From YouTube: Alpha Omega Project Public Meeting (February 8, 2023)
A
C
D
D
B
C
All right, well, welcome everyone to the February 8th Alpha Omega public meeting. As you can tell, my voice is a little bit hoarse today, but we're going to get through it. So as, as usual, Q&A, there's lots of questions, I think, like, force. Two-thirds of the folks on the call are directly on the project. So if, if you run out of questions, we can give everybody time back. If not, we can just chat.
C
No, don't start with me, it's too early in the morning. So the, the first, you know, major change that we want to talk about was Michael Windsor is no longer at Google and it's no longer.
D
C
Position that he was on Alpha Omega. So Bob Calloway, who's been, well, Bob and Brian are both from Google, they've both been, it's just, you know, involved in OpenSSF for a long time. Bob is the, like, appointed single, like, personal contact for Google for Alpha Omega going forward. Brian's supporting him, so I feel good about this. I don't feel like it, it doesn't change the mission, it doesn't change the focus.
C
We still have really smart people doing, like, hopefully, really good things, but just want to be, be transparent there. Alpha engagements: so we still have the same, same five engagements that we've, that we talked about last month.
C
We are looking at a couple more for, if I were to guess, I would say possibly by the end of March we'd have something to announce, similar, similar in these, but we don't want to, you know, talk about them until we're, we're further along in the process. But that does actually raise an interesting point on, like, are we, like, do we have the right funnel to consider the right, consider the right projects? So right now it's a combination of us reaching out to projects and projects reaching out to us.
C
If there's, you know, if, you know, any of you on the, on the call have thoughts on places in the ecosystem where investment would have outsized impact, like, throw them over to us.
C
Yeah, you open up, I mean, email would be easiest, but, you know, anyway, just get in contact with us and, you know, give us a, you know, give us the list, give us a pitch, give us whatever. But we definitely want to make sure that we're focused on the right things, and, and a lot of times I, what I'm, where I'm thinking is, like, we all know about, like, Node and Eclipse and Rust and, and Python, but in the, in the idea of, like, live Nebraska, like, are there?
C
E
Yeah, I'm sorry, I can't answer that question, even though I, I can kind of confirm that this is a very interesting one. I was just wondering, like, you have these engagements, they're basically on, on foundation level, so I think all of them have potentially tons of different projects underneath. So I don't know if that is part of the, the updates that you host on GitHub.
E
So sorry if I didn't read up on that before, but how do you pick individual engagements on, for, for one of, or a particular project for one engagement, like, for instance, in the Eclipse Foundation context? Sure, I'm just curious, and yeah.
C
So, so the reason, so, so Eclipse, you know, they're at the beginning, you know, they're all slightly, well, they're all very different from one another. Part of the reason for, like, for instance, for jQuery, one of the reasons for jQuery, like, beyond, like, it on the surface being a critical project and all that, was because it was different than the others. All the others were foundation supported, I mean, notice, probably in a similar category as jQuery, but like Eclipse.
C
One of the reasons we've talked to, we were interested in, in Eclipse was, you know, because they cover 140 different projects, I think, if memory serves. So by investing essentially, like, one unit of investment, you could improve the security for a wide swath of projects, as opposed to saying, you know, targeting this investment to, like, you know, the Eclipse IDE or the C plus plus toolkit for Eclipse or CPython.
C
Specifically, it said it's, no, it's to the Python foundation, and because they're in better position to know where, where, where that, that focus should be to have the, the most impact, we kind of, you know, we work with them, but mostly we defer to them to, to have that, that insight and allocate that in that way. If there's a separate question, which is, why do we choose Eclipse, Rust and Python and not foundation A, B and C, and that, you know, part of it is the critical projects working group.
C
We were kind of informed by that, the list that they have of the top hundred. Most of, I don't say most, that if, if you look at that list and look at the list that we've, you know, the list here on the screen, there's a big overlap. So they kind of make sense, like, we aren't, you know, I don't, I hope we're not choosing projects that don't matter, but there's a huge list of projects that really do matter.
C
So could we have invested in, you know, take out Rust and put in another one? Sure, it would have been in a similar boat, and, and that's why I think that the, the goal for 2023, number one, is to, like, continue making more investments. We do one, we don't want our portfolio to just be five.
C
We want it to be, I don't know, 50 or 25 or some number more than five, but in order to scale that, and this comes, comes down to, like, the, the strategy that we have, which is help, help these foundations build capacity themselves on an ongoing, like, budgetary base. So we had an off-site last week and we were chatting about, you know, some of the ways that we could do this, and we talked about, like.
C
Could we do matching funds? So, instead of giving, you know, the full amount, we say we will give 75 of whatever you get elsewhere, up to some, you know, capped amount or something, just to kind of put, start putting a gentle pressure on these foundations to diversify their inbound fundraising for security. Because at the end of, I don't know, 2025, if we have 25 critical projects that every year their security depends on us writing them a check, I think we've failed the ecosystem. So I, I.
C
Definitely don't want to be in that, in that position where we wind up, you know, creating that, that hard dependency.
C
Yeah, and then there are updates on the, I just merged a couple, but there are updates on the, the, the site here on, on, under Alpha Omega, so I think we have ones from each of the five now, and a couple, couple just as of, as of this morning.
B
Don't mind, I probably should rephrase that question. Okay, yeah, I, I agree with that, with everything you said. I, I think also in, in at least some of the discussions that we've already had, that has been interesting. Yes, do find and fix specific vulnerabilities, that, that's important, that's a good thing, but also, you know, trying to help, you know, make changes to that, their own processes, automatically detect, you know, it, basically help them make changes so that future similar problems can't ever happen in the first place.
B
I, I love what the, what the airline industry does, where every time there's not just an accident, but something that is a, that, that could have, if other things had gone wrong, become an accident, step back and ask what happened, why. And we're not here to beat up people, we're here to figure out how we can change things to make that even less likely in the future. And if we just, if we all, as a larger community, do that, these, these problems are just going to slowly be squished out.
C
Yep, I absolutely agree. I mean, I think the problem that a lot of these foundations or larger projects have in general, not just the foundations, is, you know, they, and this is true for organ, for commercial companies too, they tend to be in, kind of, jumping from crisis to crisis. So a, a big vulnerability happens, it's scramble, like, the first order.
C
Businesses get the thing fixed. That, that, like, longer root cause analysis, let's steer the ship in a slightly different direction so that, so obviously, since in the future, it's, there's that, it's the, I don't know, cobbler's son is the right, right there and that, but it's, but it's, like, it, that is always second tier to either, you know, feature work, like, actually doing the thing that you're in business to do, or, you know, responding to crises, and I.
C
Think one of the things that I, I hope this funding through, through Alpha gives is some, a little bit more breathing space so that, you know, someone can, like, and I think, I think almost all of the engagements we have included a specific bullets on, like, you know, learn about the security, with a, gaps within the processes, and then work to change that and improve that.
C
So, so, in addition to just kind of making security releases and bug fixes and, and vulnerability detection and installing code scanners, it's, like, the, the look at it holistically and, and improve things over time. And I think Eclipse is the one that comes to mind in particular, that, you know, with a lot of what they've done with, you know, running Scorecard, looking for, I think they've already started on SLSA.
C
C
So that was the major update that I had. I think the next slide is just, is just Q&A. I mean, we're working on a lot of other things, so, you know, we have Yesenia and Jonathan that I'm sure could be happy to talk about.
C
There's university outreach program that we're, that we've, are working with the education, the EI SIG on. Essentially that we're continuing this kind of grand experiment, and some things are going to work great and some things aren't, and of course we learn the better and we can iterate and, and all of that, so.
C
F
F
C
We absolutely need to do that. If animals on the call, I would, I would ask her to, like, make sure that's highlighted on the Trello board, I mean, because, so, so some of the tools are, let's see, so, so the, the analyzer is definitely usable to the point that a video demo and some better, better docs on how to use it would be helpful. We should absolutely do that. We should do that, like, really soon, actually.
D
F
Yeah, because we can also integrate tooling, that was kind of why I wanted that, why it came.
F
F
I know that we talked with the End User Group about, like, an executive perspective and different perspectives there, so yeah.
C
E
F
B
If I can make a quick response to Randall as well.
B
Yeah, so, you know, first, I, I agree, you know, you know, to training on tooling sounds great. If it's just a video, I mean, you know, I think that would be.
B
You know, I'm always big on, you know, a small cost, big benefit stuff. So a short video showing, you know, something you decide to do, it can be a big win. I'll add that, you know, if you're an existing security researcher, a number of security researchers already have some tools that they're comfortable with, awesome, if that's helpful. And those kinds of videos to help them understand and use new tools is really, really helpful also.
B
B
Well, there's always a lot to do. More generally, if I, if, as soon as you find a topic, you find a thousand things that are worth doing.
B
But let me, let me just add a quick plug. In addition, though, for many, many software developers, they really don't know, they struggled to use some of these tools, not because the tools are necessarily hard, but they can't, they don't really understand what the tools are trying to accomplish. They don't really understand what vulnerabilities are in general. And so for, in a lot of cases, what they need is not just here's how to use a tool.
B
You know, mechanically, or here's some tricks, how to use the tool, but more broadly education on, you know, hey, what is security? What are common kinds of problems and those sorts of things? And I hear that there are courses from the, the, the OpenSSF secure development project. I hear about this thing called SKF. Randall, you may also have heard of it.
B
So I, I laugh, for those who don't know. I, I led development of the, of the OpenSSF, and Randall leads on the, it's at least a part of SKF project, and we work together. So, so I'm just pointing out that in many, many cases it's not just education, the tools, it's, you know, the basics of security, and we can point off, thankfully, to existing materials.
F
And, and let me also add this for your guys's knowledge. So there's been a lot of talks, and this actually somewhat will have to do with the secret meeting later, the covert meeting, but basically SKF, in a lot, like, so we've been talking about getting absorbed into LF, and talks are pretty advanced.
F
That I could talk about certain things, but SKF is really embracing the framework part of the, the F part of the, of the SKF, because it's kind of turning into something like a ecosystem, where we're going to offer wide array of free courses, tooling and all sorts of things. Like, it's gonna be like a whole ecosystem, because essentially we're, the fact that all of our courses are free will not fly as.
D
F
Think, sorry, that SKF is growing a lot because we're becoming more of a framework, so there's going to be more tools. There's going, like, we've talked to Project Discovery about potentially doing stuff with SKF. I.
F
Don't know if you guys know Project Discovery, Jonathan probably knows who they are, but, but stuff like that. So we're kind of turning in, and then we have, obviously, we're working on our own Kali Linux, which is the hack OS, which we think is going to be a major marketing tool. So yeah, so we're working on a lot of really cool things that is not just the platform, if you will.
C
A
Randall, I can help you with the Omega training videos, because that's something I would like to do, is, like, have a, an entry point for new contributors, more on, like, the brand new, maybe college students or folks that are just entering the fields but, like David mentioned, don't even know what security is. So I'll be happy to have.
F
D
B
F
So we're, we're going through all that, and yeah, and then, as I said, there's, so a lot of the secret meeting has to do with OAS, and basically there are things happening at oauth that, yeah, where, where that tooling side of things might get real, a lot more interesting real fast, is all I'm saying. I'll say more in the secret meeting, but I thought that, being Alpha and Omega, you guys would be interested, because part of this is, so I, I.
F
C
B
I don't know. All right, so we have to be careful here when we, yes, I can stop recording. However, all the rules involving OpenSSF are, you know, still valid in terms.
D
D
B
On, okay, so I'm gonna stop per request.