From YouTube: Alpha Omega Project Public Meeting (November 2, 2022)
A: Awesome, everybody. Well, welcome to the November 2022 Alpha-Omega public community meeting. This is a forum for you all to ask whatever questions, pointed questions, whatever you want. Our families are here, so welcome. If you would like to give an update on npm you're welcome; you don't have to, but this is a forum for anybody to chat about anything related to AO, current, future, past and all that. I do not have... this is my only slide, so.

A: I like the slide. I like that; the logo is top notch. So, is there...

C: I can start. I would just like to give an update on the Node.js side. This week, actually this past week, we opened two important pull requests. That includes the threat model for Node.js and also a document that we call Node.js security best practices. It's pretty similar to the one that I think Alpha-Omega, or...

C: Okay, yeah, he is creating. So basically we explain that some threats that might affect Node.js are not considered a vulnerability in Node.js, and what you need to do to guard against those threats. Those are very important documents and they were created through the security working group.

C: Yeah, actually I have a presentation. Yeah, where's yours... okay, let me start sharing with you.
C: So basically I have presented those slides at the Node.js Collab Summit. It's a summit that we have that week; it's a collaboration of the Node.js members where we discuss important stuff: what is the future of Node.js, what are the current threats, what are the current features, current bugs and so on. Basically it's pretty simple. I have shown the current security working group participants and the current initiatives.

C: I showed it, I don't know, three weeks ago or one month ago, more or less, and basically the active members are Facundo, Michael, Ulises and Thomas and, well, one more. The first initiative that we have concluded is one called Node.js vulnerability assessment workflow. I know this is a long name, but we don't have a better one, sorry for that.

C: Basically, one of the problems with Node.js, not just Node.js but any tool that depends on other dependencies: for instance, Node.js contains a bunch of dependencies, for instance nghttp2, OpenSSL, libuv and so on, and when those dependencies expose or disclose a CVE, we get notified by the users, or at least with some delay.

C: This workflow has the intention to basically run every night and check if there are any disclosed CVEs. So in case, let's say, OpenSSL just bumped a critical security release yesterday (we are operating today, by the way), we receive an issue telling us: okay, this is a new CVE.

C: We need to check whether those versions affect Node.js, and also it's a good way to perform assessments, because, for instance, there was a real vulnerability in zlib that does not affect Node.js, and users were complaining about this vulnerability, and that's a good repository where they can see if that affects their apps or not.

C: The second one is the threat model. Not too much to share about it, because it's pretty concise. Basically almost 40 percent of our HackerOne reports were closed as non-applicable or informative.

C: This is a clear indicator that security researchers don't know how Node.js works, because, for instance, let's say you install a package and this package performs malicious requests. It's not considered a Node.js vulnerability, but if the user installs it they can be infected by it. So we need to be clear on all the things that Node.js trusts and does not trust. That's the intention of this threat document, and the pull request was created and we are discussing it with the TSC probably next week.
B: Can I interrupt? This is really interesting and I'm curious. A general question to the group here: is there a standard practice of this system here? If you're going to report a vulnerability, here's our threat model, please express your vulnerability in terms of this threat model. Was that a common practice, and you guys are getting there, or... yeah.

C: Honestly, I don't have a strong background in that field to say, but I did some research before, and basically all the runtimes like Python or Java or PHP have their own threat model, and some vulnerabilities, some threats, can be applied to those runtimes but in different ways. For instance, supply chain attacks in Node.js are very common, but that's the way Node.js works.

E: If I may jump in real quick, I've seen some terminological differences. In my mind, as long as you get to where you're going, I don't care which words you use. Some people refer to this as the threat model; some people call these security requirements. I tend to call them security requirements, but whatever you call that, having some idea of what you're trying to achieve and not achieve is pretty important.

C: Yeah, totally. I mean, the idea of this document is to be a living document. I am pretty sure that we are missing a bunch of statements in the initial version of this document, but it will be built in collaboration with security researchers, because once we receive HackerOne reports we say: okay, it's missing in the threat model, then let's place that. But yeah, currently the name is threat model, but it might be something like "what Node.js trusts" or "what is not addressed".

C: Yeah, okay, just moving on. The idea when we started that initiative was just the threat model, but in the middle of that document we were adding a lot of explanation, and the target was not clear, nor the intention of the threat model.

C: The target of the threat model is security researchers, but we also want to provide a kind of explanation for end users: how they can secure the application, how they can understand how Node.js works under the hood without going deeper into the code. And then we created the Node.js security best practices document, for which we have a pull request.
C: I need to play this slide. By the way, we have a podcast for both and they are being analyzed. And that's important to say: most of our HackerOne reports are... who are our attackers? That is a fact: not just developers, but not just users. This is important to say: developers are more susceptible to vulnerabilities, because some of them just follow a hands-on tutorial on the internet, so they install a malicious package, like a package with a typo, that performs something very weird.

C: So let's assume that you are on Windows, okay, and you have OpenSSL installed, and that's pretty common, because let's say if you are on Windows and you install a game, you have OpenSSL, that's all. Then you have Node.js and you are following a tutorial on the internet that tells you to install "fastify" with an "e" at the end, with a typo, because it is a different one, and then this package basically contains a providers.dll inside that package.

C: And then, basically, every time that you require a module that requires OpenSSL, OpenSSL gets loaded, and by default it searches for providers.dll in the current working directory. Which means that if my malicious package contains a post-install script just to check the npm version, that internally calls require('crypto'), it will load the providers.dll from my current working directory. It will load my malicious DLL instead of the expected one from OpenSSL, and then the user will see the calculator. So that's... that's.

C: That was a real vulnerability in Node.js. It was fixed, hopefully, but yeah. That's the intention of how this thing works. And after this, well, we are basically saying in the threat model that if a package, or if a DLL, is not specified in the documentation that Node.js will try to load it, this is a vulnerability and needs to be reported to Node.js. This will increase the collaboration between Node.js developers and security researchers, and also I'm working on a test.

C: It is basically a test that will check what Node.js is loading on startup, and then we document it, and every time that we perform a pull request we check if that changes or not, just to prevent vulnerabilities. But you know, that was a crazy one. But that's all. I have another presentation about the permission system, but I'm still developing it, and once it's done I can share it here. Okay.
A: Two questions, and feel free, if this is outside of the bounds of what you want to talk about, just tell me to be quiet. The first one was on OpenSSL.

A: Specifically, do you guys feel like you have the right level of engagement for advance notification of... and it's not about OpenSSL specifically, but for the major tools that you include in Node as a platform. You know, I've put you guys on par with Ubuntu or anybody else in that... Essentially, did you get advance notification of the OpenSSL one, and if the answer is no, would exploring that further be helpful?

A: I know that it went from critical to high, so we kind of dodged the whole repair, but...

C: We do, actually. We just subscribe to their newsletter, and we receive a notification when there's an upcoming security release. The only thing that we need to work on is to receive the assessment before they release, because once they release the security release itself, we basically assess it on Node.js to check if that affects Node.js or not, and then we discuss internally.

C: When should we do the security release? Because normally a critical or high vulnerability should be updated as soon as possible in Node.js, right, but...

E: Can I jump in on this real quick? I think the OpenSSL one is a little unusual in that, for a lot of open source projects, the way you find out is: here's the patch. OpenSSL in this particular case basically gave a heads up to everybody publicly: we're going to have a release in a few days, at this particular date, there are some vulnerabilities we're fixing, get ready.

E: So that's a little unusual, frankly, in the grand world, but I think it can be helpful. So Rafael, let me put you on the spot a little bit: was it helpful for OpenSSL to have told you that at the time, and if so, is this something that we should encourage projects to do in general, to give a heads up that we're going to make a release on this date? Yeah.

C: Absolutely. Well, we received it, and normally when we see the assessment from OpenSSL, we start the workflow to perform a security release. Nowadays, a security release on Node.js is a tough operation. It requires at least four releasers, because it's 42 steps to perform a security release, because we have a well-defined workflow. We have some companies depending on it that need to get notified, and if we receive a notification like today, we can't do it, because it requires at least one week of effort.

C: So, for instance, if zlib disclosed a high vulnerability that affects Node.js today or tomorrow without prior notice, certainly it will affect Node.js in a bad way.
A: This is how things are done in those cases, and those are a relatively small list, but if Node thinks that getting access to that in advance of it being public would be helpful in getting a release out at the same time as when it goes public, which is kind of how Ubuntu did it, and some others like it, I would be happy to at least attempt to broker that conversation. So just putting it out there.

A: You know, if you think it would be useful. Yeah, a couple of days, and in this case it doesn't really matter, but in the future, you know.

C: Yeah, the case of Node.js is a little different from the vendors that use OpenSSL directly. We don't use the main OpenSSL; we use a forked version, because we use the QUIC protocol for the 16 and 18 versions, and basically when OpenSSL releases their fix, we wait for the fork, from Chromium I guess.

C: We use that fork because we have initiatives using QUIC, and probably in nghttp2.

C: Yeah, but usually they are very fast. For instance, it tends to be updated in one day maximum, so they are good. Cool, awesome.

E: Yeah, sorry, so it sounds like you do think that it's helpful to have at least the advance warning without the patch.

E: It might be... Michael's been asked about the one with the patch. Okay, because that's... Michael, this might be useful feedback to the Vulnerability Disclosures working group, because right now I don't think that giving an advance "hey, we're going to have one"... I don't remember if that's in their process. I don't think it is, but at least something to consider.

C: Yeah, totally. I mean, if all the dependencies did it, it would be awesome, because we need planning. Most of the folks working on Node.js don't work full time on it, so they need to schedule; they have a schedule to work on Node.js. So yeah.

C: We have some internal discussions on that, but I'm not part of it.

A: And then one other question: when you were showing the GitHub action that spits out... you know.

C: Basically it's a pretty simple Python script that looks at the dependency tree and checks if there are open vulnerabilities, open CVEs, that Node.js is not... it's not a war, but.

A: Thank you very much, really appreciate your collaboration.
A: All right, well, so the topic here. So I posted a message in Alpha-Omega last week, maybe, and there's an open issue about it in the repo. Essentially, I wanted to get everybody's thoughts on attestations. I'm not sure if it's an attestation or an assertion; I think it's actually an assertion, but it doesn't really matter. So here's a scenario: as part of the Omega analysis, we find an open source project, we run a bunch of tools against it, we get some output.

A: Now we could do that ourselves and just keep that information private, on which ones we looked at and what the results were, and eventually a component will get a vulnerability fix and everybody will benefit and all that. But as a consumer, and I mean as a consumer developer or a compliance department or whatever, knowing that that particular component was examined and found to be in one of those categories allows you to make different decisions. That gives you knowledge that you didn't have before.

A: So the question is: if Omega were to generate, and let's just keep this at an abstract level, an assertion saying that we ran this tool against this component and these were the results, aggregated. So, you know: we found there were no issues; there was an issue and it hasn't been triaged yet; whatever, things like that; we tried to reproduce it and we couldn't, or we could; we checked, here are the Scorecard values.

A: As of that moment in time. I don't know, you can think of other things other than static analysis too, but essentially we did some assurance work against a thing.

E: Well, just for me, but basically I think it is useful to know that, hey, a tool was run, it didn't find anything, while that doesn't guarantee things. Guarantees are hard, and I think a lot of organizations are looking for some information: I'm looking at this package, is there any indication of either problems or not problems?

E: Now I think you have to be a little careful if you do find a problem. I'm a little hesitant to make an indicator yet, for a variety of reasons, including the fact that for a lot of tools false positives are absolutely a thing. So I think attestations of "I ran a tool under some configuration and it didn't find anything, or didn't find anything at a critical or a high level" are useful. I'm really hesitant to help the attackers too much. I saw your note about, hey, the attackers...

E: They can run the public tools anyway, which is absolutely true, but it is a little extra work to run a tool as opposed to just downloading somebody else's work. So I hesitate to help the attackers too much with "look right here". But as soon as you get to the point where you can make an attestation that you don't find anything, or don't find anything at a certain level, I would say go for it. I don't think you need to say "hey, didn't find SQL injections". I mean, I...

E: So I'm not sure how strong... if you don't know the details about the tool, I'm not sure that that gives you much information, and it sure will be a whole lot of extra work for probably little gain. But yeah, "the tool didn't find something, or didn't find something at certain levels", I would certainly like to know that, of this version. Obviously version...

E: Version of, you know, a version of the tool, but more importantly the version of the software, because obviously 2.0 may have zero vulnerabilities while 1.0 may be a disaster.
A: Yep, yeah. And then what I'm imagining is the consuming end of it is a reference implementation of a... your policy is "no critical vulnerabilities, and I don't care if it's reproducible or not", let's say. So that's expressed in some policy format, and then, as a consumer, you just say, you know, "check left-pad, policy 123", and it says pass. So from that perspective it would be something like a pre-install "tests pass".

D: So the producer will have to be similar to a certificate authority, right? I mean, that is producing attestations. What is preventing an authority from being spoofed, somebody else maliciously producing some attestations that are wrong? So what...

A: I'm thinking there... so each of these assertions would be signed in some way. The signer would either explicitly be trusted, in the way that Linux PPAs are, or delegated trust based on how the CA system works, or something else.

A: So you could point at a registry when you're doing the policy evaluation, but then, more than that, you can say I only trust A, B and C, or I only trust people that are trusted by A, that kind of thing. So you should be able to ignore the... if, let's just say, random people are providing assertions of whatever.

A: And you say: I only trust the ones from OpenSSF and my company, or only my company, or whatever.

E: Yeah, if I could: what do you think about the idea of signing them with sigstore?

E: Yeah, so that's the... I mean, it doesn't have to be sigstore necessarily, but if...

A: We want... I mean, it would be, as I'm learning more about this, it would be cosign, either off of an OIDC thing from us, wherever, or I could have a hardware token or anything else that reacts back the thing. So, and...

E: Right, I mean sigstore can do either of those things. It's the OIDC that's different and unusual, right, but it can do the tokens as well. But the point is that they don't have to have your public key to be able to verify that it was, you know, at org or whatever. Yep, yep.

E: I don't think we've generated that workflow, so if you want to do that, we probably ought to. I think that's a great idea; we just need to work out how we make sure that that can actually happen. Yeah.

A: And the other nice thing about this is it does provide us a way to generate manual assertions. So I took a look at left-pad, I reviewed the code, I think it's awesome, no issues found, and I'm staking my reputation on it by creating this assertion and saying, you know, Michael thinks this is fine, and putting this out there. So similar to the security reviews OpenSSF repo, there should be just another...

A: Actually, as a consumer, I don't trust manual assertions, because people make mistakes and machines never do, so just blanket provide no value to the... don't look for manual assertions.

E: Wow, that's a whole lot of assertion about automated systems never making mistakes. I...

E: Yeah, but in fact I think what you would like to see is multiple assertions from multiple different sources. This tool was run; this manual analysis was run, hopefully by people or organizations you actually have a reasonable... and then with multiple signals like that, that gives you really strong justification that, well, I mean mistakes can happen, but there's been some real effort here. And...

F: I'm just saying hi. Hi, we had a few of my colleagues, I think, on the phone earlier, at least until 12:30. So David, you're... Brian's yeoman's effort is showing some results. Thank you.
E: Oh well, thank you. And for Alpha-Omega, the two Michaels, one of which I think had to leave early, sadly, but Michael Scovetta, Michael Winser, they've been very much pulling on this for a while. And we've got our new awesome person at Citibank. So there's a number of folks who are pulling this particular rope and I'm grateful to everybody.

A: Awesome. Anything...

E: No, not myself, but Aaron Whitsling just posted in the chat and I think it's so important I'd like to highlight it. Coming back to the hash: what about posting "found no vulnerabilities"? I like the summaries, so I'm just going to post it. This feels like no failing tests when you're picking up a new repo. Yeah, obviously no failing tests when you're looking at a repo might mean, hey...

E: They haven't written any tests yet, or they only have one, but nevertheless there is a stronger feeling of, wait a minute, at least there's some signal that things are kind of on the ball from that. And I think that's a really important point.

A: Cool, what else do I have? So, also on the Omega side, we released the toolchain, the Docker... may go back. I haven't gotten a ton of feedback on it, which is fine because it's mostly for our use, but really that's what the primary user of it is.

A: If anyone has picked it up and used it and has feedback, and you think other tools should be added, or you think it's... whatever it is. It should just, you know, "docker build blah", and it should just build, and we have users to find things. I do have some plans on adding better support for scanning things like existing jar files.

A: So you can just kind of point it at a thing and have it go. But if there are features that you think, if it had them, would make the lives of security researchers easier... the intent of this is always that it's a security researcher tool. It's not really meant for someone to plumb into their own repo, although I guess it could, but that's not really the purpose. Please open an issue or get in contact.

A: I probably... so I don't know right now. I think I might know in like two months. So we have a software engineer that's going to be starting soon, so I'd imagine part of their job will be to kind of push on this tool a little bit further, and I think it'll show where the edges are. I think the Java ecosystem is probably its least mature support.

A: In general, the architecture is to start with a package, as opposed to starting with the repo. So we probably need to think about that a bit too, because you can do some analysis on a Python or Node or whatever npm package, but a jar file is going to be compressed class files; unless you're decompiling and then trying to recompile or doing something weird, you're only going to get value if you go back to the source and then kind of start from there. So we need that support.

G: You're speaking of source code and so forth. Between Java and .NET, how does that compare, Michael?
A: The same thing. NuGet, or existing NuGet packages, are going to be... I believe I do run ILSpy against them, so that some of the things will work, but I don't believe CodeQL does a very good job with decompiled code.

A: It is kind of kitchen-sinky, where everything goes into a directory, and then the tools are just like, go explore, tell me what you see. So a little bit more rigor on that would be certificate.

E: Yeah, so you're saying many of the tools want the source code; it doesn't do a lot with just the compiled versions, but I know there are tools that work on compiled programs. I mean, PMD and SpotBugs, for example, are specifically Java tools that look at, I think... yeah, my apologies, I see too many tools, but I think both of them, at least one of them, works on the source versus on the bytecode as other source.

E: I mean, what you might want would be something where... really what you want to do is analyze both. You want to analyze, A, here's what actually is going to be running, and some tools are designed for that, and then B, do the analysis of the compiled package and then, ideally, it can automatically figure out from that what is supposed to be its source code.

D: So our guys have done a test drive on the analysis toolchain, and yeah, they're right now compiling the results, so I will have some feedback. When ready, I'll send it directly to you. And there are some minor issues, like there's a Python version thing, where a Python version two versus three mismatch meant it was not building.

D: So it took some... so maybe some clarity etc. is needed there. And also the fact that the package needs to be provided, that was kind of a stumbling block: just wondering about, okay, for a random project from GitHub, what needs to be provided? There's kind of a starting point, but yeah, I mean, these are feedback items that have already been discussed. Specific feedback, when ready, I'll send to you. Yeah.

A: That'd be great. And not to go too far down in the weeds, but GitHub tags, I believe, are a valid package URL in the way that I use them. So I think it's something like package:github/foo/bar@tagname, I think it's something like that. So we can connect on it, but you should be able to do that if they're tagged.

D: So that's why I can't really say exactly what the issues were, but there were some minor needling issues, but I mean they could start in a few hours, or a couple of hours, and a majority of that was actually because of the Docker build, which was taking, I think, about three or four hours to finish. We...
D: One other thing, which was not clear: we were not sure about, because of the licensing of CodeQL and Radare, how could this be... what are the implications of running it on some other projects? So what we did was we actually created a build sans these two projects, CodeQL and Radare, and then we could run it on whatever we want, just for trial. So what would be the recommended way of doing things, I mean?

D: Maybe specific guidance of what... there is no... the legal thing about what can be run, what can this be run on, etc., but maybe some clarity on that would be good. Yeah, that...

A: If those are true, which is true in the vast majority of cases, then you as a consumer should be fine and you can run the toolchain. Now, if you wanted to run the Omega toolchain on your own proprietary source code, that may also be allowed through the CodeQL terms, but maybe not, and there are a couple of areas where you definitely cannot, like are not allowed to by the license.

A: Actually it helped even... and yeah, the reason I pre-built CodeQL in the Docker container is it speeds up later execution significantly. Otherwise it needs to recompile the rules each time it runs, and it'd be ephemeral at that point. So you don't need that. The other one is Snyk Code. I believe I pushed an update to it to use Snyk Code, but only if you provide the license key.

A: So we have a license key, so we can do that, and it should just be silent and fail happily. Yeah.

D: We were running specifically on JavaScript and PHP projects, just to see what sort of results are being found in these cases. Nice, very cool.

A: So we have results. As part of Omega we've collected the results from lgtm.com, which is like 350-something thousand projects. We have the infrastructure now; we can scan entire ecosystems.

A: The problem there is then we get a giant list of millions and millions of findings, and the ability to efficiently look through that... I don't mean like how do you grep, but we started on a portal, going back probably six or eight months, to bring in all these findings and show them per project or per finding type, so you can do horizontal or vertical analysis, and then you can triage it and say, yep.

E: I'm one of those people that says, as long as you're making it clear, like putting its version at zero point something, and maybe clearly stating it in your README, you're better off releasing earlier than waiting until it's all wonderful and perfect. Yeah. Now, if there's a licensing question, hey, I don't know if it's legal for me to release something, that's a different matter. Yeah, go, go!

E: Make sure that there's nothing that you're going to accidentally release that you don't have authority to do, but as soon as you've made sure that it's legal to do, just post it. Even if you don't get feedback, you can always go back and say yes; you have that opportunity.
F: Hey Michael, just to check for understanding, and I'm sorry, I'm new to this, but my understanding is Alpha is sort of the identification of the critical few, the Pareto projects, and then Omega is sort of the longer tail of projects. Is that right? And on that, do you have any viewpoint, can the data tell us what are the most used projects, and then what does the long tail look like by industry?

E: Yeah, okay, so I think that was a dump to me. So I'll make a first... thumbs up, all the hard parts are on Michael. People have very much worked on that. In fact, a number of years ago I led an effort to do quantitative analysis to try to identify critical projects, and in order to scope it down we specifically looked at the Debian packages.

E: Just to kind of, hey, let's focus on a specific scope, because at the time there was just a, hey, let's hurry and get at least a reasonable analysis out. That's actually public, called Census I. Much more recently, Harvard did an analysis using SCA vendor data, where they basically averaged their Z-scores, and we can talk about that, which I...

E: thought was a very interesting and useful way to handle that, and they came up with a sorted list of what were the top dependencies, as far as both direct and indirect dependencies go, within language-level packages, as opposed to the system-level packages of, say, Debian. By the way, although we analyzed Debian, most of the other Linux distributions pull in a lot of the same packages; heck, even a lot of the other distributions, like the BSDs, often end up using some of the same packages, because you want to use software...

E: that's reasonably high quality, does particular kinds of functions. And so, while it's certainly not all the same, that's not true, there's a lot of overlap. Similarly for the ecosystems: within each of the ecosystems certain packages showed up over and over and over again. I don't think you'd be terribly surprised by that, although the timing was not where we would have liked. For example, log4j was very high on that list; it would have been...

E: It would have been nice to know that before, but you wanted to do everything at once. So Census I and Census II are publicly available; you can go take a look at them right now. You can complain about the analyses, as with any analysis; I'm happy to tell you all the warts and everything, because you always have limited data sets. There are always challenges in any kind of analysis, but we do have some of this.

E: There is a separate group called the Critical Projects working group, which was the working group that oversaw the Harvard work, and basically they've been trying to take the various data sources and from that try to identify some sort of critical list. They do have a draft list now; they're in the process of trying to make things better. But I'll tell you, as someone who did Census I, and some of the challenges showed up in Census II also, there's a lot of context.

E: I'll give you, for instance: in Census I, the mail transfer agents, MTAs, were really high because they're directly exposed to the internet. They process data in all sorts of crazy formats, but the reality is that very, very few people run fully open
mtas
directly,
so
even
though
it
had
all
the
earmarks
of
man,
this
is
important
when
you
start
asking
yes,
but
it's
more
complicated.
E
So
it's
it's
my
position
that
we
really
need
to
do
all
sorts
of
analyzes
and
so
on,
but
then
add
the
human
factor
to
add
that
information
that
otherwise
you
know
the
quantitative
analysis
really
misses
so.
F
Let
me
just
editorialize
to
say
I
think-
and
this
may
be
an
intersection
point
between
openssf
stuff
and
finno
stuff,
but
there's
a
lot
of
people
that
that
care
a
lot
about
the
answer
to
the
question.
What
are
the
top
used
open
source
projects
in
Investment,
Banking
and
banking
Capital
markets,
and
that
answer
may
be
industry.
The
dependent
like
I
would.
F
Our
use
of
numpy
and
pandas
is
higher.
I
would
also
probably
suggest
that
our
use
of
O
camel
as
a
language
is
probably
higher
than
other
Industries
just
to
pick
one
right,
and
so
so
some
of
the
and
every
industry
is
unique
so
that
that
would
just
be
and
then
in
the
longer
tail.
Looking
at
some
of
the
projects
that
are
in
the
longer
tail
so
that
industry
context
it
just
would
be
helpful
for
us
and
that's
why
I
was
curious.
So.
A
It's
you
know
for
for
whether
it's
medical
or
Automotive,
or
financial,
or
whatever,
like
essentially
what
are
your
top
and
and
let
us
think
about
how
to
how
to
manage
that,
and
some
questions
are
going
there
on
on
funding.
You
know
how
do
we,
you
know,
you
know,
put
that
focus
on
those
areas,
but
the
intact
yeah,
like
obviously
there
are
different.
The
curves
are
different
in
different.
You
know
areas.
E
Yeah
and
indeed
the
critical
that
this
is
actually
an
area
that
came
up
earlier
this
year,
I
mean
the
critical
projects
working
group,
but
it
was
kicked
off.
The
theory
was,
you
know,
hey
we're
going
to
make
a
list,
you
know
just
looking
broadly
and
I
still
think
that's
appropriate,
because
when
you
start
merging
the
verticals,
you
still
find
some
things
that
are
really
really
common,
that
it's
worth
everybody,
but
you're
right.
E
They
particular
verticals
or
particular
organizations,
are
going
to
have
a
different
set
and
so
I
think
they're
actually
they've
been
talking
about
not
just
making
a
list,
and
you
know
working
out
their
process
and
making
a
list,
but
coming
up
with
a
process
that
you
that
can
be
franchised.
Basically,
you
know
hey
your
organization's
different.
Your
vertical
is
different.
Here's
a
process
that
we
use,
but
you
might
want
to
reapply
to
your
particular
vertical,
because
your
answers
are
almost
certainly
going
to
be
different.
E
I
haven't
talked
about
this
as
much
in
the
finno
setting,
but
I've
I've
talked
with
some
government
folks,
particularly
in
the
U.S
federal
government,
where
they
have
exactly
the
same
concerns.
Their
lists
are
not
going
to
be
the
same
as
a
generic
General
list
and
I
think
that's
right
and
So,
eventually,
I
think
it's
incumbent
on
organizations
and
verticals
to
try
to
help
identify
the
things
that
are
unique.
I
would
be
unsurprised
just
from
undercuts
I've
heard
that
there's
a
non-trivial
number
of
Finos-
it's
not
just
python
but
python
2..
E
A
I
think
probably
make
sense
as
an
as
an
operating
model.
The
theme
for
2023
is
going
to
be
like
let's
operationalize,
like
what
we've
been
doing
and
write
it
down
and
have
something
that's
kind
of
repeatable
that
we
can.
We
can
share.
F
Just
related
to
that,
a
bit
of
just
meta
feedback
or
thoughts
for
what
it's
worth
is
that
in
terms
of
engaging
with
our
industry,
I'd
say
too
that
you
know
I
think
you
know
I
know
some
of
our
other
organizations
from
Capital
markets
have
been
taking
significant
roles
in
openssf.
I
would
just
say
that
I
I
don't
want
to
make
a
sweeping
generalization,
but
I
would
share
that.
It's
probably
a
reasonably
safe
generalization
to
say
that
there
you'll
have
a
higher
rate
of
success.
F
If
you
want
some
one
of
our
developers
to
take
something
on,
if
you
can
suggest
hey,
there's
like
one
or
two
things,
we
really
need
help
on.
Would
someone
like
to
help
on
XYZ,
rather
than
just
put
like
a
long
list
of
issues
in
a
GitHub
thing,
the
chances
that
someone's
going
to
go
and
just
like?
Take
and
I'm?
Not
this
isn't
to
say
that
we're
the
only
busy
industry
everyone's
busy,
but
it's
just
it's
just
kind
of
a
thing
so
totally.
B
G
D
One
thing
I
do
one
thing
that
is
also
related
just
one
minute.
One
minute
comment,
so
Michael
you
and
I.
When
we
were
reviewing,
for
example,
the
Pi
Pi
results,
you
made
a
comment
or
like
we
discussed
about
like
the
content
of
a
file,
not
considering
them
as
as
stain
sources
Etc,
but
I've
had
clients
from
specifically
like
female
Industries,
where
these
are
also
considered
actually
highly
valuable,
so
it's
dependent
on
on
a
particular
vertical.
It's
also
the
the
kind
of
threats
they
are
very,
very
different.
Yeah.
A
I,
don't
agree,
yeah
if
you
told
me
that
one
of
these
things
we're
going
into
a
pacemaker
or
space
shuttle
or
another
kind
of
Can't
Fail
system.
The
bar
is
going
to
be
way
higher
than
like.
This
is
this
is
part
of
part
of
the
calendar
widget
on
a
startup
website,
but
yeah
we
should.
We
should
think
about
that.
We
are
over.
Thank
you
all
very
much
for
the
conversation.
This
was
amazing,
stay
tuned
and
see
you
next
month
and
please
engage
on
slack
or
or
just
get
in
touch
and.
F
I
just
I
would
say
a
lot
of
us
can't
use
slack.
So
that's
another
thing,
but
we'll
another.