
Agenda

  1. Finalize agenda
  2. Presentation: Dana Wang from OpenSSF
  3. New business
  4. Misc
    • Workgroups
    • Open Source Summit conference
    • Blogs
    • Vice-chair election
    • Action Items

Announcements

None

Presentation

Dana Wang from OpenSSF

  • OSS security matters
    • dependency management
    • Software supply chain threats
    • Various recent headlines on OSS security vulnerabilities
  • OpenSSF is the LF's second try at a security foundation
  • Mission: Make OSS more secure
  • Values and strategies
    1. Education and training
    2. Facilitate collaboration
    3. Sustainable tech innovation
    4. Advocacy and policy
    5. Community engagement
  • Operations
    • Structure
    • Working groups
    • Tech initiatives
  • Scorecard: github.com/ossf/scorecard
    • Analysis at the project level, not the code level
    • Uses repository metadata
    • API based
    • Looks at various items
      • Workflows
      • Vulnerabilities
      • Binary artifacts
      • Code reviews
      • Dependency update tools
      • Maintained
      • Signed releases
      • Token permissions
      • Pinned dependencies
      • Fuzzing
      • Packaging
      • SAST
      • Security policy
      • CI tests
      • CII best practices
      • Contributors
      • Licenses
      • Branch protection
      • SBOM probe (will be adding)
      • Expand SBOM probe to CBOM
  • How to customize / modify
  • GSA is currently working on the following SBOM efforts:
    • Develop three user guides
    • Validate SBOM workflow (ITC Lab Project)
    • Incorporate contract language into its Multiple Award Schedule contracts
  • GUAC project
  • Protobom - ingest SBOM data and write protobom
  • MVSP – minimum viable secure product
  • Take a risk-based approach, minimal, practical
  • Establishing a process for projects to meet a Security Baseline
  • All OpenSSF projects follow the Security Baseline
    • tooling limited
    • Scorecard to use
  • Various upcoming events; podcast ("What's in the SOSS?")
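To make the Scorecard checks listed above concrete, here is a toy reimplementation of two of them (Pinned dependencies and Token permissions) as a line scan over a GitHub Actions workflow. This is an added example, not code from the Scorecard project: real Scorecard parses the workflow and repository metadata through the GitHub API and also accepts job-level permission blocks, which this scan ignores. Both workflows are constructed inline, and the commit SHAs in the hardened one are placeholders, not real commits of those actions.

```python
"""Toy Scorecard-style checks over a GitHub Actions workflow (added example,
not OpenSSF Scorecard code). Standard library only."""
import re

# Constructed weak sample: mutable tags on every action and no permissions
# block, so the default GITHUB_TOKEN scope applies to every job.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - run: go test ./...
"""

# Constructed hardened sample: least-privilege token and every action pinned
# to a full commit SHA. The SHAs are placeholders, not real commits.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-go@89abcdef0123456789abcdef0123456789abcdef # v5
      - run: go test ./...
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow: str) -> list[str]:
    """Return every 'uses:' reference not pinned to a 40-hex commit SHA.

    Local actions ('./path') and docker:// references are skipped because
    they are not resolved through a mutable git tag.
    """
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow: str) -> bool:
    """True if the workflow declares an unindented 'permissions:' block.

    Simplification: Scorecard also credits job-level permission blocks.
    """
    return any(line.startswith("permissions:") for line in workflow.splitlines())


def score(workflow: str) -> dict:
    """Summarise both checks for one workflow."""
    return {
        "unpinned": unpinned_actions(workflow),
        "explicit_permissions": has_top_level_permissions(workflow),
    }


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, score(wf))
```

Running it flags both actions in the weak workflow and its missing permissions block, and reports the hardened workflow clean. Pinning to a SHA matters because a tag such as `v4` can be moved to different code after review; an explicit `permissions:` block keeps a compromised step from using a broadly scoped default token.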

Decision

None recorded.

Discussion

  1. New business
    • ARM / GitHub funding
      • $5K / month
      • Ry has it on the board
      • CircleCI free plan (need to move off it)
  2. Misc
    • TSC update
      • ML-KEM
      • Nigel elected TSC chair
    • Workgroups update
      • Lifecycle doc review: https://docs.google.com/document/d/1NV-0vNgXWdc81oqT0jv0C-9Funb8dySS06u90ghF-X4/edit?usp=sharing
        • Please read and share what you think
    • Conferences
    • Vice-chair election
      • Deadline to submit

Action items

## Done (from previous minutes)

  • Create GH issue for content reviewers [Naomi]

## Old

  • Docs / Education / Website — look at PQ Code package as example [Nigel]
  • Lifecycle document review [All]
  • Summary for security workgroup [Nigel]
  • SBOM / CBOM interest query [Nigel]

## New

  • Lifecycle document completion [Hart]

Recordings

Upcoming TAC meetings

Please check the calendar

Attended by

TAC members

Norman, Sam, Sophie, and Brian attended

  • Norman Ashley, Cisco
  • Michael (Max)imilien, IBM
  • Yarkin Doroz, NVIDIA
  • Sophie Schmieg, Google
  • Brian Jarvis, Amazon Web Services Inc.
  • Thomas Bailleux, SandboxAQ

Additional attendees

  • Ry Jones (LF)
  • Hart Montgomery (LF)
  • Naomi Washington (LF)
  • Dana Wang (LF)
  • Alex Bozarth (IBM)
  • Nigel Jones (IBM)
  • Bryan Uhri ()
  • Jason XXX (GSA)
  • Jim Miller (Trail of Bits)
  • JP Lomas (QRL Foundation)