►
From YouTube: Alpha Omega Project Public Meeting (December 7, 2022)
Description
A
The
meeting
notes
are
in
the
or
in
the
invite,
if
you
wouldn't
mind,
adding
yourself
to
the
attendance
unless
you
object,
in
which
case
you
don't
have
to
and
if
there's
any
topics
that
you'd
like
to
talk
about,
feel
free
to
add
them
in,
like
usual,
this
will
be
hopefully
mostly
just
kind
of
a
q,
a
and
discussion
a
couple
couple
updates
to
give.
But
you
know
this
is
public
forums,
though.
A
A
A
We
have
first
welcome
Yesenia
who's
on
the
call
who
joined
us
a
couple
weeks
ago,
as
our
first
hire
to
the
alpha
omega
team,
Yesenia
will
be
focusing
on
engineering,
but
because
we're
a
small
team
it'll
be
on
kind
of
everything,
so
we're
really
looking
forward
to
making
a
lot
of
progress,
particularly
on
the
Omega
side,
that
in
2023,
so
welcome.
Welcome
Yesenia.
If
you
want
to
say
anything,
put
me
on
the
spot,
but
you're
welcome
to
if
you'd
like.
C
A
A
A
No,
it
must
have
been
earlier
earlier
in
2022
and
that's
like
I,
don't
know,
maybe
70
complete,
so
that'll
that'll
make
its
way
and
get
merged
soon,
but
I
think
that
that'll
be
a
good
repo.
To
put
all
of
you
know,
we
developed
scripts
for
fuzzing,
We'll,
add
them
in
there.
We'll
just
kind
of
you
know
continually
like
use
the
things
that
we
developed
for
our
own
use.
That
are,
you,
know,
somewhat
usable
outside
we'll
just
kind
of
keep
pushing
that
into
the
repo.
A
Happy
to
talk
more
about
assertions,
but
if
there's
other
topics
that
you
all
would
say,
I
realize
I
talked
about
this
a
bit
last
month
and
so
I
don't
want
to
keep
I.
Don't
anybody
to
have
to
hear
the
same
story
like
end
times?
So
if
there
are
things
that
you'd
like
to
talk
about
more,
we
can
do
that.
Joshua
I
see
yakuto
and
AO.
We
can
chat
about
that.
A
D
So
we
have
started
drafting
like
a
document
where
we
I
effectively
pitch
for
an
alpha
engagement
in
terms
of
improving
the
security
of
Yorkshire
projects,
establishing
more
processes
around
like
CV
updates.
So
sorry,
I
should
probably
step
back.
The
Octo
project
may
not
be
familiar
to
everyone,
so
your
actual
project
is
an
embedded
Linux
distribution
like
tool.
D
So
there's
a
bunch
of
places
that
are
running
custom,
lightweight,
embedded,
Linux
distributions
and
geoto
project
is
like
a
tool
for
building
those
embedded
building
and
maintaining
those
distributions.
So,
instead
of
like
once
upon
a
time,
people
would
do
things
like
take
Ubuntu
and
rip
out
a
bunch
of
bits
and
stick
it
on
like
a
Wi-Fi,
router
or
a
like
carrier
grade
Linux
device
or
something
and
and
then
not
be
able
to
update
it
in
a
reasonable
way
or
recreate
the
environment
or
for
a
new
product.
D
So
your
project
is
focused
on
solving
that
problem.
It's
got
this
really
neat
like
cross-compiling
rebuildable
reproducible
tool
chain,
so
you
can
like
create
your
customized
Linux
distribution,
and
then
you
can
say
recompile
it
for
a
different
Hardware
architecture
with
just
a
configuration
change
or
you
know,
pulling
in
a
bunch
of
updates
and
generate
a
newer
image
or
an
update
like
package
for
a
an
existing
image
or
all
of
those
kind
of
cool
things,
and
it's
an
LF
project
with
a
relatively
small
team
of
core
contributors
and
they.
D
The
way
they
are
able
to
handle
security
and
like
responding
to
CVS
and
things
like
that
today
are
on
a
kind
of
ad
hoc
basis
that
pulls
resources
away
from
the
clock.
Contributors
said:
they'd
love
to
effectively
have
an
alpha
engagement
and
bring
someone
in
to
help
do
some
automation
and
Define
new
processes
and
pull
together
a
team
from
the
like
existing
contributors
and
the
contribution
companies,
and
and
establish
some
security
processes.
D
And
then
the
other
thing
that
the
project
architect
is
Keen
on
is
that
the
this
is
a
a
build
system
effectively
and
one
of
the
things
that
we
had.
We
did
with
the
project
in
the
past,
but
it
isn't
done
so
much
nowadays,
we
could
like
take
like
we
could
track
gcc's
gitree
and
pull
that
in
and
do
builds
and
see
how
those
changes
might
affect
the
recipes.
B
D
To
do
like
these
Leading
Edge
builds
and
do
integration
testing
and
like
functional
testing
at
scale
of
things
as
they
are
developing,
rather
than
waiting
for
release
to
be
able
to
like
do
that.
Kind
of
testing
so
with
I
mean
I'm
gonna
stop
and
give
some
special
questions
in
a
minute
but
effectively.
The
reason
I'm
here
is
to
try
and
figure
out
like
if
either
of
those
things
are
something
that
Alpha
Omega
is
interested
in
and
what
the
best
way
to
move
forward
is
with
like
trying
to.
A
A
So
if
you
know
assuming
that
that
there
there
is
a
like
in
in
any
case,
the
first
thing
we
got
to
look
for
is
like
you
know.
What
is
the
risk
today
and
it
is,
would
applying
money
to
security
like
noticeably
change
that
risk.
So
you
know
it
sounds
like,
like
yakto
does
impact
some
fairly
critical
systems
that
don't
have
a
lot
of
great
other
options.
A
So
understanding
you
know
like
how
we
can
help
and
how
we
can
know
that
we
helped
is
is
great.
There
I
mean
it's
also
an
experiment
so
like
this
is
interesting
because
we
haven't
done
another
one
of
these.
So
that
sounds
great.
You
know
the
I
am
a
little
tiny
bit
cautious
about
AO
spending
money
with
LF
projects
so
and-
and
this
isn't
yakto's
fault
so
so
I
think
it's
it's
and
I
think
it's
something
we
can
just
manage.
A
But
you
know
we
we
funded
node,
which
is
openjs,
which
is
LF.
We
funded
jQuery,
which
is
openjs,
which
is
LF
and
I.
Don't
want
I'm,
I
I
haven't
heard
the
objection,
but
if
you
know
I
was
on
the
outside
and
I
looked
at
this
I
would
say:
hey.
Are
we
just
like
funneling
money
within
ourselves
and
but
but
at
the
same
time,
though,
like
I
I'm
sure
there's
like
a
really
good
convincing
answer
to
like
put
that
argument
to
rest
so
I
don't
want
that
to
at
all.
A
You
know,
influence
you
know
how
we
go.
I
think
the
way
to
get
started.
You
know
shoot
Michael,
Windsor
and
I
an
email
or
on
PING
us
on
slack
or
whatever,
we'll
just
set
up
some
time
chat.
It
doesn't
have
to
be
super
formal.
It's
really
just
a
you
know,
discussion
and
kind
of
spitballing
ideas
back
and
forth,
and
then
you
know
we
we
land
on
something.
That's
like
yes
for
the
next
six
or
12
months.
You
know
these
are
the
outcomes
that
you'd
like
that.
A
We
think
are
that
we
think
are
reasonable
and
attainable
and
all
that
and
then
you
know
this
is
approximately
what
it
would
cost
and
just
kind
of
do
it.
You
know
I
do
think
that
that
there's
a
comment
from
from
Sal
you
know
any
anything
kind
of
s-bomb
related
is
good.
Just
because
s-bomb
has
a
lot
of.
A
Over
and
above
what
the
core
you
know,
GCC
or
whatever,
like
components,
might
and
that
might
get
you
into
a
place
where
you're
building
this
like
weird
Frankenstein
thing
that
isn't
really
compatible
because
you've
like
done
things
to
it,
but
at
least
exploring
that
option
I
think
is
the
is
a
great
place
for
Alpha
to
play
for
Omega
on
the
you
know,
kind
of
understanding
how
complex
systems
interact,
and
you
know,
staying
at
you
know
bleeding
edge
I.
Think
that's
I,
think
that's
interesting.
A
It
might
not
be
a
good
fit
right
now
for
Omega,
just
because
we
have
this
giant
list
of
like
you
know
the
actual
released
versions
of
things,
and
you
know
as
we
as
we
develop
tooling.
What
we
should
keep
in
mind
is
how
do
we
like?
Can
we
can
we
pay
now
to
prevent
future
problems
rather
than
just
constantly
being
in
a
whack-a-mole
situation
and
I?
A
D
D
A
A
E
Yeah
so
hello,
everyone
I,
think
I've
met
some
of
you
before
I
had
an
opinion
on
the
Octo
thing,
because
I'm
a
cloud
computing
engineer,
but
I
work
with
a
lot
of
hardware
openstack
and
like
build
route
like
that
entire
side
right,
build
root,
yocto
at
that
side,
the
hardware
level
it's
just
like
totally
ignored
the
security
level,
and
we
really
need
way
more
help
there
and
also
on
the
AI
side.
But
that's
going
to
take
time.
E
So
what
I
wanted
to
talk
about
was
one
to
kind
of
say.
Thank
you
because
we
ran
a
lot
of
the
last
like
two
months:
a
security
slam
within
cncf,
and
we
got
some
funding
from
Google,
which
was
a
little
off
of
Omega
inspired
and
we
were
able
to
give
diversity
scholarships
out
through
cncf
for
every
cncf
project
that
got
to
100
security.
E
So
I
want
to
I
care
a
lot
about
figuring
out
how
we're
going
to
really
fix
this
problem.
At
the
language
level
after
we
also
help
Hardware
kind
of
first
place.
It's
a
concern
for
me,
but
what
I'd
like
to
propose
is
now
that
we
have
some
of
these
relationships
in
place.
Right
we've
got
node
if
we
can
cover
like
a
build
root
area.
If
we
can
cover
I
know
that
we've
got
a
ruby
relationship
in
place.
E
And
secondarily
to
that,
we
are
submitting
our
final
sort
of
request
from
the
U.S
federal
government
for
a
cyber
security
training
mobilization
plan,
for
which,
over
the
next
two
years,
we
will
be
implementing
security,
best
practices,
training
for
each
of
the
languages.
So
I
wanted
to
really
put
that
seed
out
there
that
as
we're
at
the
perfect
time
right
now
to
be
able
to
make
sure
that
that's
in
place
that
that's
just
a
necessary
part
of
engaging
with
Alpha
Omega
is
also
training.
Maintainers,
broadly
in
that
space.
A
And
that's
super
interesting,
so
I
would
love
so
so
you
you
mentioned
that
there's
a
that
that
getting
to
100
on
a
security
thing
is
a
very
is
a
strong
predictor
of
the
lack
of
future
vulnerabilities.
Is
that
anecdotal,
or
is
there
a
date
because
I
would
love
to
be
able
to
refer
back
and
say,
like
oh.
E
E
Research,
I
just
moved
from
them
to
a
new
director
of
Open
Source,
but
in
20
or
2022
statistics
show
us
the
most
predictive
elements,
and
this
is
one
of
them
yeah,
and
so
now
we
have
the
ability
we
worked
with
cncf
to
sort
of
like
test
this
theory
in
practice
by
you
know,
once
we
have
that
data
of
what
was
predictive,
we
just
take
a
cohort
and
get
them
over
the
Finish
Line
in
two
months,
so
we're
demonstrating
that
now
and
it
seems
to
be
true
so
I'll
put
a
link
in
this.
That's.
A
A
There's
a
ton
of
work
in
open,
ssf
around
you
know
Education
and
Training,
and
and
that's
a
kind
of
a
core
going
to
be
a
core
part
of
the
2023
kind
of
strategy.
Let's
say
we're
also
kicking
off
some
work
and
sending
if
we
want
to
give
a
quick
synopsis
of
the
University
thing,
I,
don't
know
that
it
quite
fits,
but
it's
kind
of
interesting
I,
don't
again
put
you
on
the
spot,
but.
B
Yeah
definitely
take
the
spotlight
real,
quick
from
you,
so
one
of
our
programs
are
trying
to
start
driving
and
kind
of
Designing.
Is
a
university
Outreach
we'll
have
a
list
of
vulnerabilities
that
essentially
we
find
and
kind
of
work
with
teams
in
the
universities
to
help
kind
of
triage
and
water
money
from
start
to
finish,
with
reporting
mitigation
steps,
as
well
as
training
and
helping
the
University
students
kind
of
get
on
board
and
understand
that
space,
as
well
as
being
able
to
knock
off
some
of
those
vulnerabilities
on
our
list.
E
Yeah,
we'll
set
up
a
separate
call
and
have
a
discussion
here,
because
I
think
it's
like
what
it
is
entirely
is
a
tandem
approach,
and
so
we're
going
to
have
specific
hires
covering
each
language
and
I
just
want
to
make
sure
that
we
get
security,
best
practices
transferred
over
from
Alpha
Omega.
Anything
that
we
learn,
especially
right
when
we're
like
putting
a
security
immune
system
around
rust.
Right
now,
that's
never
been
done.
There's
genuinely
new
findings
that
need
to
be
distributed.
E
F
Reported
back
to
the
maintainers
for
13
or
14
of
them
were
like
have
been
patched
so
far,
I
think
12
were
passed
like
right
away
within
a
week
or
so,
but
I
mean
so
essentially
what
at
this
point,
we
are
expanding
upon
the
project
as
in
like
Beyond,
like
going
beyond
the
top
200
projects.
Doing
doing
that
more.
So
our
approach
is
more
head-on
than
what
the
like
the
alpha
omega
is
building
the
tools.
Also,
there's
the
effort
on
assertions
tooling.
F
We
are
taking
over
a
vertical
like
type
I
in
this
particular
case
specific
tools.
We
can
actually
include
the
other
tools
that
are
in
the
Omega
tool
chain
as
well,
and
we
would
like
to
see
what
can
we
find
then
report
back
and
then
manage
that
thing.
I
was
not
aware
of
this
like
University
initiative.
This
is
a
great
idea.
The
the
critical
resource
here
is:
how
can
we
scale
this
for
hundreds
of
projects
and
and
so
on?
F
So
that's
where
and
but
at
this
point
in
order
for
us
to
expand
upon
this,
we
are
kind
of
like
so
we
need
to
support
specifically
one
is
that
there's
some
infrastructure
board,
because
running
this
thing
on
at
scale
also
requires
Cloud
resources
and
so
on.
So
so
that's
that,
but
more
importantly,
it's
the
like
the
the
endorsement
that
open
ssf
is
affiliated
with
that,
because
when
we
are
reporting
the
bugs,
if
it
is
coming
from
a
third
party
vendor
versus
if
it
is
coming
from
so
from
open,
ssf
is
Alpha.
F
A
A
You
know
it
seems
like
every.
There
were
a
lot
of
attempts
at
different
approaches
here.
I
know
you
know.
Github
now
has
private
issues
I.
That
feels
like
a
game
changer
to
me
in
terms
of
the
process,
because
a
lot
of
what
we've
had
to
do
has
been
this
like
work
around
the
fact
that
you
know
it's
hard
to
contact
the
maintainer
privately,
unless
they've
like
set
up
a
thing
for
it
and
there's
no
way
to
discover
that
at
scale.
I
know
Jonathan.
C
My
my
response
on
this
is
thank
you
so
much
Kate
and
the
GitHub
team
for
adding
this
feature.
It
doesn't
have
an
API,
so
I
can't
use
it
when
I'm
reporting
vulnerabilities
at
scale.
So
you
know
it's
it's
better
than
nothing.
It's
also
opt-in,
so
we'll
see
how
Lively
gets
adopted.
You
know
you
know,
I,
think
that
I
respect
get
a
decision
about
not
making
it
opt-in
to
begin
with.
I
also
think
that
that
it
needs
to
be
not
that
way.
Eventually.
So
we'll
see,
I
think
that
I
think
I
don't
mind.
F
So
yeah
Jonathan
and
I
we
were
participating
like
we
were
of
like
participants
or
not
participant
magazine
like
we
were
speaking,
but
we
were
observing
the
panel
that
they
had
at
GitHub,
and
several
people
raised
that
issue,
but
I
mean
GitHub
at
this
point
is
not
going
Beyond.
Opt-In,
but
I.
All
like
initially
I
also
thought
that
this
is
a
great
initiative
and
so
on
it
is,
but
it
is
what
it
essentially
does
is
it.
F
It
basically
does
coordinated
disclosure,
but
within
GitHub
and
like
coordinated
disclosure,
has
several
problems
as
in
the
non-response
ETC,
making
it
within
GitHub.
There
are
promises,
but
it
doesn't
necessarily
like
solve
the
problems
like
all
the
problems
as
in
like,
if
so
so,
most
of
the
time
like
when,
when
some
third
party,
like
there's
a
reporting,
there's
no
activity,
that's
been
going
on.
F
So
there's
no
initiative
or
or
anything
that
that
this
would
expedite
the
thing,
although
that
that,
because
that's
so
just
to
give
a
case
in
point,
a
recent
Apache
common
States
vulnerability,
which
was
reported
in
October.
This
was
identified
by
the
GitHub
security
team
in
March
of
this
year,
so
be
between
March
and
October.
That's
that's
how
long
it
took
for
the
common
Apache
common
stakes
in
order
to
like
complete
that
coordinated
disclosure
process.
F
So
there
tends
to
be
a
very
long
process,
most
of
the
time
and
like
initially
when
I
heard
of
it
I
thought
like
okay
yeah.
If
is
that
they're
going
to
be
fixed,
but
apparently
there's
I
mean
the
the
component.
The
wave
is
described,
it's
it.
Doesn't
it
fix
that
particular
problem?
So
that
was
another
thing.
There
was
a
little
let
down.
Okay,.
A
I
mean
I
think
there
were
also
interesting
like
long
poles
in
the
tent,
which
are
like
Apache
is
all
volunteers
like
you,
you
you
will
you
will
you
know
at
any
project
that
is,
you
know,
volunteer
driven
volunteer
maintained
like
there
should
be
I
think
you
could
make
an
argument
that
there
should
be
no
expectations
about
them
ever
fixing
it,
because
there
was
no
contract
there
there's?
No,
they
have
you
haven't
given
them
anything
in
exchange
for
their
their
time
and
attention.
A
You
know
at
the
same
time,
you're
under
no
obligation
to
use
their
thing
and
I.
Don't
know
that,
like
it's
hard
because
the
security
part
of
me
wants
to
say
like
fix
it
fix
it
fix
it.
When
are
you
gonna
fix
it
and
then
the
the
other
side
of
me
is
like
who
are
you
demanding
this
of?
Like
you
know,
I
I
have
I,
have
side
projects
that
I
do
and,
and
you
know
someone
reporting
to
me-
a
thing
is
usually
pretty
low
on
my
list
of
things
to
fix
so.
E
C
B
E
We
need
to
develop
a
new
class
of
cyber
security,
aware
contributors,
slash
sort
of
I,
I,
see
realistically
sort
of
cross
project,
maintainer
class
that
are
security,
aware.
Otherwise
we're
going
to
keep
running
into
this
problem,
but
both
of
those
are
different
conversations,
and
it
does
sound
to
me
just
as
they
concern
citizen
on
the
internet.
I
would
like
to
have
that
information
process
in
place.
A
I
I
would
too
yeah
like
we
very
quickly
run
up
against
I.
Think,
like
unsolved
people,
problems
like
how
do
you
incent,
you
know
cyber
security
researchers
to
go
and
like
sprinkle
the
security
goodness
over
over
projects
like?
Are
they
getting
paid
to
do
this?
Is
it
their
job
or
are
they
doing
this?
Out
of
you
know,
altruism
or
interest
or
whatever,
in
which
case
like
I,
think
you'll
always
like
we've
had
that
like
altruistic,
you
know
forever,
but
the
scale
of
the
problem
has
far
outpaced.
C
Don't
keep
them,
they
don't
pay
your
salary
unless
you're
like
doing
it
as
like,
like
you
have
to
be
going
for
bigger
programs
or,
like
you
know,
even
the
get
up
security
lab
bug
money
program.
I
was
looking
at
the
math
on
like
how
you
could
obtain
100
000
a
year
salary
and
you
need
to
come
up
with.
C
You
know:
10
big
queries
in
a
year
and
they
have
to
all
be
criticals
and
like,
and
then
you
have
to
use
those
to
all
like
you
know,
or
you
like
and
and
the
problem
with
that
is
like
it,
the
yeah,
the
math,
the
math
there
just
doesn't
work
out
because,
like
it
takes
more
time
to
write
the
queries,
it
disclosure
takes
a
long
time,
90
days
per
report,
or
you
know
standard
it
yeah.
So,
but.
A
D
A
Is
a
fund
that
that
you
know
we
have
to
pay
either
maintainers
or
non-maintainers
to
do
security
improvements
to
anything,
that's
like
important
to
open
source
and
there's
there
was
a
a
cutoff
described,
but,
let's
suppose,
there's
enough
projects
above
that
that
that's
like
an
infinite
pool.
The
uptake
on
that
is
pretty.
C
A
A
E
A
E
Job
that's
right
but
like
for
this,
they
denied
them
because
of
their
threat.
Modeling.
So
I
looked
up
all
of
the
graduated
projects
who
had
worse
threat
models,
I
submitted
a
thread
dial
which
is
a
like
Top
Class
model,
and
we
finally
got
it
through
there's
no
standardization
of
best
practices
here,
I
just,
but
we
had
submitted
right.
So
we
went
and
had
everyone
become
100
security
compliant
complete
to
submitting
s-bonds,
which
they
have
to
do
somewhat.
E
A
E
A
So
if
you
want
to
hook
us
up
with
whoever
is
like
actually
on
the
other
end
and
I'll
ping
on
our
end,
well,
there's
no
reason
why
that
should
be.
That
should
be
getting
stuck.
I
know
it
is
kind
of
like
we're
trying
to
figure
out
like
how
to
make
it
more
operationally
like
scaled
in
2023,
and
if
that
means
we
need
to
put
money
into
it.
That's
great.
C
Cool
in
my
experience,
the
other
one
that
exists
is
the
internet
bug
Bounty
program
I
haven't
submitted
anything
to
them
for
a
while,
but
in
my
experience
they
are
unwilling
to
issue
bounties
if
you
have
received
bounties
from
other
spaces
so
like.
If
you
did,
some
research
like
I,
did
a
bunch
of
research
and
found
the
use,
like
you
know,
eliminated
the
use
of
HTTP
across
the
job
ecosystem.
I
got
like
five
thousand
dollars
in
bounties
from
various
different
organizations.
C
Reporting
to
that,
and
then
the
internet
bug
money
program
wouldn't
issue
me
an
additional
reward
because
they
said
well.
You
got
paid
for
from
some
of
these
other
programs,
even
though
I
did
a
lot
of
work.
That
was
not
focused
on
just
the
organizations
that
are
part
of
the
vulnerabilities
to
oh
God,
so
that
was
that
was
interesting.
I
don't
know.
Is
there?
Is
there
any
relationship
with
the
IBB
with
this
group
or
the
ossf.
A
A
A
A
B
A
A
Happy
with
with
anything
so
the
motivating
example
is,
you
know
right
now,
most
organizations,
if
they're
lucky
they're
checking
for
CVS
but
executives.
I
think
like
that.
That
is
an
implementation
detail
that,
like
the
security
department
or
the
open
source,
the
the
the
the
open
source
programs
office
might
might
be
interesting.
A
A
It
doesn't
have
cves
because
that
is
still
important,
but
it
doesn't
do
like
weird
things
like
Roll-Ups
on
crypto,
here's
a
dashboard
of
it.
We
monitor
this
stuff
continually
and
can
see
where
our
risk
is
now
we
may
not
be
funded
or
motivated
or
whatever
to
address
that
risk,
but
at
least
we
understand
it
and
I
think
that
it's
really
hard
to
get
resources
to
fix
a
problem
if
you
can't
articulate
it
so
that
this
is
the
motive.
A
The
motivation
behind
this
there's
also
a
much
more
practical
and
tactical
reason,
which
is
that
as
Omega
does,
you
know,
goes
through
and
runs
tools
across
lots
of
things
we're
going
to
find
a
lot
of
stuff.
We
need
to
keep
track
of
that
in
a
way,
and
we
also
want
that
to
be
public
and
in
which
case
like
I
I,
don't
want
to
just
put
it
in
a
in
a
on
a
spreadsheet,
so
we
did
something
better
than
that.
It
kind
of
evolved
into
this.
A
The
mission
of
assurance
assertions
as
it
says
here
is
to
provide
stakeholders
consumable
data.
They
can
use
that
describe
the
security
quality
of
the
open
source
they
use.
There
is
nothing
about
this
that
is
actually
open.
Source
like
like
I
mean
the
the
reference
implementation
is
open
source,
but
the
target
is
just
software,
it's
just
it's
not
even
sulfur.
It's
just
a
thing:
it's
it's!
The
the
schema.
I
guess
is
the
only
like
thing.
A
There
is
concrete,
because
we
want
stakeholders,
meaning
organizations,
users,
compliance
departments,
whoever
to
be
able
to
make
these
these
decisions.
You
know
with
the
right
information
in
an
efficient
way,
based
objectively
so
I,
don't
want
folks,
just
relying
on
cves
or
even
worse,
cves
with
s-bombs,
because
I
think
that
provides
more
information
that
doesn't,
but
our
biggest
badass
bombs,
I
I
think
we
can
go
a
step
or
two
up
above
what
what
those
can
do.
A
A
Do
do
this,
but
they
usually
don't
share
the
results.
We
tried
sharing
the
results
through
the
secure
reviews,
openssf
project,
that
you
know
it
is
really
hard
to
scale.
We
did
some
automated
Security
reviews
through
there,
and
that
was
actually
that
was
another
kind
of
a
thread
that
made
its
way
into
this.
So
if
we
can
run
or
we
can
run
tools-
and
we
can
generate
a
thing
that
you
can-
you
know
that
that
says
that
this
project
is
safe
or
not.
A
So
let's
just
look
at
the
actual
thing.
So
so
the
goal
is
take
a
bunch
of
Open
Source
projects.
Take
some
really
good
tools,
run
the
tools
against
the
projects
and
there's
some
output.
You
take
the
output
and
you
essentially
distill
that
into
an
assertion
that
states
the
essence
of
what
was
what
was
learned
there.
So
as
an
example,
this
package
was
reproducible.
A
Anything
that
is
kind
of
objectively
that
can
be
objectively
pulled
out,
can
go
into
an
assertion
and
the
assertion
is,
you
know,
signed
and
all
that
that
you
know
stuff
around
it,
but
the
core
of
it
is
a
fact
that
should
be
pretty
non-controversial,
so
we
so
we
we
have
this
process
to
create
these
things.
We
have
a
continuous
process
at
this
point.
We
just
throw
CPU
at
it
and
we
we
run
it
across
like
every
package
or
the
top
10
000
of
the
top
million.
A
Then
you
have
a
con,
the
consuming
end
of
it,
where
you
have
a
policy
and
your
policy
can
say
something
like
I.
Don't
want
any
JavaScript
functions.
Implementing
crypto
I
want
every
package
to
be
reproducible.
I,
don't
want
any
untrue,
even
even
though
they're
untriaged
I
don't
want
any
critical
findings
from
code
ql.
A
The
assertions
are
where
you
give
your
opinion.
Sorry,
the
policies
are
where
you
give
your
your
opinion
and
you
can
be
as
like,
reasonable
or
unreasonable
as
you
want
it's
just
you
you're
saying
these
are
the
these.
Are
the
laws
that
I
I
want
in
my
in
my
universe,
so
each
organization
creates
their
own,
can
create
their
own
policies
will
provide
a
sample
set.
A
You
can
even
create
the
assertions
yourself
and
store
them
in
your
own
repository
behind
your
firewall.
You
don't
need
to
share
them
with
anyone
else,
because
at
the
end
of
the
day,
the
consumption
process
is
just
a.
You
know
give
me
all
the
assertions
for
packaged
food
and
then
you
do
this
and
you
get
a
you
get
a
result.
A
A
So
you
know
all
the
stuff
on
the
left
is
the
scorecard
stuff
all
the
stuff
on
the
right
is
the
let's
say
the
wrapper
around
it,
and-
and
this
goes
into
a
you
know-
into
into
a
repo
of
some
sort.
So
we
have
a
well
I'll
get
to
that
in
a
sec.
So
that's
the
example
of
an
assertion.
Sample
policies,
as
I
said:
npm
modules
should
not
be
implementing
crypto.
A
You
can
even
get
really
detailed
if
you
want
so
no
untrashed
findings
for
command
injection,
specifically
because
if
you
feel
that
that's
a
particularly
interesting
type,
the
policies
are
like
can
be
arbitrary,
it
can
be
arbitrarily
complex.
So
you
can,
you
know,
bring
your
own
logic
and
and
do
your
own
thing.
So,
the
let's
see
architecture,
that's
kind
of
what
it
looks
like
you
have.
A
package
gets
analyzed
assertions,
there's
some
evidence
that
gets
joined
to
that
it
gets
put
someplace.
A
And
then
you
have
a
policy
that
runs
against
it
and
you
get
a
pass
fail
at
the
end,
so
we
have
a
reference
implementation.
This
is
in.
Actually
the
source
code
is
now
just
available
in
Maine
now
so
we,
the
we
generate,
I,
don't
know
eight
or
nine
different
types
of
assertions
and
we're
going
to
generate
more.
A
We
can
store
the
assertions
you
know
in,
like
the
local
file
system
and
Azure
blob
storage
and
a
web
API
and
sqlite
and
they're
they're
kind
of
easy
to
store
wherever
you
want
policies
are
either
open
policy
agent
or
just
an
arbitrary
command.
So
you
can
that's
where
you
can
kind
of
run
whatever.
Whatever
logic
you
want
and
then
we're
gonna
generate
assertions
for
a
whole
bunch
of
projects,
and
you
know
kind
of
put
this
out
there
and
iterate
and
and
stuff
like
that.
A
So
when,
because
this
is
going
to
be
a
public
repository
of
assertions,
you
could
say
well
who
gets
to
put
assertions
in
the
Repository,
and
you
know
at
some
point
like
practically
speaking
like
we
wouldn't
make
it
like
right.
Oh,
you
know
right,
you
know
right
available
for
the
world,
but
there's
no
reason
why
we
couldn't
do
that
from
a
like.
A
You
know
if
we
wanted
to,
because
what
you
would
say-
and
this
is
why
the
whole
signing
and
wrapper
stuff
is
important.
You,
the
consumer,
could
say
I
only
trust
assertion
generated
by
openssf,
so
we'll
have
some
sort
of
a
signing
key
or,
and
we
need
to
I'm
gonna
I'm
gonna
hand
wave
around
like
how
that
would
work,
but
you
would
you
would
you
you
would
explicitly
say,
like
I
trust,
you
know
X,
Y
and
Z
for
my
assertions
and
therefore
everything
else
you
know.
A
A
A
A
A
So
this
is
super
like
it's.
You
know
15
minutes
into
a
45
minute
bake,
so
it's
still
still
kind
of
wobbly,
so
we'd
love
to
get
feedback.
We
are
talking
to
guac
I'm
gonna,
try
to
try
to
get
with
them
next
month
to
kind
of
see
how
to
align
and
and
whatnot,
also
reached
out
to
the
in
Toto
folks,
because
of
some
for
some
time
there
but
love
to
take
questions
feedback.
Anything
like
that.
E
E
Are
you
gonna
do
that
once
a
day
once
every
12
hours
once
a
month
and
then?
Secondly,
to
that
within
an
ecosystem?
If
I'm
thinking
as
a
malicious
actor,
you
can't
run
those
all
at
one
time,
because
then
I'm
gonna
know
that
over
a
12
24
or
one
month
period,
I
know
exactly
what
point
in
time
projects
are
going
to
think
they
are
most
secure
when
I've
had
the
maximum
amount
of
time
to
inject.
A
A
C
How
is
this
distinct
from
scorecard
because
it
seems
like
like
scorecard
and
best
practice?
Well
best
practices
is
a
little
different,
but,
like
the
same,
this
seems
like
it's
like
in
that
same
sort
of
vein,
in
that
same
sort
of
like
ecosystem,
same
sort
of
like
reporting
World,
but
just
like
aggregated
data
right.
C
A
First,
because
we're
experimenting-
and
you
know
it's
easy
to
kind
of
experiment
in
in
isolation
and
like
iterate
a
bunch
of
times
and
then
and
then
see
where
it
goes
scorecard,
isn't
so
much
policy
based
it's
more
of
it's.
It's
like
the
the
you
could
look
at
the
assertions
as
spiritually
in
the
same
category
as
as
the
scorecard,
but
the
consumption
of
it.
You
know
I
I,
think
you
know
scorecard's
gonna
say
here.
E
Yeah
I
think
if
we
take
a
more
numbers
approach
to
it,
like
the
the
most
predictive
thing
is
how,
like
the
mean
time
to
update
from
the
packages
that
they
ingest,
like
you,
really
do
have
to
think
about
it,
like
that's
kind
of
the
core
problem
of
yeah
I'm,
not
asking
people
to
set
on
the
bleeding
edge,
but
also
even
like
the
top
four
back
maintained
releases.
One
of
those
is
likely
to
go
stale
within
the
next
three
year
period
right
and
yep.
That's
what
I
need
to
get
there
as
soon
as
possible.
A
B
B
A
Fast
and
worry
less
about
the
think
things
that
tend
to
get
these
things
bogged
down
like
you
know,
the
formal
schema
and
you
know
expanding
out,
use
cases
far
beyond
like
open
source
I'd.
Rather,
you
know
I'd
rather
delay
those
types
of
things
until
we
have
something
that
really
works
core
with
open
source
and
just
kind
of
go
from
there.
But
if
anybody's
interested
this
is
in
the
Apple
Omega
repo
you're
welcome
to
try
it
out
there.
The
breed
me
should
be
correct.
F
You
have
a
small
feedback,
which
is
for
the
for
the
first
iteration
I
mean
when
you're
talking
about
or
giving
examples
of
assertions.
There
are
very
many
things
that
you
can
assert
too,
but
since
this
is
Alpha
Omega,
it's
about
tools,
results
that
maybe
like.
We
should
really
narrow
the
scope
of
that
I
mean
obviously
like
the
language
that
we
are
using
or
the
underlying
schema
that
we're
using
like
the
in
total
it.
It
gives
you
a
lot
of
flexibility
and
doing
stuff,
but
for
our
project
or
this
particular
project.
F
A
A
I
the
the
goal
is,
you
know
you
hit
a
button
and
then
you
come
back
next
week
and
you
have
a
whole
pile
of
assertions
for
a
whole
pile
of
projects
whether
or
not
we're
yeah.
We
could.
We
could
argue
about
like
what
the
what
the
right
set
of
initial
assertions
is,
but
having
more
assertions,
only
cost
CPU.
You
can
just
not
have
it
reference
in
a
policy
in
which
case
it's
it's.
You
know
it
doesn't
mean
anything
to
you
cool.
We
are
out
of
time.