In addition to the in-person meeting next month, we are invited to send
read-ahead material and there will be a brief phone call. Given that
the call will only last 30 minutes, I presume that call will be consumed
by introductions, logistics, and perhaps questions about the read-ahead
material. That call will be on Wednesday, so I would like to send any
read-ahead material that we might have late morning EST on Monday.
My thoughts are to lead with a summary/bulletized version of what has
been discussed recently on this list, followed by actual pointers to the
original emails. Here's a first draft... additions/corrections welcome,
both to the bullet points and new posts (preferably to this list) that
should be added.
Key bullet points

* This will require collective action
  o There are things we can do, both individually and together, to
    reduce the number of vulnerabilities.
  o There are things, such as SBOMs, that can help identify what is
    affected once a vulnerability is found.
  o Much of this is moot if patches are never applied.
* Volunteers/community/participation
  o Our contributors tend to be seasoned software professionals
    whose employers include ASF releases in their commercial products.
  o Our communities are healthy, open, and transparent.
  o Companies and government agencies that want to help don't need
    money or formal contracts to do so. Join our mailing lists,
    review our code, contribute fixes.
Background reading:
* EO - Mark Cox - https://s.apache.org/3nctr
* SBOM - David Nalley - https://s.apache.org/hccur
* Applying updates - Mark Thomas - https://s.apache.org/5jqab
* Collective action - Phil Steitz - https://s.apache.org/ljzn0
* Volunteers - Sam Ruby - https://s.apache.org/3vkpr
* Contributors/maintenance - Dominik Psenner - https://s.apache.org/3lrk1
* CISA - David Nalley - https://s.apache.org/1gr1c
* Get Involved - https://www.apache.org/foundation/getinvolved.html
- Sam Ruby