AlmaLinux · codyro · Jan 20, 2025 · Jan 20, 2025 · Jan 20, 2025 · bennyvasquez
diff --git a/docs/alesco/meeting-minutes.md b/docs/alesco/meeting-minutes.md
@@ -5,6 +5,8 @@ Title: 'ALESCo Meeting Minutes'
 Each meeting of ALESCo is public, and future meetings can be found on [events.almalinux.org](https://events.almalinux.org/category/7/)
 
 # ALESCo Meeting Minutes
+- [January 8, 2025](/alesco/meeting-minutes/2025-01-08)
+- November 13, 2024
 - [October 2, 2024](/alesco/meeting-minutes/2024-10-02)
 - [September 4, 2024](/alesco/meeting-minutes/2024-09-04)
 - [August 21, 2024](/alesco/meeting-minutes/2024-08-21)

diff --git a/docs/alesco/meeting-minutes/2025-01-08.md b/docs/alesco/meeting-minutes/2025-01-08.md
@@ -0,0 +1,87 @@
+# ALESCo Meeting Minutes (2025-01-08)
+Minutes recorded by Cody Robertson.
+
+## Members
+### ALESCo Member Attendees
+- Andrew Lukoshko
+- Ben Thomas
+- Cody Robertson
+- Elkhan Mammadli
+- Neal Gompa
+
+### Unable to attend
+Jonathan Wright
+
+### Board Attendees
+- Alex Iribarren
+- benny Vasquez
+
+## Community Attendees
+- Luna Junberg
+
+## Decisions Adopted
+  - Confirm marketing requests (Reddit AMA, Q&A Video, updated ALESCo blog post)
+  - Official security reporting workflows, starting with security.txt publishing
+
+## Minutes
+
+Cody: Started meeting with the first agenda item being marketing requests from the Marketing SIG   
+benny: Noted we had an AMA on /r/linux subreddit 3~4 years ago, reached out to see if there was interest in another one and they said yes.  
+benny: Would like to have some ALESCo members available for the thread throughout the day. Looking to schedule it sometime in mid-February for a 3~4 hour block of time.  
+Cody: Only concern would be difficulty if it required scheduling/logistics for video  
+benny: Explained how previously we had a meeting where AlmaLinux members joined and answered the text-based questions from the thread, making it not difficult  
+Cody: Do you have any dates in mind you want to throw out?  
+benny: Maybe February 11, 12, 13 or 18, 19, 20. We would do it in the mornings (local, EDT)  
+Cody: Will ask in the ALESCo channel what works best for everyone  
+benny:  Asks for an update blog post from ALESCo, I have a pseudo-draft ready for anyone who wants to take it. I'd like to be able to post it next week if we can.  
+Cody: I don't mind taking it, you can put it in one of the channels and I'll grab it  
+Cody: And there was a third one?  
+benny: Andrew has done one in this group, but Q&A video that goes on our YouTube channel, 3~4 minutes, simple questions that we want to answer. Who wants to do that one?  
+Neal: *Raises hand like a champion*  
+benny: Cool I'll get a list of questions/"script" to you  
+Cody: Awesome, will you two figure out a time and schedule it?  
+benny: Yeah  
+Neal: Yeah, timezones are closer so it's easier  
+Cody: The next thing is surprisingly we don't have yet, security flaw reporting/proposals/basically a way to submit security issues and so forth  
+Cody: That starts with a security.txt file, which provides a bunch of reporting information  
+Cody: Then in addition to that, an actual page with an explanation of policies, procedures, and how about do you actually doing this in an official capacity?  
+Cody: Because right now it's a lot of reaching out to somebody in a bug or reaching out in a mattermost, or e-mail, or it's a little loosey-goosey.   
+benny: Yeah, it's super loosey-goosey  
+benny: It is something I've wanted to do for awhile, and Noam Alum (foundation member, contributor) asked what he could do, and I said can you take this conglomeration of notes and make it something that's helpful and useful, submit a PR?  
+benny: He said he'd love to, and because it impacts everyone because it's affects every projects, it's not just the website, OS, I wanted to make sure ALESCo got eyes on it and had a change to provide feedback.  
+benny: Has everybody had a chance to look at it?  
+Cody: I haven't seen the latest iteration, but I did see the origin/daft  
+benny: We only submitted the issue a couple of days ago  
+Cody: I don't have any concerns. It's something long overdue.  
+Cody: The only thing that is remotely important to me and ALESCo, I think, as a whole, is the key generation and all of that stuff  
+Cody: Like who, what SIGs and people are going to be responsible for it, since you mentioned it's cross project not just specific to the OS, it's for everything.  
+Cody: Whose it going to go to? I think basically what SIGs will be responsible for it are my main concern. Where do the e-mails go? Whose going to triage them?  
+benny: So yeah, right now they get create don bugs.almalinux.org unless it's something that needs to be private, then there is an e-mail, I think [email protected]. I don't care who is on that, anyone who is appropriate is fine. What do you guys think?  
+Neal: I don't have a problem with this. There are two things though, right?  
+Neal: A shared e-mail that goes to a bunch of people means we need to have a shared GPG private key because anyone needs to be able to decrypt/read those e-mails  
+Neal: The second thing: before we do this, we should probably have someone actually responding to [email protected]  
+benny: We do respond to it  
+Neal: That's fine, looks good  
+benny: I think what Cody is actually drawing attention to is that if it's everybodys problem, it's nobodies problem.   
+benny: We should make sure anyone who joins that mailing list also agrees that things under their purview/responsibility will be handled. Maybe we should specify that, even if it's in a document somewhere, we can say hey, this is yours, can you look at it?  
+Neal: Each SIG should have a security point-of-contact  
+Cody: Asks benny how she thinks it should be handled, should we reach out to the SIG leads, and asks for logistic clarification/what she thinks would be best  
+benny: I think handling the policy overall would be a good thing for ALESCo to handle, I wouldn't mind reaching out to SIG leads as there aren't many of them.  
+benny: I also think if you guys manage the mailing list if that's okay too  
+Cody: Alright, we will figure out the worfklow  
+Cody: Neal did bring up a good point about the PGP key, and obviously shared PGP keys are less than ideal, but we can figure something out. We'll chat in the channels   
+Ben: If we have a point person for each SIG that there is a process to make sure the role gets handed over if the lead changes, or if you need a deputy for a holiday cover because security things can happen pretty quickly and inconveniently  
+benny: Yeah, whoever is appointed as the security person needs to understand they have a responsibility there  
+Cody: Anyone else have any other concerns regarding security/reporting stuff, or are we good on that front?  
+Cody: There is nothing else on the agenda, asks if anyone has any loose ends/misc things to bring up or propose for next meeting?  
+Cody: I know Neal and Jonathan are working on the official V2 RFC proposal so people waiting for that should have an official answer or an official document sooner than later  
+Neal: We have a draft, waiting on Jonathan to finish things up  
+benny: One last thing, last April board approved new sponsorship level that allows a company to ask us to sign kernel modules  
+benny: And we never defined that process, and now we have a potential sponsor that wants to take advantage of that  
+benny: Cody it's already in a draft and a message to you that I didn't send so you didn't start your day with a document  
+benny: I'll be coming to you guys to make sure the process is good  
+benny: I went through it with Andrew and Jonathan in Tokyo so I'm hoping it's pretty solid, but it'll definitely need to go through you guys to make sure nobody sees any flaws or concerns  
+Cody: Acknowledges he completely goofed up Indico/scheduling so everyone receiving between 0-1,000 events  
+Cody: Says he will be deleting everything and starting from scratch  
+Everyone: Bye!  
+