From YouTube: OpenSSF Town Hall (November 9, 2020)
Description
Learn More about OpenSSF Here: https://openssf.org/
A
So at the end of each section, we'll try to allow around three minutes for Q&A, and then at the end we're also allowing up to 30 minutes for discussion and Q&A. Before we get started, I need to share with you a couple of housekeeping items.

A
The first is about antitrust policy. We do have people in this meeting who work for a variety of different companies and industry competitors, and to ensure that we are complying with antitrust and competition law, we need everyone to be aware of some of the requirements, and those you can find in the link here, which is to the Linux Foundation antitrust policy.

A
Another item has to do with the code of conduct. Our intent for this meeting is to provide a harassment-free experience for all of the participants, and to do that we have set aside some code of conduct policies, and the details of those can be found at the link below. And then our last housekeeping item has to do with how we're handling Q&A for this event, so again, for an improved audio and visual experience for all.

A
You can go ahead and ask questions there, or you can like an existing question to upvote it, and we do have some folks who will be monitoring the questions. Sharif is reading that for us, and so he'll bring those up as we get to the points in our presentation where we're ready for questions.
A
Well, let's talk about the OpenSSF and some background for why we're here. We have a shared belief that OSS is a common good, you know, like the air that we breathe and the water that we drink. Any developer can create open source and others can contribute, and we can all use it. Open source is the basis for all modern software, including the world's most critical infrastructure and the software that we create and consume, whether what we're providing is open source or proprietary software.

A
So we founded the OpenSSF, the Open Source Security Foundation. We started in August; it was announced on August 3rd of this year. The purpose for the foundation is to inspire and enable the community to help secure the software we all depend on. The OpenSSF began as a consolidation of existing efforts. So there have been, over quite a few years, a number of entities that have gotten together with the focus on securing open source, and our goal was to consolidate them and get more of us working together.

A
We have a number of ways for individuals and organizations to get involved. We communicate over mailing lists, we have a group meeting calendar, we've got Slack set up, we have a GitHub and also a Twitter account, and these slides have links to those. So you can see those, and you can also go to the OpenSSF Get Involved page, and there's more information and links for all of these.
A
For individuals, we have opportunities to participate in technical working groups. These are our six technical working groups, and you'll hear from all of those working groups later in our presentation. And then we also have a couple of governance-oriented groups: there's the Technical Advisory Council, which helps with communication and coordination across the individual working groups, and then also a governing board planning committee, and we'll talk about those later as well.

A
Then we have opportunities for organizations to join as corporate members of the OpenSSF, and by doing so they can showcase support and eventually contribute some funding toward OpenSSF initiatives.

A
In our first three months, we've been making great progress, and we reported some accomplishments in our press release. One of those is, we established an edX course on Secure Software Development Fundamentals; we'll talk more about that. We consolidated the Core Infrastructure Initiative projects into OpenSSF.

A
We added 16 new member organizations and five new governing board members. We've now done our second press release. This is our first town hall meeting, and no foundation or initiative is complete without a store where you can obtain logo swag.
A
So let's talk about the Secure Software Development Fundamentals course. This is an edX course. edX is a... I think I should call it a MOOC, so massive online... I'm forgetting exactly what that stands for. Anyway, the key point is that this is a place that's free for anyone to go to, register for a course, and take it for free. edX, I believe, was founded by Harvard and MIT, and there's a bunch of great technical content that's available there.

A
Again, the courses are free. There is a fee to take a test to obtain a formal certificate, but that's an optional thing for people. You can sign up on the edX site, and there's a link to that site here, and please feel free to share the blog post that provides more information with your network. Again, it's open to everyone, not just OpenSSF participants.
B
Almost all software is under attack, and many organizations are unprepared. That's why the Open Source Security Foundation, a project of the Linux Foundation, has developed the Secure Software Development Fundamentals professional certificate. This program is geared towards software developers interested in learning how to develop secure software, focusing on practical steps that can be taken even with limited resources.

B
The best practices covered in the program apply to all software developers, and it additionally includes information especially useful to those who use or develop open source software. The program consists of three training courses covering all aspects of the software development lifecycle and the best practices for secure development during each of them. Topics include security basics, secure design principles, supply chain evaluation, implementation, security verification, fielding and more. Upon completion of the program...
A
Okay, yeah, so that's... let me just make sure. Sorry about that.

A
So I can mention that we're having a great response for that course already. I was looking at this on Friday with our LF staff, and we have already about 600 people signed up across all three courses, and especially for the first course we have about 220, again as of Friday, who are signed up already. So we're really excited about this. David Wheeler put this course together, and it's a great first introduction, a great accomplishment for LF, for the Open Source Security Foundation, and a great introduction to security fundamentals.
A
The first is a survey of developers. This was completed by a group at Harvard, and in this survey we're asking developers from some of the top OpenSSF projects about some of their practices. This has been transitioned to the Securing Critical Projects working group, and you might hear a bit more of that work when that group reports out. The second item is a census project, so this was a census of critical projects completed by Harvard, and this helps us understand how many people are using which open source projects.

A
There was a report completed last February, and we're intending to do follow-on work. The last item is the CII Best Practices Badge project, and what this does is allow free and open source software developers or maintainers to show that they are following best practices. So they can describe what they're doing: are they requiring two-factor authentication? Are they using a CI/CD process? And more. And then, as they complete that information, they can receive badges anywhere from passing to silver and gold, higher levels based on the level of security that they provide.
A
We've increased our member organizations. We now have 35 member organizations, and they cover a number of large... you know, organizations from large to small, and we also have a number of security-oriented organizations, three of the big Linux distro providers, and these are in our general members. And then we also have associate members, and that includes a number of non-profit organizations and also universities.

A
We have decals with the OpenSSF logo, and we also have an adorable plushie; you can see him there. And I also have got a plushie now, so here's the plushie live.

A
We encourage all interested stakeholders to participate in the foundation, and we make that work publicly available. So we believe in openness and transparency. We have a maintainers-first approach to what we do, so what we want to do is make maintainers successful, and so we show respect for them and work towards creating resources and tooling that scale to the ecosystem as a whole.

A
We value agility, so we follow an approach where we try to work fast, learn... you know, create projects, work fast, learn from our mistakes and move forward. And then the last three: we give credit where credit is due, we don't bias toward any ecosystem, vendor or platform, and we treat each other with empathy, so we're committed to creating a culture of listening and caring for multiple opinions.
D
Okay, there was a question on: can we make the store available for non-US countries, and is there a discount code for swag for participants of the town hall?

A
So I'm sure there's not a discount code, and I don't know, David Wheeler, or I don't know if Todd is still with us. I don't know the answer for international.

E
I don't have an answer for international, but I just saw the message, so I've asked some other folks to look into what it'll take for shipping to various countries. You know, we don't control some of that stuff, but we will at least see what we can do. Okay.
A
Okay, all right, let's talk now about the governing board. So the OpenSSF has two major governing bodies: there's the governing board, which deals with issues of business and finance, and then the Technical Advisory Council manages the work of our technical community. So the governing board specifically is responsible for things like membership and dues, business and community outreach (which someone just asked about), policies and procedures, committees to support the mission of OpenSSF, budget and fundraising, and then also creating use cases and user stories, keeping the website up to date to help inform the ecosystem and technical community. Governing board members.

A
So here's a list of our governing board members. We initially had eight governing board members and we've added five. Recently, our five new members are Jeff Altman from AuriStor and, let me get... Anand Pashupathy from Intel and Lech Sandecki from Canonical. We also added a representative from the Technical Advisory Council, that's Dan Lorenc, to our group. Actually, I think we missed him in this slide. Sorry, Dan. And then I'm very excited to announce our latest representative, who was just elected last Friday, and this is Ian Coldwater. Ian will serve as our security community individual representative, so we were looking for someone who has experience maintaining projects to come in and make sure that that point of view is represented on our governing board. So again, congratulations, Ian, and welcome to the governing board. So, activities of the governing board: the governing board has monthly meetings; we meet for one hour the first week of the month.
A
In addition to those monthly meetings, we have one committee created currently, which is our planning committee, and I'll talk more about that in a minute. And then we do anticipate future committees. We haven't created those yet, but we're at a point where, if we have people who are interested in helping to lead those and organize them, we can get more started.

A
Some that we've discussed are a committee for identifying conferences that we should participate in, and either helping to create full-day work streams or just giving overviews of OpenSSF. We are anticipating a communications and marketing committee, and then another one that will be looking at finances, budgeting and dues.

A
The other thing that we're doing in the planning committee currently (later this could move to a separate committee) is looking at website updates. So we updated the Get Involved experience on the website. We're also coordinating community-wide blog posts, Twitter posts and organization announcements.
A
So if you want to get something into the press release or make sure it's highlighted in an upcoming town hall meeting, if you want to create a blog post for something that's going on in a working group or otherwise have that posted to Twitter through our account or have an announcement made to the OpenSSF community, or if you have changes that you'd like to see to the website... Another thing that you can communicate to us is if there is something you'd like to see the community accomplish in an upcoming planning milestone.

A
So if you've got ideas for any of those, feel free to send email to the planning committee, and I've got a link to the planning committee alias there. You can also get involved in the planning committee. So if you're someone who enjoys planning or product or project management, everyone's welcome. We meet weekly on Mondays at 10 am, and I've got some links here to the meeting agenda and notes, the email list, and also the GitHub page.

A
All right, so, oh, one last thing I want to mention, and this is an overview of several... So the Linux Foundation provides as support for us a couple of really amazing people, and one of those is David.

A
So she helps us, you know, schedule a bunch of our meetings, keeps us on track for the governing board, and she does a lot of the work on the website for us, and helps with sending out Twitter announcements and those kinds of things. So a couple of great resources, and we thank them very much.
A
Okay, let's take a break again and see, Sharif, do we have any more questions we can answer before we move on to the TAC?

D
Yes, there was one question, which is: don't you agree that active contributors to OpenSSF working groups should receive a complimentary copy of Goose Game? The Untitled Goose Game.

A
Oh, that's a great idea. Yeah, so I guess we'll have to capture that and take it offline to discuss with the Linux Foundation staff. We're a little tight on funding, so I'm not exactly sure how we'd make that happen, but...
F
Thank you, Kay. Hi everyone, my name is Ryan Haning and I'm part of the Technical Advisory Council. Okay, can you go to the next slide? Yeah. So currently the members of the council: we have seven of us. You can see a number of these faces kind of showed up on the governing board as well. So these are the current members, and in the future these will change a little bit, because we are considered bootstrapped right now, and so these are the guys who are helping to figure out sort of the next steps to get more permanent members, and I'll talk about that in a second. So next slide.
F
So the mission of the TAC is we're responsible for the oversight of the various technical initiatives of the OpenSSF. That includes the working groups, the various projects, sort of all the technical side, so we're going to approve and facilitate collaboration of those working groups. Right now we have six different working groups. Those can change; as time comes and goes we'll get new strategies and new groups to focus on those things, and some will eventually sunset in the future. So we kind of ensure that all those things are coordinated, making sure that they're collaborating efficiently and that work is happening in an optimal way. In addition, we assist with identifying funding requirements. So if a working group has a need for funding, say for infrastructure, or perhaps they need to hire developer resources or an outside vendor or something like that, we can help them identify those needs and then coordinate with the governing board to ensure that those resourcing needs get met. Next slide.

F
So far, what we've done: we've developed a list of potential future actions that we're not currently working on. Like I mentioned, we have six existing working groups, but we have a massive laundry list of potential things we could work on. As everybody knows, the world is wide open as far as security and particularly open source, so there's a lot of areas to go tackle. So we're sort of building up a backlog of that, and then what we're going to do with that is leverage what we've been doing now and the future work that we could do to develop the vision for the TAC, and sort of what our technical strategy will be for the upcoming year. And then using that, we're going to formalize the life cycle of technical initiatives: what does it mean to be an official working group, what are the different stages until they get sunset, and that sort of thing. And then, how can you get involved?
F
So we're kind of a small group right now as far as the official TAC members, but we actually have quite a few people that participate in these groups. We meet bi-weekly, every other Tuesday at 8 a.m. Pacific time, so our next meeting coming up is going to be on the 17th; the calendar invite is listed here. We have our meeting minutes listed, so you can go back and look at some of the things that we've discussed in the past and where we're headed in the future. And, like I said, even though there's a group of seven people that are official TAC members, we have much larger involvement even now, so we're definitely open and welcome to have more people come and join us there and talk about where you want to see things go. And if you have ideas for working groups that can help contribute, the TAC is the right place to bring that up. Additionally, for communications we have the official TAC mailing list, we have the Slack channels, and we're also active on GitHub. So if you have ideas for something you want to talk about in a future TAC meeting, you can open up a GitHub issue, or you can even add it directly into the meeting notes; we have a section right up at the top for future agenda items. Next... I think that's it for the TAC. So, any questions on that before we jump into the next one?
G
All right, hi everybody, my name is Michael Scovetta. I lead the Identifying Security Threats working group, and I'm here just to give you a quick update on what we've been up to. So next slide.

G
Okay, so our mission is to enable stakeholders to have informed confidence in the security of open source projects. That took a while to come up with, such a short mission. Basically, we want to ensure that the people that use open source, that create open source, that base their businesses off of open source, understand what the risk is that they're assuming, based off of lots of different things, and part of that involves understanding what the threats are, both general ecosystem threats but also threats specific to individual projects.

G
So next slide. We have two... well, we have one kind of accomplishment, and the other one is kind of the work in progress. The top one is the accomplishment: we wrote a paper. The paper describes ecosystem-level threats, so it was intended to be (thanks, John) everything that could go wrong with the open source ecosystem from the perspective of the development life cycle. So a developer comes up with an idea. Maybe the idea was just a really insecure idea, like the design is bad, or they're coding it and they're making mistakes, or they upload it to a website and the website gets popped and the code is tampered with, or someone consumes the code and when they're consuming it, it gets modified in transit, or something. So we tried to look at this broadly and say, here's everything that can possibly go wrong. Where do we really think the risk is?
We
really
think
the
risk
is
so
at
the
end
of
the
the
paper?
This
is
kind
of
a
consolidated
list
of
like
you
know,
kind
of
more
or
less
recommendations,
or
you
know
things
that
I
that
that
we
believe
the
community
should
pay
attention
to
or
pay
more
attention
to.
Some
of
these
are
you
know,
short-term
things.
Some
of
these
are
long-term
things.
Some
are
tractable,
some
are
not,
but
we
one
of
the
intents
of
writing.
G
It
would
be
a
little
bit
more
formal
than
you
know,
picking
ideas
that
everybody
has
at
the
top
of
their
head
and
putting
a
little
bit
of
a
little
bit
of
science
behind
it.
That
paper
is
available
through
that
download
link,
luigi
cabello
also
converted
to
markdown,
which
is
awesome.
So
if
you
have
updates,
if
you
disagree
strongly,
you
know
open
up
an
issue.
You
know
send
a
pull
request.
This
is
not
intended
to
be
a
document
that
you
know
is
is
written
in
stone.
G
We
also
could
have
been
wrong
in
certain
things,
so
we
are
interested
in
moving
that
to
you
know
kind
of
a
next
release
at
some
point
pretty
soon.
So,
if
you
have
things
that
you'd
like
to
contribute,
please
do
so
so
that's
the
ecosystem
level,
part
and
and
then
down
to
the
to
the
individual
projects.
What
we
really
want
to
do
is
is
collect
curate,
you
know,
communicate
aggregate
security,
metrics
for
open
source
projects.
So
this
this
means,
like
you,
know,
zlib,
has
these
attributes.
G
You
know
things
like
project
health
and
the
results
of
static
analysis
and
whether
or
not
a
security
team
or
security,
expert
or
researcher
or
whoever
has
like
really
looked
at
it,
and
we
think
that
a
lot
of
these
metrics
and
data
and
information
can
be
pulled
together
to
give
the
stakeholder
either.
G
You
know
someone
that
wants
to
use
an
individual,
open
source
component
or
a
compliance
team
that
uses
you
know
whose
organization
that
they
represent
uses
tens
of
thousands
of
or
hundreds
of
thousands
of
of
components
and
understand
where
the,
where
the
risk
really
lives.
G
So we've been working at this for a while. We have a proof-of-concept UI; we've put a lot of thought into metrics definitions and formal requirements. That said, there are other things that are going on. So if you're listening to this and you're saying, gee, that kind of sounds a lot like what the badge program does, well, there is an overlap.

G
There's a natural overlap. As you'll hear later, there's another project that there's definitely overlap with, and my personal belief is that all of these should rationalize where they fit and where they feed, and working groups themselves are fluid, so we will do the right thing. So yeah, there's a source repository if you'd like to play with this. You can get up and running pretty quick, but we are really looking for more help here. This is a really hard problem, and it's important that we make progress. So if you want to contribute, please reach out; we will get you invited and all that stuff. So yeah.

G
This is just a mock UI of what this could look like, but really what this is showing is the individual projects and what their kind of "score" is. Score can be an objective thing, it can be a subjective thing, like an SSL Labs score. I think, as long as we're clear and transparent in how we calculate things, we can provide something that people can trust. Next slide.
G
I think that was it. Oh yeah, if you want to get involved more, we have meeting minutes there, so you can kind of see what we've been up to. Shoot me an email and I'll send you the invite. I need to get the invite to be kind of public, where I can just post it in the calendar. I think I can now, but regardless, right now just email me and you'll get the invite. We're meeting this Wednesday at 8 a.m. Pacific time. So if you're up that early, or don't live on the West Coast, that would be awesome. Thank you. Any questions?

D
I have no questions, at least on Slido, too.
C
For me, I think one of the best things for this working group is that it's brought together specialists in a wide range of areas, so we've got people in dynamic testing, static testing, software composition analysis, fuzzing, deliberately vulnerable applications, and it's a chance to learn about the challenges we all face, how we're addressing them and where the overlaps are, and basically learn from each other. Next slide, please. So there's more work going on than this; there's work going on in fuzzing, trying to identify the most critical open source projects to fuzz.

C
We want to just focus on a couple of accomplishments this time. The first of those is the publishing of the GitHub Actions for ZAP. For those who don't know, we believe ZAP is the world's most frequently used web application scanner, and it is, of course, completely free.

C
So the baseline scan, by default, is a one-minute spider and then passive detection. So it's quite quick and therefore quite good to run in CI/CD, but it can still find a whole load of potential vulnerabilities, particularly missing security controls. And then there's the ZAP full scan, which is an active scan, so it's really attacking your application. That can take some time. If you want to know any more about that, then please talk to me about it.
C
So that's metadata and branches with all the code before that, when the vulnerability was present, and immediately after it's been fixed, and the idea with this is it allows anyone to benchmark their static analysis tools against real vulnerabilities. So can your tool find the original vulnerability, and then can it detect that it's actually been fixed?

C
So we've gone to the next slide and, as you can see, there's details for getting involved. The CVE Benchmark is going to be presented at Black Hat in London this year, and then it'll be open sourced, and there's more details on getting involved in there.

C
If you want to get involved in the working group, then the details are on the repo, and the link to join is on the OpenSSF calendar as well. And if you want to get involved with ZAP, then get in touch with me. And that's it; I thought to keep it short and sweet. Any questions?
D
Hey Simon, there was one question on how frequently this ZAP scan database library is updated with vulnerabilities, and any defined frequency for such library updates.

C
So we don't have a library as such; we have code. So we have a set of scan rules: we have passive scan rules, active scan rules, WebSocket scan rules, and we have different levels of... we have release quality, beta quality and alpha quality, and these are all defined in packages, add-ons, which are on the ZAP Marketplace.

C
So we will change these as frequently as necessary, and the one thing I think is worth remembering is that ZAP is a tool for finding vulnerabilities in custom applications. So it's not like we're looking for known vulnerabilities, where we go, okay, there's one particular... we know that you're running WordPress, this particular version.
D
Okay, and what software component composition analysis tools are you evaluating in the tools...?

C
So we've had one, or a couple, of the guys from OWASP who are involved in some of the projects around that. So that's really where that focus has been. I mean, we're not at the moment evaluating new tools; I don't think anyone's looking at that. I think it's very much bringing together people working on existing tools. I'm certainly not aware of a load of resources we have across OpenSSF or in the tools working group for doing a big analysis of new tools or actually creating new tools.

D
Okay, and there's another one: are you also looking at teaching vulnerability finders how to improve their vulnerability reports, i.e. digging deeper on fuzzing results before reporting?

C
We're not looking at that at the moment, but it sounds like a very interesting thing to look at. So if anyone wants to come along to the working group and talk about that, then you'd be very welcome.

D

C
Yeah, I mean, for the working group we're definitely covering both SAST and DAST. For ZAP itself, we have no intention of going to the SAST world; they're very different, and very... yeah. Our expertise is definitely in DAST, but for the working group we're covering all security tools and all techniques. Yes, okay.
H
Hello, everybody, my name is CRob. I have the humbling, great pleasure to represent two of the working groups today. First off, Xavier and I are going to talk about the Developer Best Practices working group. Next slide, please.

H
So you might ask yourself: what's this Developer Best Practices working group about? Well, our objective is to try to provide open source developers with best practices recommendations, the good practices in writing code, testing code, checking code, and we want to supply easy ways to learn about that and to apply that learning. Oh, my poor little goose. Ideally, we're looking to make this available for all open source developers.

H
Everything we're doing is currently community sourced, and we want these practices to remain sticky, so that we just don't apply security once and then move on and forget about it. We want these things to be ingrained into the developers' activities, their ways of thinking. And kind of our vision on how we're going to execute on this is, first off...

H
Secondly, we're looking at creating this community. It can be very complex and challenging to keep up with everything that's going on, so our idea is to try to attract open source contributors and help them remain engaged and continually contribute to the inventory of practices, so that the whole community can benefit. And finally, we're looking at implementing a learning platform. We mentioned the earlier training courses, so we're looking to try to find a way to help educate people, first and foremost, you know, the courseware.

H
We are looking at implementing tools and methodologies to get things out to developers, either through containers or the web, or even integrated into their IDEs potentially, and we're looking to provide a suite of exercises to help teach some of these practices that are built into the inventory. Next slide, please. Just a quick snapshot: this is currently our most active contributors.
I
So me and my friend the goose will tell you where we are in this working group. My name is Xavier. So first, we have released the courses that Kay already talked about, so I won't spend a lot of time on it. Just what I want to tell you is that it's not a theoretical course; it's very practical, and also all the practices that are in there, any developer can apply them right now without requiring unlimited resources, right?

I
We contributed to the new major release of the OWASP SKF learning platform. SKF, the Security Knowledge Framework developed by Glenn and Riccardo ten Cate, is a vital asset to the coding toolkit of your development team. In SKF, you can learn from an open source security knowledge base; you will have code examples in multiple programming languages.

I
You will have hands-on labs, but you can also create manageable projects with checklists matching the specific requirements of your application, and so this checklist will guide you through your design and development phases, and therefore this way you will integrate security by design in your application. And you can start using SKF with the link below right away: download it, start it and go. Next slide, please.
I
So, what's next on our agenda? First of all, we would like to provide a public SaaS platform for SKF. So this way you won't need to download it and start it on premises, but you will be able just to log in and get started right away, using it to build your applications.
I
Also, we think that it will make it much easier to welcome contributions from the community with this public platform. Second, we want to contribute to the OWASP Integration Standards project with the goal of providing an open source mapping of security requirements, testing strategies, best practices, threats and weaknesses.
I
This would be really part of the inventory project that CRob mentioned in the introduction. Last but not least, we'll contribute to the Security Scorecards project. The goal of Scorecards is to auto-generate a score for the security posture of an open source project, so you will use these on your project as you decide the target posture that you want for your use case. You can also use this data to augment your decision making.
I
When you introduce new open source dependencies into your project, we want to build with Scorecards a culture of security through improved visibility. So this was a project initiated by Dan Lorenc.
H
If you are a project or package maintainer, hey, look at tools like the Best Practices project and make sure that you can get your project badge. Do you meet that kind of higher level of quality and expectations that the badge project can help you earn? And we meet every Monday at 8 a.m. Pacific.
D
Hi, there weren't any particular questions with regard to the working group. There was a question on: was there any particular reason why a goose was chosen as the...
D
Mascot? Yeah, so there was a link to it in the chat as well, but yeah, it was from Ian Coldwater, who likes the Untitled Goose Game. She made a presentation before, which I watched, talking about how hacking sometimes reminds you of the Untitled Goose Game. So when we were looking at badges or sort of logos, I sort of mentioned it, and Chris from the Linux Foundation wrote it down so that the designer could mock something up, and then we had to vote on the design, and this design won.
D
Okay, that's it! There is one other question, but I believe that would be more on the Vulnerability Disclosure working group, so I'll leave that to later.
H
That later is now. I have, by process of elimination, today I have been nominated to talk on behalf of the Vulnerability Disclosures working group. I'm one of the co-leads for the group. Unfortunately, our dear friend Marcin is not feeling well today, so we hope he feels better, but if we get the next slide, please, Matthew and I are here to represent the group. So this particular group is... we are interested in helping the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communications.
H
This is again another snapshot of the working group members. We, like every group, are very interested in participation, so if you feel, if you have a particular hankering or interest or desire to help participate in this community, please, welcome, join, come on in, and you get to work with all these great people. Next slide, please.
H
We're collecting these through a series of user stories; they're going to help frame our future work, and we've already gone through and reviewed the disclosure practices that are employed by several of our members. We've looked at how vulnerability disclosure and coordination is handled by the Node.js ecosystem, the Ruby community, our friends over at Arch Linux, and what we do here at Red Hat. Next slide, please. So what's next is we're going to start sharing those standards of coordination for both CVE and advisory data in consumable formats.
H
So right now we're kind of doing an assessment of what standards and techniques are used today, and we're starting to debate, you know, what the best path forward is to make a good recommendation for the ecosystem. And actually, coming up at our next meeting, we're talking with the folks from CERT/CC. They have a project called VINCE that speaks to vulnerability coordination and disclosure, and they're looking at open sourcing that project, so we're looking at the potential to possibly collaborate or leverage that project as we move forward and share our data. Next slide, please.
H
And again, everyone is welcome to come and open up a discussion, continue on discussion as it relates to our mission and charter. If you have pain points, whether it's reporting, sharing or coordinating vulnerabilities in open source, we would love to talk to you. We'd like to hear your perspectives and hear your feedback on how we can make it better. Do you have suggestions on how we can more securely coordinate these reports to the subject matter experts that help fix the problem?
H
Great, let us know, and again, we're looking to capture all those perspectives and try to find some collaborative solution that benefits the whole community. Again, we meet at 8 a.m. Pacific currently, and ideally, it's the alternate Mondays from the Developer Best Practices group. I hope, and we welcome you and hope that you can come join us, and I would open the floor for questions.
D
So there is one question that I've been saving for this moment, but the question is: when working with CVEs, we have the CVSS to say how severe they are. Should we have a scoring system for the extensiveness of the test coverage for a CVE fix?
H
It's a very interesting idea. It's something that the working group currently hasn't explored, but, you know, kind of listening to the presentations before me, myself, and thinking about who's coming forward after me, I think there's very definitely potentially a lot of people that could help contribute to that idea and help bring it together and see if we can think up some kind of a reasonable standard. Yeah, I think it's something the foundation at large could explore, and potentially the vulnerability group might be a good place for that.
D
Okay, there were two sort of admin-related questions. So the first one is: how do we access the deck used in the presentation? So I've put them in the chat. And then also, that was another question: how do we join a working group that interests us? So an example of that is, how would someone join the Vulnerability Disclosure working group, for that matter?
H
At least in the groups I'm affiliated with, every single one of us has that public calendar. So if you're interested in joining, you know, contact us, let us know, whether it's, you know, a GitHub issue or contacting us through Slack or on our mailing lists, and we'll be glad to coordinate you and get you included into our awesome little team.
D
Thank you. Last question, not working group related, but is participation in the Outreach Committee open?
D
I believe the answer to that question is yes; it just hasn't started yet, but we do have the GitHub link there if anyone would like to join.
E
I mean, technically right now I don't believe there is an Outreach Committee, but that is something that is being discussed. So, if you're interested, let us know.
J
Oh, just to comment on that, we had started, off of the governing board, an outreach group, but it was like on Friday. So it's not even in the slides. Yeah, it's open to anyone that wants to get involved.
D
Yeah, I think those are all the questions.
K
Okay, my turn. I think I just unmuted. My name is Dan Lorenc and I've been helping coordinate the Digital Identity Attestation working group. Next slide, please. Thank you. So, in addition to geese and geese memes, we also like other memes too, and other animals. On the internet, nobody knows you're a dog. This applies to open source software as well. You wouldn't give a stranger you met on a sidewalk access to commit to your internal Git repository, but when you take binaries you find on the internet and run those in production,
K
that's basically what you're doing. This is not a new problem or a new space, but we are a new working group. The rise in open source software over the last couple of years has started to make this problem way more apparent and way scarier. So that's what we're here to help out with. We want to make it easier and safer... thanks. Sorry.
K
Want to make it easier and safer for users of open source to understand where the software they're using is coming from. So far, we've mostly been learning about this space. Do you want to go to the next slide? Thanks. So far, we've been mostly learning about this space through a whole bunch of awesome presentations from domain experts all over the industry.
K
We've had presentations from people running things like the in-toto project, which is a framework to secure the integrity of software supply chains, and stuff like the Self-Sovereign Identity project out of the Hyperledger effort, and we've also been learning how existing projects do try to solve this. Today we had some awesome presentations from people like Konstantin Ryabitsev.
K
Next week we have Enrico Zini of the Debian project on how they verify Debian maintainers and how Debian handles GPG key management and web of trust issues, especially now with some changes they put in place due to the lack of in-person meetings because of COVID. And then, after that, we have some people presenting from the DID, or decentralized ID, project on some work to integrate DIDs directly into Git, as well as how to refactor some of the Git internals to allow signing of commits and other Git objects with things other than GPG.
K
So, if you're interested in this space and want to present, or are trying to solve this problem in an open source project that you're a maintainer of, reach out. We have meetings every two weeks. There's a link here in the GitHub repo, and everything is open in public, so you should be able to find the calendar invitation and join.
D
There's one question not necessarily related to the working group. There was a question on: will the GitHub org for OpenSSF change to openssf, since the Linux Foundation has OSSF, meaning Open Source Strategy Forum?
D
I think, you know, that we'll keep it as is for now, if there's any confusion.
L
Cool, so hey everyone, thanks again for attending our first town hall today, and Kay and Lindsay for organizing all of it and getting us together. And so I'm Kim. I work at Google as a product manager and, of course, I'm focusing on securing open source projects we all depend on. So this is the last working group we'll be discussing today, and this is a great recent xkcd image that really sums up the problem
L
we're trying to tackle: our modern infrastructure is all being held up by some random project by some random person in Nebraska that's been maintaining it, and then, as Dan says, you know, all of our usage of open source software keeps increasing, and so this sort of picture becomes more and more scary. And so, next slide. So our mission is pretty, it's really quite simple: we want to improve the security of the most critical projects that people rely on, and we want to do this with like-minded people and organizations.
L
So, you know, there's no point in all of us duplicating work to make improvements to one specific project, and it's obviously better if we can combine efforts and tackle these problems collectively. Okay, next slide. So Kay covered a bit of this in the beginning about some of the CII efforts that we've folded in. So we got presentations from the folks at Harvard on those, and we're really looking forward to working with them going forward and making improvements and some changes on that work that they're doing. We've also had some other presentations.
L
Folks from OSTIF gave us a presentation on how their security audits process works. So that was very interesting, and then one of the docs that we started working on was what we're calling a menu of services. So not every open source project needs the same sort of thing when it comes to security.
L
So this was supposed to be just a dumping ground of all sorts of ideas that we could come up with for helping projects out, and then again, I mentioned the Harvard work. Next slide, please. So what's coming up next? So we're looking at ways to raise money, or for organizations to put funds towards specific efforts, and, like I said, that's not all about just money, so, you know, other ways that we can help projects, if it's through, like, consulting or what have you.
L
So those are ideas being collected in that doc, and then another big problem, which is why we folded in some of the Harvard work, is coming up with that list of critical projects. So in doing that in a collective fashion, we want to identify, you know, the top, say, hundred, a thousand, and then go proactively figure out how to help and improve them. Next slide. And then, similar to the other working groups, we meet every two weeks.
L
You can see all of the links to the calendar and Slack and things from the GitHub repo, and then I think, you know, one of our hardest problems is really figuring out how to make real impact. So even if we have money, sort of connecting that to get projects, you know, or contractors fixing things is not as easy as we would like. So if you are interested in any of these, we would love new ideas, would love creative thinking and ways we can help tackle this together.
D
Okay, I think there aren't any further questions, so we did manage to answer as many as we can along the way. I think we got about 18 questions covered already throughout the town hall.
A
Now, you know, we're coming to the end of the meeting, and so maybe we can open up, and if others just have questions, why, you know, feel free to unmute yourself and ask those questions. So we're interested in questions or any other discussions we have there.
A
And we don't have to use it if we don't have questions, but we're open to your thoughts. Sorry about all of my notifications. That's clearly... I forgot.
A
I don't know what I did, but okay, all right, yeah. So I was saying that, you know, I would encourage people to have a look at some of the other links and content from the slides today. So, to wrap up,
A
we'll take you to a page where you can sign up for our mailing lists, and we have eight or nine or so of those currently. You can have a look at our calendar, so we have a Google calendar that has all of the ongoing meetings on it, so you can see when those meetings occur. If there's a group you're interested in and you're not quite sure you want to commit to it yet, you can just attend one of the meetings. They're open, and you can learn more about it.
A
So you can follow that to see news. So some of those are some other ways that you can get involved, and everyone's welcome. And then, just as a final note, if you can take a couple of minutes to complete the town hall survey, here's a link to that survey. There are six questions on it. Two of them are just, you know,
A
the basic, you know, what was the quality of the town hall, and do you have any suggestions for how to make it better for the future, anything else you'd like to see in it, you know, any ways to organize it differently or better? We're open to all that. So we want this to be an opportunity that's informative and, you know, fun for people to learn about the OpenSSF.
A
We will be sharing the deck and recording for it. I'm not sure exactly how we will share that yet; it might be on the website, or we might send it as a... I think probably we'll send it at least to everyone who is registered for the event, so you'll see it there, and feel free to forward the recording or the slide deck to others.