Yeah, that's okay. I've started the recording. Hey everybody. Welcome to the kickoff meeting for the, and I got to make sure I read the name correctly because it's the package vulnerability management and reporting collaboration space. So we opted for accuracy in our title at the cost of length. Yeah, so we have an agenda here I'll link it in the chat, but it is issue number two on the repo. Which we will go off of. There's the link. I will be taking some rough notes in the that I'll post back into the issue we don't have a doc generated, since this is not part of the bot setup that folks normally use but we'll make sure some notes get posted after. And I think I'm going to take a page out of Darcy's playbook from the npm meetings. Do you want to make. Oh, you made one Darcy. Okay, cool. Yeah, so feel free to add yourself as attendees in there and I've copied and pasted the agenda you created. Cool. And the page I was going to pull from your playbook on the npm meetings is reminding everybody that we have a. This is part of the OpenJS Foundation. So we have some community guidelines that everybody should follow in any communications in the group and to make sure to be respectful folks so that's what it is for joining us. And we're just one other thing to worth mentioning is, if you actually turn off your camera and block it. That's better than not having it on at all because it will then show you as speaking versus. If you don't have your camera on you sort of are a mysterious voice so that's just one other thing to keep in mind. So to get started the first thing we just want to do is make sure everybody knows who everybody is and I think maybe everybody already does but it's worth doing for the recording so so I'll start. My name is Wes Todd, I work at Netflix on our Node.js platform team also have participated in the Node.js project, at a bunch of different levels, mostly through our sort of working groups.
I'm interested, particularly in what we're working on here and that's something I'd like everybody else to say is like why they're why they want to participate in this group. So my personal interest is, I think there's a big gap between the experience of open source maintainers communities consuming open source projects and the security ecosystem and how the reporting does and I think there's just a really big gap between us to get people together and sort of come up with better solutions for for the future. So, that's me. I'll hand it off to Darcy as the other code. Thanks. So yeah, my name is Darcy Clark, I work at GitHub as the engineering manager for the npm client team and support all of our open source tooling from npm. And the reason I got involved with this sort of space this group was hopefully to, you know, help improve the tooling and the ecosystem around vulnerability reports and sort of, I had heard from many folks on this call and as well as the community that, you know, that we could do better and hoping that we can start some really, you know, helpful conversation in the space so that we can help to give consumers, as well as maintainers, you know, more mechanisms to reduce noise and ensure that that we're being safe, like moving forward and get very excited about what we can do here. And excited about who we can essentially collaborate with in terms of organizations and individuals so that's my interest. And I guess, should I just start choosing folks I guess everybody can choose the next person in line. I'd love to go with Jordan. I'm Jordan. I, let's see, I maintain a bunch of packages. I'm on TC39, I do a lot of participation in JS, OpenJS Foundation Spaces and Node and I maintain NVM and I have a lot of thoughts and use cases about packages and want to help the ecosystem. And who really choosing to go next, Jordan. Oh, yes, thank you. Let's go with Dominicus. I'm Dom. I build things for clients at NFM.
The client that I'm working with right now I frequently end up being the person who gets to respond to various fails and alerts when various scanning tools tell me there's security problems. So yeah, I have a direct interest in reducing that workload for myself. But also, as I do get to respond to these, I get exposed to what's actually happening in the actual packages that do have these vulnerabilities and I think that there's scope to improve things for both maintainers and people who get to basically maybe be a bit less involved in the actual ecosystem and just have to deal with all of these alerts. Michael, do you want to go? Hi, I'm Michael Dawson. I work for Red Hat. And I'm interested in this one. The original issue was open. It was like, yeah, I really feel that pain because we've had some, you know, projects that have had to do, say a release of their product, their module because of vulnerabilities that were reported that didn't actually apply, but they really had no other choice. And in one case, they actually had to make like a semver major change, which would like cut off users. So it was very awkward. Also at Red Hat, I'm in the team that gets the reports from our customers saying, hey, we scanned our containers and here's all the reports. And so we actually spend quite a lot of time mapping back and explaining the, well, yes, okay, that's in this sub dependency. And then it's fixed, not fixed. And a lot of times they just don't apply. So that's work that really doesn't add any value. And so very interested in making it so that not just for our own use, but everybody I'm sure is running into that where it'd be nice to focus your work on the things that matter versus the noises as somebody else mentioned. And I will, how about Robin, why don't you go next? Sure, I'm Robin Ginn, Executive Director of the OpenJS Foundation. And I'm here to make sure or help you all be successful.
We look at a collaboration space, much like we would a project, whether it's node or NBM or anyone else. So think of us as your business marketing events, legal infrastructure, whatever you need. We're sort of that we're your team to make it happen. And just I would just add, I think this is a really important space and something that we get asked about quite often just generally. So anything I can do to sort of help scale your efforts bring in more participants. I'm happy to be part of that team. Oh, I'm going to pick someone. Okay, because I'm going to try to, you're going to have to help me pronounce names. Z man. Okay, yeah, yeah, every English speaker just calls me ZB so the first two letters are fine. How would you actually say it? I kind of skipped you because I didn't want to take that chance. So I'm Zbigniew Temerowicz, and my name also has different forms. So friends call me Zbisztek and everyone at work calls me ZB because that's easier. I represent prior art so I made npm audit resolver, which is a wrapper to npm audit that helps you set up a separate file where you can make decisions about specific vulnerabilities if you want to ignore them and for how long and why. So that's about it and I'm invested in this because I want to develop it further. I want to hold the whole thing started by me asking around, hey, how about we merge this into npm itself, and that escalated to this. Yeah, thanks. Thanks for opening that for sure. The reason this exists. And I think the last person on the call is Tim. Is that Tim Brennan? Yep. You know, we don't hear you. I think you might be muted. How about now can you hear me. Yep. Cool. So I'm basically a fly on the wall here. Wes had posted a link to this chat and since I've worked on Netflix's streaming technology and now I'm working on the website foundation. So I figured packages are probably pretty important security is pretty important.
I know Wes handles quite a bit internally but I don't know if he gets as in the weeds as I do with some of these internals at Netflix so fly on the wall. If I have anything that I will but otherwise I'll probably be pretty quiet. Yes, everybody right. So, thanks. Welcome. You know as as the kickoff meeting. You know I think we've got a pretty good group. I am really hoping that we can engage some more folks on the security side so Laurent had to was unable to make it and then I think. I was am I saying his name correctly as well was also unable to make it from a last minute conflict but there are also hopefully folks we can we can get involved in the long run, because I think they represent some pretty important constituencies, the, you know, Snyk, and then the Node project's security. What's the name of that that group the is it the security working group that Marcin is is the lead of so. Hopefully in the future we can get get them on board. Okay. Let's see next on the agenda so basically I want to maybe and actually maybe Robin I could tap you or maybe Michael for this. Could you maybe give a quick synopsis of what a collaboration space is and why we're coming in this format as opposed to you know the few others we could have chosen. Like, I can do that collaboration spaces are meant to be. You know provide a place for groups to get together and collaborate on things that are important to the JavaScript ecosystem, but which aren't projects so you know from the beginning of the various foundations actually and as we brought the foundation together into the OpenJS Foundation. We always had like a good process for, you know, onboarding projects and you know figuring out which projects fit and so forth but the collaboration space was a more recent extension to say, but not everything that that that we want to support in the foundation is a project so as Robin mentioned the beginning this is a way we can support groups coming together.
And we have other forms like teams and working groups that have been used in the projects and in the OpenJS Foundation but often those are more of a subset of the people who are already working in the project, or already working say and then the cross project so it's kind of like people who already know what's going on they know how who all the people are and what resources they have and. And so the collaboration spaces is more for, we want to bring people who may not necessarily be regular contributors to a project to the Cross Project Council, and give them a space where they can get together and talk about something like this which is important to the ecosystem. But doesn't necessarily, you know it's not going to result in pull request to a particular project or governance at the CPC. But hopefully we have some outputs, you know could be documentation, it could be like agreed sort of specifications, but some sort of work products that are then useful to the greater, the greater ecosystem. You know in in a business it's easy to get you know mailing lists and Zoom accounts and Slack accounts and, but is a sort of open source group of people getting together that's a bit harder and and like Robin said that's what the foundation is here to support by providing things help us amplify the message through marketing and and if we have legal questions provide support like that so hopefully didn't take too much time but like a collaboration space is meant to provide a vehicle for people like ourselves to come together and work together on on an issue that's important to the foundation and the ecosystem. I think many people are familiar with SIGs the special interest groups that maybe some of the other Linux Foundation groups. I think it's, it's a little similar in that regard.
So, but yeah, it's, it's, it's, I think that's the best analog, but when I look I did look at like the CNCF SIGs and I thought we're not, I don't quite want to just say it was the same thing because I think it's in my mind anyway it's, it's, it's hopefully like SIGs are again are almost like Hayes and here's a group of people a subset of the people whereas for open collaboration spaces I'm really hoping we can bring in people who haven't even been involved at all in the past so we'll see how that goes. Yeah. Excellent so yeah so that's sort of why we're structuring in this way so let's talk a little bit more about like what this specific specific group is hoping to see as as outcomes so you know if you if you look in the README we've got sort of this write-up that we did in sort of a, it wasn't really a closed call but it was I think only a few folks. And basically what we call out is that there's, there's a lot of work being done in the ecosystem around reporting the tooling, the remediation of security incidents. And so this spans tons of different, you know, service providers like you know we talked about Snyk thinking about you know GitHub and npm in this regard as a service provider through like npm audit. And then there's you know folks like ZB who manage projects in the space. We found, especially, and I think maybe this is bigger place for Darcy to, to give some added color here. It's like, it's not always clear what the right place is for folks to take those issues. Maybe Darcy if you want to talk a little bit about some of our experience there. Yeah, so this has been something I've been trying to navigate over the last couple years, where the right place is to have the conversation whether or not people bring ideas on what we should do in npm specifically and how to improve our own tooling versus jumping into what I thought was potentially the right forum with like a package maintenance working group in the Node project.
And then it seemed like this was even more broader than just the Node project specifically, which is why this conversation has eventually led to, I think the scope being widened to the OpenJS Foundation which I think because you know the scope there is the entire JavaScript ecosystem I think it's the right, this is the right place to be having this discussion. And then if what springs up are out of these conversations is tooling that eventually npm implements, at least we've hopefully gotten broader consensus with researchers and people that are providing the existing tools, or providing the existing registries of record for that information, whether that is the npm advisory DB, GitHub advisory DB, Snyk advisory DB or any of the other you know advisory DBs, you know, getting them involved and hopefully getting some exciting, you know, exploration in this space, I think makes sense and I think it's the right place to be having the conversation so that's why I pushed as well. I think that's what you're looking to the West to have this conversation here. And, you know, there's some great ideas like these ideas specifically around, you know, implementing some sort of mechanism for for being able to filter out and giving a tool for maintainers makes a lot of sense. But if we did it only within the scope of let's say npm, the impact would be limited to the folks using our one tool, that one tool so if we can, you know, collaborate with people, you know, and other tooling offer authors or other security and come up with something that we all agree is kind of like a good way forward I think that that's the best outcome and that's sort of what we're, that would be success I think for for this group.
And we've sort of written that out in high level README that we have this is, you know, I think success criteria for this this group is just getting more alignment and trying to ensure that we are more safe a year from now than we are today, and that people are no longer, you know, the problems that we're seeing in terms of noise and or, or what we might because spam or, you know, etc. is being reduced and people really still consider the ecosystem be a lot safer than it was like today. I just wanted to add the one thing I've come to realize as we've been thinking and writing this down and documenting it that it's actually even broader than I originally thought like you know I was thinking you know we think of npm audit we think of Snyk but actually a lot of reports I see coming in through through container scanners which may not even use npm or Snyk and so that we need to, we need to try and pull some of the people from those and you know those projects into this effort as well because we'll want all of the scanners to sort of hopefully consume the same data and you know address the the issue in the same way so it's actually, you know just supporting what Darcy said, it's, it's quite a big scope of people that we want to pull into the discussion it's not Node specific it may not even be JavaScript specific specific and some of those tools and, and so we'll see I mean I think we should focus on the JavaScript side so let's not make it too big but I'm just raising that it is a bigger scope than any one project for sure. Yeah, and I'll just be mindful there because I know that there is the Open Source Security Foundation so that's actually Martin or Martian hope, I think is a part of that group, and that group does I think tackle the wider. Okay. That higher level, so I do think even our original proposal that we were trying to at least scope what we're speaking to within the JavaScript in the community.
So, yeah, there definitely is and I think we did mention that as well in that proposal that you know things that we find work for our ecosystem could essentially be leveraged hopefully by other folks that you know, there might be create standards that we have for for the node and JavaScript ecosystem that makes sense for us that also then make sense for other communities but I want to make sure that we that's if we're going to put in some sort of like boundary or some sort of like, let's, let's, you know, try to stay with always within our ecosystem so that we're not trying to tackle too big of a problem and can don't expand a constituents past what I think is probably reasonable. I agreed, agreed, let's not take on more, it would be much better to solve our part of the problem than fail at the whole thing. I think that I think what what the real probably heart of this issue is, is that we just need to make sure that we align with the greater ecosystem, you know, of software security, you know handling. So if we don't want to come up with something that is totally counter to whatever other ecosystem is doing, and then have to like ask all these security researchers to adapt to, to our method like we just want to make sure that we play nicely. Like the goal is that the whole goal of this is all play nicely together right. And so that should definitely be top of mind as we as we solution. Moving forward, I don't want to I kind of want to keep us rolling here so let's let's move on unless anybody has anything final comments on that.
I just wanted to add that the, for various reasons the incentives of the entire security industry have caused this issue, and we certainly can't prescribe anything for out anything, you know, we can't even suggest anything outside the npm ecosystem really If we can come up with a way to solve the problem, then we might actually demonstrate the, the importance of solving it to the wider security industry, and they may then shift their incentives, so that they're not, you know, finding one use case out of 10,000 saying therefore all 10,000 get a CVE filed on. I'll just one last very short thing is, everybody I've talked to sort of outside agrees that we kind of have the worst case in the JavaScript ecosystem with the deep trees. And so actually we're probably a good group to figure out what makes sense because we're most affected by it. Yeah, excellent points, completely agree. Okay, so let's move on. So we've got a couple of fairly pressing like time sensitive things that we want to work on in this, this meeting so that's basically the last two. Well really the next the next item. We've got the OpenJS World coming up, we need to prepare. So I posted a link to, or I didn't post like rather I posted the contents of the email talking about the recorded session that we need to produce for that. We need to do that pretty quickly. And then also we want to sign up for the Q&A session there. I imagine, you know everybody. It should probably just be a panel like an open panel that we do so that we're all there and we can, you know, field the folks' questions as a group. Does that does everybody kind of agree on that. I see nods. Okay, cool. Do we have any, is there any concerns about that Robin, like can we have as many people show up as we want. Okay, that's fantastic. Yep. Yeah, good question. I sort of just opted in for that but that wasn't really I should have asked. Good. Thank you. So there's a schedule for that.
What will maybe take away for that part since it's real quick we can just wrap it up is I can post the options that we have available and then we can just do another similar quick vote on what will work for folks. And I think since it's pretty loose, you know, if, if we can't get everybody, you know, and people can probably come and go as long as there's, you know, four or five of us there to answer people's questions. And correct me if I'm wrong, it's asynchronous right so it's like over slack it's not we don't need to be live on video. Correct. Yeah, it's like, and you all want to, if you have friends in different time zones that are interested then perhaps, you know, you can pass it off to folks who live in different time zones you don't all need to be covering all the time. So maybe we could maybe we could schedule one time that's particularly good for, you know, North America and one time that's particularly good for for Europe. Do we have. I don't, I don't see anybody on the call who I know is in Asia. Do we have or Australia. So maybe we try to shoot for three times. Maybe be good. So I think that takeaway is to open an issue to schedule that now helping everybody from the call on that. Cool. Okay, so then the main topic is just let's, what do we want to do for the, for the session. What topics do we want to cover. Do we have particular particular goals, I think, did I post in here I think it's a 30 minute. I think the goal for a 10 minute lightning talk, these are the options that you posted. It'd probably be good to set the goals, because that'll kind of figure out what do we want to accomplish through this is it recruiting new members. Is it, you know, awareness, what's kind of the, the main purpose. I think since this is really the kickoff. I think it's really awareness and recruiting folks. 
We, we could, you know, get into the presentation of some of the prior art stuff I don't know, you know, if he's interested in that but, but I'm worried that if we go too deep to so because the scope of this is to bring it together as a discussion. So if we jump into solutioning we might, you know, put off folks or maybe just set the tone that is maybe not what we really want which is we want folks of all different ideas and backgrounds around this topic to come together. And so that would be that would sort of push on the setting the content, you know, explaining the problem and making the awareness that we're working on it to and then to getting people as opposed to getting to solutions because I think you're right as soon as we sort of get into a solution for one, 30 minutes isn't a huge amount so we wouldn't be able to get into detail. And we're not really at the point where we've spent much time, you know discussing that we have some of the prior art but it would be good to have us. We don't have proposals even to present and like hey we thought about this and we want more feedback on them yet. So with that in mind I, I think we would probably want to do a sort of similar format to what we just did with the intros which would be like, talk about the collaboration space just a little bit, talk about our proposal for, you know the for what we're doing as a collaboration space. One thing I was thinking would be probably pretty valuable is to spend a fair chunk of time on the problem statement. So I think, you know, doing things like putting you know I think and it didn't land in the, the README, but originally in our discussion we had like a bunch of example links of folks having issues in this, right like I remember there was one that was like a handlebars. I saw you on New Jersey do you want to go ahead. Yeah, I was just gonna say we, when Michael and myself actually spun up the repo. I think we intentionally redacted that section from the proposal.
We want to be mindful that we weren't trying to shame anybody and, and, and utilize any specific example like more broadly you know we're, I think everybody's aware of some some issues and that's like, that was one sort of mindful thing I think we did there when we were saying that so I just want to essentially jump in just to make sure that we're that there's a reason why that got redacted. So, I can definitely share with folks, they're missing I think most people on this call actually had access to the original email that we sent out for the proposal so you the examples are there. But, but I think, yeah, I think in terms of like the agenda that we're creating here and I apologize I'm trying to take notes to lock us into a schedule for that, that time. I think it would be good to go over, you know, what action items look like in terms of maybe pulling together the state of the current ecosystem right so it might be finding that new examples of tools. We don't necessarily define examples of like issues maybe I don't know like, I'm just very aware I don't want to like call folks out for. There's one antagonist we can use without shaming anyone in particular and this is regular expression denial of service, which everyone loves. So, I think if we wanted to have our, our presentation be a bit less dry and theoretical we can like show a case where you have a CI job that runs npm audit and then talk about a ReDoS vulnerability showing up every day and something somewhere in your dependencies and that's that's relatable and that's not shaming anyone in particular. And those are ones that are like false positives is that yeah okay I mean that that's that's that kind of like that's what I was thinking can we take the ones we have and like. That's a good example.
The other one we could look at it's like you know I the example I was talking about in abstract is like having to do a release of your of your library because of security vulnerabilities and there's no other way to. You know, basically say no it doesn't apply to me like you've looked at it you've done all the due diligence but there's just no other way to signal that information right. So maybe go through like the problems that that the maintainers are struggling with it and the consumers to right like the consumers are like this tool tells me there's there's there's something I got to fix. I actually don't understand like I can see the consumers a lot of time the person who's responsible doesn't understand the modules they can't look at the JavaScript. They either want it fixed and somebody telling them it doesn't really apply doesn't solve their problem because they've got to somehow explain that then to their to their reports like well why doesn't it and so forth right. Thinking about this a really compelling story that we could, we could tell would include some like testimonials from folks in the ecosystem. It's a bit of a short notice but I would definitely volunteer to reach out to a few folks who I know have expressed, you know, either opinions or just experience and those kind of issues, I imagine, at least a few folks would be willing to hop on a quick video chat and record and just have them, you know, talk about their experience we could probably just even we could probably even fill like almost five minutes with just like a couple of different folks on different levels of this explaining their you know, sort of doing a testimonial style. How well does it work if we if like you have that recorded and you play the video over a Zoom call does that. Well, so, but the whole thing is recorded. Right, so I guess we could stitch it in you're right yeah okay. Yeah, I know because I think that would be very effective like that's.
Yeah, and after your session we often you know we call these these breakout sessions the gifts that keep on giving will turn it into a blog, and we can even you know use pieces of it, use it for social all kinds of things but that would be really valuable, especially in a sort shorter chunk like that. You know, people are, they're going to hear us talking about it and you know what we can lay out the details but the more voices we have you know I think really illustrates the impact in the community that that this problem creates you know I think you know the structure I would, I would see would be having, you know, a couple of package maintainers. You know I'll, I'll, I don't want to volunteer anybody on the calls being recorded but I'll reach out I have a few people in mind who I know have been like, Hey, there's this issue it's, you know it doesn't apply and has had to like raise a bit of a those things fixed. And you know just hearing from those folks if they're willing to you know to speak about it I think would just be a lot better than us, you know even on this call it you know I hear Michael what you described is great but imagine if they heard you know that from right yeah so like that module popular module X right. Yeah, if you're going to reach out I can send you the name of the person who was the story who had to do the release and we can see if they're be willing to yeah because it'd be much better if they're willing to talk about it publicly right. This can be a team effort to I don't think like, you know we don't, it doesn't mean to all be coming through like Darcy or I as the champions of this like if, if everybody on the call has any ideas and wants to reach out to somebody. We can put together a sort of collaborative effort here. I also know a few folks at Netflix who have been on the very far end, like Michael you described the people who are like, I don't actually know what the right thing is. 
I think a couple of those folks who are just like, you know application engineers. And it can just say like look I, I got an I remember one story that I, you know had somebody report to me was like, here's a screenshot of my npm audit and it's 48,000 vulnerabilities. And it's like what are they gonna do that like that kind of story is I think what we want getting it from the people right yeah, living it will be a lot more, you know, a lot better I think. And I think maybe the story of how how I needed to build npm audit resolver might fit this part as well so this would be like the consumer perspective. Because I had to build it because we had like 20 something repositories with a separate audit CI job for each and it was, it was becoming hard. So, I think that fits. Yeah, that story more than into like next steps or actions because again we don't want to come up with proposed solutions at this point. So let's talk about it not as a solution but as a, as an example of what happened. I think that's a great point yeah so maybe, maybe, do you see, do you see it. Like if we did this sort of testimonial section would you be, would you want to do a recording of yourself talking about it for like, a couple of minutes or would you rather just like have. That's what I'm saying. So, I don't know which format would work better because you know if I'm in the group here so it's, it doesn't have to be a testimonial but if it fits consistency better. It could look like a testimonial as well so we can do, we can do either. I'm really liking that format thinking that like you know we can kind of have like at the beginning, a shortish introduction to like, here's what we're doing. Here's why we think we think it's important, but then even if like there is 20 minutes of, and here, but let's listen to the people who are who are having, you know feeling the pain.
If you could get 20 minutes that would be like fantastic and then at the end it could be a bit of a closeout which is the mostly a call to end. So hey, if, if you're interested in this and you can identify with any of these people. Hey come and join us and let's see what we how how we can fix this right. Yeah I think that's a good format. 20 minutes. Right, that's the challenge right. I don't know if we can get that many people in the next week who can give us enough content to snip together in 20 minutes, then absolutely. I have to say fit the other option was 10 minutes and that I can't imagine us fitting into that short of a time right. Yeah, or break it up. You know it's almost like when you watch a presentation you speak for five or 10 minutes and you have two minutes with a customer and then right, right it's, it's like that so smaller, you know smaller chunks. You know, you could have some commentary, you know it could be like you know, you know, Wes and Darcy could be like hey we're introducing here's a few other people then you could, we could play a few and then it could be like you could have some commentary on. Well that's one kind of user but here's another kind of user right and then. So, I guess I was mostly going with like as much of that as we can get so we can see what we can get and then fill in the rest of the time around it with. Okay, that makes perfect sense to me. I think it depends on how many folks are willing to do a quick. Also, this is a VOD, not an actual conference with a schedule we need to fill so I wouldn't focus too much on this being exactly 30 minutes. And in my experience with VOD conferences, they tend not to care if you go like 10 minutes either way, it's still fine. That's right. We'll see if Robin agrees with that. She'll tell us if we're wrong on that. No, I mean security's in such high demand for content. Absolutely. Totally fine. Okay, that's great. 
So so then the takeaway from that is, let's reach out to folks who we know. So we do. I think it will come better if we reach out to the folks that we know and we've dealt with on the issue that if like, for example, we just cold email, some of those folks from me or Darcy. Maybe put together a doc where we can all put in who we think we could contact. Like is that an issue? No, I'm just thinking about, you know, people who don't want to, I don't want to put people on the spot. Sure. Okay. Yeah, you don't want to identify them until they've said yes. Right. Right. So maybe my thinking is could if we reach out to folks who we know who might be interested in doing this and if they say yes, we can come back in. This is probably the starter place and then we can put together a list and do some, right, we did, we did create a channel, right? Or did we decide we were doing it all in the GitHub? We decided we were doing it in the GitHub, didn't we? The only thing I would advise, if it, you know, Wes and Darcy are fine for a session, if you fill it out with a lot of people and they're all men, it will not be accepted. Well, that's why I was asking earlier, right? Like, do we have... Yeah, kind of a rule. If it's, you know, then that kind of turns into a panel and we don't have all-male panels. That is an excellent point. So I will reach out specifically to non-male identifying folks that I know in the ecosystem as well. Make sure that, you know, you reach out to folks, you know, keep that in mind. And does that include, like, I could, you know, if we kept the people who were actually delivering the talk to say Darcy and Wes, but then they were playing videos of people. Is that any different? That's what I'm just trying to understand too, like, do we have to count all the people relating their experience or... No, I just... Darcy and Wes are fine, but again, even if it's not a panel and all of your voices are men, it would not land well. Agreed. 
So I think from that perspective though, it does say, like, I don't think we should have intros for all of the team then, right? Like, it should be a Darcy and Wes as a, hey, here's this thing that's launching we're talking to versus the... Because that will at least not make it as extreme in that sense, right? And then what we would like to do as soon as possible is get Darcy and Wes up on our schedule, because people are registering now. We've published our schedule, and then we'll start promoting some sessions as well. We're promoting keynotes now, but other special ones will do that. I think, at least for myself, I believe I filled out all my information, but definitely... Okay, you may be on it already, because Shannon... Okay. If you sent it to Shannon and she was on the mail, I'll check when we're talking. Okay. If you can just follow up with myself and Wes to make sure that we're all set up to make sure we're good to go there, then... Pretty sure I'm not. So I'll take that right after this call. And that kind of supports like ZB being a, you know, one of the stories versus part of the talk, right? If you know what I mean? Yeah. Okay. So we've got 15 minutes or 12 minutes left. So I think, like, now that we have that sort of plan for what the session... Actually, before I move on, does anybody have anything they want to say on that? Do folks like the direction of that idea? And does everybody sort of thumbs up? I do. One more suggestion. Does it make any sense for Robin to participate and sort of pitch at the very beginning, pitch the collaboration spaces? This is our first collaboration space, no? No, I think it's fine. Have the community drive it. Wes, you are on the sketch with Darcy with your picture. She's probably stolen from the interwebs perhaps. Just take a look if there's any edits and then Shannon and I can fix you up. The other issue was timing. So Rachel on Romoff, our marketing comms lead had drafted a blog. Darcy, I know you've seen it. 
Wes, I don't know if everyone else on the team. It's basically, it pulled some of the information from when you all submitted your proposal. We could probably add a little color. We could get that out earlier like we could. So if you want to announce a collab space, you could do it at the event or you could do it a week before. With a blog and just, and try to drive more eyeballs to your session as well. So you might want to think about that. And talk with Rachel and just feel like how you, how comfortable are you with time? I'm comfortable with that. We do have, you know, we'll have to schedule pretty aggressively these, these interviews to make sure that we have time to, to stitch it all together. Does anybody else have any opinions? Would, would we be able to like folks on the call could maybe do some proof reading and stuff. And if we had that, if it was a group effort, I think, you know, we could probably have something together. I think we could just go with a blog, right? And then save the video, but use it as a driver for your session to get it out early. Yeah, like I think the blog post is a, hey, and you can come learn more at the session. And then you could actually maybe turn that into, if you want video content afterwards. Yeah. So I can circle back and, and what I can. So I was working with Rachel and Jory at the time to review that, that blog post originally. So, um, yeah, we can potentially get that out here soon. And then, um, sorry, I didn't catch the interviews part, Michael, that you were at. I'm trying to essentially create like a mock agenda here for ourselves. 
The idea to essentially have folks like ZB or somebody else also, like we do like little interviews or, I don't think it was necessarily an interview, but I think, you know, Wes had said, had brought up the idea of rather than us relating the story, we try and reach out to the people who's like, they're the one who experienced, hey, I had to do a release or somebody just to spend like one or two minutes, we record, get asked them to record one or two minutes to them explaining, you know, going over their experience and we put those together. Okay. And then, you know, maybe, you know, if that's a good, if we can get enough of that, and that's a good portion of the content, then like maybe you and Wes do some commentary between them like, okay, we've now heard from developers. Now let's hear from say the security practitioner whose job it is to figure out what to do. Right. And. Yeah, I think the word I had used was testimonials testimony. Yeah. That said, I think it might end up being structured a little bit as, you know, when we do them with these folks as interviews, only because asking people to just go talk, it's pretty tough. So I think it'd be a lot better like, like just setting up a quick, you know, 15 minute video chat and just record it and say, hey, I'll cut it, you know, up into segments. I'll be, and then maybe we'll, you know, let them know, we'll send them the segment as soon as we have it to make sure that they are happy and we didn't, you know, misrepresent their thing. I have a couple of folks internally who have done this style of presentation. I can reach out to them and ask them for some advice on if they have any learnings. We've been doing this series of interviewing different teams across Netflix and they've been presenting it in almost this exact format. So I totally did not come up with this idea of my own. I very clearly stole it from these folks. 
So I'll, I'll reach out to them and see if there's a good way that they found to sort of structure those that get the most value at the lowest, you know, time investment. And then I can, you know, post some feedback. That said, we do need to do pretty aggressive scheduling here. So if we can all spend, you know, reach out to these folks over the next day or two, and then we can, you know, get things scheduled. I'm happy to, and I, you know, I don't know how other folks feel, but I'm happy to just run, even if it's all of them, you know, maybe, maybe if you are the point person who contacts them and says, Hey, would you be interested in sharing your story? Like maybe, you know, we can do it together. But, you know, in interest of saving folks, you know, the time. I think even back to the other point is it probably be better to limit the interviewee interviewers, right? Because otherwise we've got a lot more people involved versus. So yeah, if you're willing to do it, I think that would be better personally. And I can, and I can set up the recourse screen recording and stuff pretty easily. So. And then from once we have that, we will need to do some edits. So I don't know Darcy and I'll probably have to get together and do some, some co-recording as well. You know, we can do that. Starting anytime right after this meeting. Well, I think I have a back to back with this, but, you know, the next couple of days we can, we can set up some time and see if we can get a good cut at, you know, the intro section and. And that. And. I think what else, what else do we need to be able to deliver this to? I think I like your agenda here. Darcy, is there anything else to add to. No, just to confirm, we only have 30 minutes, right? So we're, we're. 30 minutes yet. I'm hoping not to be like documentary here yet. We're going to need some Netflix streaming support. If we go long. I have to figure out a way that people can binge watch this. These sessions. 
So, no, I think we're good with. There's a number of action items that's taken down here for, for ourselves, I think. And it sounds like we can reach out to. Some folks offline. Take the next steps. And then hopefully. Like I said here, I'm taking the aid to submit. And then we can put that into some sort of docs folder inside the collab space repo. So folks can give feedback async on that. Just in case they think that we should add different topics. And then, yeah. I think if we queue up the blog post and you're willing to help. Source some of those case studies or testimonials that will help add content to this. And then. Yeah, I think we're looking pretty good. And back to Netflix style. You can think about this as episode one. Love to have, you know, any other time throughout the year, we've been, we brought back a JavaScript trends panel. From Montreal. And just did sort of the standalone. And it was really one of our top five videos for the month. So would love to think about at least a quarterly. Thing with y'all. So video style blog supported. Yeah. Yeah. The other thing I think that's key is that we actually have the time for the meetings. Or at least the next meeting set up so you can. Like in the talk, say, and if we've just gotten you really interested. This is the time you can show up. For the next. Cause it's good to point it to the repo, but the face to face, I think is sometimes the hook. I totally agree. And I think that was our last agenda item for this meeting too. So I guess that the folks who voted. It looks to be that it was like, this was probably like the latest viable time in the day, right? So we should probably shoot for a bit earlier. Then this, so this is. Was two to three for me central time. So I think we should shoot for something in the morning and preferably something that doesn't conflict with the existing OpenJS or Node calendar, since a lot of folks are. Are on many different groups there. Are we, do we like Tuesday? 
Cause it seemed like pretty much everybody was comfortable with Tuesday. Tuesday is better for me. It used to be no meeting Tuesday here in GitHub. It's no longer that way, but. It hasn't got full up for myself. So I can do Tuesday and rearrange my schedule if I have to. So I'll let the folks, especially the folks that are here later, the European time zones are definitely tougher. I think for, for CD and on. So if we can do it in the morning, I think that's, that's easier for those folks. I could be wrong. But I could start early. I don't want to speak for all Pacific Coast people, but I wake up quite early. So. Yeah, that's, that's the thing like this 12 Eastern. Is like nine Pacific, right? That one, but that, that actually is a pretty busy time already on Tuesdays. How's eight AM Pacific. Anyone do school drop off? I guess school's not back. Well, maybe it's back. Turning on iPads at eight AM. Turning on iPads at eight AM is the new norm for schools. I think at least this for my little nephew. I can see like Wednesdays at noon. Eastern sorry is, I don't see other community meetings, although I don't know how that works for everybody else. I think so the only thing there for me. Is that that back to backs with the npm RFC call. Which obviously Darcy goes to. Yeah. Yeah. Yeah. Yeah. Yeah. And I, and I try to generally attend. I mean, what if we, if we shop for that same time? So you said. Oh no, one. That's right after the TSC meeting. Is that the note? Not, no. The TSC meeting rotates to three different times. But it doesn't, I was just looking for gaps, like where I look across the, the weeks. On Tuesdays and Wednesdays in that 12 costs thought there are. Our meetings that take place, but like Wednesday seems to be Wednesday at 12 just seemed to be an empty slot where there aren't any regular meetings at all. So if we wanted something in the middle like that, that was at least open. I can only do a half hour on Wednesday at that time. 
So we should, so we should try to shoot for Tuesday then. I think Tuesday seemed pretty good. Yeah. I mean, I guess, I guess, I mean, I guess, I mean, and everybody who voted pretty much had at least a couple of available Tuesday slots. So. I mean, if we, I guess, what is our cadence? Have we decided on that? I don't think we need weekly. So I think if we, as long as we don't overlap. Like the standards working group. Is on Tuesday and the CPC meeting is. Tuesday. And then it's the working session, the alternate. But if we just make sure we choose the alternate week from the CPC meeting, I think that's where it gets tough. Right. Well, I may, I have, that's when I have my LF executive director meeting. That's where it gets tough. Yeah. Unless again, you're all West, your West coast, right? I'm central now. But again, if you all are up for an 8 a.m. Pacific. I think earlier is a better, right? Dom and ZB, I'm not good at representing the European folks. Cause for me, 9 p.m. or 10 p.m. is the best time slot. Cause. My kids already in bed and I can do whatever. Yep. So anytime after, I think after 11 a.m. Pacific on these days, because that's when we have a lot of our existing calls. Okay. I'll take the action item. We're over time. I'll take the extra item to open up another issue with a couple of options on Tuesday. And we'll. I'll, I'll put it up for a vote, but I'm, I'm guessing we don't want any more than, and then every two weeks, but I think we should probably shoot for every month to start. Because I think there's going to be a bunch of things where we just don't have quick progress. Anyway, like I said, I'll leave it up to a vote for everybody. And I'll take that action. And I think that's the end. So, uh, I don't know Darcy, do you have any closing thoughts? No, thanks for run. Uh, with this, Wes, um, if we keep up that, um, I already, I already handle one or two calls. So it's great that you're running this and taking charge. 
I can always just help with notes. Cool. Well, thanks everybody. Um, and we'll, uh, we'll keep in touch over GitHub and, um, we'll get this stuff scheduled and start knocking out. Uh, action items from us. So awesome. Thank you. Thank you. Thanks.