Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
OpenSSF / Alpha-Omega / 5 Jul 2023
OpenSSF / Alpha-Omega / 5 Jul 2023
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Alpha Omega Project Public Meeting (July 5, 2023)

Description

https://github.com/ossf/alpha-omega

No public meeting notes.

A

Folks, can you guys see my see my screen? Zoom is zoom is crashy today.

B

Give.

C

It.

B

Like.

A

One more minute.

B

In the um the.

A

Meeting note the link to the meeting notes are: are in the invite. So um if you want to.

B

Go in and add yourself, your.

A

Your welcome to and um just got some updates on AO as usual lots of open, open discussion, um we'll just kind of see where things uh see where things take us.

A

Let's get started: welcome everybody to the July 5th um um Alpha Omega public meeting for those of you in the US I hope you had a nice Fourth of July for everybody else. I also hope you had a nice Fourth of July, so that's um I, just really rough notes on on some updates, I'm hoping since we have lots of folks from AO on the call uh or Associated.

A

If you you know not to put you on the spot, but if there's any updates you'd like to give uh that's that's what we're here for uh and for everybody else. Obviously, if you have questions or comments or whatever you are welcome to do so,.

A

So a couple of days, so we have lots of things going on. um First, on the mentorship side, uh you said you would like to give an update on um on that or were any other mentees on the call like to give an update or Jonathan or.

D

Anybody yeah I'll, give a start for uh the update. I have a cat, that's very particular with my camera right now. So if you see it move or just go black, it's just him.

D

um We are underway, so I. Think next week is week, six and we'll be starting to do our demos. Our Midway demo, statuses with the mentees um I, can speak for the engineering side, which are the two that uh fall under me. Our software requirements document and clean test cases and security cases have been complete.

D

um The one for the triage portal has been updated on the alpha omega repo, so I can share the links and those are ready for review.

D

um The one for the analyzer is ready, but uh Andres is on vacation. So once he comes back, we'll push that out um we'll be working on getting connectivity from the analyzer to the triage portal via an API so modifying the API that it accepts um a token. It could be a JWT token or whatnot um checks to verifies the checksum of the serif file. That would be uploaded to the triage portal API to make sure that the results haven't been modified and then the data is going to be stored into the triage portal.

D

uh Splitting between the stair file can include, as well as the assertion framework data results. So that's going to be stored in their individual databases. That's just a high level I'm going to call on calendar because I saw shows on it to see. If she wants to say anything if she doesn't, she doesn't need to and then before I pass it over. Our triage portal is officially live.

D

I have to set up a start, so you can enter the admin. Nobody has credentials but myself, but once we get a login screen that is available, so I'll go ahead and pass it on to Glinda.

C

I said um really like the the overall arch of what we want to accomplish. uh What I can add today is that um this week, uh I was able to fix some of the issues that I was getting with the get source code uh and the get files method that the findings uh tab, uses and and also are able to fix some of the problems that I have with redis and right now. I am currently on the works of implementing graphql into the triage portal and starting to develop the the API endpoint. So yeah.

A

Awesome awesome.

A

um

A

Jonathan anything how about the on the the researcher end of of um of the mentorship.

E

um Sure can you hear me yep yep, um on the research side, um sorry my brain's been.

D

Very.

E

Checked out, I've been traveling for a wedding and for holidays. um uh So on the researcher side um we are uh something. I was working on um expanding um the open recipes for XML xxe and um trying to get that set up for our campaign that we can openly run and then Aaron is actively working on um expanding open, rewrites data flow and control.

E

Well, primarily, currently, data flow analysis apis to support multi-file data flow analysis um from there um we uh on yes, so that that will help us be able to tackle more complex vulnerabilities um on my side.

E

I am working on some deliverables from inside of the vulnerability disclosure working group, autofix Sig I'm, actively working on a uh disclosure pipeline, um State machine for handling um automating vulnerability, disclosures uh to maintainers and bulk pull request generation, so Trio are both handling the issue tracking the issue, disclosure request process, as well as an email disclosure request process and um uh uh all of the state. You know, interactions involved in that flow.

A

Awesome.

A

Okay, cool uh yeah, so I think the mentorship program, I think is going great and I'm just really excited to see.

A

You know progress and things happening and all that um any questions uh on that before we move on to uh the next topic.

A

Wonderful, um so next one, uh the open, SSL 3.1 uh security audit kicked off um managed by by ostip. So we have a maker I, don't think I'll say anything, but.

B

All right, hello, everybody um yeah, we're very excited um to kick off the open, SSL 3.1.

D

Security audit.

B

um Still very very early stages, but um just getting to that start line is always an accomplishment. So we're very happy about that and I'll continue to keep the group updated on how that's going.

A

Awesome uh similarly, I think we may even announced this last month. So if I, if I'm repeating myself I apologize, but we um we provided funding to isrg through over uh acrosimo uh to uh improve this state of rust within the Linux kernel, uh as well as uh Feature work for Russell's. uh The the rust um cryptographic Library um leading the both of these have kind of long-term kind of systemic improvements to the um availability of memory, safety um and memory safe crypto.

A

uh So we're excited to start getting updates from them, we'll probably start getting updates from them. I think next month uh would be kind of reasonable I think we I think we signed it's like six weeks ago. So it's a little bit early, but we want to start seeing progress there um on the python side. uh Welcome Seth an episode: do you just go by Seth or Seth Michael I wanted? Yes, just.

F

Just Seth is fine yeah. The reason I have to do the full name is because uh unfortunately, my name without the middle name has uh someone else on. The planet has better SEO than me, and uh it's not a very good person. So.

A

Understood, oh thank you um yeah. So a welcome matter. If you want to say anything, but you know if you wanted to.

F

You yeah, hey everybody, I I'm, Seth I've been doing python for a while uh very interested in supply, chain security and so just feel like I'm living the dream. At this point, um yeah I've been providing I'll I'll, be providing like weekly updates on my own blog and then obviously monthly updates here. uh So, if you're interested in just following along and what's happening in the python ecosystem, that would maybe be a good place to do it and yeah I've only been here for one full public week.

F

um So there's been some amount of movement. It's mostly been just meeting people and kind of figuring out what their problems are and what they think is interesting and what is currently in flight, because there's already lots of stuff in Flight 2 and that's been mostly what I've been doing so awesome lovely to be here and just happy to collaborate with you all.

A

Very cool: um let's see next uh on the agenda disclosure check. I think this was also something I probably talked about last last month, but um uh disclosure check is the underlying tool that uh I think well. Jonathan and open refractory are using going to use um to figure out how to best report a vulnerability privately to a to a maintainer given just like a package URL.

A

um So the idea is, you know, looking through security, MD and availability of um GitHub um private vulnerability reports.

A

um Urls mailing lists jira, whatever, whatever the the project, uh whatever process the project would like the intent of the tool is to discover that and um and hopefully be automated to the point that you know it's. It's actually just the part of a larger pipeline so that that's available under under um uh ossf, um uh just as a tool.

B

An open, refactory.

A

uh I don't see manoir here, um but we uh agreed with with open refactory to provide funding uh for them to go out and uh look through the I think they're going to do 500 a month um running. You know automated, tooling and kind of owning the the full process of you know scanning discovering triaging reporting and getting fixed on the whole the whole pipeline um for those projects for the next six months.

A

um I think they just I think they probably just started today or it was. It starts at the beginning of July. So uh we're really looking forward to both the you know the actual like core output, which is you know, fixed vulnerabilities, but also the learning so that we can adopt adapt and you know, adapt and adopt it uh within uh within our tool uh and final final update that I had well.

A

I should have two more um a great repository audit Sig, um so Jonathan I, don't know if you want to give an update on this. uh I can certainly give an update from uh like why.

E

Don't you start and I'll fill in the gaps? Okay,.

A

So so purpose of great repository audit Sig is uh your package. Ecosystems are among the, if not the most critical parts of the open source ecosystem, because, where you're going to go for your python packages other than pipei or ruby, gems or npm or wherever um so the software, both the client side, the server side, the infrastructure, the people, the process and all that other stuff that like makes up that, um are, are critical, critical parts of that. These things are, these ecosystems are often um uh they're.

A

Most of the ecosystems have not had a security audit in Forever, um and you know, funding is is a perennial challenge, so we think, with you know, turning money to security. uh It makes sense for AO to fund um periodic security audits against those um against those ecosystems. Obviously these would be Alpha engagements with the ecosystems full buy-in and support and collaboration. This isn't a um I. Don't think. This is something that we are going to do at them.

A

Something we'll do with them, um and um you know a lot of this came from from well.

A

This completely came from Jonathan's work in kind of uh advocating for a um you know, for an audit of each of the major ecosystems and to really get it to the point so that consumers can understand whether the ecosystems that they rely on are like meet their expectations and meet best practices and and and all that stuff um part of what what AO can also do here is, in addition to finding the audit but funding the the audit is funding the remediation work that that you know would probably tail in at the end of that I'm.

A

Assuming that there are critical things found um so I'm. You know we haven't AO, hasn't committed formally to funding this um work, uh but it's definitely something that we're actively talking about, and uh it would be a great idea. So um you know Jonathan if I miss anything.

E

Excuse.

A

Me.

E

um So no um uh yeah, just high level um goal of um goal of the great artifact repository audit is to um you know: let's, let's, let's walk before we can run let's like determine that the industry has solid security practices around the security of the artifact Supply, the artifact servers that are supplying the entire industry supply chain and, um uh let's, let's work with um the maintainers of those hosts to address any vulnerabilities identified there um yeah uh if you're curious and want to learn more.

E

um There is I, don't have my right, Chrome window up, but I will post a link in the chat for the great artifact repository audit um uh for you all to review, and then um we can yeah, there's also the uh the uh the great there's, also the um security software repositories, um slack Channel. If you want to have the chat there, but I'll post a link to the chat or to the document in the chat shortly.

A

Awesome any questions any questions around around any of that.

B

um Jonathan, can you remind me again when the uh group meets to talk about this? um The great repository, Sig I, think it's.

A

Later today, right.

E

You know it's on um It's the Great artifact repository audit is on Mondays at 1pm.

B

Okay, um which time zone is that Eastern.

E

Yeah- it's just it wasn't this week because we had uh Fourth of July and the third of July and nobody was gonna be around for that. So.

A

That's great for some reason: I. So when I had it on my calendar for today for later today, that's.

E

A different meeting: that's the um vulnerability, disclosures autofix Sig. Oh.

A

Sorry, you're right, yeah, I'm running two cigs, it's okay cool. um The last episode that I had um uh Michael Windsor is back as a contractor starting this week, um working on strategy execution and just generally accelerating our work um expecting to be. uh You know visible and available. You know certainly next month and on a slack- and you know all that stuff, so you'll you'll start to see him around again. uh So I'm super happy to happen back and uh with that I. Don't think that was my last. That was my last update.

A

um Is there anything else anyone would like to talk about foreign.

E

Check repo or yeah is that Alpha mag or is that one of the disclosure working group? Nobody.

A

Else picked it up so so full back is Is AO, okay,.

B

Yeah, so it.

A

Would actually be good to have more than just from a bus Factor perspective more than just me um yeah code base, um certainly if anybody else on the call would like to like contribute or maintain or whatever, like you know it, it's definitely. uh You know I think it's useful, but it's not very. Very it's not AO specific. So it you know it's a good general purpose tool, I think, but otherwise.

E

Anybody wants to um just gonna write some code I'm, currently working on the um disclosure pipeline, State machine thing, um I would I would love to collaborate with someone to write Integrations for Gmail and stuff like that and I can. If somebody wants to like is looking for an open source project to write some code with uh ping me and we can sit down and discuss um uh requirements.

D

If you have a GitHub issue, I can share it on social and see if we can find some um volunteers, yep, okay and then, if anyone else is looking for any kind of contributions check out the F Omega, the Omega triage portal, um the Missouri client and then the auto.

D

um What is it the open, auto disclose for any of the first good issues or help wanted labels? um And if you have any questions, feel free to reach out to me.

A

Is there anything else anything else on people's minds? uh If not, we can uh it's cool for this to be a short one.

A

All right, then, uh thank you all very much appreciate your time and attention and if you have any questions in the meantime, uh please uh find us on uh the alpha, omega slack, Channel um or purchase an email or find us somehow, um and uh next update will be next month. So everybody enjoy your summer and uh stay safe, bye.

B

All.

D

Thanks.

B

Everyone thanks Michael. Thank you. Everyone.