From YouTube: Alpha Omega Project Public Meeting (January 4, 2023)
A: Hello, everybody. Welcome to the first Alpha Omega public meeting of 2023. Hope everyone had a great New Year and got some time off, hopefully, and are at the perfect level of caffeination to have a productive.
A: Oh, so I have an outline of a deck I like. We usually do this. We can stray far off topic pretty quickly if we would like. This is really intended for all of you, so you have questions, let's just get into it. Happy. First of all, happy New Year. First of all, I want to mention and welcome Jonathan, Jonathan Leitschuh, to the Alpha Omega team. Jonathan.
A: Well, when he comes back, he can introduce himself. He was a Dan Kaminsky Fellow. He was on the Dan Kaminsky Fellowship at HUMAN. For the past year, he's been doing a ton of great security research and we're really excited to have him on the team driving at-scale solutions to hard problems.
A: But, you know, this is really great. So between, you know, Anna from City and Yesenia, who joined us in November, Jonathan, and then all of the wonderful staff support that we've gotten from the Linux Foundation, from, you know, David and Michelle and Jory, who's, you know, unable to get away from us, and Khalil and Jay Bligh, who's done an amazing job with the...
A: Blog, getting things actually out and done has been awesome. So to all of them, and particularly Brian, for, you know, keeping us moving, has been great. So thank you to everyone associated with this project. It would absolutely not be possible without every single one of you. So, go back. Jonathan, welcome back, yeah.
E: You're gonna forgive me. The original, I don't know if anything was said about me, to me, at me. I don't know. I was at the...
E: But I realized that when I was like, wait, it's been quiet for a while, what's up? And I joined the call and I'm like, there's no... I see people's voices moving, but I don't see any audio. The stupid thing was Zoom output the audio to my microphone, which has no audio output, and, of course, yeah, of course it would. So yes, hi, I couldn't hear anything for the first five minutes of the call, but I'm now here and...
D: I'm thrilled to have joined. I think I'm excited at this moment to announce a complete change in priorities for Alpha Omega. We're going to focus on the hard problem of getting the damn video conferencing systems to stop picking random devices to use as your audio just because they haven't seen it before. Jonathan, are you down for that? Or do you have something else you'd like to work on?
A: So I gave the very thinnest of introductions. So if there's anything that you would like to say about yourself, you are welcome to, but I don't want to put you on the spot, although it just, oh.
E: You know, I'm a software security researcher. Been a software developer, mostly focused in the Java, Kotlin sort of space for a while. Did some stuff with build tools, worked for Gradle for a little bit, and then I got accepted as the first-ever Dan Kaminsky Fellow last year, and I've been engaged in finding and fixing widespread, common security vulnerabilities across open source, generating pull requests, tens, hundreds and sometimes thousands of pull requests to fix various different security vulnerabilities across open source. And I was looking for a natural next fit for the work after the Dan Kaminsky Fellowship, to kind of say, hey, I've been working on this project, but where can I continue it? And the Alpha Omega project seemed like the perfect landing place for my work, and also forwarding the mission of Alpha Omega. So I'm thrilled to be here and I'm...
E: Looking forward to working with everybody to progress that mission of securing, you know, critical projects and also the long tail of open source projects all over the world. So, yeah.
D: I'll do this slide because you did all the hard work. So if you haven't had a chance to look at our annual report, please do so. It's up on the website. You can ping us, we'll send you links if you really can't find it. It's actually been a pretty exciting year. Over the course of the year, like, we went from just starting out and figuring out what to do with money to, like, actually meaningfully making a difference.
D: Seeing studies, teamwork, reports coming back from various people, and that played out really well. Amazon was sufficiently interested in the work that we're doing that they've announced funding for us, which really is just great to bring them to the organization and to have their support. Still have a lot of things we need to figure out. Always listening and always learning. I think our sort of spirit of experimentation and learning from sort of iteration will continue to go on, but really just a tremendous year.
D: I would try and do some highlights, but honestly, just read the report. I think that's what we really want you to do, and if you'd like to see things in the report that you don't see, tell us about that too.
A: So we also have the whole, and this really isn't us, this is OpenSSF as a whole, but just calling attention to it. This was published last week. So take a look at this as well.
A: This is, I think, the second item on the OpenSSF blog. This, you know, is the larger view, inclusive of Alpha Omega, but all the working groups and the SIGs and the projects and everything else, and I think it tells a good story for the impact that OpenSSF has had in 2022.
A: So just encourage you all to look at that if you haven't already.
A: So we've had the, you know, the Alpha engagements that started in 2022. Most of those, you know, continue into 20... I think they're both, they all continue into 2023.
A: And we're in active discussions with some of them about, you know, renewing and what the future is, and potentially other Alpha engagements. All of the updates have either started to or will be going to our GitHub repo at that link. So if you're ever interested in, like, hey, what is, you know...
A: What has Eclipse done recently, you know, around this? Like, there'll be a, you know, page and some markdown files and things like that. So we're going to use that, and there was always our intention to use that to collect kind of monthly, just updates.
A: On the tooling side, we've made, so with Yesenia having, you know, joined us, we've been able to make a lot more, a lot faster, better progress. So I'm excited to hear that the analyzer is steadily improving. We've been doing some refactoring, just bumping two versions, but getting into a more usable state for more people.
A: We run some tools or we do some activity, and we assert that that activity or that tool run has been done, and these were the aggregated or interesting results of that, and then you, as a consumer, can base a policy on those assertions. So you can say, I want to know if any of the open source projects that I use have this type of vulnerability class found by CodeQL in a fully automated way. So there's no triage necessary for that. So it's an experiment.
A: You shouldn't rely on it. Please don't base your business off of it or, you know, things like that, but feedback is most welcome if you're interested in getting involved. We are talking with GUAC later this month, and we haven't set it up, but Scorecards as well, to figure out, like, what are the right places to integrate this, and, you know, how does this need to iterate in order to become something real and useful and stuff.
A: Last year we started putting together a triage portal. We kind of put pause on that just for priorities and time. It looks like we're gonna move that forward a little bit more. This is intended to be a place where security researchers can go to essentially upload tooling results and then see things vertically for a particular project across multiple tools, or for the same tool or class of vulnerability or whatever across all projects.
D: I think, I mean, it's worth talking about, like, you know, a vision that we're starting to hold more dearly is this toolchain, ultimately, should become part of people's, you know, any project's release process. At some level you should be able to say: okay, we're gonna go run a bunch of stuff and see what it can find, and then make assessments, you know, do triage. Not everything it finds is a real problem, whatever like that, but, like, you want to be in a position where no surprises.
D: You know, not quite script kiddie level, but definitely, you know, a little bit more easily integrated into someone's existing pipelines. It's a very interesting opportunity to allow scale what we're trying to do within Omega, so yep.
A: Cool. So if you want to help, if you're security researcher inclined, you know, certainly using our tools and telling us why they're, you know, if they are terrible, please tell us that they are terrible and why, and help us improve them. If you have specific improvements, just open issues. Pull requests are great.
A: You know, that's all good, and we now have cycles to, like, action them faster. So hopefully we'll continue to make fast progress on this. If you're a dev, we have marked some of the issues kind of "good first issue" or "help wanted". We'll continue to do that.
D: All right, Jonathan, I'm gonna put you on the spot. I'm going to assume that people know of you, but maybe don't know exactly what you've been doing, and I think I'd be very interested to hear you talk about sort of the scale PR approach that you've been doing to find classes of vulnerabilities and then push the fixes out as well. Feel free to just chat and talk about it, and hopefully that'll provoke interesting questions and conversations. Yes.
E: So I have been, over the past couple of years, been kind of excited in this idea of automating fixing security vulnerabilities at scale, and I've given a talk about this at Black Hat, DEF CON and then a spread of a bunch of other conferences. The best version ended up being given, I thought, in Italy, because the audience, I don't know, the audience was great there.
E: But if you want to find that talk, it's titled "Scaling the Security Researcher to Eliminate Open Source Security Vulnerabilities Once and For All", and you can find it on YouTube in a bunch of places. And at a high level it was about basically using tooling. In particular, I leveraged a better tooling called OpenRewrite, which is a format-preserving abstract syntax tree transformer that let us generate automated fixes for vulnerabilities in a way that modified the source code at the AST level, but did so in a way that preserved the surrounding formatting.
E: So that the pull request didn't, you know, the big problem that you're dealing with is, like, you're trying to generate an automated pull request and you're going to not make it look like the surrounding source code, right? You want to generate a pull request that looks like the surrounding source code.
E: So you have to use tabs or spaces or, you know, whatever their weird formatting style is to generate the new code, and OpenRewrite offered the unlock of trying to figure out what the formatting was around the source code and then giving you the ability to generate new code that looked like the surrounding code. And so I leveraged it, as well as adding features like data flow and control flow analysis.
E: To OpenRewrite, to allow me to look at the code and the surrounding code and say there is a vulnerability here, because I can see the data flow that's local to the procedure, and/or I can use control flow to say there's not a guard in place, like for zip slip, right? There's not an adequate guard to protect against...
E: Slip, which is, a zip slip is a vulnerability that's a path traversal vulnerability while unpacking zip archive files. And so you can say: okay, this is not fixed, we need to inject a guard there. Okay, now the guard's injected. Is it sufficient? Yes, it is. Okay, now we can generate the pull request. And so, you know, that's the kind of work that I've been doing over the past couple of years.
E: Did some research around HTTP downloader dependencies across the Java ecosystem and found that a wide swath of the Java ecosystem, in Java open source projects, were still using HTTP to resolve their dependencies instead of HTTPS in their Maven and Gradle builds, and reported it to a bunch of different organizations, and then worked with Maven, Sonatype and JFrog and Gradle and a bunch of other organizations to decommission support for HTTP in favor of supporting HTTPS only to resolve dependencies across the Java ecosystem. And so that initiative broke a bunch of builds on January 15, 2020. We stopped...
E: We dropped support for HTTP across the Java ecosystem in favor of HTTPS only, which broke a lot of builds, but it fixed the gaping hole in the supply chain and the entire Java ecosystem. And so I have kind of always, you know, looked at these problems and been like, okay, where can we fix it from the root cause? Like, you know, how far up the tree can we fix it? Can we fix it at the root cause? Can we fix it at the supplier? You know, if not, okay?
E: That was just a simple HTTP to HTTPS replacement sort of thing, right? But those sorts of projects of, like, okay, this is everywhere. Let's go clean it up. Let's not just report it to the top five projects, but let's go and, like, tackle it across the entire ecosystem. Those are the kind of projects that I have been fascinated by, interested in. The line that I always tell people is, I'm not necessarily really good.
E: I kind of, when I find things at scale, I kind of feel like I have an obligation to deal with them at scale. So, you know, it's like, all right, I've become aware of it, all right, now I got to do something about it. Well, oh! Well, so that's a little bit about me, and I'm looking forward to having the opportunity to continue to move forward on these projects with the OpenSSF and, you know, the Alpha Omega project. So that's my resume in a condensed.
G: So I have a question to this general community, as in, so as Jonathan was looking at, and he was mentioning about this problem that, like, he's looking at the problems where things can be scaled, so looking at small changes in the code that can be made ubiquitously. On the other hand, there is the more serial, like, in it.
G: It doesn't work when you're talking about, let's say, a SQL injection or a cross-site scripting, like those kind of scenarios where you can make the same change across the board and it could still work. So it's just like a thought question of how often do we see that side, like where there's a single fix that can be spread far and wide, versus the effort is asymmetric, as in you have to really prepare a fix for a particular instance, and that takes time and that's really hard to scale.
E: So I mean, I've thought a lot about this sort of problem, and, like, one of the, so zip slip, right, like it was a great candidate for my research, because usually the location of the vulnerability is located to a single procedure call, and, you know, even at best, the fix for that, using automation, is a security vulnerability fixed, and at worst is a security hardening. So you're not inducing, you know, potential additional, you're not breaking the code, right? With SQL injection...
E: You actually don't necessarily have those characteristics, because you can potentially generate code, like if you wanted to automate fixing it. I think that it's possible to fix SQL injection through automation. I think that we could generate the code to do that, especially with things like data flow and control flow analysis. Well...
G: We did that, we do that, but the point is it doesn't, so in practice it works for, let's say, 20, 25 percent of the cases. 75 percent of the cases is manual, because code is complex, and 25 is better than zero percent, right.
G: I get that, but I mean people have done that, like our tool, for example, can do that, but I mean there's been academic research on this specific thing, like SQL injection was just an example, but on this specific thing. But in general the question is that it's, like, majority of the hard vulnerabilities, the effort is asymmetric and it's one to one.
G: So are there any ideas of, like, how do we, and we're talking about, like, having a portal where, like a triage portal and so on. So part of the difficulty that I have faced before, or we have faced before, is when we try to submit a pull request without an actual fix, then it largely gets ignored and so on. So are there any ideas of, like, how can we use this portal?
G: To also, like, could use fixes for problems on behalf of the maintainers, so that those can be, I think the main problem is that the maintainers, the open source project maintainers, they are not updating their code soon enough, security hardening or security vulnerability definition, however you look at it. They're not updating their code because they are just busy. So how can we reduce that workload from that side? Any ideas on them.
A: I think the most interesting, like, there are so many, like, rabbit hole, rabbit hole, I guess we've got rabbit holes here where the, like, so if you think of a graph of, like, the difficulty of fixes, like, sub, or the complexity of fixes, or the complexity of the, you know, had a reason from vulnerability to solution, and let's just say it's kind of some sort of a hyperbolic thing.
A: So you have lots of kind of low-hanging fruit there, and then you have the impact of the vulnerability, and that's kind of probably the other way, where a very small number of vulnerabilities have a very, very high impact and there's a long tail of lower impact ones. And if you, like, mush these two together, you probably get something that's like, you could sort it differently, but you have high, and maybe it's not, maybe I'm...
A: Like, I think, is really hard. Certainly parsers can be really hard, and I would say that the strategy that I think would make sense is, let's make all of the, let's make the high-impact, easy-to-detect stuff go away, so that we can eventually, like, stop worrying about those, and at the same time do the research now so that in five to ten years we have better tooling to, like, start in on the juicier stuff.
A: I don't think it makes sense for Jonathan or anybody else to take three months to do, like, if you take, like, Spectre, Meltdown, all that stuff, like that super interesting research, is that the kind of thing that we would have spent, you know, six months researching into? Well, I mean, probably not, but, like, the impact was huge. So I think things like that belong more in academia or a dedicated, like, research institution kind of thing. I...
E: Mean, yeah, so, like, there's a lot of, like, my mindset, this is a lot of low-hanging fruit that researchers have kind of found and left lying around in blog posts and stuff like that, and they've, like, maybe reported it to, like, half a dozen projects, but never reported to all the projects, and, like, this is the kind of thing that's like, hey...
E: You know, handled all the way through, and that's not, it's not glorious, it doesn't sound glorious, but I find those sorts of projects to be fun, like, you know, let's see how we can actually fix these things at scale. So I do agree that you need to go deep in places, and I would love to learn how to go deep in more places, because that's a skill that I actually need to improve, because being able to go deep on certain things...
E: May give me wider angles on more common security vulnerabilities, but on top of that, like, let's just, let's...
E: Let's go, like, let's maximize the amount of time that we can spend to fix the most number of vulnerabilities possible at scale, and hopefully also get some of those harder-to-get projects that we can't automate, too, sometimes. But in general, let's focus on the meat of the big problem, and, you know, yeah, David, you got a hand up, yeah.
B: If I can jump in and try to take another crack at answering Manora's questions, and feel free to disagree. You asked earlier: how do we encourage, you know, people to update, you know, particular vulnerable components to a version that isn't vulnerable? At least that was the question as I understood it. There's actually already quite a bit of work to encourage this direction.
B: You know, for individual open source projects, the obvious simple way is to enable one of the many, many tools available to warn you when, hey, wait a minute, one of the components you're depending on has a known vulnerability, please update. GitHub has such tools built in, GitLab does, there's a lot of third-party tools that really dig in that can do that.
B: One of the problems, of course, is not all projects use these tools, even though, I'm thankful, they've gotten easier to integrate, and really I would argue that this is the rationale for the big pressure from the U.S. government. Some other governments are looking at this as well, for SBOMs, basically saying, hey...
B: You know, the industry didn't generate s biology forces. This is a long, this is a large, long-term task, but that's okay.
B: As long as we acknowledge that. But I think that will create pressure backwards to encourage projects to add those checks, and for, you know, and some people are saying, well, hey, man, you know, where are people getting paid to do this? Well, this provides organizations incentives to pay projects to add those tools to detect those dependency problems.
B: Now, here's the challenge. That assumes that there's a component with a known vulnerability, and ideally with the known, updated version with the fix. And this is one of the areas where Jonathan basically has a lot of experience, where if all you have to do is update a dependency, that's relatively easy. But if, in fact, it's a pattern of code that has repeated over and over and over again, because somebody copied it from Stack Overflow or somewhere else, or it's just kind of the obvious way to do it...
B: You know, what Jonathan's been able to do is find ways to scale up across a very large number of places where it's not just update the dependency, it's actually within the code itself. And, unfortunately, there's a lot of those, and almost nobody's been covering this ground. So it made sense to work on this, because it's not an area where, say, asking about SBOMs or inserting dependency analysis necessarily helps you out.
G: I'm very familiar about Jonathan's work and what is it and the value of that. What I'm trying to suggest is, like, there's, I mean, as much as we work on this one, there's also the hard problem, and how do we do that? So one of the things that I was thinking of, and that's basically, I was kind of creating a pretext to bring an idea, which is working with the academia, and, like...
G: There are these security courses that have been introduced in the academia, and they look for, like, real-world exposure. So if we have tools that have detected vulnerabilities, and what we need is a fix that we can then pass to the maintainer, so that the fix can be accepted, tree as an accepted quickly. But it's a hard fix to create. So it would require some manual effort in order to do that, and that can be done in a crowdsourcing way.
G: And so we can work with, let's say, 10 institutions doing their security course. We can give them their homeworks, or homeworks for their students, and there's tons of these homeworks that we can create, because there's tons of bugs that we can detect, and then they would be done there. And then this information is going to be passed as a conduit through to the security community. I mean, that's one of the things that I've been, like, that's my new year thing. People, things are happening here, as thinking.
G: But anyway, so that's the idea that I wanted to bring in, as in, how do we, because that's an asymmetric, it's a hard problem. Can we do a crowdsourcing model to try to do that? Now, there are reasons involved, because when we expose these, this information, then it will be also, like, open for attackers or somebody else to subvert it.
G: But it looks like we are looking towards having a portal of some sort anyway, where the information would be public, so in that case it's actually, we become more riskier, because when the information is out, at that point fixing the problems, or the detected problems, as soon as possible is the key. So how can we leverage upon crowdsourcing?
A: At worst, or private, like on the other end of it, but it'll never be, like, public public. But for the university thing, just connect up with Yesenia and Anna, who are running a project to effectively, starting the project to do effectively that, or at least very, very close to that. So encourage you to just join up with that effort, and, like, yes, let's make it happen. I want to be careful, like, not to, especially optically, I...
A: Something good out of it, I'm comfortable with it, but it wouldn't, you know, I would, we just need to be careful about how that appears.
B: I should observe that I'm actually, in my copious free time, actually an adjunct professor at George Mason University, so I am familiar. Now, there are some interesting challenges. You've already mentioned one: how do you keep information private? Another interesting challenge, which you made out of, you, depends on where they are in their studies. But if it's part of a class, now you have to figure out how to grade it, which is a little interesting, and professors don't scale very well, turns out.
B: So if it's part of a larger granted research project, then a whole lot more becomes available, but you still have some complications there. There are some weird things that are different about incentives. I mean, the fundamental issue here is that for academics, what matters is publishing papers.
A: I totally agree, but the difference is that grad students, professor-track grad students and professors themselves, care about publishing papers. Undergrads don't care about publishing papers. I've never met one that did.
G: So there are three things too. I mean, there's, like, professors, I mean, I've been in there, so I know all of them, like I was solely devoted to publishing papers and grants.
G: I mean, the fixing problems, yeah, not much, not my thing. But then there's, like, I know very many colleagues who are in, like, teaching schools where this is an important skill that they want to impart into the student, and that's a noble goal altogether. So we probably will not be, let's say, collaborating with Stanford, but let's say San Jose State University, I mean.
A: That's a fair game. I think at minimum, if you look at, like, an undergrad or even a grad-level cybersecurity education, I would...
A: Posit, I guess, that the amount of applied stuff in there is relatively small. I could be completely wrong here, so tell me if I'm wrong, but, like, as this kind of work is super applied and real world, and, like, there's this external thing that I made better as a result of this. If I were in school, like, I mean, I feel like that would be a lot more compelling than, you know, a theoretical, like, network security course where, like, you know, I...
B: Don't know, I would guess. I would go further on, I mean, as I said, I'm actually in that area as well. I would encourage thinking through how can we square the various incentives, because, in fact, I have overseen students who found vulnerabilities and, you know, developed fixes and worked with upstreams, so it can be done. I have also found it very challenging to do. Either their goal is to get, you know, papers published, in which case real fixing is not really the goal, or the goal is to get...
B: You know, get a grade in the class, in which case, you know, the goal is very much, you know, the teacher has to, you know, the professor has to oversee and find a way to grade this, to make sure that the work was actually good enough, and how do I grade. While these aren't insurmountable, I will say that I personally have, I've had some success doing it, but it's actually been rather challenging to do, just because the incentives are not really connected.
B: So if anyone has, if you or others have ideas about how to improve the connection so that it's wins for everybody, I think that would be fantastic. We have had some challenges doing it, even though we have had some successes. More connections with more people who have found a way to square this circle better would be fantastic.
E: Hi. Bug bounty programs are a pretty effective way. I mean, like, you know, so one of the things that I've, you know, thought about, you know, is, so GitHub, as the GitHub Security Lab, for writing CodeQL queries, to pay people to write queries that identify new vulnerabilities.
E: There is, you know, a good, it's, they're not easy to write, but recipes for OpenRewrite is one, like one of the things that I've discussed with Jonathan Schneider, who is the CEO of OpenRewrite...
E: Is this idea of, let's encourage people to write OpenRewrite recipes to fix security vulnerabilities and pay them for those, in order to get those into a corpus of campaigns that can be continuously running against new code as it's identified, right? So continuously, like, all of the pull requests that I've generated have been one-offs, but that doesn't, like, as soon as a new vulnerability is identified or created in an open source project, it doesn't fix it, right?
E: We could use, like, that labor that we're, you know, paying via bug bounty, to create a series of recipes that are targeting open source security vulnerabilities and have a very low false positive rate, and, you know, actually getting those things deployed at scale and continuously running against open source.
A: Is, Michael, put you on the spot, is sos.dev a reasonable, like, I mean, in the current Diana, we haven't talked too much about it recently, but, like, the idea of Secure Open Source Rewards is that I can get paid for making a security fix for David's project, yep.
D: I think that, you know, we've talked about this, right, is that, you know, it's very much an artisanal process right now, in every sense of the word, right? The people who are coming in for rewards are individuals looking for some stuff to do and getting paid for it, and the projects that are typically getting helped are relatively small projects without the resources to do things themselves, and the process for which we decide and approve things like that is a little bit sort of hand...
D: Handcrafted. Now, scaling that in some way is super interesting, right? Like, how can we actually start to get crowdsourcing of fixing? I'm cautious about this, right? Like, anytime somebody says, oh, we're going to solve this problem by crowdsourcing, I'm like, you've just decided you don't have enough money to pay for something, and now you're depending upon a bunch of, like, volunteers, right? And is the SOS money...
D: Gonna come, like, it's gonna be hard for somebody to make a job around being an SOS fixer, right? And so some of the other initiatives that you and Microsoft and Google are both doing around open source maintenance efforts, Amazon as well, right, are recognizing that, you know, this stuff doesn't pay for itself. It has to be done. So I would love for us to see ways for SOS to start being sort of tapped into getting things done on that very long tail of smaller projects, right.
A: That's it. I'm just thinking, maybe what we need, actually, like, I would love to see it, like, a page that has, like, I don't know, some sort of architecture-time-like thing where you say, you know: how can you, like, what are the incentives around participation in the open source security community? And, like, there's, like, bug bounty stuff for certain projects, sos.dev for other ones, and full-time employment for others, and, like, these other things, where how...
E
Do you get up here on a map? How do I, I live a life while doing open source? Yeah, yeah, because I mean that, I've had that problem, right, that's! That was why I chose to join the Dan Kaminsky fellow-, or I applied to the Dan Kaminsky Fellowship, because I'm like, I'm working for Gradle, but I have this idea, I can't fund it. Like, I thought about, you know, I thought about how to do CodeQL queries, and you'd need to do, like, in order to make a hundred thousand dollars a year...
E
You'd need to have, you know, you need to have 10 critical security vulnerabilities where you both find four cases of the CVE and also write the CodeQL query, per year, and, like, that's a lot of work, that's, you know, it's, it's, that's, you know, and my cadence is slower than that because I, you know, dig in and really try to make sure that I understand the vulnerability and get it fixed fully and also try to, like, report it to a bunch of projects, and so the Dan Kaminsky Fellowship was a really good candidate for, they paid me a salary for a year, which is, you know, and I'm able to do this.
E
So that's, that's a problem that I've actually tried to figure out how to finance, and, and, and if you're not, you kind of have to do it as a side gig until you figure it out, it's, you know, and so, but offering the money, the bug, man, you know, bug bounty payments for that sort of work.
E
That's a good start for people who are trying to figure out how to, how to navigate that stuff. I also want to bring to attention the Internet Bug Bounty program that also exists. I don't know who that's, I think that's a, I don't know who's running that currently and who's associated with that, but that's another one that is trying to also encourage this sort of work, or at least pay for that kind of work post facto being done. Randall.
F
Yeah, over the Christmas holidays there was some talk about, I get, because SKF is involved with a lot of people, and some of the people that are involved with SKF were interested in seeing SKF introduce a bug bounty platform, and there's a significant amount of money available if we wanted to go that direction, so.
B
One will happily take open source projects, yeah. In fact, I know that there are a number who are served that way. Yeah.
A
I think, doesn't LFX have, oh, no, that's sponsors, yeah. Now I, I, I, I'm, I'm usually in favor of, like, let's have more options.
H
I did want to throw a quick plug in, just because it was mentioned earlier. We do have a Doodle poll for the, the meeting on the Education DEI working group, I posted on the channel. It looks like next Tuesday, the 10th, and then, if you want to get up to date on the information, I also added the Slack channel. We'll kind of be talking about running these kind of bug programs to the underrepresented groups, organizations and universities. Awesome.
A
There was something that I wanted to follow up with before, which is, like, yes, it's great for us, or a cron job, or people, or whatever, to be, like, looking at, like, scanning a whole bunch of stuff and finding things and getting them reported. Obviously, I think we all, I think we're all in agreement that it would be even better if the maintainers found this themselves as part of, part of normal PRs and fixed, and, like, we...
A
Never, it just never existed in, in the first place, and I think that there is a place, not for Alpha, I don't think it's an Alpha-Omega thing, but definitely OpenSSF, in trying to push on, answer the questions like: why don't more maintainers use, you know, pick a code scanning tool, and fix things when they're found? Why is the...
A
If we can, if more of that work can happen upstream, then it kind of, it never becomes low-hanging fruit because it never gets in in the first place. The other place to do it, though, is in the platforms themselves, and I mean platform like, so, as an example, I know the [inaudible], the requests, you, you open up an HTTP request without a timeout, like, yeah, you could hang forever.
A
Why would the default of that not be something sane and sensible, and is there a way to work backwards and kind of retrofit in sensible defaults, or, like, you just can't concatenate strings into a SQL query anymore, like, let's just, you just can't do that anymore, like, and, and, and those are years-long efforts, but I think to actually turn the faucet off at the, at the house.
A
Okay, I would love to see more effort, you know, focus there. Randall, you can tell me that's impossible, to go away. No.
F
I'll, I'm going to give you the packager's perspective. Please. No, sir, yeah, from a packager's perspective, because we run into a lot of these problems. It really depends on upstream. It also depends on who you're talking about when you talk about sane defaults, because usually there's multiple opinions about what sane defaults are. There's sane defaults from a distro level, there's the sane defaults from a developer's perspective, and a lot of times they clash.
F
So it's very difficult, and I also will say that burnout is real, not in that, not in that aspect, but sometimes just trying to deal with a lot of, like, I don't know what to call them, just dinosaurs, people that resist change, like, toxicity sort of behavior, and it just, it gets very tiring. So after a while, like, even from a packager level, you'll stop reporting just from the sheer fact that you don't want to get insulted.
F
And that's the, and that's the other thing about tech debt, is that it, it's very, it's very complicated, because, like, and for example, it may be a very good one: on Mac OS people just expect for things to work. Homebrew: you download things, they just need to work in Homebrew. Polar opposite: customization is the word. Every single option you can have; you want a clown, you could have a clown. Basically it's your choice. So it's, it's very, like, it's also difficult, because I think audience has a lot to do with it.
D
At that point, caveat emptor, right. You are consuming stuff. At the end of the day, the final responsibility for risk falls on the consumer, the end consumer producing application, because that's where everything materializes, and you can, and so I'd much rather know and then be able to make value decisions, and I'd like to be able to model those decisions better with things like VEX statements. I'd like tools that help me do code coverage analysis to understand what the vectors for risk are, right. Where are those concatenated SQL strings coming from, right?
D
There's a huge difference from [inaudible], you know, those concatenation problems coming from static strings in my code versus end user input, and we all know the SQL, it's always coming from a user input, this is not going to end well, but, you know, that, you know, understanding the code paths and giving people the tools that allow them to take... The packages are not going to shift, they're not going to move fast enough.
D
But what do I do right now, right? I'm sitting here standing on the shoulders of giants, but the giants have been drinking for 10 years and don't want to stop. What do we do? Maybe not drinking, maybe they're just sick, I don't know, the metaphor is tough, but I don't want to malign any of the individuals who built the things that we're depending upon. That's not the point. It's that, you know, there is no free way to fix those things, and, you know, to my earlier point, SOS isn't going to fix them either, right. So.
A
You know, if you take 50 open source maintainers that have an identical problem and identical challenges, in, or identical, like, activity levels, they may have 50 different reasons for that activity level. Some of them, it's, you know, "this is free work. If corporations are benefiting by this, I want some, I want, I want cash out of it. Until you give me cash, it's not important." Other people, it's like, "no, I have a family, I just don't have time for this."
A
It's, it was a college project, whatever reason; other ones, "I'm drowning in stuff," it's life happened, like, whatever it is, whatever the reason is, and, and I think we would, we should be very careful not to paint too broad of a brush stroke in that, and thinking that, if we just did X, we could get a significant portion of those projects to, to do differently.
E
Well, one of the, one of the things that I have, I have struggled with is, is staying on top of priorities, and I've always kind of begged for forgiveness first instead of asking permission from my employer, and as a result...
E
To Michael and Michael here, yeah, yeah, a little bit, and also, like, I, I mean this: how have I gotten where I am currently? Well, I have done a lot of work in open source that has not necessarily, completely, been entirely sanctioned by my employer, right, because I find this to be fascinating. I find this to be, passionate, or I was distracted, and, you know, not passionate about what I was doing at work and got distracted and engaged in open source security.
E
I need to, I need to make sure that I'm spending the time on this thing, and, and, like, you know, or for security researchers, like, I spent a week, this, I spent a week last, what, before the holidays engaged in, in a constant back and forth with a maintainer of SnakeYAML, trying to convince him that he should secure SnakeYAML by default, and stop, and then I ended up on a call with him in the middle of my vacation to finally come up with a point where we're like, okay, like, this is...
E
This is a thing that we can do to make this more secure that doesn't break a bunch of your end users. That's, like, a lot of dedication to a single library or single project to convince them how to fix the dang thing in a way, and this is a bit of vulnerability that's been known for six years; this remote code execution vulnerability in the YAML parser has been known for six years, right. And I don't see this as any different, in a lot of ways, from, like, existing open source problems.
E
Right, like, how do you get more people in the, in the industry to contribute to open source? Well, you've got to convince them that they're, they're not going to get fired because they're engaged in open source work, or they can do it in a way that, like, you know, their employer is not going to be entirely upset with them, right. I know exactly, you got, I mean, you, Michael and Michael have managed to figure this out.
B
I think, frankly, a little sympathy to the current end users is really valuable. Sometimes I find that the obvious fix, "well, hey, we'll just rewrite the whole API and everyone will switch." No, they will not, or it'll take you 10, 10, 15 years of unnecessary pain. I think sometimes when you're at that point, step back: is there a way to do this without causing the pain? Not always, but often you can, and I, I think a little bit of extra looking at that consultation, a...
D
End User Working Group, yeah, they are living and walking through those things. We're at time, thanks everyone. Thank you, thanks. Everybody, bye.