2017-07-31 Meeting Notes


Apologies for the delayed notes, I was out of action for much of the last week. Discourse still considers me a “new” user and will only let me include 2 links in a post, hence why the GH repos below aren’t linked :confused:

The recording can be found here: https://docker.zoom.us/recording/play/3aC96B5qJ5Jq35m_lIT00GRxUjimCKrifLGxF4mFyv9nkRcmpIu0Dy3KRevK9pRb (meeting starts at about 14:30, I’ll use the manual recording feature next time to capture the right time slice)


  • William Cox talked on CVEs and CVSS scoring. Some key points:
    • CVSSv3 scores attempt to incorporate more logic around how one can take advantage of a CVE and/or chain multiple CVEs together.
    • CVSS scores change over the lifetime of a CVE.
    • Some vendors provide their own scores which take in to account the context of their platform.
    • Process of issuing a CVE can lack transparency for reporter. DWF (GitHub: distributedweaknessfiling/) is a project aiming to automate and increase transparency of reporting CVEs.
  • Liz Rice presented Manifesto (GitHub:aquasecurity/manifesto) a tool for storing image metadata in the registry beside images.
    • Basic functionality in place to set and get data.
    • Uses a single special tag within the image repository to hold a mapping of all other tags to their metadata.

Next meeting scheduled for August 21

Subsequent meeting after that will be at Moby Summit on September 14th in LA (https://www.eventbrite.com/e/moby-summit-los-angeles-tickets-35930560273). I’m currently uncertain of whether we will have access to video conferencing or sufficiently clear wifi.


Dear David, may I ask whether this is the only recorded meeting or are there others as well?


Hi, unfortunately I didn’t record the earlier meetings. I’m still somewhat experimenting with the best way to run these meetings. I plan to record all the future meetings. I think one of our members may have recorded the SPDX discussion, I’ll see if we can get that up somewhere.