►
From YouTube: Alpha Omega Project Public Meeting (May 3, 2023)
Description
A
A
B
I
figured
I
might
as
well
start
I.
I
was
needing
to
talk
to
you
about
the
I
know.
We
talked
about
making
training
for
Alpha,
Omega
and
I
talked
to
Tim
and
I
I
needed
to
talk
to
you
about.
If
you
wanted
to
make
that
a
part
of
Ls
main
curriculum,
we
needed
to
talk
at
some
point.
I
just
wanted
to
say
that
I.
A
B
B
B
A
C
B
I'll,
and
and
also
the
way
our
system
is
plugged
into
credibly.
So
when
you
actually
do
that's
how
you
actually
like
verify,
the
certifications
is
through
their
system
because
I'm
not
entirely
clear
how
it
all
works,
but
it's
very
highly
accredited
and
all
that
stuff.
So
we,
if
we
do
make
a
certification,
we
can
make
the
verification
through
credibly,
so
that
people
could
also
post
like
post
it
on
LinkedIn
nice.
B
And
are
smashing
the
web,
the
first
the
basic
course
on
just
how
to
do
like,
like
it's
basically
a
bug,
Bounty
type,
of
course,
yeah.
That's
free!
The
advanced
course
we're
gonna
not
make
it
free,
but
like
pretty
much
the
difference
between
the
Advanced
course
and
the
regular
course
is.
The
advanced
course
goes
into
like
automated
bug,
finding,
which
is
something
that
I
was
gonna.
I
was
talking
already
with
Jonathan
about
as
well,
and
the
free
course
teaches
you
how
to
do
it
manually.
Okay,.
B
That's
more
application
security.
This
is
more
specifically
about
like
bug
finding
it's
like.
If
you
wanted
to
get
into
bug,
Bounty
like
how
would
you
go
about
doing
that
with
many
of
the
people
that
we've
surveyed
have
a
limited
knowledge
of
coding
so
like
trying
to
get
them
up
to
speed
with
what
they
need
to
know
about
code
and
how
you
could
use
tools
like
semgrab?
We
cover
set,
we
cover
some
grab.
We
cover
stuff
like
that
in
the
in
the
initial
course,
but
we
don't
cover
how
you
would
go
about
making
like
a
pipeline.
D
Hey
everyone,
I
I,
just
have
like
a
kind
of
like
beginner
question
on
security
and
open
source.
So
let's
say
like
an
Omega
project,
if,
like
I'm
working
on
it
and
and
let's
say,
like
I,
identify
some
vulnerability.
That's
in
multiple
repositories
like
what's
the
way
to
approach,
say
in
general,
like
these
organizations
and
if
I
make
put
this
information
since
it's
open
source
and
if
I
put
this
information
in
public.
A
Yeah,
and
so
this
is
a
super
timely
discussion,
we're
having
this
conversation
multiple
times
a
week,
because
we
we
have
the
tooling
to
find
lots
and
lots
of
vulnerabilities.
We
do
not
have
the
people
to
scale
out
manual
reporting
to
hundreds
to
thousands
of
repos.
If
you
find
it
in
five,
that's
different!
You,
you
know
you,
you
can
do
it
do
it.
Do
it
five,
but
you
know
at
a
certain
point.
A
Github
private
developer,
vulnerability
reports
where
they're
used
can
absolutely
do
this,
but
they're
not
prevalent
enough
that
you
know,
if
you,
if
you
pick
a
random
project,
it
probably
won't
have
private
vulnerability,
reporting
enabled
we
did
just
to
plug
my
own
thing.
We
did
I
did
write
a
proof
of
concept
tool
to
you
know,
given
a
package
identify
all
the
different
ways
that
you
could
privately
report
from.
Email
addresses
to
tidelift
vulnerability
reports,
things
like
that.
A
You
know
so
that
that
can
certainly
help
it's.
It's
not
doing
anything
magical
that
you
couldn't
just
do
by
looking
at
security.md
and
read
me,
and
you
know
other
things
like
that.
But
it
saves
you
the
time
of
having
to
do
that
and
if
you
have
to
do
that
n
times,
it'll
save
you.
You
know
and
Times
of
of
work
I'll
put
a
link
to
that
in
chat
and
if
you
think
it's
useful
or
it's
like
80
useful,
please
let
me
know
what
would
make
it
the
other
20.
E
F
F
You
know
like
Apache
software
Foundation
like
if
you
have
a
vulnerability
that
spans
all
of
those
you
they're
better
placed
they're,
not
as
necessarily
well
connected
to
I
mean
they're,
also
leveraging
like
existing
connections
and
relationships
to
to
communicate
that
that
information
they
are
gonna
end
up.
If
you
found
like
a
bunch
of
projects
with
the
same
vulnerability
everywhere,
they're
gonna
have
to
do
the
same
legwork
that
any
one
of
us
would
have
to
do,
which
is
you
know,
go
go
to
every
single
project.
That
being
said,.
F
F
Certain
involvement
vulnerabilities,
three
eight
two,
three
zero
one-
it
was
a
CD,
it
was
a
is
an
R
host
name
array,
overflow
vulnerability.
It
was
a
2020
vulnerability
and
I.
Some
some
chunk
of
code
ended
up
being
like
vendored
across
multiple
different,
open
source
repositories
in
C
and
GitHub
used.
The
bulk
pull
request
generator
that
I
wrote
to
bulk
generate
fixes
for
that
across
a
bunch
of
Open
Source
projects.
So
that's
that's.
You
know,
then
that
was
Sir
coming
to
GitHub
and
saying
hey,
we've
got
a
problem
and
get
up
saying.
B
F
G
A
Hours
of
work
to
privately
report,
something
and
including
the
back
and
forth
on
average,
then
whether
the
finder
does
it
or
we
do
it
or
cert,
does
it
or
somebody
else
does
it,
it
still
costs
the
same.
And
honestly,
if
you
dumped
a
thousand,
you
know
issues
over
to
cert
I
think
they
would
come
back
and
say
sorry
like
we're
we're
not
a
like.
You
know:
I
I,
don't
think
that
would
be
the
issue
Clearinghouse.
If
you
had
one
that
would
be
fine
or
three.
A
That
would
be
fine,
but
yeah
at
scale
like
that's
yeah
I
would
I,
but
but
that
does
actually
raise
another
point,
which
is
you
know,
would
it
do?
We
think
that
it
would
be
useful
if
there
was
a
and
I'm
just
throwing
this
out
there
there's
no
promises.
This
is
just
ideas
and
brainstorming
like
do.
We
think
that
it
would
be
useful
if
there
was
a
funded
team
that
did
this
leg
work
where
they
were
essentially
a
funnel
for
validated
like
you,
you
have.
A
You
know
good
faith
belief
that
this
is
a
real
vulnerability
that
really
affects
something,
but
you
do
not
have
the
Cycles
or
for
whatever
reason.
We
think
that
that
might
be
better
for
a
team
to
do
this
stuff,
because
they
would
get
better
at
it
over
time
and
they
could
develop
tools
to
make
themselves
more
efficient
Etc.
But
essentially
you
could
feed
those
thousand
vulnerabilities
over
to
this
team
and
the
team
would
handle
the
rest
of
it.
F
B
F
B
B
Would
it
be
valuable
if
we
had
like
a
paid
group
that
did
this
and
the
community
and
I
think
probe
has
the
the
like
the
paper
somewhere,
but
the
community
came
back,
it
was
kind
of
like
we
would
prefer
if
it
was
volunteers
and
yeah
and
we
we
made
a
whole
plan
last
year,
based
on
like
what
we
found.
But
I
was
part
of
the
team
that
went
and
talked
to
a
bunch
of
people.
I'm.
B
I
think
that
was
I.
There
was
yeah.
They
wanted
people
that
were
like
actually
involved
in
the
community,
not
like
a
bunch
of
randos
that
now
came
in
and
submitted
a
bunch
of
stuff
and
yeah.
So
like
we
made,
we
made
a
whole
plan
based
on
like
volunteers
and
instead
of
like
reporting
stuff
and
like
going
down
on
people.
B
H
I
believe
that
that
actually
there's
a
proposal,
I
think
it
was
brought
up
to
the
governing
board
to
decide
whether
or
not
to
fund
and
I.
Think
that's
where
it
is
currently
stated,
because
as
long
as
you
don't
as
long
as
you
don't
need
funding,
that's
one
thing.
But
as
soon
as
you
need
a
significant
amount
of
money,
but.
A
G
F
Many,
how
many
of
these
people
that
were
queried
actually
have
been
in
an
incident
like,
for
example,
the
people
from
es
lent
or,
like
you
know,
other
projects
that
have
been
actively
attacked
like
I
get.
You
can
ask
for
what
you
want
if
you've
never
been
through
it,
but
I
feel
like
if
you've
actually
been
through
an
incident.
Your
your
ask
would
be
very
different.
I.
B
Think
it
David
correct
me
if
I'm
wrong,
I
think
that
right
now
they
wanted
comments
on
the
rewrite
correct
before
I'm,
not
sure.
But
you
are
right.
Jonathan
I,
I!
Don't
think
that
we
talk
to
a
lot
of
people
like
we
talk
to
a
lot
of
people
in
the
community
like
the
colonel
people,
a
lot
of
packagers,
because
that's
what
I
know,
but
we
didn't
talk
to
like
eslin.
Specifically,
you
can
but
yeah.
G
A
A
mental
model,
the
mobilization
plan,
which
was
described
as
like
a
volunteer
fire
brigade
so
long
for
J,
happens
and
or
I,
don't
know
pick
on
Apache
Foo
happens.
Foo
is
super
complex
and
hard
and
touches
lots
of
different
things
and
the
maintainers
like,
oh
my
God,
like
I'm
overwhelmed
I,
don't
know
what
to
do
like
how
do
I?
How
do
I
manage
multi
multi-party?
Just
you
know
private.
You
know
private
and
coordinated
disclosure
like
I'm.
B
I
B
I
know
that
things
that
we
wanted
to
do
was
talk
to
like
to
the
Apache
security
team
and
the
open,
SSL
security
team.
We
wanted
to
talk
to
existing
security
teams
and
see
how
they
see
it,
including
Google,
zero
day
team
and
the
bug
Bounty
community
of
interest,
and
even
we
wanted
to
also
talk
to
the
cert
and
red
hat
and
different
vendors
and
see
what
they
thought.
We
never
really
got
around
to
that.
Yet
we
talked
as
they
said,
to
Colonel
people
and
packagers
distros
people
that
I
work
with.
G
B
And
if
you
actually
go
into
the
plans,
you'll
see
that
the
tables
are
broken
up,
where
you
have
estimated
individual
hours
and
estimated
volunteers.
Because,
as
I
said,
most
of
this
plan
was
kind
of
done.
From
the
point
of
view
that
most
of
the
people
involved
here
were
going
to
be
volunteers
which
were
kind
of
the
group
that
is
the
cert
or
that
meets
with
the
cert.
So
yeah.
H
B
A
Right,
okay,
so
let's,
let's
do
that
so
for
for
a
hell,
at
least
since
that's
that's
a
little
sphere.
I
have
some
control
over.
Let
let's
pursue
this
as
another
potential
kind
of
Last
Mile
reporting.
You
know
mechanism.
At
the
same
time,
though,
I
still
feel
uncomfortable
with
like
well,
it
would
take
us
five
hours
to
do
it.
So
maybe
we'll
give
it
to
this
other
group
and
have
them
spend
five
hours
like
it
doesn't
make
anything
more
efficient
or
better.
A
B
The
big
thing,
the
biggest
thing
about
it,
if
I
can
mention
something,
is
shocking
about
all
of
this
is
that
a
lot
of
it
was
not
so
much
like.
We
thought
a
lot
of
it
was
going
to
be
like
a
fire
brigade,
but
from
our
initial
research.
They
wanted
more
of
like
help
us
prevent
this
from
happening
and
help
us
from
preventing
from
like,
in
other
words,
almost
post
incident.
So
if
you
read
the
plan
it's
in
there
but
yeah,
it
was.
G
F
Which
I
disagree?
You
don't
need
I
mean
I,
hear
what
they're
asking
for,
but,
like
you,
you
have
a
fire
department
because
happens
right.
This
is
like
you,
you
I
mean
I,
agree
that,
like
you
know,
you
have
a
fire
whatever
the
for
the
town.
It's
like
you
know,
I
set
codes
and
it
means
you
can't
have
a
certain
number
of
people
like
in
a
space
that's
bigger
than
this,
but
like
at
the
end
of
the
day,
your
fire
department
shows
up
because
there's
been
a
fire.
A
Correct
yeah,
it's
so
I
I.
What
I
suggest
is,
if
read
the
read,
be
because
it
does
clarify
like
what
this
is
and
I.
At
least
from
from
this,
it
seems
like
the
search
purpose
is
when,
when
open
source
maintainers
need
help,
the
cert
is
available
to
help
correct
but
dumping
a
thousand
vulnerabilities
on
the
cert
and
saying
hey.
Could
you
go
out
and
find
the
maintainers
and
get
make
the
right
thing
happen?
A
A
B
B
E
Cool
foreign,
so
if
we
narrow
it
down
to
the
vulnerability
reporting
thing
and
and
that's
what
I
think
like
Rambo
I
mean
my
interpretation
of
what
Campbell
was
mentioning
initially
and
what
I've,
also
seen
overwhelmingly
by
like,
like
speaking
with
the
maintainers
and
and
so
on,
is
that
there's
needs
to
be
some
compassion
involved.
It's
a
human
game.
G
E
B
B
G
E
So
I
would
like
to
know
about
like
how
the
triage
portal
is
is
coming,
and
so
it's
basically
because
we
are
also-
we
have
our
own
like
clear
portal
and
at
some
point
we
want
to
code
in
it
actually
like
I
I,
want
to
stop
developing
the
tier
portal
and
start
using
the
alpha
omega,
and
so
there's
there's
two
things
like
it
would
be
great
to
have
some
visibility.
At
the
same
time,
we
also
have
a
lot
of
anecdotal
evidences
of
like
what
works
and
what?
What
doesn't
because
this.
E
A
Totally
agree,
yes,
it's
it
will
be.
It
will
be
available
very
soon.
It's
just
bugs
at
this
point
in
in
trying
to
get
trying
to
get
it
available.
Although
you
said
I
think
Suraj
is
chatting
with
you
later
today
as
well.
So
yes,
hopefully
imminently
it,
will
some
something
will
be
available
to
start
kind
of
playing
with
and
then
at
that
point
we
would
love
your
input
and
presumably.
G
A
B
A
It
like
locally
now,
if
you
want,
but
yes,
you
know,
we
definitely
would
like
it
to
be
as
end
to
end
as
possible,
like
I
I.
Ideally
I
would
love
the
report
it
button
at
the
end
of
it
and
have
it
do
whatever
magic
is
needed
behind.
You
know
behind
the
scenes
to
get
things
out
and
then
track
it,
and
all
of
that.
E
So
we
were
planning
to
actually
like
deploy
it
like
next
next
week
or
so
around
that
time,
because
I
I
was
also
thinking,
I,
I,
don't
I
haven't
looked
into
that,
but
we're
also
thinking
that
it's
publicly
available,
so
it
could
be
deployed
and
so
on.
In
a
lot
of
setup
and
the
the
question
that
I
was
referred
to
is
like
at
that
point
like.
If
we
have
some
feature
requests
and
Etc,
where
do
we
go
to
do
that?
So
we
just
like
file
issues
in
the
in
the
repository
or.
G
C
A
To
to
David's
question
the
relatively
new
effort,
so
open
S
is
okay,
so
yeah.
So
so
we
have
a
couple
things
that
we're
going
to
be
announcing
next
week.
I'll
give
you
the
preview
preview
number
one
is:
we
will
be
funding
a
security
audit
of
openssl
three,
a
3.1
technically
it'll
include
a
pretty
good
scope
in
terms
of
you
know:
Jonathan
you've
turned
into
a
keyboard
and
you
are
mute,
but.
D
E
A
A
So
I'm
I'm
excited
about
that.
That's
what
we're
doing!
We
have
a
couple
other
say
alpha-ish
engagements
that
were
that
we're
discussing
some
of
them
are
around.
You
know
better
vulnerability,
reporting.
You
know
kind
of
scaling
out
what
we
do
some
of
the
last
mile
stuff
in
terms
of
reporting
things
like
that.
C
C
So
our
candidates
could
have
details
when
was
it
May,
24th
or
something
so
at
least
there's
a
week
to
get
paperwork
and
documentation
signed.
It
is
a
12-week
program
where
you're
going
to
be
working
with
myself
and
Jonathan
on
on
the
engineering
side,
which
is
what
Michael
was
mentioning
earlier:
just
kind
of
formality
the
formalities
operationalizing
the
workflow
between
the
different
components.
C
Getting
you
know
once
you
analyze
a
package
being
able
to
send
that
package
up
to
the
triage
portal
and
then
the
the
researchers
able
to
assigned
and
move
forward
and
Report
the
issue
if
it's
needed
and
then
on
Jonathan's
side
of
some
of
this
security
researching
and
I'll.
Let
him
talk
about
that
piece
if
he's
done
with
the
his
keyboard,
so.
G
F
To
work
with
me
on
recipes,
toothpicks
vulnerabilities
of
scale,
and
we
interviewed
a
yeah,
so
we're
just
just
we're
just
we're
just
yeah
we're
going
to
the
process
of
interviewing
mentees
and
hopefully
going
to
find
some
people
that
maybe
have
a
mix
of
security
background,
but
I'm
predominantly
looking
for
compiler
knowledge.
So
yeah
yep.
D
A
A
A
A
Assurance
assertions
and
I
think
I
mentioned
this
last
time
if
you'll
have
not
seen
it
and
are
interested,
I
can
do
a
demo
or
whatever.
If
not,
here
is
the
the
link
to
it
again.
The
purpose
is
provide
facts
in
a
policy
framework
about
the
security
quality
of
a
particular
package
so
that
you
can
set
up
your
own
gates
to
flag
disallow
or
make
make
whatever
decisions.
A
F
A
That
would
be
really
hard
question
to
answer
today
without
building
up
effectively
Assurance
assertions.
So
that's
part
of
AO
we're
kind
of
looking
for
at
least
I'm.
Looking
for,
like
you
know,
volunteers
and
use
cases
and
hey
I
really
want
to
use
this.
Can
it
just
do
X
in
that
kind
of
that?
That
kind
of
thing
like
turning
it
from
a
proof
of
concept
into
something
real?
A
I
Hi,
so
how
do
you
envision
seeing
this
youth?
Is
this
I
I'm
just
checked
out
a
package
and
I
thought
I'd
look
at
a
kubernetes,
so
I
typed
in
kubernetes
to
search
and
I
came
across
several
things
that
mentioned
kubernetes
and
I
was
thinking
all
right.
Well,
how
would
I
make
use
of
this
I
see?
Some
of
these
are
not
actively
maintained,
which
is
helpful.
A
A
It
would
be
a
reasonable,
like
organizational
policy
to
say
I,
don't
want
to
use
any
packages
that
aren't
being
maintained
or
I
want
to
pay
special
attention
to
them,
or
something
like
that.
So
you
know
the
fact
that,
like
you
know
so
so
for
this
one
you
know
eight
so
I'll
post
a
link
to
the
one
that
I'm
I'm,
obviously
looking
at
here,
actually
now
I'll
just
share
it
and
then.
A
You
know
number
one
being
able
to
see
that
as
a
you
know,
through
an
API
means
that
you
can.
You
know
you
can
suck
this
in
and
do
this
in
whatever
whatever
systems
you
want.
But
more
importantly,
you
know
having
the
underlying
assertion.
So
this
is
the
latest
assertion
that
I
have
so
that.
So
this
is
just
scorecard
data,
but.
I
E
C
F
A
Playing
the
long
game
yeah,
so,
okay,
so
let's
just
give
it
this
way
the
Lincoln
chat,
oh
yeah,
I
already
posted
it
the
so
you
got
okay.
So
to
answer
your
question,
how
do
I
see
this
being
used?
I,
see
this
organizations
to
set
up
a
policy
that
says
of
all
the
open
source
that
I
used
I
want
to
rank
them
in
some
way
or
I
want
them
to
pass
this
these
things
and
they
can
they
can
organizations
can
make
up
whatever
policies
they
want.
I
A
So
I'm
gonna
put
some
link
to
one
with
more
data,
which
is
might
be
more
interesting,
so
this
is
so
you
know.
A
couple
of
these
we've
made
sure
was.
Was
you
know
fairly
complete
this
Cheerio
package?
You
know,
in
addition
to
you,
know
like
okay,
so
it
was
scanned
for
for
malware
critical
findings
with
static
analysis
and
then
for
each
of
its
dependencies
in
that,
in
that
second
tab
showing
you
know
how
of
the
dependencies
that
we've
analyzed
how
they
fare
against
the
different,
the
different
policies.
A
G
A
I
A
A
D
F
F
No
to
answer
your
last
question:
first,
no,
the
idea
is
that
you
should
always
generate
code
that
doesn't
fail.
Ci,
hopefully
right
I
mean
so
I've
been
using
a
technology
called
open
rewrite,
which
is
a
format
preserving
abstract,
syntax
tree
Transformer,
and
the
idea
behind
it
is
that
we
can
generate
security,
fixes
that
manipulate
the
underlying
AST
and
generate
new
code
that
match
the
surrounding
formatting.
F
So,
even
if
the
CI
build
has
something
like
a
style
linter
on
it,
you
should
theoretically
pass
that
because
you're
generating
code
that
matches
the
surrounding
formatting
and
then
ideal
I
mean
the
one
thing
that
I've
run
into
issues
with
in
this
work
is
like
I.
Will
bulk
generate
several
thousand
pull
requests
to
fix
a
vulnerability
and.
F
Thank
you.
So
much
can
you
can
you
contribute
a
unit
test
and
my
answers
generally?
No,
it's
really
hard
to
generate
code
to
fix
your
vulnerability.
I
can't
also
understand
your
code
well
enough
to
also
include
a
unit
test
to
verify
the
change.
It's
like.
That's
a
that's,
an
even
more
complicated
problem.
So
in
general
it's
pretty
easy
to
fix
the
code
and
do
so
in
a
way
that
well,
okay,
it.
E
E
It's
Java
python
on
Google,
but
off
topic
off
topic.
One
other
interest
to
me
is
I.
I
just
found
a
YouTube
video
just
yesterday.
Somebody
doing
a
bulk
fix
on
zip
slip,
vulnerability
and
also
receive
like
five
thousand
dollars
of
bug.
Bounty
and
I
thought
it
was
you,
but
it
wasn't
so
I'll
share
the
video
with
you.
Yes,.
E
A
Foreign,
everybody
gets
eight
minutes
back
now.
Don't
thank
me
all
at
once.
Thank
you.
All
very
much
I
appreciate
the
conversation
looking
forward
to
next
month.
If
you
guys
will
be
in
if
you,
if
any
of
y'all
will
be
in
Vancouver
next
week,
I
will
be
there
for,
for
the
day
on
I'm
on
Wednesday,
so
hope
to
see
you
there
otherwise
see
you
around
thanks.
Paul
thank.
H
H
So
so,
basically
I
mean
I,
think
I
I,
don't
know
if
it's
formally
called
a
c
synthesis,
but
we
got
a
letter
from
a
lawyer,
I
think
technically
legally
we
could
fight
it
because
we're
not
using
it
that
way,
but
we
decide
you
know
what
in
general,
we
try
to
work
with
folks.
We
try
not
to
you
know.
Unless
there's
some
strong
reason
we
try
to
be
cooperative,
and
so
yes,
we,
the
plan,
is
to
change
the
name.
H
But
since
that
decision
was
made,
Wednesday
I'm,
sorry
I
think
that
was
decision
was
made
two
days
ago.
Yeah,
you
know,
I
mean
you
know
we
we
just
we
we
just
got
it
I
think
we
were
I.
Think
we
got
the
letter
on
Monday.
We
decided,
you
know,
that's
not
worth
fighting
and
we'll
change.
The
name.
I
may
not
be
getting
the
dates
right,
but
I
mean
we're
talking
a
few
days
so
so
give
us
a
couple
of
days.
H
H
H
F
I
F
H
F
D
H
F
G
H
D
H
F
H
So
you
know
interesting
yeah
and
that
this
actually,
though,
does
bring
in
the
issue
that
we
talked
about
earlier,
which
is
just
because
it
ends
in
openssf.org.
That
does
not
necessarily
mean
that
we
control
the
service
behind
it.
Slack
openssf.org
is
a
great
example
of
that,
where
correct
we
use
slack,
but
obviously
we
cannot
just
say:
hey
go
attack
slack,
even
though
we
use
it
I
mean
that
doesn't
I'm
kind
of
hoping
that
that's
kind
of
obvious
anyway,
really
you
hope.
F
H
F
H
F
G
H
F
H
That's
dangerous
because
if
you
go
out
of
scope,
you're
going
to
accidentally
appear,
you
know,
I,
I
I!
Think
it's
you're
better
off
doing
it
in
a
way
that,
if
it,
if
it
goes
out
of
date,
which
is
going
to
be
a
certainty
it
will
it
no
matter
what
you
will
make
a
mistake,
making
it
so
that
your
mistake
is
likely
to
lead
to
not
bad
behavior
I
think
is
the
important
part,
but
basically
the
default
should
be
the
safe
answer
where
you.
H
Well,
that's
you
know
what
I
have
heard
the
I've
heard
that
you're
right,
but
it's
in
a
pain
in
the
ass
a
whole
lot
in
my
life,
so
yeah
and
you
know
what
way
we
can
find
ways
to
automate
this
more
I
think
that
would
be
entirely
plausible
but
yeah,
but
let's
but
anyway,
let's
keep
that
conversation
going,
but
not
right.
Now,
right,
right,
no
I,
agree
all
right!
I'll
talk
to
you
later,
oh
play.
Please
do
take
care
bye.