizations are much more like peers.
A: The TAC is really the home for all things technical, kind of coordinating that and having some oversight on the working groups, and the governing board is there to provide resources, provide funding, provide marketing support, budget and finance planning, public policy. These are kind of some things the governing board does, but really the heart and soul of the OpenSSF is there in the TAC and the working groups and all the technical initiatives.

A: Very briefly, thanks to all of our companies who are supporting us at either the premier level, which means you have a seat on the board, or the general or associate member level. These are all organizations that believe in the fight, that are contributing in one way or another, and we're really grateful for their involvement in the OpenSSF. And in fact we have some news to announce just today.

A: It hasn't yet formally hit the wires or the press or anything like that, but we have a bunch of new members to announce, including Capital One joining us as another premier member, so they'll be joining the board. Capital One has made a huge commitment to open source software adoption internally, as well as starting to create it externally, and so they join a number of other financial organizations who are members of the OpenSSF. And, in addition, we've got some other great companies joining from around the world.

A: Really, when you think about the geographic distribution of them, it's great to have them engaged. I won't spend time here, but our governing board, again, the group that provides the resources to do everything we need to do, is filled with a bunch of very senior folks, many of them at a C level inside of some pretty amazing organizations, so very grateful for their help on it.

A: As I mentioned, the heart of what we do is the Technical Advisory Council and all the technical initiatives, and these are the seven representatives from the technical community who help coordinate that work and help harmonize everything that goes on and make sure that it's all at a level that all of us can be proud of. So I deeply appreciate the commitment and time that they're making to this project, because they're all volunteers here. And finally, this is just a quick glance at the staff that is supporting these operations.

A: Some of us are very behind the scenes; others are out there giving presentations and the like, and some of them are also based in Asia, helping us grow the community out there. I'm very grateful to all of them, very indebted to them for helping build a really efficient organization behind what we do.

A: That is adorably 2004-era, perhaps, but we find that that is really the best way to get real technical information out in a thoughtful way and yet also have a degree of informality, and help share not only the technical stuff going on but some of the organizational and global kinds of things. Our blog also has articles contributed by our member community, and sometimes even from first-time contributors, or people's first experiences with different tools or with the education modules, for example, that sort of thing. So I would welcome...

A: All of you not only to read that, but also to have that in mind if you'd like to be a contributor; we are always open to contributions, certainly from our core contributor community, but even beyond. So I won't read through these here, because I'm actually covering a lot of them in the subsequent slides, but I really invite you to look at that or follow us on Twitter.
A: One of the most important events we've had since February has been OpenSSF Day at the Open Source Summit North America in Austin, just June 20th. It feels like yesterday in a way, and we had a couple hundred people there in person as well as several hundred following along virtually. All of the presentations are available on our YouTube channel, and so there's even a playlist.

A: Once we distribute these slides, you'll be able to click on that and watch the different presentations that were given. And we will be repeating this in Dublin next month, on Tuesday, September 13th, if you're able to get to Dublin, if you are based in Europe or otherwise able to attend, or otherwise planning to be in Dublin that week. That is the week of the Open Source Summit that the Linux Foundation is producing.

A: We'd love to have you there to attend, and if you'd like to be involved, let us know as well. We're still putting together the agenda for this, but we have a bunch of great speakers already lined up. Finally, I wanted to close just by mentioning the other big news since February.

A: In kind of the early part of the spring, we responded to a call from the US government, certainly, but by many others, in the wake of the Log4Shell vulnerability and the disruption that that caused in the industry, to think about what would it take to actually take all these flowers that are kind of springing up from this garden, all these, you know, software packages, the guides, the educational content...

A: What would it take to actually put those into action to the degree where you could credibly go and say we've really made a dent in mitigating the chances of the next Log4Shell or the next major vulnerability causing this massive earthquake in society, or, when it does happen, mitigating the cost of that going down the road? So we really thought hard, as a community, about where the gaps are out there. We talked a lot with the folks in government studying this topic.

A: We came up with a set of ten different categories, ten different streams of effort that are nicely separate from each other but build upon each other's work, many of those mapping to existing OpenSSF initiatives, some of them mapping to external initiatives or issues that haven't even been started yet. We then asked our community to form teams around those ten and come up with what a first year or two, a first two years of operations, would look like to actually put this into practice, right?

A: You know, assuming lots of volunteers can show up to help, but not necessarily presuming that volunteers can do all the work, right? If you really want to set a target of getting a million people to take the training course, for example, on secure software fundamentals, there's a lot that volunteers can accomplish to make that work. But sometimes you want to spend some money too, on partnerships, on marketing, on those kinds of things, right?

A: So what's that minimum viable kind of amount that we would spend? And we came up, across those 10, with a two-year budget of 150 million dollars, which seems like a lot of money to an open source project; it seems pretty pricey on one hand. But this is 150 million pounds, ounces, of prevention for what could, or most likely would, be tons and tons of cure, well beyond that. So we've gotten a lot of great reception to this.

A: We rolled it out with a meeting in DC in May, a combination of many of you and the organizations you work for or represent that were there at this meeting, along with folks from the U.S. government. And so our goal wasn't to go and ask the government for money directly; it was to say here's what we in the open source community are doing on this front and we'd love your help; let's find ways to work together. And in fact we have, and at that meeting we were also able to line up...

A: This was again not our goal, but this really just emerged out of the conversations, and especially in the last week before that meeting, with 30 million in commitments from Amazon, Ericsson, Google, Intel, Microsoft and VMware, as well as conversations now beginning with many other partners, even far beyond the existing OpenSSF community, to go and ultimately fulfill that 150 million dollar number. And we're already getting started on a number of the streams. And finally, I'll just end with it: it was reassuring to see the Cyber Safety Review Board report on Log4j come back at the end of July, well, sorry, early July, so about a month ago, which was kind of a, you know, summary of everything that happened.

A: In that event, OpenSSF was mentioned in that report 29 times when it came to potential ways to address those issues that led to the vulnerability in the first place. So that was pretty gratifying to see, and evidence that the world is kind of behind what we're doing here, that the world needs what we're doing here, and it's kind of up to us to organize and make it work. But we could certainly use all of your help in accomplishing some really big things we have in front of us.

A: So with that I'd like to pass the baton over to Dustin and get started on hearing more about securing software repos. So Dustin, are you okay with me driving? You just tell me the next slide, or did you want to?
C: So hey folks, I'm Dustin. I'm a senior software engineer at Google, where I work on our open source security team. That team is an externally focused team, not just focused on Google's open source projects or properties, but generally working on improving security across all open source software and across all ecosystems.

C: We now have a Securing Software Repos working group, and this is sort of, I like to call it, group therapy for the software repository maintainers, because we all sort of get together every two weeks and we talk about all sorts of things that are inherent to running and maintaining a software repository. But also we spend a lot of time discussing potential improvements and changes and sharing notes across what each of these ecosystems is doing.

C: Right, I wouldn't say we're necessarily in competition with each other, and we really want to see each other succeed. So this has been incredibly helpful, and I'm amazed we hadn't done it sooner, because we've really collaborated on sort of general plans around things like package signing, two-factor mandates, things like that, and it's been really valuable, and also sort of just focusing on adoption, right?

C: So we have projects of the OpenSSF and we're trying to figure out what would be the best way to make them successful and integrated into, you know, the repositories where people are going to end up actually using them. So yeah, this working group is sort of a good place for people who are maintainers to share their experiences, discuss those problems, risks and threats.

C: But it's also, I think, a good place if you want to sort of understand where these software repositories are headed, or what we're thinking of or what we're working on, and maybe if you're interested in helping contribute. A lot of the stuff that we're discussing represents the new work that's happening in a lot of these places, so especially for those of them that are open source projects, it'd be a great place to come and share your voice. Next slide.

C: Please, yeah. There's a lot of things that sort of fall under the umbrella of this working group, essentially to cross-pollinate between ecosystems: if some ecosystem or some organization or some repository comes up with a really great idea, making sure that everyone else is aware of it and they understand it and they're able to adopt it, or potentially even improve it even more. It sort of allows us as maintainers to align and coordinate things like...

C: I said, for example, the two-factor mandate stuff. Like, a lot of folks are making announcements about those recently, but we've been sort of talking in the background about that, in public via the working group, for quite a while, and trying to figure out the best path forward there for each of these repositories.

C: So that's been a really great use of the working group, and yeah, just a lot of regular stuff. And again, kind of just focused on, you know, there's other working groups at the OpenSSF and they're doing really interesting stuff, and we're sort of practically trying to figure out how to apply them to these really big software repositories. Next slide, yeah. As the chair of this working group, I'd really like to invite anyone listening to join us; come and listen to one of our group sessions.

C: They happen every other week, and they alternate between, you know, sort of EMEA (European) friendly times and APAC (Asia-Pacific) friendly times. So we have pretty good coverage there across all possible time zones, and we also have a securing-software-repos channel in the OpenSSF Slack, where you can find all of us as well and have some informal chat or discussion. And I'd love to see you there. Back to you, Brian.
A: Thanks, Dustin. And feel free to ask questions in the Q&A section, and we might be able to get them answered as we go along, and certainly we'll leave time at the end for kind of more open Q&A if you have any. But feel free to queue up questions, even in anticipation of that.

A: So now I'd like to pass the baton to Amir Montazery, to talk about the work of the Securing Critical Projects working group and the security audits work that he and others do through OSTIF. Amir.
B: Wonderful, thank you, Brian. Morning and afternoon, everybody. I'm Amir, I'm the co-founder and managing director of OSTIF. That's the Open Source Technology Improvement Fund, bit of a mouthful, but basically what we do is help open source projects improve their security posture, typically through security audits and associated work.

B: We've done a ton of audits so far this year and have been doing so since 2015, really honing in on a good model for working with open source projects and improving their security posture holistically, and in a way that helps the project over the long term. We've strategically partnered with LF, the Linux Foundation, since 2020, and have worked closely with OpenSSF.

B: I contribute to Securing Critical Projects and try to help in providing insight into ways to basically do that, to secure important projects that a lot of folks depend on, as well as identifying security threats and increasing awareness with security reviews and the great work that's happening out there.

B: We are incorporating an APAC-friendly time zone to alternate, to be more inclusive of folks in different time zones. And what we're currently working on, one of our main objectives, is an effective, inclusive and repeatable process for having a set list of projects deemed critical. So we're currently in phase one, which is really to kind of build that out, and we're initially calling it a set, which I think is an important thing to note, over a list, to indicate that there is really no hierarchy or prioritization at this time.

B: We're currently exploring using GitHub as a tool, not to exclude non-GitHub projects, but just to use GitHub as a way to kind of track changes and kind of have a process for doing this in a way that is transparent and inclusive. And we're currently building off of some previous work: so earlier in the year, late last year, we did as a working group do a first iteration and came up with a list of about a hundred projects, and as well as us, OSTIF...

B: We have curated a short list of projects as well, to provide another data point to help with that. And going along with that, next slide, please, we have some security audit results, some of which Brian did mention at the beginning were posted in the blog. But the first one was of Sigstore, which I'm sure we're gonna hear more about soon, but this was sponsored by the Sigstore project.

B: This was sponsored by Google and GOSST, the Google Open Source Security Team. SLF4J, or Simple Logging Facade for Java, was identified in the recent Harvard Census II results as a top Java package in terms of downloads and use, and we were able to get it validated and reviewed and audited by a third party, in which one low-risk vulnerability was found and fixed, as well as some associated work. We currently have the curl security audit in progress.

B: This was sponsored by OpenSSF. Just recently, I believe it was last week, last Monday, OSTIF released an impact report with CNCF.

B: There's currently a Google impact report in progress, which we hope to share with everyone soon, as well as planning more audits and bringing on new partners for 2023, thinking into the year ahead for doing more audits. I definitely recommend anyone listening, please join the working group if you are interested in this topic; we can definitely use all the help we can get.

B: We have a great group of folks and we'd love to see you there. We meet every two weeks, and the information is all on the OpenSSF website and our GitHub repo. So with that, thank you very much, and I'll pass it back to you, Brian.
A: That's great. Now I'd like to pass the baton to Asra, to tell you more about what's new and exciting in Sigstore. Asra.
D: Thanks, Brian. So I am gonna be talking a little bit about Sigstore. So just as an introduction, in case any of you haven't seen me or met me before: my name is Asra and I work at Google on the Google Open Source Security Team, and I'm a contributor and maintainer on Sigstore projects as well as a couple other projects, including go-tuf, which is The Update Framework's Go implementation, and in the past I have worked on Envoy doing some security and fuzzing work there.

D: So next slide, please. I'm going to be covering a little bit of updates with the Sigstore project in terms of administrivia, and there's also some fun adoption events that have been going on recently that I'd love to shout out. So starting a little bit with the more administrivia, fun announcements: the first thing is that our GA is projected for October, so this would involve general availability of Fulcio, Rekor and the services surrounding that.

D: So hopefully our productionization efforts will be completed then, and we're super excited for this. We started a dry run of the on-call rotation, and yeah, we're looking forward to that. As well as that, we completed a new root signing event last month, in which we rotated out one of our Sigstore root key holders.

D: So super excited to welcome Joshua Lock from VMware as the new root key holder, and then saying a loving goodbye to Luke Hinds, who is the rotated-out key holder. And another really awesome shout-out is to GitHub for their RFC on improving npm security with Sigstore, so feel free to click on that RFC for the whole details there.

D: But it involves how to integrate Sigstore into the npm registry and use things like, you know, general tooling for sigstore-js, which was released also this week. And then, finally, in terms of administrivia, the technical steering committee added two new members: Trevor Rosen from GitHub and Santiago Torres-Arias from Purdue. Both of them have been contributing a lot in the last six months and have been bringing new research ideas, new implementation, and really helped guide a lot of the focus work on Sigstore.

D: So we're super excited to welcome them. All right, next slide. So in terms of other sorts of updates in the Sigstore community: one thing that, you know, we're starting to do as we're getting up to GA and so on is, you know, increase our adoptions and really integrate with a variety of different ecosystems.

D: So urllib3 adopted Sigstore for signing releases. Seth Larson, who did the work there, has also been doing a ton of work on securing repositories on GitHub and releasing all sorts of templates to improve Scorecard score and Sigstore release signing. As well as that, Trail of Bits released GitHub Actions for signing Python packages, and so I took a look at the implementation.

D: It's extremely seamless and awesome, so I'm really excited to see more Python packages signed and a lot more integration in the Python community there. Another really cool shout-out is Sigstore's in the production pipeline for Edgeless Systems' latest project, Constellation, which does confidential computing.

D: So we had a really nice presentation about that in the last Sigstore office hours. And then finally, we've been seeing a lot of integrations that are built on top of some of our Sigstore products. So we have a really awesome project called tlogistry.dev.

D: That's logging transparently immutable tags on Rekor, so that you can see: have I seen this project before using this tag? So just as kind of a conclusion, we've been doing a lot of integrations and a lot of work securing both ecosystems and package repositories and individual projects themselves.

D: As a small shout-out, we have Sigstore office hours now, which is every other week of our Sigstore community meetings. So if you go check out the Sigstore community calendar, that office hours is meant for users and developers and representatives of ecosystems to come and sort of chat or discuss where Sigstore can fit into their project.

D: So with that I'll kind of wrap up and hand it back to Brian. Thank you.
A: And I will, thank you very much, Asra, and I will pass the baton immediately off to our own, what's the word I'm looking for, all right, there's no one else like him, that's all I can say: David Wheeler. Ladies and gentlemen, David.
E: Sure, okay, I'll take that. Okay. So, next slide. I'm gonna talk about how to get involved, because that's really important; we really, really do need people to get involved. The bad news is that there's a lot of challenges. The good news is there's a lot of opportunities.

E: Here's a little bit about me. I've been honored to meet many of you and interact with many of you; if I haven't had that chance yet, I look forward to it. Next. So I'm not gonna have time to talk about the whole OpenSSF structure; Brian showed the slide. I'm gonna primarily focus on the left, the working groups. Next. Oh! Thank you, great. So let me talk real quickly, if you are not currently involved or you're only involved in part of the OpenSSF itself.

E: Let me talk you through some of the working groups, and at least a little bit about some of the projects and SIGs that they're working on. There's some terminological change that's happening: "project" is being changed to a term for activities more focused on code, and SIGs more on things that aren't code, to over-summarize. So, Best Practices working group: all involved with identification, awareness, education of security best practices.

E: So this is where things like the OpenSSF Best Practices badges, Scorecards live; it's where our educational efforts live, like the Secure Software Development Fundamentals, SKF, the Education SIG. Next up, Vulnerability Disclosures working group, in red in the bottom left here, and this is basically all about efficient vulnerability reporting, remediation, things like various guides to help people do the job efficiently and be prepared for it. Next up, Identifying Security Threats. This is probably one of the more mysteriously named working groups.

E: It's all about security metrics, reviews, things like... we have a collection of many, many reviews of open source projects, so you can see if the project you're looking at has such. There's a dashboard; there's various other efforts. Next up, Security Tooling: it's all about state-of-the-art, globally accessible security tools. I think that actually kind of speaks for itself. We've already heard about the Securing Software Repositories; thank you very much, Dustin, for that awesome summary. Supply Chain Integrity.

E: Next up, Securing Critical Projects; we've already heard from Amir a lot about that, identification of critical open source projects. This is where things like the criticality score and Harvard research live. Next. So it kind of gives you an idea of how we divide this up. I'm not going to have time to walk through this chart, but I just want to emphasize that yes, there's a number of individual projects and SIGs, but they are very much intended to be able to work together.

E: So if you look at things from the developer through source and build and packaging, and, you know, repeatedly looping through various dependencies, and finally out to that consumer of that software, those various projects and SIGs end up all throughout the development and distribution processes. Next. So how do you get involved? Well, first of all, if you are interested in a particular working group, project, SIG, look at what we're doing.

E: Take a look at those working groups, and take a look at the particular working groups that you are interested in; learn more. Each of those working groups tells you on their GitHub page how to get involved. Every working group has a virtual meeting on alternate weeks. Every working group has Slack channels and mailing lists. Basically join, visit, participate; just show up and kind of see what we're doing. So please get involved. Next.

E: If you prefer general announcements, we do have an OpenSSF announcements mailing list there; you know, we'll get a link in a moment. But if you follow the link, this is what you'll see, and just go join that list and you'll get a low-traffic, but hopefully high-value, email. Next.

E: Attend our public meetings. If you're interested in a particular working group, show up at it; they will show theirs. We also just have a general OpenSSF mailing list; there's the shortened URL, so you can see our entire calendar of all the things that are going on if you want to show up at multiple. Next. Slack: we use Slack. If you want to see some things, go to slack.openssf.org, go talk about things. I do want to warn that the Slack messages disappear after a while.

E: So this is not a good place for detailed design analysis, but if you're trying to work out, hey, when can we meet to talk about this issue, or, you know, raise an issue for this, this is a great place for that. Next. Social media: we output on all sorts of social media, Twitter, LinkedIn, YouTube, Facebook, and if you found something really interesting that you think this larger community would be interested in, let us know; we'd love to retweet, or, you know, LinkedIn, that sort of thing. But, you know, let us know. Next.

E: If your organization is interested in becoming a member, go here: openssf.org/join. So, you know, OpenSSF depends on organizations as a whole to join, providing some funds, providing ways to connect to the different things that those organizations as a whole can do. This is very much an important part of making the OpenSSF effective. So thank you to all those who have joined, and if your organization hasn't, please contact us; we would love to talk with you about that. Next. So here's your little checklist, various URLs to go click on.

E: I'm sure that we will get those links, and of course you can view this recorded message for later. Next. Because one of the first ways that you can get involved is to take the survey about today's town hall, because
we
want
these
town
halls
to
be
effective
and
we
want
all
the
things
that
we're
doing
to
be
effective,
and
this
provides
us
some
quick
feedback.
So
we
can
improve
really
for
everything
that
we
do
within
the
open
ssf
it's
all
about.
Where
are
we
now?
How
can
we
improve
for
the
most
part?
E
A
That's
great
thanks
and
yeah:
let's,
let's
open
it
up,
I
see
some
questions
in
the
the
q,
a
section
I
think
david.
You
can
see
those
as
well.
I
think
one
of
them
was
answered.
How
do
I
get
involved
with
the
opensf
community,
but
but
there's
a
large
one
as
well
about
the
the
vex
format
and
david
or
is
there
anybody
else
here
from
the
vulnerability
community
wants
to
take
that.
A
E
Yeah,
so
I'm
quite
well
aware
of
the
the
vex
program
in
vex
format.
Sadly,
I
can't
be
at
everything
some
people
have
claimed
my
claims
about
me
to
the
contrary,
so
I
personally
haven't
been
as
directly
involved,
but
we
certainly
intend
to
take
advantage
of
the
the
vex
work
and
trying
to
integrate
that
and
connect
it
to
to
various
folks.
I
certainly
the
folks
who
are
interested
in,
in
particular
with
s-bombs
one
of
the
key
things
that
vex
does
is.
E
Yes,
there
is
a
vulnerability,
it's
a
dependency
of
mine,
but
because
of
the
way
this
dependency
is
used,
it's
not
actually
a
vulnerability,
so
you
know
we're
certainly
aware
of
it
and
and
that
sort
if
anybody
else
wants
to
speak
up,
but
I
mean
I
think
in
general,
the
open
ssf
isn't
interested
in
trying
to
redo
what
other
folks
are
doing,
we're
very
interested
in
using
things
that
already
exist,
presuming
that
they
that
they're
working
well
and
if
they're
not
working
well,
maybe
we're
interacting
with
them
to
try
to
resolve
some
of
the
challenges.
E
A
No,
that's
very
helpful,
I
I
mean
maybe
dustin
I
don't
know.
If
has
vex
come
up
or
it's
kind
of
related
as
well
to
a
different
topic
which
is
s-bombs.
You
know
as
a
way
to
try
to
find
where,
where
organizations
and
the
software
they
deployed
have
been
vulnerable
to
that
to
different
things,
dustin
has
vex
or
or
s
bombs
come
up
in
the
in
the
software
repositories.
C
Yeah
yeah
yeah.
Definitely
I
think
you
know
the
repositories
are
sort
of
we're
sort
of
figuring
out
how
s-pumps
fit
into
existing
artifacts
that
are
there
and
how
you
know
in
what
way
it
makes
sense
to
publish
an
s-bomb
for
something,
that's
a
library
and
might
not
have
you
know
other
things
contained
within
it.
I
haven't
like
vex.
C
A
Okay,
great,
let's
see,
I
think,
the
other
three
questions
that
are
open
or
either
just
comments
or
that
they've
they've
been
answered.
Actually,
I
see
one
from
an
anthony
harrison
that
just
popped
up,
there's
a
lot
of
activities
going
on
in
security
and
standards
to
share
information
such
as
spdx,
cyclone
dx
and
by
currently
by
owasp.
How
do
we
ensure
that
everything
is
aligned
and
doesn't
compete,
I'll
jump
in
with
an
answer,
but
I
certainly
welcome
you
know
anyone
else
who's.
A
You
know,
even
even
if
you're
an
attendee
and
you
have,
if
you've
been
a
part
of
because
I
see
some
familiar
names
in
the
attendee
roster
for
the
call
as
well.
If
you
wanted
to
share
something
with
it
on
this
with
us.
A
So,
as
david
said,
you
know
we're
trying
to
be
very
complimentary
to
all
the
other
efforts
out
there,
we're
not
trying
to
be
the
standards
body
for
cyber
security,
we're
not
trying
to
be
the
open
source
project,
for
you
know:
supply
chain
security,
we're
not
trying
to
you
know
we're
trying
to
be
helpful,
fill
in
some
gaps
and
hopefully
be
some
connective
tissue
as
well.
A
One
of
the
topics
that
has
been
more
you
know
very
important,
but
hasn't
yet
really
had
a
lot
going
on
at
openssf
has
been
the
topic
of
software
bill
of
materials
and
s
bombs,
but
it
is
one
that
we
know
is
really
important.
In
fact,
it
was
one
of
the
ten
streams
in
the
mobilization
plan
was
this
kind
of
broader
concept
of
s
bombs
everywhere,
the
more
ubiquitous
that
we
can
make
generating
softer
billet
materials,
especially
upstream
by
dependencies?
A
The
more
that
the
easier
lift
it
is
for
folks
at
the
tail
end
of
that
supply
chain
to
be
able
to
assemble
them
and
get
them
out
there
and
the
more
likely
than
that.
It
remains
an
open
source
thing
rather
than
something
that
vendors
compete
on
at
the
at
the
last
mile.
A
So
one
of
the
issues
in
talking
about
s
bombs
is
that
there
are
two
major
formats
out
there
there's
a
couple
of
minor
ones,
but
there's
really
two
that
have
seen
widespread
adoption,
cyclone
dx,
which
has
been
olaf's
project,
as
well
as
the
spdx
format,
which
has
been
a
part
of
the
linux
foundation
for
a
while
in
a
separate
project.
A
It's
something
that
started
more
for
license,
conformance
to
make
sure
everything
in
your
package
is
appropriately
licensed
and
compatibly
licensed
with
each
other,
and
so
it
has
been
extended
to
cover
this
kind
of
inventory
use
case,
and
potentially
it
could
cover
some
other
security
use
cases,
whereas
cyclone
dx
is
you
know,
comes
from
kind
of
the
other
direction
is
predominantly
there.
Both
have
such
a
footprint
that
we
know
that
one
of
the
important
questions
out
there
is:
how
do
you
come
up
with
whatever
you
do
in
this
space?
A
How
do
you
come
up
with
something
that
will
support
both
or
will
use
the
the
strengths
of
each
and
combine
them
in
some
interesting
way?
And
that's
going
to
be
a
challenge
because
they
take
some
semantically
different
approaches
to
to
to
how
they
name
things.
You
know
you
can't
quite
get
you
just
convert
from
one
to
the
other
as
if
they
were
you
know.
Actually,
jif
to
jpeg
is
a
good
example
of
how
you
know
when
you
com
convert
from
one
to
the
other,
you
might
lose
a
bit
semantically.
A
So
I
I
well
we're
working
that
out
the
the
the
there's
a
special
interest
group
that
has
formed
called
the
s
bomb
everywhere
group
under
the
security
tooling
working
group,
to
try
to
tee
up
a
series
of
investments
that
could
be
made
to
help
improve
the
tooling
out
there,
for
spdx
is
the
first
thing,
but
cycling
dx
as
well
could
be
a
part
of
that
and
then
tooling,
to
help
with
combining
of
the
two
and
and
conversion
between
them
and
the
like.
A
So
if
you're
interested
in
the
topic
of
s
bombs
come
to
the
security
tools
working
group,
which
is
the
home
for
this
s,
bomb
everywhere
effort
and
in
the
meantime
we
have
folks
from,
for
example,
alan
friedman
from
sissa
who
is
helping
us
with
the
conversation
you
know,
they've
been
at
the
u.s
government
level,
really
pushing
for
adoption
of
s
bonds
and
and
it's
working
its
way
into
regulatory
requirements
and
the
like
so
so.
Yeah.
A
If
this
is
a
particular
interest
to
you,
engage
with
us
in
the
security
tools
working
group
and
especially
if
you
can
help
us
write
some
code
or
or
think
about
ways
to
drive
adoption
and
manage
the
differences
between
those
standards.
E
If
I
may
jump
in,
you
know,
first
of
all,
brian
thank
you
very
much
for
pointing
specifically
to
the
tools
working
group.
You
know,
just
as
as
brian
mentioned,
that's
where
the
s
monitor
where
kinds
of
things
are
are
working.
You
mentioned
the
word
in
one
of
the
things
in
that
question
was
ensure
alignment.
E
The
en
s-u-r-e-m
requires
some
sort
of
control
that,
sadly,
neither
the
open
ssf
nor,
I
think
anyone
else
truly
has
that
kind
of
superpower.
What
we
can
do
is
encourage
those
who
encourage
organizations
and
people
to
collaborate.
E
We
can
strongly
encourage
collaboration,
but
if
we
can
ask
people
to
collaborate,
but
in
the
end
we
can't
make
them
collaborate.
That
said,
for
those
who
are
willing
to
collaborate,
I
think
that
we
can
encourage
it.
We
can
provide
for
to
do
that,
but
we
really
need
to
we.
I
think
the
the
broader
goal
here
is.
We
need
to
have
everyone
focus
on
that
broader
goal.
E
We
need
to
improve
security,
we
need
to
improve
identification
of
you
know
software
bill
material
information
so
that
people
can
get
their
needs
met,
and
so
I
think
that
that's
you
know
that
ensure
I'm
not
sure
we
can
manage,
but
we
can
at
least
enable
encourage
that
kind
of
collaboration.
A
Great
point:
thanks
david
there's,
another
question
that
that
I'd
love
to
see
us
take,
which
is:
are
there
any
plans,
ideas
or
groups
working
on
reducing
the
amount
of
work
for
developers
while
increasing
security?
A
This
is
this
is
a
pretty
important
topic
and-
and
I've
got
lots
I
could
say
on
this,
but
I
I'm
wondering
if
this
is
something
amir
wanted
to
touch
on,
partly
because
just
from
the
angle
of
doing
of
securing
code
and
doing
third-party
audits,
sometimes
you
wan,
the
the
engagement
isn't
as
productive
as
it
could
be
if
the
maintainers
don't
want
to
engage,
but
at
the
same
time,
if
you
just
show
up
with
things
that
are
broken,
that
can
backfire
too
right
ramir.
A
Do
you
want
to
give
like
an
angle
on
this,
then?
Maybe
I'll
give
some
other
other
context
or
a
bit
of
another
answer.
B
You
know
we
want
this
to
be
as
minimally
disruptive
for
the
the
maintainers
or
the
contributors
as
possible,
so
kind
of
so
really
pushing
for
that
from
a
high
level
standpoint
where
you
know,
we
understand
that
that
that
y'all,
that
these
that
open
source
maintainers
are
really
doing
this
really
important
work
and
a
lot
of
times
it
can
be
thankless,
work
and,
and
and
and
and
especially
with
limited
resources,
really
just
catering
to
that
and
understanding
that
you
know
we
want
to
help
you
in
a
way
that
will
not
be
increasing
your
workload
has.
B
I
has
been
very
helpful,
but
at
the
end
of
the
day
and
going
back
to
what
you
said
david,
I
mean
you
can't
really
make
anyone
do
anything,
especially
in
the
open
source
space.
So
I
think
just
pushing
for
collaboration.
You
know:
how
can
we
help
you?
How
can
we
help
each
other?
How
can
we
work
together
is
is
the
best
approach
there.
A
Yeah
and
and
azra-
I
don't
know
if
you're
still
online,
but
I
I
I
know
this
is
a
recurring
theme
in
the
six
store
community
as
well
like
how
do
you
get
integrations
and
tooling
support
to
to
be
great,
but
I'm
sure
you
know
if,
if
your
repo
suddenly
says
hey,
you
know
we're
going
to
require
you
to
use
six
store
if
you're
one
of
the
top
hundred
packages
or
something
like
that.
Suddenly
that
can
come
a
little
bit
as
a
surprise
to
a
developer
in
their
workflow.
A
So
can
you
share
a
little
bit
about
what,
like
the
sig
star
community,
might
be
thinking
on
this
front
about
how
to
make
adoption
easier,
or
you
know
kind
of
address.
This
concern
that
you're
just
creating
more
work
for
me
by
developers
not
to
put
you
on
the
spot
a
bit,
but.
D
No,
no
that's
a
fair
question.
I
think
that
a
lot
of
us
have
been
thinking
about
this
with
regards
to
like
the
tooling
that
we're
building
on
top
of
sigstor.
So
a
handful
of
us
like,
for
example,
the
trail
of
this
shout
out
that
I
did
earlier.
D
A
lot
of
us
are
trying
to
integrate
within
github
actions
directly
and
hoping
that
most
projects
have
those
workflows,
but
we
do
anticipate
and
know
that
there
are
going
to
be
problems
in
some
of
those
like,
for
example,
people
who
you
know
maybe
are
relying
on
gcb
or
like
external,
builds
and
workflows
like
that.
So
I
think
we're
slowly
coming
to
more
and
more
tooling.
That
is
easy
to
use
and
also
in
cross
language,
but
I
think
it
will
take
time
and
I
think
a
majority
of.
E
A
That's
great
and,
and
I'll
just
add,
yeah.
This
is
something
that's
on
our
mind
as
as
staff
and
on
the
minds
of
I
know
the
tech
as
well
as,
as
we
talk
about
our
plans,
our
ambitions,
our
ideas,
our
goals.
We
have
to
keep
in
mind
that
there's
no
open
source
developer,
I
know
of
who
feels
like
they
get
to
all
of
the
things
on
their
to-do
list
every
day
you
know,
there's
no
open
source
project
that
doesn't
have
open
pr's
in
need
of
review
in
need
of
some
help.
A
You
know
no,
no
open
source
project
like
that
feels
like
they
have
enough
documentation
for
what
they're
doing,
and
none
of
them
who
are
asking
for
more
steps.
You
know
just
for
the
sake
of
asking
for
for
steps
in
bureaucracy
right,
so
everything
that
comes
out
of
the
open
sf
should
have
this
thought
towards
like
how
do
we
make
it
actually
worthwhile
for
the
devs?
How
do
we
create
incentives?
A
How
do
we,
I
I
have
this
actually
solving
problems
for
the
devs,
not
just
for
downstream
end
users
right
and
at
the
same
time,
trying
to
engage
downstream
end
users
in
in
the
work
that
we
do
and
so
there's
a
group
kind
of
talking
about
putting
together
an
end
user
working
group
who
would
be
focused
on
the
needs
of
developers
and
of
organizations
who
aren't
at
the
platform
or
like
the
cloud
layer
or
or
the
tooling
software
layer,
but
instead
view
themselves
as
kind
of
as
the
the
last
mile
in
that
supply
chain
right
and
how
do
their
needs
kind
of
get
expressed
upstream
and
maybe
there's
work
that
they
can
do
to
help
something
that
they
wouldn't
have
otherwise
realized
kind
of
further
upstream
make
their
lives
in
the
lives
of
other
end
users
easier
and
then
there's.
A
Other
groups
like
the
cloud
native
compute
foundation
has
a.
If
I
understand
it,
a
contributor
experience
sig
that
focuses
entirely
on.
What's
it
like
to
contribute
to
cncf
projects,
but
then
also
a
bit
about
using
those
projects
and
getting
them
integrated
into
other
pieces.
So
that's
something
that
our
community
could
could
launch
a
similar
thing.
So
I
think
I
think,
there's
more
more
work
to
do
in
the
space
for
openssf
and
I'll
just
end
with
yeah
everything
in
the
mobilization
plan.
A
All
those
streams
has
had
a
component
of
how
do
we
not
just
build
a
thing
but
drive
adoption
of
it
and
help
with
the
adoption
and
help
you
know
when
we
fund
a
third
party
audit
also
fund
the
the
the
work
to
do
to
fix
the
bugs
that
are
found
at
the
same
time.
Right
and
so
that's
that's
a
recurring
theme
and
it's
a
really
important
question
in
our
minds.
Yeah.
E
If
I
can
jump
in
just
quick,
quick
additions,
I
mean,
I
think,
pretty
much
every
project,
every
sig,
you
know
every
working
group
repeatedly
comes
back
to.
How
can
we
make
this
easier?
Partial
answers
include
automation
as
much
as
you
can
ideally
making
the
defaults
wherever
you
can.
E
If
you
can't
do
that,
then
at
least
you
know
guides
to
help
people
do
that
quickly
and
many
I
think
I
don't
have
the
I
don't
have
any
numbers,
but
I
think
in
the
majority,
if
not
all
these,
the
majority
of
the
people
involved
are
in
fact
developers
themselves.
So
we're
painfully
aware
of
the
challenges,
because
we
also
have
those
challenges.
E
I
think
long-term
education
is
gonna
have
to
be
part
of
that,
because
part
of
the
problem
is
that
we've
got
a
lot
of
interfaces
that
are
by
default
are
very
hard
to
use
securely.
So
we
need
people
to
think
about
when
they
make
interfaces.
How
do
I
make
that
secure
by
default?
That
won't
happen
overnight,
but
the
more
we
have
people
educated,
the
better
and
more
likely
that'll,
be
thanks.
A
Thanks,
I
think
this
time
for
this
one
last
question
from
an
anonymous
actor:
anonymous
attendee
asking
it,
but
it's.
How
is
the
open
ssf
engaging
with
emea
and
aipac
governments?
So
I
I
first
I
want
to
clarify
in
our
engagement
with
the
u.s
government
and
and
and
and
in
general
how
we'd
like
to
engage
with
governments,
we're
not
a
lobbying
organization,
so
we're
not
about
like.
A
Let's
get
more
laws
into
government
regulations
about
you
know,
spent
only
spending
money
on
open
source
code
or
anything
like
that.
What
we're
there
to
do
when
we
engage
with
like
the
us
government
and
others
is
to
say
here's
what
we
are
doing
in
the
private
sector,
so
to
speak,
here's
how
you
can
get
involved
as
a
major
consumer
of
open
source
code,
the
us
government
and
governments
around
the
world
are
using
a
huge
amount,
but
also
as
they're
writing,
open
source
code
and
contributing
it
back
upstream.
A
Here's
things
you
could
think
about
doing
or
supporting
to
make
that
even
more
secure,
even
more
impactful
and
then.
Finally,
there
is
a
role
we
think
for
governments.
You
know
in
the
same
way
that
they
fund
bridges
and
highways
and
that
they
help
with
the
electrical
grid
and
water
systems.
A
You
know
open
sources
become
critical
infrastructure,
and
so
our
hope
is
that
we
can
inspire
them
to
get
involved
and
direct
some
funds
and
efforts
in
ways
that
we
find
compatible
and
many
of
them
from
the
us
have
engaged
in
many
of
our
working
groups.
You
know
I
mentioned
alan
friedman,
for
example,
and
and
like
I
don't
want
to
single
him
out-
certainly
there's
others,
and
so
when.
A
So
that
is
the
as
a
frame
that
we
can
have
started
to
have
some
conversations
with
some
other
governments
as
well,
and
I
there's
nothing
to
announce
formally
on
that
front.
Yet
there's
some
meetings
coming
up
in
apac
this
next
two
weeks
and
then
when
we're
all
out
in
in
dublin
we're
hoping
to
have
some
similar
conversations
out
there.
A
But
you
know
we'll
talk
to
anybody,
we'll
tell
them
what
we're
doing
and
we'll
look
for
ways
to
bring
them
into
our
community
as
as
peers
with
all
of
you
and
and
move
this
ball
forward.
So
that's
that's
about
as
all
I
have
to
really
report
on
that,
but
it's
exciting
stuff
and
if
any
of
you
know
of
opportunities
to
connect
with
governments
in
your
region
or
people,
are
simply
interested
in
wanting
to
learn
more
about
what
we're
doing
or
the
open
source
community
is
doing
on
security.
A
Please
connect
us
because
we'd
love
that,
and
I
think
time
for
I
I
think
we've
answered
this
one.
I
I
and
tejas
asks
how
do
I
get
involved
in
the
openssf
community?
Hopefully,
we've
answered,
given
you
a
bunch
of
answers
to
this.
I
really
want
to
highlight
slack
as
like
the
best
informal
way
to
get
connected
to
the
people
behind
the
different
projects
and
working
groups
and
the
like.
Please
come
there
and
and
get
to
know
people
just
yeah.
A
I
mean
open
source,
it's
kind
of
like
soylent
green,
it's
made
of
people,
so
that's
the
best
way
to
to,
I
think
start
to
come
up
to
speed
on
what
we're
doing
and
we'll
keep
in
mind
opportunities
for
for
internship
and
make
sure
folks
are
very
aware
of
that
and
then
finally,
a
nice
closing
note
from
tracy.
Thank
you
so
much
for
that.
She
says
not
a
cop,
not
a
not
a
question,
just
a
comment,
great
job.
A
This
was
a
great
update
on
what
you're
up
to
thanks
to
the
team
for
pulling
it
together,
and
let
me
relay
that
as
a
thank
you
to
david
to
azra,
to
dustin,
to
amir
to
jennifer,
bly
and
and
jennifer
bonner
and
jory,
and
everyone
kahil
and
everyone
on
the
open
staff
who
helped
make
this
work,
but
most
of
all,
to
the
broader
open,
ssf,
the
contributor
community,
for
making
this
such
a
fun
project
to
be
involved
in,
and
hopefully
all
of
you
decide
to
join
and
be
a
part
of
that
from
this
point
forward.