From YouTube: Alpha Omega Project Public Meeting (July 5, 2023)
Description
https://github.com/ossf/alpha-omega
No public meeting notes.
B: In the.
A: Meeting note: the link to the meeting notes is in the invite, so if you want to.
A: You're welcome to. We've just got some updates on AO and, as usual, lots of open discussion; we'll just kind of see where things take us.
A: Let's get started. Welcome everybody to the July 5th Alpha-Omega public meeting. For those of you in the US, I hope you had a nice Fourth of July; for everybody else, I also hope you had a nice Fourth of July. So that's... I just have really rough notes on some updates. I'm hoping, since we have lots of folks from AO on the call, or associated,
A: if you... you know, not to put you on the spot, but if there are any updates you'd like to give, that's what we're here for. And for everybody else, obviously, if you have questions or comments or whatever, you are welcome to do so.
A: So a couple of days... so we have lots of things going on. First, on the mentorship side, you said you would like to give an update on that, or would any other mentees on the call like to give an update, or Jonathan, or...
D: We are underway, so I think next week is week six and we'll be starting to do our demos, our midway demo statuses with the mentees. I can speak for the engineering side, which are the two that fall under me. Our software requirements document and clean test cases and security cases have been completed.
D: The one for the analyzer is ready, but Andres is on vacation, so once he comes back we'll push that out. We'll be working on getting connectivity from the analyzer to the triage portal via an API, so modifying the API so that it accepts a token (it could be a JWT token or whatnot), checks and verifies the checksum of the SARIF file that would be uploaded to the triage portal API, to make sure that the results haven't been modified, and then the data is going to be stored into the triage portal.
D: Splitting between what the SARIF file can include, as well as the assertion framework data results, so that's going to be stored in their individual databases. That's just a high level. I'm going to call on Calinda, because I saw she's on it, to see if she wants to say anything; if she doesn't, she doesn't need to. And then, before I pass it over: our triage portal is officially live.
C: I'd say really, like, the overall arch of what we want to accomplish. What I can add today is that this week I was able to fix some of the issues that I was getting with the get source code and the get files method that the findings tab uses, and also was able to fix some of the problems that I had with Redis. Right now I am currently in the works of implementing GraphQL into the triage portal and starting to develop the API endpoint. So yeah.
A: Jonathan, anything? How about on the researcher end of the mentorship?
E: Checked out; I've been traveling for a wedding and for holidays. So on the researcher side, we are... something. I was working on expanding the OpenRewrite recipes for XML XXE and trying to get that set up for our campaign that we can openly run, and then Aaron is actively working on expanding OpenRewrite's data flow and control.
E: Well, primarily, currently, data flow analysis APIs to support multi-file data flow analysis. From there we... yes, so that will help us be able to tackle more complex vulnerabilities. On my side,
E: I am working on some deliverables from inside of the Vulnerability Disclosure Working Group, Autofix SIG. I'm actively working on a disclosure pipeline state machine for handling and automating vulnerability disclosures to maintainers and bulk pull request generation, so Trio are both handling the issue tracking, the issue disclosure request process, as well as an email disclosure request process and all of the state, you know, interactions involved in that flow.
A: Okay, cool, yeah, so I think the mentorship program is going great and I'm just really excited to see, you know, progress and things happening and all that. Any questions on that before we move on to the next topic?
A: Wonderful. So next one: the OpenSSL 3.1 security audit kicked off, managed by OSTIF. So we have a maker... I don't think I'll say anything, but.
B: All right, hello everybody. Yeah, we're very excited to kick off the OpenSSL 3.1. Still very, very early stages, but just getting to that start line is always an accomplishment, so we're very happy about that and I'll continue to keep the group updated on how that's going.
A: Awesome. Similarly, I think we may have even announced this last month, so if I'm repeating myself I apologize, but we provided funding to ISRG, through Prossimo, to improve the state of Rust within the Linux kernel, as well as feature work for rustls, the Rust cryptographic library. Both of these have kind of long-term, kind of systemic improvements to the availability of memory safety and memory-safe crypto.
A: So we're excited to start getting updates from them; we'll probably start getting updates from them, I think next month would be kind of reasonable. I think we signed it like six weeks ago, so it's a little bit early, but we want to start seeing progress there. On the Python side, welcome Seth. An episode: do you just go by Seth, or Seth Michael, I wanted... Yes, just.
F: Just Seth is fine, yeah. The reason I have to do the full name is because, unfortunately, my name without the middle name... someone else on the planet has better SEO than me, and it's not a very good person. So.
F: Yeah, hey everybody, I'm Seth. I've been doing Python for a while, very interested in supply chain security, and so I just feel like I'm living the dream at this point. Yeah, I've been providing, I'll be providing, like, weekly updates on my own blog and then obviously monthly updates here. So if you're interested in just following along with what's happening in the Python ecosystem, that would maybe be a good place to do it. And yeah, I've only been here for one full public week.
F: So there's been some amount of movement. It's mostly been just meeting people and kind of figuring out what their problems are and what they think is interesting and what is currently in flight, because there's already lots of stuff in flight too, and that's been mostly what I've been doing. So, awesome, lovely to be here and just happy to collaborate with you all.
A: Very cool. Let's see, next on the agenda: disclosure check. I think this was also something I probably talked about last month, but disclosure check is the underlying tool that I think, well, Jonathan and Open Refactory are using, going to use, to figure out how to best report a vulnerability privately to a maintainer given just, like, a package URL.
A: URLs, mailing lists, Jira, whatever; whatever process the project would like. The intent of the tool is to discover that and hopefully be automated to the point that, you know, it's actually just part of a larger pipeline. So that's available under OSSF, just as a tool.
A: I don't see Manoir here, but we agreed with Open Refactory to provide funding for them to go out and look through the... I think they're going to do 500 a month, running, you know, automated tooling and kind of owning the full process of, you know, scanning, discovering, triaging, reporting and getting fixed, the whole pipeline for those projects for the next six months.
A: I think they probably just started today, or it was... it starts at the beginning of July. So we're really looking forward to both the, you know, the actual, like, core output, which is, you know, fixed vulnerabilities, but also the learning, so that we can adapt and adopt it within our tool. And the final update that I had, well...
A: I should have two more: a Great Repository Audit SIG. So, Jonathan, I don't know if you want to give an update on this. I can certainly give an update from, like, why.
A: So the purpose of the Great Repository Audit SIG is: your package ecosystems are among the, if not the, most critical parts of the open source ecosystem, because where are you going to go for your Python packages other than PyPI, or RubyGems, or npm, or wherever. So the software, both the client side, the server side, the infrastructure, the people, the process and all that other stuff that, like, makes up that, are critical parts of that. These things are, these ecosystems are often, they're...
A: Most of the ecosystems have not had a security audit in forever, and, you know, funding is a perennial challenge. So we think, with, you know, turning money into security, it makes sense for AO to fund periodic security audits against those ecosystems. Obviously these would be Alpha engagements with the ecosystems' full buy-in and support and collaboration. This isn't a... I don't think this is something that we are going to do at them;
A: something we'll do with them. And, you know, a lot of this came from, well...
A: This completely came from Jonathan's work in kind of advocating for, you know, an audit of each of the major ecosystems, and to really get it to the point that consumers can understand whether the ecosystems that they rely on, like, meet their expectations and meet best practices and all that stuff. Part of what AO can also do here is, in addition to funding the audit, funding the remediation work that, you know, would probably tail in at the end of that, I'm...
A: assuming that there are critical things found. So, you know, AO hasn't committed formally to funding this work, but it's definitely something that we're actively talking about, and it would be a great idea. So, you know, Jonathan, if I missed anything.
E: So, no, yeah, just the high-level goal of the Great Artifact Repository Audit is to, you know: let's walk before we can run; let's, like, determine that the industry has solid security practices around the security of the artifact supply, the artifact servers that are supplying the entire industry supply chain, and let's work with the maintainers of those hosts to address any vulnerabilities identified there. Yeah, if you're curious and want to learn more,
E: there is... I don't have my right Chrome window up, but I will post a link in the chat for the Great Artifact Repository Audit for you all to review, and then we can... yeah, there's also the great... there's also the Securing Software Repositories Slack channel if you want to have the chat there, but I'll post a link to the chat, or to the document, in the chat shortly.
E: You know, it's on... The Great Artifact Repository Audit is on Mondays at 1pm.
B: Okay, which time zone is that, Eastern?
E: Yeah, it's just... it wasn't this week because we had Fourth of July and the third of July and nobody was gonna be around for that. So.
E: A different meeting: that's the Vulnerability Disclosures Autofix SIG. Oh.
A: Sorry, you're right, yeah, I'm running two SIGs, it's okay. Cool. The last episode that I had: Michael Winser is back as a contractor starting this week, working on strategy execution and just generally accelerating our work, expecting to be, you know, visible and available, you know, certainly next month, and on Slack, and, you know, all that stuff. So you'll start to see him around again. So I'm super happy to have him back, and with that I... don't think that was my last. That was my last update.
A: Would actually be good to have more than just, from a bus-factor perspective, more than just me, yeah, on the code base. Certainly if anybody else on the call would like to, like, contribute or maintain or whatever, like, you know, it's definitely... you know, I think it's useful, but it's not very... it's not AO-specific. So, you know, it's a good general-purpose tool, I think, but otherwise.
E: Anybody wants to just, gonna write some code: I'm currently working on the disclosure pipeline state machine thing. I would love to collaborate with someone to write integrations for Gmail and stuff like that, and I can... if somebody wants to, like, is looking for an open source project to write some code with, ping me and we can sit down and discuss requirements.
D: If you have a GitHub issue, I can share it on social and see if we can find some volunteers. Yep, okay. And then, if anyone else is looking for any kind of contributions, check out the Omega, the Omega triage portal, the Missouri client and then the auto...
A: Is there anything else on people's minds? If not, we can... it's cool for this to be a short one.
A: All right then, thank you all very much, appreciate your time and attention, and if you have any questions in the meantime, please find us on the Alpha-Omega Slack channel, or purchase an email, or find us somehow, and the next update will be next month. So everybody enjoy your summer and stay safe. Bye.