Convert Google Doc Meeting Minutes to Markdown

minutes/2022-04-05.md

@@ -0,0 +1,54 @@
+# **2022-04-05 Meeting**
+
+
+## Attendance (please add yourself):
+
+
+
+* Bob Callaway (Google, **TAC**)
+* Eric Tice (Wipro)
+* Jeffrey Borek (IBM)
+* CRob (Intel, **TAC**)
+* Matt Rutkowski (IBM)
+* Stephen Chin (JFrog)
+* Dan Lorenc (Chainguard)
+* Aeva Black (Microsoft, **TAC**)
+* Brian Fox (Sonatype)
+* Josh Bressers (Anchore, **TAC**)
+* Arnaud J Le Hors (IBM)
+* Abhishek Arya (Google, **TAC**)
+* Jory Burson (Linux Foundation)
+* David A. Wheeler (Linux Foundation)
+* Jenn Bonner (Linux Foundation)
+* Sarah Novotny (Microsoft)
+* Jay White (Microsoft)
+* Luke Hinds (Red Hat, **TAC**)
+* Steve Chin (JFrog)
+* Dustin Ingram (Google)
+* Sudhindra Rao (JFrog)
+* Melba Lopez (IBM)
+* Justin Hutchings (GitHub)
+* Jamie Magee (Microsoft)
+* Georg Kunz (Ericsson)
+
+## Agenda
+
+
+
+* [bcallaway] Heads-up: Motion to accept new WG “Securing Software Repositories” will be made at the April 19th TAC meeting
+* [jory] Update on housekeeping table
+    * We’ll convert WG meeting notes in Google docs into GitHub (so they can be kept long-term)
+* [Sudhindra Rao] Review and approve [PR 91](https://github.com/ossf/tac/pull/91) - which copies over project approval process from cncf 
+    * [Aeva] looking forward to the discussion
+    * TAC discussion - there’s a lot of good stuff, but there’s a lot of stuff
+    * David W: If it’s accepted, and that’s thet TAC’s decision, mark it as DRAFT - the website should clearly show what’s active & what’s not
+    * David W: I suggest breaking this into smaller chunks so it’s easier to review, then accept little pieces.. This is large & challenging to review all at once
+    * Recommend NOT using Google docs/Google forms for the process, they can’t be accessed from many places
+        * Counter-recommendation: GH notification spam can be too noisy. CNCF’s choices to use forms have contextual reason that may or may not apply today.
+    * Bob: what’s the minimum viable set of policies that we need to reach to merge?
+* [Aeva] requesting review on small community-overview doc
+    * [[DRAFT] initial pass at defining terminology in the readme by AevaOnline · Pull Request #4 · ossf/community (github.com)](https://github.com/ossf/community/pull/4) 
+* [Jory] OpenSSF Day FYI
+    * Register: [https://events.linuxfoundation.org/open-source-summit-north-america/features/openssf-day/](https://events.linuxfoundation.org/open-source-summit-north-america/features/openssf-day/) - June 20
+
+        Let Jory/Ops know if you will be there! (or at OSSNA)

minutes/2022-04-19.md

@@ -0,0 +1,89 @@
+# **2022-04-19 Meeting**
+
+
+## Attendance (please add yourself):
+
+
+
+* Bob Callaway (Google, **TAC**)
+* Matt Rutkowski (IBM)
+* Justin Hutchings (GitHub)
+* CRob (Intel, **TAC**)
+* Jeff Borek (IBM)
+* Dan Lorenc (Chainguard, **TAC**)
+* Eric Tice (Wipro)
+* VM Brasseur (Wipro)
+* Josh Bressers (Anchore, **TAC**)
+* Luke Hinds (Red Hat, **TAC**)
+* Jacques Chester (Shopify)
+* Aeva Black  (Microsoft, **TAC**)
+* Brian Behlendorf (OpenSSF / LF)
+* Melba Lopez (IBM)
+* Jeff Mendoza (Google)
+* Sudhindra Rao (JFrog)
+* Arnaud J Le Hors (IBM)
+* Stephen Chin (JFrog)
+* Jamie Magee (Microsoft)
+* Abhishek Arya (Google)
+* Phil Estes (AWS)
+* Jenn Bonner (OpenSSF / LF)
+
+## Agenda
+
+
+
+* [bcallaway] Motion to accept new WG [“Securing Software Repositories”](https://lists.openssf.org/g/openssf-tac/message/461)
+    * [Email sent by Bob Callaway to TAC last week](https://lists.openssf.org/g/openssf-tac/message/461)
+    * All criteria appear to be met
+    * Expressions of support: CRob
+        * Best practices wg already collabing with NPM community on security guide.  This will be a nice place to get additional feedback/input
+    * Jeff Borek: are there guidelines around standardization, consistency of approach?
+        * Don’t think we want to make this a standards body, not normative, but could deliver documents as a part of the WG - Bob
+        * Common interests will lead to common reference docs and common implementations. Discovery of similar approaches is important. - Jacques
+    * Motion that the TAC accepts the WG application. Call for quorum met; call for voice vote made by Bob. All in favor, none opposed. **Motion passes**. 
+* [~~jory / OSSF staff] - OpenSSF Day - Plan Review~~
+* [aeva & others] - project ~~donation~~ governance process update
+    * Mentions of github PRs [95](https://github.com/ossf/tac/pull/95) and [96](https://github.com/ossf/tac/pull/96), side meetings, [email discussions](https://lists.openssf.org/g/openssf-tac/message/470)
+    * Github branch name: “working version process”
+    * Please engage on the PRs and email thread
+    * Still unclear on SIF structure, how managed by GB? 
+    * Brian B: Putting together a doc from LF/OpenSSF staff to describe proposed model of governance. Will look like SIFs are independent projects that report to OpenSSF GB and TAC in exchange for use of the OpenSSF brand and some staff/operational support.
+    * Arnaud: we need to reconcile the charter with current practice. Aeva’s proposal does stick closely to what we have. However we still use “project” too many places, so the table will help simplify/clarify.
+    * Aeva: proposal articulates both SIFs and SIGs. SIGs are bounded by scope or deliverable, possibly by time. When done, it gets closed, or WGs can evolve the scope to meet a new deliverable. If it’s not code, it should be a SIG. If it lives on, it should be a WG. This is inverted from terminology used by CNCF.  
+    * Aeva: Embedded in GH discussion there are points made about the progress monitoring and procession. E.g. when does IP review happen? Should apply before or during incubation? It should happen (David and Brian agree), it is a part of the process, needs to be documented.
+    * Crob: how does this model accommodate projects within WGs? Aeva: in the new model, projects continue reporting to WGs, but there is a TAC review as projects evolve from one stage to another. This is to ensure consistency across entire foundation, to set a quality bar. Projects can report either to the TAC directly, or to a WG. 
+    * Arnaud: if they do code, they are a project. Terminology is important to agree to early to avoiding confusion in docs and history.
+    * CRob: what are non-code things then? Also small-p projects? Aeva: yes, or a SIG
+    * Brian: should we align better with CNCF? If we’re shaking things up…
+    * Aeva: will take a look at that. Thoughts? CRob: we should align. No strong opposition to the idea of aligning with CNCF.
+    * Steve Chin: this works fine for Pyrsia
+    * VM: Grateful for this work. Concerned about suggestions to align with just CNCF. What do other projects do? 
+    * Bob: CNCF and OpenSSF visions & missions are differ so no need to align. Is it the goal of the OpenSSF to have tens or hundreds of projects? Or do we want something more selective, more top-of-the-pyramid and narrow. And, what do projects get by joining openssf? Use of the same terms and processes as CNCF doesn’t have to imply the same strategy. Aeva: strong agreement.
+    * David: wide variance in size/activity of projects today, so focus should be on lifecycle criteria.
+    * Aeva: CNCF doesn’t have things comparable to scorecards or other things we’d call SIGs. They have lots of code projects, we have comparatively few. 
+    * Bob: It's important not to let the process drive the outcome. Let’s be iterative.
+    * Aeva: proposes putting a pin out in the future, after process docs are done, to then look at what is the best way to meet the objectives of the foundation, whether to be broad & lots of projects vs narrow/selective.
+* [Sudhindra Rao] - Pyrsia Incubation with OpenSSF
+    * Update from Steve: we are looking for a vote in this or next TAC meeting for how Pyrsia fits into OpenSSF. We’re currently still bootstrapping, just want to know where we can fit in.
+    * Bob: let’s defer a motion for now given time
+    * [Steve presents a deck “Pyrsia with OpenSSF”]
+        * Distributed build management and package binary distribution network
+        * Backbone: immutable transaction ledger, suitable for security audits
+        * Multi-node Verification of Source Builds - benefits from & encourages reproducible builds, but can work with non-repro builds
+        * Focus on easy to install and use in CI/CD or on dev machines
+        * Build on Trusted Compute, certify on blockchain, transfer is P2P
+        * Looking to showcase at events in May and hit an MVP in July
+        * Built on Rust, uses libp2p, and AlephBFT for consensus. 
+        * Engaging with Sigstore and Notary V2
+        * JFrog, Docker, DeployHub, LodgON, IBM. Active meetings, Slack, etc
+        * We believe we meet the criteria for incubation (or well on our way based on final wording)
+    * Bob: how many active contributors? Subhindra: ~15 people have merged contributions, ~5 organizations
+    * Sudhindra from chat: “Pyrsia is not a package manager - but a very efficient distribution mechanism that is resilient to network partitions, and also provides an independent build mechanism to ensure that the developer machine is not the one we rely on for quality.”
+
+Out of time:
+
+
+
+* [aarya] How can we encourage some OSS research inside OpenSSF and involve academics. Thoughts?
+
+

minutes/2022-05-03.md

@@ -0,0 +1,82 @@
+# **2022-05-03 Meeting**
+
+
+## Attendance (please add yourself)
+
+
+
+* Josh Bressers (Anchore, **TAC**)
+* Aeva Black (Microsoft, **TAC**)
+* Phil Estes (AWS)
+* Stephen Chin (JFrog)
+* VM Brasseur(Wipro)
+* Luke Hinds (Red Hat, **TAC**)
+* Eric Tice (Wipro)
+* CRob (Intel, **TAC**)
+* Jacques Chester (Shopify)
+* Abhishek Arya (Google, **TAC**)
+* Sudhindra Rao(JFrog)
+* Jory Burson (Linux Foundation)
+* Jenn Bonner (Linux Foundation)
+* Arnaud J Le Hors (IBM)
+* Jay White (Microsoft)
+* Laurent Simon (Google)
+* Jeffrey Borek (IBM)
+* Chris Bensen (Oracle)
+* Matt Rutkowski (IBM)
+* Eric Sedlar (Oracle)
+* Jamie Magee (Microsoft)
+* David A. Wheeler (Linux Foundation)
+
+## Agenda
+
+
+
+* [Jory] Updates on OpenSSF Day (speaker’s announced, virtual accessibility)
+    * AccelEvents Platform, Virtual registration available
+    * Speakers announced, schedule coming soon
+    * Less than 7 weeks away!
+    * Let Jory or events know if you have any questions/issues ([email protected])
+* [Aeva] Review WG & Project Charters (above), request any additional feedback on nomenclature patches, and [organizational terms](https://github.com/ossf/tac/blob/working_version_process/organizational-structure-overview.md)
+    * Suggested charted with the TSC process is not relevant to most WGs
+    * Teams are confused by wholesale copy of language. Unclear who membership of a given P/WG is. 
+    * VM & Jason K working on charter for Vuln Disclosures WG - 
+        * Groups should set out scope and charter, but other governance things (membership, etc) should be set out by the TAC
+    * Identify what needs to be normalized across the Working Groups
+        * Securing Software Repos made minimal changes, doesn’t reflect actual operations of the WGs but adopted current in order to move forward
+        * VM, Jacques, CRob, Arnaud to create Diff of the charter template with areas that need to be changed. Probably week of May 16 before team has bandwidth.
+        * VM: Charter thing just occurred to me: We should probably ask WGs to pause their individual charter efforts for now, or modify directions to be "mission/charter & leadership" instead.
+    * Arnaud: only knows of one WG that has a Steering Committee without elections – SLSA
+        * Arnaud also volunteers to help
+        * Clarification in chat: SLSA is a project under the Supply Chain Integrity WG, not a WG itself
+    * Aeva: bring back up the [https://github.com/ossf/tac/blob/working_version_process/organizational-structure-overview.md](https://github.com/ossf/tac/blob/working_version_process/organizational-structure-overview.md)
+        * Arnaud: it would be convenient to match more what other LF projects do, but [PR #95](https://github.com/ossf/tac/pull/95) is my preferred way to go. 
+        * Aeva - important to preserve some semantic value of software projects, has meaning to consumers.
+            * Confusing to have different terms under WGS
+    * Aeva: can we vote to adopt PR #95? We have a quorum of TAC members
+        * Will open an email to ask members to vote on the PR by Friday.
+        * TAC Vote will happen on the PR: [https://github.com/ossf/tac/pull/95](https://github.com/ossf/tac/pull/95)
+* [laurent]: security best practice for npm. Ideas where to advertise for RFC? (TAC mailing list, package manager WG, other?)
+    * Has draft document, want to put in RFC mode for feedback and comments. How to advertise period, on the TAC, npm mailing list, etc?
+        * Group shared additional forums & encouraged outreach to Justin Hutchings
+* (pulled forward) [aarya] How can we encourage some OSS research inside OpenSSF and involve academics. Thoughts?
+    * Abhishek: Can we get more formalized / document how we are able to assist with researchers and academics?
+        * E.g. - start here, or have a slack channel. “Help desk for researchers”
+    * Abhishek: Can we consider funding research if we put out research questions? E.g. set aside some OpenSSF budget for academic research partners? Maybe like $100K per WG?
+    * David: I’ll reach out to Frank Nagle (Harvard) and LF Research for more ideas [David has since done this]
+    * Aeva: Probably not necessary to have a dedicated WG for researchers. 
+* [Sudhindra Rao] Pyrsia discussion/decision continued
+    * Do we have enough of a framework in place to move this forward ?
+    * Welcome to folks interested in Prysia - Steve & Suhindra walk through open questions
+    * [Pyrsia TAC Questions/Answers 04/19/2022](https://docs.google.com/document/d/1JlP1pDZS1c_K-PF2bcxaTRjxFQoVwPefrGf2Np0h5Rs/edit?usp=sharing)
+* [Jeff Borek] Discuss TAC PoV on this OSSF news item: [https://www.zdnet.com/article/open-source-security-its-too-easy-to-upload-devastating-malicious-packages-warns-google/](https://www.zdnet.com/article/open-source-security-its-too-easy-to-upload-devastating-malicious-packages-warns-google/) based on [https://security.googleblog.com/2022/04/the-package-analysis-project-scalable.html](https://security.googleblog.com/2022/04/the-package-analysis-project-scalable.html) 
+    * [CRob] who from the OSSF officially is being quoted?  This doesn’t feel like it is a piece coordinated with the foundation to speak in our collective voice, but I may be mistaken, perhaps OSSF officials were consulted - dwheeler!!
+    * [VMB] Appears to be an article based around a recent [OpenSSF blog post](https://openssf.org/blog/2022/04/28/introducing-package-analysis-scanning-open-source-packages-for-malicious-behavior/) authored by Caleb & David
+    * [VMB] Which WG is this Package Analysis Project under? Was the TAC aware of it in advance?
+        * Abhishek: It is part of Securing Critical Projects WG and presented there for recent changes. It was created a long time ago, but remained dormant for a while.
+    * [Matt Rutkowski] This project is accredited to the Securing Criteria Projects WG, but was not in meeting notes, nor voted on
+    * [Jenn] Clarity and more discussion needed around the concern - blog post, or article that was written? 
+    * TAC expressed a desire to have a more defined process around product releases and communications deemed the “official word” of the OpenSSF.
+    * Abhishek: I agree that product releases in future should be notified to TAC. It hasn’t been done in the past, but I agree that we should do this going forward. 
+
+

minutes/2022-05-17.md

@@ -0,0 +1,5 @@
+# **2022-05-17 Meeting**
+
+_Meeting was canceled due to several TAC members being at KubeCon EU_
+
+