From YouTube: Alpha Omega Project Public Meeting (May 6, 2022)
B
C
E
F
C
D
Yeah
I
if
I
may
interrupt
real,
quick
one
phrase
that
I
think
has
been
helpful
is
the
phrase
office
hours
you
know
yeah.
I
I
find
that
actually
a
mentally
helpful
phrase.
You
know
they
come
with
questions,
we
don't
we
don't
know
all
answers,
but
we
may
know
some
and
the
the
opportunity
for
that
conversation.
C
So
I'll
start
by
saying
you
know
when
I,
when
I
distill
it
down
to
its
absolute,
you
know
purest
essence.
Alpha
omega
is
about
seeing
how
well
we
can
turn
money
into
security,
quickly,
more
money,
more
security,
more
quickly
which
money
works
and
doing
more
of
that.
The
action
item
that
is
on
our
plate
number
one
is
hiring
people
to
actually
do.
C
Doing
it
in
our
volunteering
time,
with
jorie's
and
david's
and
other
people's
help
on
a
regular
basis,
and
then
the
first
section
out
of
that
is
to
document
the
work
that
we're
doing
and
how
we're
doing
it
so
that
people
can
actually
read
and
benefit
from
and
contribute
to
how
we're
doing
it,
and
we
acknowledge
that
we
are.
We
are
there's
more
that
we
can
publish
so
that
that
feedback
is
well
taken
and
very
much
in
line
with
what
we
want
to
do.
H
One
for
that
I
mean
we
are,
you
know,
so
we
announced
the
node
engagement
three
weeks
ago
two
weeks
ago,.
F
H
Mid
last
month,
so
that
was
the
one
that
I
could
that
we
couldn't
really
talk
about
last
night
at
this
call.
So
so
so
we
have
that
one
more
to
come
there
we
do
want
to
have
periodic
check-ins
with
the
node
team
and
documented,
like
artifacts
of
like
what
you
know
like
like
specifically
like
what
are
they
doing
before
this,
so
so
that'll
that'll
be
come.
I
would
imagine
by
next
month
this
time,
we'll
probably
have
more
of
that
information.
I.
A
I
can
add
just
on
on
that.
I
had
hoped
to
be
able
to
come
to
this
meeting
with
an
update
from
our
first
meeting
with
the
node,
the
the
node
team,
that
that
we've
secured
what
that
was
supposed
to
be
on
may
the
fourth.
We
had
a
a
tragedy
this
last
week
in
the
lf
family,
and
so
that
was
cancelled
and
rescheduled
for
may
the
11th.
A
So
that's
when
the
node
team
will
be
meeting
to
discuss
the
metrics
and
framework
that
we'll
be
reporting
out
to
alpha
and
to
open
ssf.
H
So
that's
kind
of
what's
going
on
with
with
alpha.
We
do
have
a
couple
other,
let's
say
engagements
in
the
hopper
they're,
not
at
the
point
where
we
can.
H
We
want
to
talk
about
them,
but
I
would
expect
over
the
next,
let's
say
eight
weeks,
eight
or
ten
weeks
to
have
more
more
good
stuff
announced
on
the
omega
side
we're
trying
to
move
in
with
something
because
without
having
a
security
analyst,
an
engineer
hired
to
do
the
work,
it's
kind
of
hard
to
like,
like
alpha's
alpha's
easier
for
us
to
like
write
a
check
and
get
something
done.
Omega
kind
of
needs
hands-on.
H
So
we're
doing
we
started
an
experiment
this
week
to
run
a
bunch
of
security
tools
against
a
bunch
of
open
source
projects
and
if
the
results
come
back
completely
clean,
meaning
no
one
needs
to
triage
anything
because
there's
nothing
to
triage.
Then
we
automatically
publish
a
security
review
to
the
security
reviews
project.
This
is
an
experiment.
H
It
will
we'll
see
what
goes
on
with
that.
I
have
a
pull
request
with,
I
think,
15
or
so
of
these
initial
reviews,
just
to
just
to
say,
like
everything
else.
Having
to
do
with
this,
it's
an
experiment
so.
H
Watch
what's
going
on
there,
you
guys
have
any
questions,
topics,
anything
else
like
helping.
How
can
we,
what
do
you
want
to
talk
about.
A
Can
you
participate
in
the
may
11
meeting
and
that's
a
great
question
that
is
a
meeting
with
the
node
tsc
and
the
security
staff
that
the
alpha
omega
project
has
helped
us
secure.
I
think
they
are
looking
to
keep
that
closely
held
to
the
tsc
at
this
point,
but
we'll
be
reporting
out
really
soon
thereafter.
A
What
the
outcomes
of
that
meeting
are
and
then
open
it
up
to
the
broader
community,
because
you
know
one
of
the
objectives
here
is
to
facilitate
more
participation
in
node
security,
from
the
broader
like
contributor
base
and
and
all
of
that,
so
the
answer
is
probably
not
for
the
may
11th
meeting,
but
very
probably
for
things
thereafter
and
and
the
may
11
meeting
will
will
kind
of
generate
what
that
looks
like
and.
H
Thing
and
they
can
show
up
when
they
can,
but
we'll
do
that
for
all
the
alpha
projects.
F
H
No,
so
for
for
node
we're
particularly
looking
for
two
things
number
one:
how
is
the
node
project
handling
security?
So
if
you
report
a
vulnerability
to
the
node
project
and
they
whatever
they
drop
it
on
the
floor
or
they
are
really
slow
to
respond
or
they're
just
overworked
like
improving
that
to
to
get
that
vulnerability
fixed
in
a
more
rapid
way,
whatever
the
vulnerability
is.
These
are
vulnerabilities,
though,
in
the
node
runtime
or
the
packaging
around
that
or
anything
like
it's,
not
random,
npm
projects.
Nor
is
it
like
the
v8
runtime.
H
So
a
great
example
would
be
making
sure
that
static
analysis
and
fuzzing
and
whatever
else
is
needed,
is
well
integrated
into
their
their
processes.
As
an
example.
F
Now,
what
what
I
meant
is
that
if,
for
example,
someone
can
pass
some
parameter
to
a
javascript
function
which
will
cause
node.js
and
timecare,
will
it
constitute
automatically?
Will
it
be
automatically
considered
as
vulnerability?
C
I
think
I
think
the
real
answer
to
your
question
here
is
we're
not
the
people
to
answer
that
question
and
I
would
say
that
right
now,
node
doesn't
have
to
their
level
of
satisfaction
and
certainly
we'd,
encourage
them
to
have
more
a
well-defined
process
for
deciding
whether
that's
a
vulnerability
or
not,
and
a
set
of
principles
that
help
them
make.
That
decision
and
I
think,
also
process
for
actually
dealing
with
it
when
they
do
decide
it's
a
vulnerability.
So.
E
C
All
those
dimensions
that
they
want
to
be
better
and
by
the
way,
I'm
I
don't
want
to
be
damning
them
with
fame
praise
they're
doing
an
awful
lot
as
it
is
over
here.
There's
a
lot
of
smart
people
working
across
it,
but
our
goal
right
now
is
to
give
them
a
dedicated
resource
to
really
up
level
across
the
org.
What
they're
doing
so,
your
question
is
entirely
relevant
and
needs
to
become
a
conversation
within
the
node
community.
Not
ours.
A
I
do
think
that's
an
interesting
question
and
that
you
know
one
thing
that
we
might
learn
how
to
do
better
out
of
this
process
is
like
where
to
surface
and
to
whom
to
surface
things,
because
that's
a
question
that
we
get
at
tc39
you
know
is
this
a?
Is
this
an
issue
with
the
spec?
Is
this
an
issue
with
the
browser?
A
Is
this
an
issue
you
know,
and
so
we
we,
I
think,
we'll
we'll
start
to
learn
more
about
how
we
can
map
out
that
space
for
developers
when
they
run
across
problems
and
where
to
report.
C
Jerry,
I
think
you're
100,
correct
and
I
think
part
of
our
intent
about
working
with
node
and
other
projects
and
foundations
is
to
broaden
our
organizational
awareness
of
the
challenges
and
patterns.
Here
is
alpha
omega,
going
to
solve
the
vulnerability
management
life
cycle
and
you
know
or
disclosure's
life
cycle.
No,
are
we
going
to
be
part
of
the
conversation
with
the
working
groups
and
other
foundations
that
do
with
it?
Absolutely.
G
Go
ahead,
jordan,
okay,
sure,
thanks
yeah!
So
I
just
like
that
particular
question.
I
think
the
problem
in
the
whole
security
industry
is
that
the
nuance
required
to
answer
that
question
is
rarely
applied.
The
npm
ecosystem
sees
a
ton
of
cves
that
are,
in
my
opinion,
should
never
have
been
cbes
they're
self-attacks.
G
Anything
that
requires
you
to
attack
yourself
is
not
a
vulnerability
and,
like,
I
think
so.
My
concern
is
more
on
the
omega
side
of
it
than
the
alpha
side
of
it,
but,
like
I
think,
getting
these
resources
built
up
in
node,
for
example,
and
creating
a
well-established
experts
and
like
precedent
of
applying
this
nuance
will
really
help
the
long
tail
of
the
ecosystem
have
something
to
look
to
and
to
follow,
to
be
able
to
make
more
properly
nuanced
decisions
about
this
sort
of
thing.
C
Yeah,
I
think
that
jordan,
I
totally
agree.
I
would
love
for
us
to
be
able
to
start
to-
and
I
guess
a
lot
of
soft
words
that
be
able
to
start
to
eventually
get
to
the
end
state
we
want
is
a
sort
of
progression
of
guidance,
playbook
process,
tooling
trusted
tooling,
to
manage
the
decision
flow
and
the
actual
disclosure
of
you
know.
C
These
things
like
you
know,
and
and
for
that
to
be
something
that
is
fully
transparent
across
the
space
in
terms
of
people,
know
how
these
decisions
are
reached
can
understand
how
these
decisions
are
reached
without
necessarily
seeing
the
you
know,
the
vulnerability
being
disclosed
before
we've
actually
had
the
conversation,
because
we
have
like
we
said
many
times.
We
really
don't
want
to
be
a
bank
of
zero
days
anywhere
right,
but
sooner
or
later,
there's
going
to
be
a
pile
of
stuff
flowing
through
some
system
right,
you
don't
also
want
to
be.
You
know.
C
Bob
from
accounting
has
a
piece
of
paper
with
the
zero
day
written
on
it.
So
what
is
the
right
operational
model
for
the
industry
writ
large
and
I
think
most
likely
we're
going
to
end
up
where
the
foundations
start
to
become
the
right
locus
of
control
for
that
within
their
space,
but
with
support,
maybe
tooling,
support
and
definitely
process
and
experience
and
guidance
from
joint
experiences
across
the
open,
ssf.
D
Yeah,
so
yes,
but
but
now
I've
discovered
how
to
raise
my
hand.
I
I
didn't
know
how
to
do
that.
I
just
didn't
so
all
right,
so
you
know
that
earlier
question
kind
of
triggered
a
a
thought,
which
is,
I
think,
in
general,
for
for
security
from
development
through
distribution
writ
large.
D
The
one
of
the
things
I
certainly
encourage
is
in
general,
trying
to
think
systematically
think
trying
to
identify
what
seems
to
happen
over
and
over
again.
Is
there
a
systematic
way
we
can
prevent
that
in
the
future.
There
is
no
way
alpha.
Omega
can
do
all
things.
That's
just
not
not
reasonable.
There
are
some
things
alpha
omega
can
do
and
it's
what's
the
handoff.
D
I
see
well,
I
guess
that
is
another
system,
so,
but
I
you
know,
obviously
there
are
things
that
it
is
scoped
to
do
and
hooray
for
that.
I
think,
as
I'm
expecting
that
as
alpha
omega
goes
through
they're
going
to
identify
some
other
systemic
issues
and
then
they
will
raise
that
over.
D
Probably
to
you
know,
if
there's
an
existing
working
group
say
hey
go
go,
can
you
can
I
talk
into
working
on
that
or
if
there
really
isn't
a
home,
maybe
bringing
it
up
to
the
pack
and
saying
I've
noticed
a
stem
against
you.
You
know
so
you
know
no
project.
No
individual
can
do
everything,
but
it's
okay
to
identify
these
ideas
as
systemic
issues
and
if
it's
not
in
scope
within
this,
that
doesn't
mean
it's
dead.
D
That
just
means
that
hey
we're
going
to
try
to
make
sure
that
at
least
it's
raised
and
if
there's
agreement
that
that,
in
fact,
that's
a
problem
that
those
other
pieces
can
get
worked
on.
I've
had
a
whole
bunch
of
discussions
of
different
issues
and
things,
including
you,
know,
gee.
Why
are
all
these
problems
within
npm?
Well,
there
are
reasons,
but
there
are
also
opportunities,
and
you
know
it,
and-
and
so
I
I
think,
there's
there's
ways
to
even
if
they're
not
going
to
be
addressed
within
alpha
omega.
D
E
Oh
lower
the
hand
now
because
the
chair
is
acknowledged,
I
think
it
was
one
of
the
michaels
who
mentioned
something
about
having
having
a
collection
of
zero
days.
In
my.
C
E
Them
yeah
but
yeah,
but
that
was
the
intro.
To
my
to
my
comment,
I
have
I
have
a
bit
of
ancient
history
to
share
and
it
goes
back
to
the
late
1980s.
E
E
C
Yep
and
it's
it's.
E
But
there
is
this:
this
middle
middle
middle
area,
where
somebody
can
be
a
mediator
for
security
problems.
I.
C
Think
that's,
they
will
yeah
yeah
you're
on
the
right
track
there.
I
think
that
this
is
where
different
foundations
will
play
more
assertive
and
supportive
roles
right.
Just
look
across
the
different
major
foundations.
Not
everything
is
in
linux
foundation,
there's
really
important
projects
and
each
of
them
actually
have
their
own
flavor
of
like
what
the
foundation
does
supports,
centralizes
or
whatever,
without
knowing
what
I'm
talking
about,
though
I
I
I'm
imagining
that
you
know
there
are
some
interesting
things
like
essentially
vulnerability
life
cycle
like
vulnerability
disclosure
as
a
service,
without
even
knowing
what
that
means.
C
C
They
don't
have
to
worry
about
managing
these
things
and
doing
it
right
and
I'm
and
now
just
because
of
this
conversation
starting
to
imagine
what
would
it
look
like
for
us
to
have
a
you
know,
a
stack
of
capabilities
that
go
all
the
way
from
here's,
a
bunch
of
open
source
components.
You
can
run
to
help
yourself
manage
it
for
yourself
up
to
vulnerability
disclosure
as
a
service
run
by
some.
C
F
D
C
G
G
I
like
the
alpha
omega
concept,
because
it
kind
of
covers
the
long
tail
which
is
often
ignored,
but
I
also
think
the
long
tail
is
much
more
important
and
much
harder
to
target
in
the
sense
that
if
there's
a
security
issue
in
node,
let's
say:
there's
a
lot
of
people
and
a
lot
of
companies
and
a
lot
of
money
already
paying
attention
to
that,
and
it's
great
that
they
are
there's
some
money
injected
to
centralize
that
in
node
core
itself,
of
course.
G
But
I
am
the
sole
maintainer
of
over
10
of
npm's
download
traffic.
That's
a
lot
of
security
responsibility
to
rest
with
the
whims
of
an
individual
who
has
paid
virtually
nothing
for
that.
H
So
I
would
argue
that,
by
nature
of
of
being
responsible
for
10
of
npm
traffic,
you
probably
qualify
as
a
critical
project
or
as
a
critical
entity,
in
which
case
like
I
wouldn't
like,
and
no
no
promises
like.
Don't
don't
quote
me.
This
is
being
recorded,
but
whatever
like
it
would
make
sense
on,
on
paper
at
least
to
have
a
conversation
with
you
about.
H
You
know.
What
do
you
need
right.
G
And
I
mean
I
would
certainly
appreciate
that
attention
and-
and
I
would
like,
but
but
not
because
of
the
impact
it
has
on
me-
I
fully
employed.
G
You
know,
full-time
employee
engineer,
although
I
wouldn't
turn
down
my
fair
share
of
whatever
contributions
there
were,
but
more
because
there
are
many
other
individuals
who
are
similarly
critically
positioned,
who
are
wildly
underfunded
and
who
may
not
have
a
similar
employment,
and
so
I'm
I
want
to
use.
G
You
know
I
like
again,
I'm
not
going
to
turn
down
my
fair
share,
but
I
want
to
use
my
access
to
advocate
for
that
traditionally
under
addressed
group
and,
like
I
see
the
same
with
with
open
collective
patreon
sponsor
stuff,
everyone
knows
about
like
webpack
and
babble
and
typescript
and
eslint,
but
like
nobody
knows
about
the
3
000
developers
whose
pieces
contribute
to
that,
and
so
I'm
really
pleased
that
the
omega
parts
in
there.
So
I
guess
the
this
all
rambly
leads
back
to
my
question.
G
Is
there
it
kind
of
doesn't
matter
which
one
is?
First,
you
have
to
do
something
first,
but
like
what's
the
next
step?
Is
it
going
to
be?
On
the
other
end,
so
that
we
can
kind
of
so.
C
I
I
want
to
I
want
to
try,
I
think,
there's
a
misconception
that
you're
working
from
and
if
I'm
wrong,
we'll
go
there.
Omega
like
alpha
omega
is
not
a
first
of
all.
It's
an
experiment,
everything
we
do
we're
doing
small
and
learning
how
it
works
and
seeing
what
things
like
that-
and
so
you
know,
if
you're
gonna
turn
money
to
security,
which
things
work
well
and
also
pragmatically,
where
we
now
don't
have
humans
yet
for
our
jobs.
So
we're
gonna
do
things
that
can
leverage
other
people's
ability
to
find
humans.
C
But
I
don't
think
that
there
is
a
future
in
which
alpha
omega
and
I'm.
This
is
perhaps
a
strong
statement.
I
am
not
currently
on
a
path
where,
where
the
omega
piece
of
alpha
omega
becomes
a
funding
vehicle
to
ensure
that
that
long
tail
of
projects
that
all
deserve
more
resources
get
those
resources,
that's
not
the
goal
of
omega
sure,
and
I
think
that
it
brought
separate
open,
ssf
conversations
and
many
large
organizations
who
are
very
much
worried
about
the
problem.
You're
describing
right.
G
And,
and
while
I
agree
with
you
like
I
like
I-
I
wasn't
assuming
that
that
was
the
goal
of
open
ssf's
project
here,
like
it
and
it
okay.
It
wouldn't
be
reasonable
to
expect
open
ssf
to
be
the
funding
source
period
right,
but
security
like
I.
I
see
it
as
a
precondition
for
security
here
that
maintain
that
a
critical
maintainer
has
levers
on
them
to
do
the
right
thing
so
that
if
they
have
a
bad
day
or
a
disastrous
week
or
something
they
can't
violate
a
bunch
of
security,
best
practices.
G
G
C
Everything
you're
saying
is
true:
you
know
it's
a
fundamental
principle
of
getting
big
things
done
with
organizations
is
smaller
teams
know
what
their
boundaries
are,
and
other
teams
like
that,
but
you're
raising
a
thing
which
is
keeps
coming
up
in
conversations.
It'll
come
up
next
week
at
the
white
house
summit
as
well
around.
C
How
do
we
as
an
industry
right
address
that
problem,
because
you
can't
and
honestly
it's
not
even
a
question
just
giving
enough
money
to
those
people,
because
one
of
the
funds
is
being
a
security
person
is
not
the
same
thing
as
being
a
person
who
can
write
good
whatever
code.
It
is
right
right
and
so
there's
a
different
set
of
skills
and
applying
those
at
scale
right.
There's
a
non-fungibility
of
human
resources.
Now
you
could
say
we're
going
to
apply
a
lot
of
humans
to
a
thousand,
even
if
it's
just
javascript
right
right.
C
G
C
H
I
was
gonna
so
so,
if
I
take
my
alpha
mega
hat
off
and
put
on
my
open
ssf,
more
generally
hat
on
what
would
you
need?
If
so,
so
you
you
so,
and
it's
not
not
really
about
you
and
your
projects
in
particular,
but
as
much
as
you
represent
maintainers,
that,
like
small,
maintain
single
maintainers
that
maintain
a
lot
of
stuff.
H
C
H
G
Yeah
I
mean
like
I,
I
I
have
somewhat
of
a
unique
situation
I
think,
but
in
general
terms
like,
I
have
never
had
the
option
to
quit
my
job
in
full-time
work
on
open
source.
The
number
of
critical
open
source
developers
that
have
that
option
is
probably
in
the
single
digits
like
period,
not
just
in
javascript,
and
I
like
my
job.
I
don't
I'm
not
asking
for
someone
to
give
me
enough
money
to
quit.
G
G
G
The
the
economy
and
safety
of
companies
and
countries
shouldn't
rest
on
my
altruism
in
any
way
and.
G
The
way
things
work
in
capitalism
is
that
people
are
paid
to
do
jobs,
because
the
threat
of
losing
that
money
ensures
that
they're
going
to
do
a
good
thing.
There's
a
lot
of
things
you
can
get
fired
for
that
aren't
criminal,
but
you
don't
do
them,
even
if
you
don't
have
any
ethical
boundaries,
because
you
want
to
keep
getting
the
paycheck
and
similarly
speaking,
open
source
maintainers
need
enough
of
a
carrot
so
that
the
the
cost-benefit
analysis
of
doing
unethical
things
so
that
the
calculus
changes
and
it
no
longer
becomes
an
option.
G
And
you
know
the
there's,
there's
a
bunch
of
philosophical
debate.
One
could
have
about
that.
But
if
one
accepts
capitalism
as
a
given
then
like
that
is
something
we
want.
Is
we
want
money
to
be
a
lever
because
that's
how
it
works.
G
So
I
I
guess,
like
my
magic
wand,
would
be
if
every
company
donated
0.01
of
their
profit,
not
even
revenue.
G
To
the
open
source
software
that
is
part
of
their
stack,
I
feel
like
we
would
no
longer
be
having
discussions
about.
Is
there
enough
money
in
open
source?
We
would
be
having
discussions
about
what's
the
best
way
to
channel
it.
A
A
If
the
hell
of
the
internet
is
coming
down
on
me,
because
I
something
happened
and
my
package
was
exploited
and
now
you
know
everybody's
looking
at
me,
the
maintainer
of
this
to
to
to
deal
with
it-
and
you
know
and
you're
not
certainly
not
getting
compensated
to
to
deal
with
that
and
you
and
the
maintainers
may
not
also
have
their
resources
available
to
deal
with
such
a
an
incident
either,
and
I
think
that's
where
sometimes
you
just
see
these
folks
put
it
down
and
walk
away
and
say
not
my
problem
anymore.
A
Y'all
y'all
deal
with
it.
What
can
and
I
think
that's
probably
a
more
frequent
occurrence
than
somebody
saying-
I'm
not
getting.
I'm
I'm
actually
just
not
getting
paid
enough
to
do
this.
So
you
know
peace.
H
I
think
it's
interesting,
I
think
perhaps
the
I'm
just
thinking
out
loud
here,
so
this
may
be
a
terrible
thought,
but
perhaps
the
altruism
that
drives
so
many
open
source
maintainers
is
in
some
ways
working
against
them,
because
if,
if
the
normal
occur,
if
the
normal,
like
the
way
this
worked,
was
you
know,
someone
found
a
terrible
vulnerability
in
in
a
project
and
the
maintainer
said
great
it'll
cost
thirty
thousand
dollars
for
me
to
to
to
fix
this
here's
the
link
as
soon
as
it
hits
thirty
thousand
dollars
I'll
I'll,
publish
a
release
like
I
wonder
what
that
would
I
mean
I
I
don't
because
we
are
where
we
are.
H
I
don't
see
a
road
of
getting
from
here
to
there,
but
it'd
be
interesting
in
like
a
parallel
universe
if
things
had
developed
that
way
where
it
was
much
more
financial
incentives
and
transactional-
and
you
know-
oh,
you
want
a
new
version
of
this.
You
want
this
feature.
It
features
500
like
that's,
that's
the
cost
of
it,
in
which
case
it
there
is
more
of
a
well.
The
incentives
are
just
different.
A
There
was
an
experiment
like
that
in
the
standards
space.
Let
me
see
if
I
can
find
it,
it
was
egelia
did
it
where,
basically,
they
were
saying
you
know
here
are
a
few
different
ideas
for
improvements
we
can
make
to
these
different
web
apis.
A
If
we
receive
funding
on
the
open,
collective
for
x
amount
of
dollars,
we
will
we
will
go.
Do
those
and,
and
people
could
pledge,
with
their
with
their
bank,
account
to
see
it
and
come
for
open
prioritization.
That's,
what's
called
a
full
link
to
it.
E
There
you
go,
no,
no,
but
it's
using
the
wrong
mic.
It's
supposed
to
use
it's
supposed
to
use
this
microphone,
but
it
doesn't
all
right.
You
know
good,
I'm
still
intrigued
by
the
the
omega
end
of
the
spectrum,
where
order
of
one
maybe
two
persons
are,
are
you
know
creating
the
software
and
it
ends
up
being
used
in
unexpected
places.
E
I
yeah
I
I
have
I've
noticed
that
that
the
software
that
I
that
I
wrote
ends
up
being
scanned
by
conference
and
all
those
other
products
because
well
they
they
want
to
do
a
good
thing
and
and
get
some
recognition
too,
but
they
don't
leave.
They
don't
really
fix
all
the
problems
they
just
you
know
they
do
things
that
maybe
I
should
have
done
anyway,
but
yeah
finding
finding
ways
and
models
to
address
that
other
end
of
the
spectrum.
That
is,
I
think,
an
intriguing
problem.
H
Yeah
yeah,
and
so
so
the
the
approach
that
we
are
at
least
taking
initially
is
you
know
it?
I
think
it's
easier
to
experiment
with
a
closed
group
where
you
know
as
a
as
a
full-time
hire.
This
is
there.
You
know,
we
know
we're
getting
40
hours
a
week
of
you
know,
triage
and
and
fixes
and
reporting
and
whatnot
it's
come
up
very
frequently
on,
like
is
did
like.
Where
does
this
intersect
with,
like
bug
bounty
patch
bounty
like?
H
How
can
we
leverage
the
community
in
such
a
way
that
we
disclose
like
in
a
responsible
way
and
and
and
avoid
just
an
enormous
overhead
of
you
know,
though
they
would
manage
that
at
some
point,
though,
like
I
don't
think
that,
like
omega
is
not
gonna
scale
to
a
hundred
secure
or
a
thousand
security
researchers,
I
don't
know
what
the
right
number
that
society
needs.
Maybe
the
answer
is
it's
a
bit
of
both
where
it's
you
know
some
full-time
staff
and
some
kind
of
trusted.
H
Third
parties
that
are
paid
by
the
by
the
whatever
in
terms
of
getting
work
done.
H
I
would
imagine
both
we
haven't.
I
don't
think
I'm
not.
I
don't
think
that's
come
up.
It
should
just
be
known
as.
G
H
G
So
the
only
place
node
is
officially
distributed
is
their
website,
which
has
some
binaries.
I
believe
they
also
distribute
docker
images
which
may
have
the
same
content.
If
I
look
at
the
specific
like
there's,
I
don't
know
10
to
15
pre-compiled
binaries.
It
won't
cover
every
operating
system
in
every
situation
you
have
to
compile,
if
you're,
not
in
in
one
of
that
list
and
then
there's
a
bunch
of
unofficial
places,
including
node
source
and
the
default
app
repo
and
a
bunch
of
others
yeah.
A
If
this
takes
us
away
from
where
you
wanted
to
go
david,
we're
happy
to
save
this
for
another
time,
but
where,
when
we
think
about
the
the
support
from
the
engineering
hire
that
the
alpha
omega
project
will
will
hopefully
have
soon
how
much
of
what
they're
going
to
be
doing
is
thinking
about
like
tooling,
and
this
kind
of
support
question
for
omega
versus
other
things.
Like
I
mean,
that's
actually
a
good
question
for
me,
because
I'm
trying
to
find
these
people.
H
So
the
the
intent
of
the
two
that
that
would
be
that
the
the
engineer
and
the
security
analyst
like
work
side
by
side,
the
security
analyst
is,
I
mean
they
both
have
both
engineering
and
security
chops.
I
guess,
but
the
engineer
is
more
on
the
triage.
This
is
this
vulnerable.
How
would
one
fix
this?
What
are
the
trade-offs?
Is
this
real
all
of
that
stuff
and
the
engineer
their
primary
mission
is
to
make
the
machine
that
generated
that
finding
for
the
security
analyst
to
have.
H
You
know
no
false
positives
and
no
false
negatives.
You
know-
or
at
least
kind
of
so
driving
that
so
so
the
the
and
the
reason.
I
think
that
the
engineer
is
critical
is
I
forgot
who
who
said
it
before.
H
But
you
know,
tools
are
noisy
and-
and
you
know,
every
false
positive
that
pops
out
is
wasted
time
and
money
and
every
false
negative
that
the
tool
doesn't
find
is
risk
that
we
are
ignorant
to
so
having
having
those
two
kind
of
be
a
partnership
team
to
continually
improve
the
tools
either
in
feedback
back
to
the
tool,
authors
or
new
rules
or
better
rules
or
whatever
to
kind
of
make
that
happen.
H
So
yeah,
so
I
see
both
of
them
being
primarily
focused
on
omega.
It's
possible
that,
after
a
year
of
iteration,
the
engineer
would
have
cycles
freed
up
to
tackle
adjacent
problems,
but
I
would
say,
for
the
for
a
while
it'll
just
be
on
tool
tool
tuning.
D
Yeah,
if
I
could
jump
back,
I
want
to
jump
back
to
the
previous
question
about
node
and
specific
platforms.
If,
if
I
recall
cr,
I
don't
remember
really
ever
discussing
one
platform
versus
another,
so
as
as
long
as
it's
a
platform
that
node
supports,
then
I
think
it's
a
platform
that
we
would
care
about
because
they
care
about
it.
I
mean,
if
there's
a
vulnerability,
found
that
only
affects
one
platform,
then
I
would
expect
that
node
would
want
that
fixed.
We
would
want
that
fixed
now.
D
I
do
suspect
that
if
there's
any
issues,
most
of
them
are
not
going
to
be
specific
to
a
platform.
Frankly,
but
you
know
I
can
be
proof
wrong
and-
and
you
know
I
I
think
we
just
want
to
make
sure
that
it
work
that
we
squeeze
out
as
many
vulnerable
as
we
can,
regardless
of
the
platform
that
folks
use
it
on
at
least
that's
my
expectation
coming
in,
and
somebody
can
tell
me
otherwise.
H
I
I
would
imagine
that
if
node
had
like
specific
work,
that
was
targeting
a
very
long
tail
operating
system.
So
you
know
16-bit
windows,
I
hope
they're
not
supporting
16-bit
windows,
but
if
they
did-
and
there
was
a
bug
that
just
that
that
just
affected
that
and
they
were
like
well,
we
have
this
dollar.
Where
should
we
spend
it?
We
would
say
not
on
the
16-minute
windows.
D
Fair
enough,
fair
enough,
but
but
I
think,
on
the
more
commonly
used
ones
you
know
I
think
there'd
be
a
desire
to
fix
no
matter
what
and
really
so
much
of
node
it's
not.
I
don't
think
most
of
node
is
platform
specific
frankly
or
a
lot
of
it.
Isn't
I.
D
Yes,
yes,
but
I
mean
that's,
that's
a
separate,
separate
topic.
A
I
have
a
different
topic
if
we're
ready
to
change.
Well,
it's
still
the
same
topic
subtopic,
which
is
y'all,
had
asked
async
what
kind
of
like
citable
data
like
we
could
be
reporting
out
to
the
community.
That
would
be
interesting,
and
so
I'd
like
to,
I
guess,
ask
discuss
that
as
a
group
like
what
kind
of
what
what
do,
what
what
facts,
what
info?
A
H
I
think
what
was
one
of
the
simple
metrics
that
we'd
certainly
collect
is
like
number
of
vulnerabilities
found
and
fixed.
You
know
we,
I
think,
for
the
alpha
projects
having
the
narrative,
you
know,
via
monthly
or
quarterly
kind
of
updates
of
you
know.
This
is
what
you
know:
we've
streamlined
the
build
process
to
blah
blah
blah
and
it
it's
you
know
and
draw
a
line
to,
and
this
is
good
for
security,
because
I
think
that
that
makes
sense,
I
I
do
think
we're
gonna
have
to
like.
H
Maybe
if
we
think
ahead
six
months
and
say
what
like?
What
do
we
want?
Our
you
know,
october
or
november
announcement
to
be
on
like
looking
back
over
the
path
over
the
first
six
months
of
alpha
omega,
like
we've
achieved
blah
blah,
blah
and
kind
of
start
with
that
and
and
kind
of
work
backwards,
at
least
to
the
types
of
things
we
want
to
do.
A
I
didn't
figure
he
would
but,
but
I
mean
seriously
like
it
would
be
kind
of
an
interesting
thing.
Taking
the
like
soul,
maintainer
metric
of
some
kind
metrics.
G
G
Yeah,
I
mean,
I
think,
the
the
trick
about
talking
about
single
maintainers
and
this
I've
already
brought
this
up
with
the
security
scorecard
folks
is
nobody's
a
single
maintainer
by
choice,
and
so
penalizing
that
does
not
help
anyone.
F
G
Incentivizing
additional
maintainers
is
the
only
thing
I
can
think
of
that
would
fix
that
problem
and
that's
to
our
earlier
discussion.
That's
another
thing:
money
can
help
solve,
but
not
solve
alone.
H
G
D
And
if
I
may
add
the
trustworthiness
because
and
trustworthiness.
D
D
H
I
wonder
so
in
in
the
you
know,
number
of
jordan
satisfied
per
month
metric,
which
I'm
gonna,
I'm
gonna,
have
to
start
using
like
what
I'm
suspecting
is
that
there
are
a
relatively
small
number
of
individuals
like
you
that
maintain
a
vastly
outsized
impact
on
on
the
relative
ecosystem.
B
H
G
That
would,
with
a
caveat,
which
is
that
or
a
condition
which
is
that
such
an
entity
would
need
to
have
demonstrated
a
repeated
long.
History
of
balancing
maintainer
needs
sufficiently
in
a
way
that
the
current
security
industry
very
much
does
not
do
so.
It
would
have
to
be
better
than
all
current
security
experts,
and
you
know
the
majority
of
them
shouldn't
be
two
absolutists,
but,
and
in
that
case,
maintainers
would
then
have
trust
and
rapport
with
this
group
such
that
it
was
a
fluid
and
efficient
exchange.
A
So
david
is
making
a
crack
about
a
high
council
of
maintainers,
but
honestly,
I'm
not
so
sure,
that's
a
bad
idea.
I
think
that
might
be
kind
of
an
interesting
idea
to
get.
You
know
y'all
together
at
some
point,
because
I'm
sure
that
there's
a
information
you
know
and
like
just
ideas
that
could
be
generated
from
that
group.
One
and
two
there's
probably
a
percentage
of
packages
out
there
that
we
could
say
all
right
like
this
class
like
y'all,
have
packages
you're
not
supporting
anymore,
like
that
should
be.
G
Well,
and,
and
also
there's,
somebody
who
has
an
outsized
impact
on
the
ecosystem
is
likely
to
be
vocal
about
some
things
and
people
vocal
about
some
things
are
likely
to
generate
interpersonal
conflicts
at
times,
and
it
is
in
everyone's
best
interest
that
any
you
know
the
folks
eligible
for
this
council
or
whatever,
are
able
to
freely
share
information
in
a
neutral
venue.
G
Even
when
such
interpersonal
conflicts
exist
there.
You
know
I've
seen
many
examples
of
high-profile
maintainers
having
little
spats
about
things
and
creating
a
norm
where
those
spats
can
continue,
but
they
can
still
show
up
in
one
neutral
place
and
kind
of
commune
on
important
things
around
security
or
best
practices,
and
things
like
that,
and
that
seems
like
a
valuable
thing
to
have.
D
Yeah,
if
I
may,
if
I
may
jump
in
you
know,
we
mentioned
npm
a
couple
times.
You
know
the
the
challenges
of
single
maintainer
projects
and
so
on
happen
everywhere.
I
think
for
for
various
systemic
reasons,
it's
way
more
common
in
in
npm,
and
we
can
talk
about
some
of
the
systemic
pressures
that
lead
to
that.
D
But you know what, I think part of it is just that there's a general social expectation that in npm the packages are much, much smaller, which encourages single maintainers, and finding a way to overcome that, so that it's not a single burden on someone, I think is wonderful. But I should note, by the way, that Jordan was crediting me for the "high council of maintainers".
D
I was really just doing a small riff on Jordan's "council of maintainers", but you know what, it may sound a little bit funny, but if it works, that's not crazy.
H
So if the right people were available to serve on this council, who had the right balance of subject matter expertise and really, really good people skills to manage everything, try it out for six months or a year and see if it was useful, and if it's not useful, then try something else. But it's not the kind of thing that, like, contracts don't need to be... other than being paid, there's no contract with the maintainers themselves.
H
It's a "we're available, leverage it if you'd like" kind of thing.
A
I think this is an interesting idea. We should explore it, yeah.
A
No, no, it's just giving me, like... just because, to one point that I think you started to make: some of this is the technical problem, and some of this is a human problem, right? Because people like yourself, who have done a lot for their respective ecosystem by, you know, providing all this support and labor and all that sort of stuff, aren't always consulted or supported or reached out to when GitHub decides to do XYZ as a security measure. And so, you know, maybe that is a good thing, but they're not considering how much of a lift that would be, and so, like...
A
Oh, here's a group you can reach. If you're considering a change, you can test that idea out with, you know, this group of people. That's one idea. Another, you know, is again, like, those folks kind of surfacing the packages that we've brought into the world.
A
These are the packages that we can take out of the world, and can get maybe help and resources from the respective package distros to handle. But I was just still concentrating on this idea.
H
I'm imagining a scenario where, like, for a GitHub issue, something like, you know, "OpenSSF help" or "OpenSSF council call" is kind of tagged in some way that... because I don't, I'm not sure, like.
D
Yeah, if I could jump in here real quick, and I did raise my hand: so I actually have a citation. Census II actually reports some interesting stats about how important a relatively small number of contributors are. So I'm just gonna read the quote, but it's page 19, Census II, Harvard, which the LF funded, you know. So, basically, you know, look, 49 of the top 50 non-npm projects we looked at commits: 23 percent of the projects had one developer accounting for more than 80 percent of the code. 94 percent of the projects had fewer than 10 developers, who accounted for more than 90 percent. And looking at the top 15 99 pm, 136 developers were responsible for more than 80 percent of the lines of code.
D
You know, that's a snapshot, that's a piece, I'm sure that worn out, you know, this was one attempt to quantify the question. But I think we have quite a bit of evidence for what Jordan said earlier, that there's a relatively small number of people who are making massive contributions, to which we need to say, hey, thank you.
D
Thank you, Jordan. So, thank you. And b, we need to find a way to come alongside and help these awesome people.
B
Yeah, there's one metric I would love to see Omega have in six months, and that is the coverage of, you know, projects being looked at, and being, you know, the coverage in the npm ecosystem of, like, whatever that looks like, you know, of the top thousand most downloaded npm projects.
H
Love it. Thank you all very much. I really appreciate everybody's time. If you want to do a new conversation, join us on the Slack channel, or we'll try again next month, and hopefully there'll be some news out before then. So.
A
Do you have... Michael Scovetta and David Wheeler, do you have time to chat right now?