From YouTube: Alpha Omega Project Public Meeting (October 5, 2022)
B
A
So
this
slide
deck
I
have
is,
is
just
the
Dublin
slide
with
public
meeting,
so
we
can.
We
can
talk
about
that.
We
can
talk
about
anything.
I
think
everybody
here
has
been
at
these
before
so
I.
Don't
know
that
we
need,
like
the
whole
introduction,
what
is
Alpha
Omega
if
you
guys
have
questions
this
this
is
you
know
this
is
for
everybody,
outside
of
the
core
team,
to
poke
and
ask
questions
and.
A
Sorry
about
that
Lauren
welcome.
We.
D
C
What
we're
not
I
I
think
I
got
the
gist
of
what's
going
on
in
it.
I
I
was
with
the
Linux
Foundation
I
used
to
run
kind
of
a
similar
work
group
that
was
related
to
the
core
infrastructure
initiative.
Oh.
C
C
Where
you're,
that's,
where
your
name
I,
think
David
is
David's
a
familiar
face
as
well
awesome,
so
yeah,
I,
I,
think
I
I
think
I
sort
of
get
what
you're!
What
you're
doing
here,
based
on
on
what
you
did
there.
B
Warren
I'm,
going
to
flip
this
right
back
around
I
would
love
to
hear
from
you
in
terms
of
your
experiences
and
and
how
you
were
able
to.
You
know,
get
things
done
or
where
you
were
frustrated
or
what
worked,
what
didn't
work
or
what
you
wish
you
knew,
then
you
know
we're
certainly
always
open
to
like
hearing
from
people
who
walked
down
various
roads
before
okay.
C
C
Yeah
I
figured
it
would
it
would
kind
of
rear
its
ugly
head
again
if
I
mean,
if
anything
that
was
frustrating
from
from
my
perspective,
it
was.
It
was
mostly
IBM
related,
but
you
know
I
think
the
the
work
that
we
had
done.
There
was
basically
for
those
who
don't
know
what
that
is,
and
I
like
I,
said:
I
think
Michael
and
David
are.
They
seem
familiar
faces
and
I
think
they
remember,
maybe
Vicki,
even
maybe
maybe
Vicky,
no
no
anyway.
C
So
what
what
we
had
done
was
I
had
put
an
effort
together
to
say
you
know
where:
where
could
we
Direct
funding?
That
would
be
the
most
effective
for,
for
the
industry
in
general,
was
the
basic
premise.
So
you
know,
obviously,
companies
like
IBM
and
and
Microsoft
have
gargantuan
portfolios
that
would
tend
to
run
over
smaller
companies.
So
my
premise
also
included
the
perspective
that
company
Size
Doesn't
Matter,
so
just
tell
me
what
your
top
top
10
I
think
I.
It
was
either
top
10
or
top
20.
C
open
source
problem.
Children
are-
and
that
was
you
know,
from
like
a
vulnerability
management
perspective
and
that
that
was
left
open-ended
on
intentionally,
because
I
saw
the
world
one
way
and
I
ass
and
I
think
some
other
companies
saw
the
world
a
slightly
different
way
in
terms
of
what
they
viewed
problem.
Children,
as
my
view
of
the
world,
was,
if
you
get.
If
you
get
one
vulnerability,
how
many
products
does
it
does
it
cause
you
pain
for
and
therefore,
what
is
your?
C
Other
companies
had
some
different
ideas
and
I
forget
who
had
who
had
what
ideas
at
this
point,
but
it
really
all
worked
out
in
the
end,
probably
the
biggest
struggle
that
we
had
for
quite
a
while
was
convincing
legal
teams
to
Pony
out
their
list
of
problem
children,
because
that
would
tend
to
give
you
some
sort
of
a
insight
into
you
know,
kind
of
where
the
weak
links
were
for
that
income
portfolio.
B
C
C
That's
and
that's,
and-
and
that
is
exactly
what,
where
we
went
with
this,
so
what
I
did
is
I.
You
know,
I
made
an
oath
to
all
the
all
the
companies
and
the
lawyers
that
my
interest
in
this
was
not
an
interest
solely
on
the
behalf
of
IBM.
Nor
was
it
an
interest
that
was
routed
in
in
any
competition.
It
was.
It
was
routed
in.
Let's
try
to
fix
this
as
an
industry
Consortium,
because
if
we
don't
band
together,
we
are,
we
are
going
to
fail.
C
I
mean
you
know,
I
forget
who,
who
some
of
you
work
for
I
mean
just
I'm
going
to
pick
on
Michael
here,
just
because
it's
it's
an
easy
target.
Obviously
Microsoft
and
IBM
in
various
circles
are
very
competitive.
On
the
other
hand,
we
both
are
using
infrastructure
that
is
virtually
identical
based
on
on
open
source.
You
know
so,
let's
you
know,
let's
go
Yak
here
for
a
while
about
container
deployment.
C
C
You
know
with
the
open
ssf
that
that
causes
me
a
little
bit
of
angst
because
yeah
sure
as
a
group
here
we
could
sit
down
and
talk
about
our
top
10
list
or
our
top
20
list
or
whatever
we
want.
And
that's
that's
great,
that's
not
not
a
bad
thing,
but
it's
the
log
for
Jays
of
the
world
that
get
you
you
know.
C
So
how
do
we
solve
you
know
when
when
edicts
come
down
and
says
you
know
you
really
can't
put
out
products
that
have
you
know
known
critical
and
high
vulnerabilities
in
them?
Well,
that's
that's
easy
to
say
in
practice,
but
when
you
get
down
to
it
and
you
say
well,
that
means
I
need
to
have
somebody
in
my
organization
that
has
the
ability
to
contribute
to
every
open
source
package
that
we
consume
and
I'd
be
shocked
if
you
guys
aren't
banging
on
the
same.
C
So
you
know
I
can't
possibly
have
you
know
I,
don't
forget
the
number
of
Open
Source
packages
IBM
consumes
in
their
product
portfolio,
but
it's
you
know
10
000
plus
it's
you
know
it's
ridiculous
and
I'm
sure
that
you
guys
run
into
that
same
kind
of
numbers.
It's
you
know.
So
how
do
we
go
solve?
That
problem
is
my
other,
my
other
little.
A
C
B
Know
on
my
side,
Warren,
it's
very
consistent
with
how
we've
been
experiencing
it,
both
sort
of
in
Alpha
Omega,
and
also
what
we're
doing
with
Google
and
I
think
others
experience
the
same
thing.
You
know
it's
very
easy
to
talk
about
the
most
critical
projects.
B
Almost
by
definition,
the
more
critical
those
projects
are,
the
more
eyes
are
paying
attention
to
them,
because
right,
yeah,
and
so
you
know,
we
have
I
mean
with
open
ssf
I-
think
we're
also
still
working
through
that
problem
with
Alpha
Omega
we
have.
B
We
have
found
leverage
in
looking
at,
like
essentially
other
organizations
that
have
plans
to
leverage
themselves,
so
they
can
go
off
and
apply
and
start
to
create
cultural
changes
across
a
broader
set
of
projects,
but
it
varies
dramatically
by
the
governance
model
of
the
project
or
by
the
you
know,
to
Governor's
model
the
foundation,
the
projects
in
that
Foundation
or
just
even
the
culture
within
a
particular
project.
It
can
vary
quite
dramatically.
C
Yeah
yeah
no
I,
you're,
absolutely
right,
I
mean
we
have.
We
have
variances
in
in
culture
within
our
Our
Brands
that
you
know
have
different
tolerances
for
different
things,
and
you
know
different
opinions
about
how
quickly
something
can
or
should
get
fixed
stability
versus
stability
versus
speed
of
of
of
action.
B
This,
and
instead
of
repeating
myself
from
selling
conversations
but
welcome
to
the
competition,
is
open.
B
Ssf
working
groups
are
designing
the
future
of
software
supply
chain
security
and
it's
an
important
future,
we're
looking
at
it
from
the
point
of
view
of
what
can
we
do
right
now,
some
which
will
bring
that
future
sooner
to
accelerate
adoption
of
key
things
and
somebody's
just
like
well,
what
can
we
do
to
make
a
difference
right
now
and
what
experiments
can
we
run
to
learn
from
that
that
can
feed
back
into
you
know
better
insights
moving
down
the
road
okay,
anyway.
Welcome.
Welcome
to
the
conversation
very
happy
to
have
you
here.
C
A
Awesome
yeah,
so
so
I
mean
it
in
like
60
seconds.
You
know
the
the
Distributing
kind
of
the
mission
of
the
vision
that
we
have
you
know
so
it
is
and,
as
like
I
said,
like
the
difference
between
Alpha,
Omega
and
other
things,
is
this
kind
of
direct
maintain
your
engagement
expert
analysis?
It's
not
about
improving,
like
we
wouldn't
work
on
like
a
standard
like
like
Vex
as
a
as
a
vulnerability
change,
but
data
standard.
A
If
that
came
across,
like
hatred,
Alpha
Omega
work
on
this,
it
should
be
a
resounding
no,
but
a
a
you
know
is
the
well.
If
you
look
at
the
alpha
engagements
that
we
have,
you
know
it's
clear.
A
It
should
be
clear,
culturally
that
the
the
types
of
work
that
we
fund,
why
we
do
it
and
you
know,
and
kind
of
kind
of
rolling
up
our
sleeves
and
and
getting
into
the
affecting,
like
real
security
change
in
real
projects
and
real
specific
projects,
so
the
division
that
we
have
is
that
you
know
these
critical
open
source
projects
are
secure.
It's
not
every
open
source
project.
It's
you
know
it
is
incredible
ones
for
Alpha.
A
It's
top
100
for
Omega,
the
top
10
000
ish
10
000
covers
quite
a
bit,
though,
of
like
the
risk
like
the
aggregate
risk,
landscape,
yeah.
C
That's
so
that's
why
actually
I
was
going
to
go
in
terms
of
asking
you
guys
have
you
have
you
looked
at
this
from
you
know,
I
know,
there's
plenty
of
discussions
out
there
that
talk
about
you
know
CVS
is
dead.
C
A
Kingdom,
so
we're
clarifying
not
we
so
so
two
different
axes
here:
one
is
critical
projects
being
projects
that
are
very
important
or
widely
used
or
foundational
or
platformy,
or
things
like
that,
you
could
argue
that
a
very
widely
used
project
that
has
one
or
zero
maintainers
and
is
in
a
atrophying
state
is
riskier
than
a
lesser
used
project
that
has
you
know
or
whatever,
like
yeah
sure,.
A
A
risk
access
of
the
project
itself,
how
much?
How
How
likely
is
this
to
cause
us
pain
in
the
future
right?
What
we
have
from
the
secured
and
critical
projects
working
group
is
the
list
of
critical
projects
now
in
in
their
list,
is
an
aggregate
list
of
other
lists.
Some
of
those
other
lists
have
included
some
elements
of
risk
I'm.
We
we
actually
actually
just
started
talking
about
this
just
recently
that
that
it
it
would
be
interesting
to
take
a
more
intentional
lens
over
that.
A
The
problem
that
that
I
think
we've
had
is,
as
an
industry
we've
had
years
and
years
and
years
of
hey,
someone
needs
to
come
up
with
a
risk
metric
on
open
source,
and
then
everybody
goes
away,
and
three
years
later
somebody
says
hey.
We
should
have
a
risk
metric
for
open
source
and
like
there's,
no
there's
no,
like
that
I'm
aware
of
like
definitive
thing
that
that
most
people
agree
on
yeah.
I
could
see
that
yeah
I'm,
also
okay
with
like
any
metric,
is
okay.
A
You
know
the
worst
that
we
would
do,
and
this
was
one
of
the
reasons
that
we
did.
We
haven't
blocked
anything
in
Alpha
Omega
on
answering
this
question
is,
let's
say
we're
wrong,
and,
and
we
we
wind
up
funding.
Well,
we
we
we
we're
funding,
python
and.
A
Do
the
whole
risk
metric
thing?
We
really
that
python
isn't
like
the
fifth
most
important
project
to
fund.
It's
like
the
50th.
Well,
it's
still
the
50th
out
of
you
know:
3
million
projects
so
yeah
it
almost
it
matters
less
to
get
the
prioritization
right
and
more
just
like
it's
clumpy
up
at
the
top.
Just
do
do
them
all.
Do
lots
of
them
learn
and
iterate.
C
E
C
E
And
different
people
are
going
to
have
a
different
set,
no
matter
what
we
do,
but
as
Michael
scavetta
noted,
you
know
whether
it's
number
50
or
number
five,
you
know
focused
investment
that
improves
it
will
improve
it,
improve
things
for
a
lot
of
people
and
a
lot
of
organizations,
and
you
know
the
goal
is
to
make
a
significant
Improvement
yeah.
A
It's
like
it's
like
the
top
10
movies,
like
if
you're
number,
seven
or
number
two
like
it
doesn't
matter
so
for
Alpha,
as
as
Michael
was
saying,
you
know,
we
are
intentional
about.
We've
been
intentional
so
far
about
this
kind
of
scaled
impact
and
leverage,
and
what
this
really
means
is
instead
of
working
with
individual
project
with
individual
maintainer
or
you
know,
individual
set
of
individual
maintainers.
A
We
look
for
places
where
we
can
affect
either
an
ecosystem
as
a
whole,
or
you
know
hundreds
of
important
projects,
because
we
feel
like
number
one.
We
just
from
a
bandwidth
perspective
on
our
side.
Some
of
this
was
just
pragmatic
that
we
didn't
see.
We
are
still
hiring
and
because
we
don't
have
anything
to
work
on
this
kind
of
full-time.
A
We
didn't
want
to
be
bottlenecked
by
just
bandwidth
that
we
had
so
we
figured
that
we
could
have
the
foundation
hire
someone
to
do
that
work
and
then
just
kind
of
report.
Summaries
back
to
us
I
think
that
that's
been
that's
been
pretty
good
and
then
on
the
Omega
side,
it's
all
about
Automation
and
triage.
This
is
the
remove
pollution
from
the
ocean
kind
of
kind
of
scenario
where
we
we
look
through
these
top
10
000
features
projects.
We
look
for
critical
vulnerabilities.
A
If
we
find
any,
then
we
report
them,
but
we
don't
pre-engage
maintainers
on
that.
It's
just
not
feasible
and
that's
been.
We
think
that
that
by
by
hitting
hitting
it
from
both
sides,
we'll
get
to
the
point
where
we
can.
You
know
like
affect
substantial
change
in
the
most
critical
projects
and
make
sure
that
the
the
rest
of
the
important
ones
are
have
some
degree
of
of
understanding.
C
About
them,
what
is
what
is
the
the
general
landscape
versus
stuff
in
Linux,
distros
intersection?
Look
like
I
mean:
have
you
been
paying
attention
to
Linux
distro
packages,
or
are
you
sort
of
letting
the
distros
kind
of
deal
with
that
and
looking
at
the
other
ecosystems
out
there
or
what?
What's
the?
What's
that
look
like.
D
C
B
I,
don't
have
a
great
answer
for
you.
I
have
sort
of
like
how
I
worry
about
it
right
now.
I
think
that
the
major
distros
have
like
Debian
has
done
a
lot
of
work
towards
reproducibility
on
builds,
and
that's
not
the
only
thing
that
matters,
but
it's
a
really
interesting
sort
of
progress.
Triplet
and
you
know,
I-
think
it
was
like
four
or
five
years
ago,
I
hosted
a
summit
at
Google.
B
I
invited
a
bunch
to
talk
about
sort
of
their
devops
world
and
various
things
and
I
started
talking
about
software
supply,
chain
security
and
vulnerability
management
across
their
space
and
to
a
person
that
we
have
like
50,
ctOS
and
Engineering
VPS
there,
and
all
of
them
were
like
I'm,
currently
very
busy.
Keeping
up
with
vulnerabilities
on
my
operating
attack.
I
have
operationalized
that
to
some
extent,
but
please
don't
tell
my
security
folks
about
language
package
problems.
They'll
shut
me
down,
and
so
I
think
that
for
all
that
there
are
real
problems
across
the
ecosystem.
B
B
And
and
I
don't
think
that
I
think
there's
almost
a
false
confidence
there.
It's
a
little
bit
dangerous
to
be.
You
know,
don't
get
cocky
kid,
you
know,
but
they're
sort
of
like
raging
pairs
of
bad
behavior
or
bad
practices.
Sorry
across
various
parts
of
the
ecosystems,
but
like
the
operating
system,
distros
have
really
had
to
get
their
stuff
together
right
and
they
have
intentionally
focused
on
it.
B
It's
what
they
do
and
they
are
curating
a
set
of
things
that
work
together
and
updating
them
when
vulnerabilities
are
found
like
that
is
the
operational
model
and,
honestly,
you
know
full
credits
and
Microsoft
who,
what
20
years
ago,
had
a
huge
problem
with
vulnerabilities
in
Windows
and
wandered
down
the
Hard
Road
of
getting
Windows
to
be
more
and
more
self-updating,
rather
than
waiting
for
users
to
do
it
themselves
and
then
the
balance
of
having
it
admins
not
have
the
system
change
underneath
them
when
it
was
being
secure
and
so
I
think
that
culture
of
operating
systems,
that's
taking
care
of
ourselves,
is
becoming
I,
wouldn't
say
fully
expected,
but
pretty
much
like
it'd
be
nuts
not
to
be
using
one.
A
I
I
do
think
that
you
know
in
addition
to
that,
the
I
don't
know
homogeneity
of
you
know.
So,
if
you
take
Debian,
there's
a
way
to
build
an
arbitrary
Debian
package,
it's
like
a
very
pretty
well
defined
thing
and
similar
I
believe
for
practically
all
the
all
the
major
distros
that
that
the
fact
that
it's
so
standard
means
that
tools
could
be
more
tools
could
be
applied.
More
and
better
tools
could
be
applied
in
the
right
places
so
like
as
an
interesting
experiment.
A
It
would
be,
it
would
be
interesting
to
reach
out
to
Debian
or
a
bunch
of,
or
somebody
and
say
you
know
what.
How
would
you
feel
about
like
running
static
analysis
as
part
of
your
ingestion
Pipeline?
And
what
would
you
want
to
look
for
and
things
like
that,
or
at
least
give
visibility
over,
what's
already
being
done,
as
opposed
to
some
of
the
the
the
larger
ecosystem
where
things
are
kind
of
all
over
the
map?
And
there
isn't
a
natural
single
choke
point
for
yeah.
C
A
Right
now,
I
work
for
Gen,
2
and
I'm,
a
maintainer
of
Homebrew,
so
I
have
some
insight
here,
but
we
we
don't
run
security
tools
and
I
think
that
most
of
the
people
I
work
with
would
be
heavily
against
that
in
in
a
way
that
that
they
would
not
want
a
let's
just
say,
a
garbage
tool
blocking
or
making
their
life
more
complicated,
because
it's
it
it
spits
out
kind
of
nonsense.
A
Or
so
it
depends
right
because,
like
for
example,
in
Gen
2,
a
lot
of
our
e-builds
like
Arch,
will
Source
a
lot
of
their
stuff
on
our
stuff
and
then
like
Debian,
sort,
they're
kind
of
strange
and
the
re
debian's,
not
a
good
example.
Just
so
you
know
because
they
have
a
very
tainted
relationship
with
Upstream,
so
yeah,
but
it
just
it
kind
of
depends,
but
regardless,
like
most
distros,
but
Debian
will
not
take
security
into
consideration.
In
other
words,
we
kind
of
take
whatever
Upstream
wants,
will
enforce
type
of
stance.
A
Debian
will
switch
packages
and
we'll
have
like
they'll
actually
modify
things
so
that
they
work
more
in,
like
a
Debian
form
and
the
reason
that
I,
that
I
said
they
have
a
tainted
relationship
with
Upstream,
is
because
one
of
the
most
irritating
things
that
like
gnome
has
going
on
is
when
they
get
issue
tickets,
that
they
didn't
cause
that
were
caused
by
divion's
modifications.
And
then
it
turns
into
this
finger-pointing
contest.
That'll,
get
real
political
and
pretty
much
starts
a
holy
war
or
can
start
a
holy
war.
I
I
guess
the
the
question.
A
A
However,
like
in
Homebrew,
for
example,
we
we
have
this
saying
that
is
Homebrew
should
be
your
last
line
of
defense
and
should
not
be
dependent
on.
It
is
not
a
security
tool
yeah
and
like
yeah
like
they
will
be.
They
will
be
hard
on
that
stance.
If
that
makes
sense,
yep.
A
C
A
A
What
I
didn't
know
that?
That's
that's
interesting
yeah
they
like,
if
you
actually
start
going
into
like
the
dev
container
environments.
They'll
offer
hey.
Do
you
want
to
install
Homebrew
so
yeah,
which
it
makes
sense
right
because
I
mean
like
what
they're
trying
to
do,
but
yeah
like
like
Debian
would
be
interesting.
It
would
be
interesting
to
get
their
their
point
of
view.
You
see
I'm
very,
like
I'm,
highly
against
politics
and
like
turning
everything
into
religion,
so
yeah
I
do
think
their
point
of
view.
A
I
I
wonder
if
if
this
is
a
good,
so
so
some
folks
are
putting
together
a
virtual
Summit
for
maintainers
or
critical
software
projects
and
I
wonder
if
we
should
be
intentional
about
getting
inviting
folks
from
you
know,
Debian
and
you
know
obviously
Gentoo
and-
and
you
know
other
distros
to
kind
of
represent
that
perspective
at
the
summit.
A
D
Do
you
have
information
about
that
Summit
for
the
record
I
do
think
it's
very
smart
to
start
at
least
inviting
the
people
from
the
distros
whether
they
choose
to
be
there
or
not.
Is
you
know
up
to
them,
but
making
sure
that
I.
D
To
be
heard
and
to
share
their
perspectives
because
that's
they
really
are
very,
very
important.
Yeah.
A
The
the
there's
a
channel
and
slack
called
virtual
Summit,
it's
obvious,
like
the
the
name,
but
there
should
be
links
in
there
to
the
docs
that
we're
working
on
and
and
all
that
can.
D
One
of
the
Michaels
dropped
that
a
link
to
the
doctor
into
the
chat
for
those
of
us
who
don't
use
this
Slack.
This
slack.
A
B
A
D
D
A
That
would
be
awesome,
even
the
very
obscure
ones,
because
I
yeah,
so
if
you
want
I,
can
try
to
get
all
nine
parent,
distros
and
Homebrew,
because
I
do
consider
them
important,
even
though
they're
not
considered
apparent
distro,
yeah
I
think
anything
that
that
gets
more
problem
solvers
to
the
table
and
and
and
for
the
record
I,
had
an
action
item
from
this
meeting
from
last
time.
To
talk
to
Mike
and
I
did
get
a
chance
to
talk
to
them,
but
I
think
maybe
I
should
we.
B
A
Cool
so
there's.
A
A
Frozen
something
so
we
we
have
gotten
some
stuff
done
with
with
Al
over
the
past,
because
we've
been
been
around
for
eight
I
think
we
just
hit
eight
months.
A
So
first
we
have
a
a
PM
to
join
our
team.
This
is
Anna
from
from
City.
D
E
Yes,
I'm
here,
yes
I'm
here,
this
is
David
wheeler,
Michael's,
Frozen,
very
inopportune
time.
Sorry,
Michael
Michael!
If
you
can
hear
us,
you
might
want
to
try
turning
off
your
video
cameras.
Sometimes
that
helps.
E
D
A
A
So
in
recent
news,
I
wonder
what
welcome
Anna
from
City
to
the
alpha
omega
team
she's,
helping
us
from
the
PM
side,
just
kind
of
get
things
done
and
stay
organized
and
keep
things
moving
as
we
do
more
outfit
engagements,
the
you
know
the
the
work
to
just
maintain
and
keep
up
on
what
we're
already
doing
in
status,
and
things
like
that
goes
up.
So
it
is
awesome
that
that
we
have
Anna
on
our
team
and
John
can't
hear
this
but
John
Meadows
from
from
city.
A
Thank
you
so
much
for
supporting
us
and
and
essentially
lending
us
Anna
for
for,
however
long
we
meet
her
so
I,
you
know,
so
we.
C
A
About
this
at
the
at
The
Summit
in
Dublin,
but
you
know
we're
really
want
to
focus
on.
Like
you
know,
we've
been
doing
this
for
eight
months.
Have
we
actually
helped
the
world
be
as
straight
for
a
better
place?
A
And
you
know,
while
eight
months
is
not
super
long,
you
know
we
can
talk
about
the
some
of
the
impact
that
we've
had.
You
know
so
far,
so
you
know
April
we
gave
300K
to
no
to
you,
know
essentially
higher
well
they're
contractors,
but
they're
they're
doing
doing
security
things
for
another.
They
wouldn't
have
been
able
to
do
otherwise,
so
they've
been
able
to.
You
know
they
rely
primarily
on
a
volunteer
model
for
like
vulnerability
tree
yeah.
She
was
kind
of
burning
them
out,
so
they
have
a
contractor.
A
Now,
that's
that's
helping
to
do
this
stuff
they've
been
issuing
fixes
they've
reactivated
the
node
security
working
group,
which
I
think
ended
in
maybe
2018,
but
don't
quote
me
on
that
that
includes
doing
a
you
know,
security
process
improvements,
threat
model
for
node.
A
They
just
released
a
permissions
that
experimental
permissions
model
for
node.
My
understanding
of
this
is
that
it
lets.
You
say
you
know:
I
am
left
pad,
I
need
nothing
other
than
compute.
A
If
I
I,
none
of
my
dependencies
should
require
anything
more
than
compute
either,
which
means
that
if
someone
takes
over
a
sub
dependency
of
left
pad,
you
can't
like
get
more
permissions
for
it.
So
it's
an
interesting
approach,
obviously
like
mobile
apps,
tend
to
rely
a
lot
on
capabilities
and.
A
Applying
that
in
a
to
note,
I
think
is
a
is
a
really
interesting
experiment
and
then
just
you
know
doing
things
like
you
know:
adding
phone
checking
to
the
node.jsci
and
things
like
that
they've
been
great
they've,
been
providing
monthly
updates
back
on
what
their,
what
they've
accomplished
and
I
think
that
that
that
kind
of
set
the
model
for
the
other
for
the
other
engagements,
so
we
announced
400k
to
Eclipse.
A
Was
actually
early
to
mid-july
that
they
started
actually
like
working
on
this
stuff,
but
they
were,
they
ran
scorecard
across
every
Eclipse
project
and
it
gets
like
200
and
170
of
eclipse
projects
I
believe
they
found
some
dangerous
workflows
and
they
came
up
with.
Essentially,
just
from
that
part,
you
know
a
list
of
a
basically
a
backlog
of
security
work
to.
E
A
You
know
enabling
dependabot
Branch
protection
things
like
that
I
think
the
big
one
of
the
big
benefits,
I
think
is
is
going
to
be.
You
know
getting
projects
to
enable
static
analysis.
Eclipse
has
a
model
of
you
know
how
projects
interact
with
the
eclipse
Foundation,
which
is
a
bit
different
than
how
it
works
in
Apache
and
some
other
organizations,
so
we're
we're
trying
to
learn
and
use,
see
Eclipse
as
like
a
test
bed
of
like
well.
A
What
works
for
foundations
like
this,
so
they've
been
they've,
been
great
to
work
with
and
expecting
some
more
updates
in
in
October
from
them.
A
Similarly,
python
another
400k
hiring
a
full-time
security
Captain.
We
want
to
see
a
security
audit
of
Pi
Pi
the
infrastructure
and
then
more
generally,
you
know
understanding
security
issues
across
see,
Python
and
and
Pi
Pi
and
getting
them.
You
know
addressed
in
some
ways,
so
essentially
just
being
able
to
accelerate
and
put
more
oomph
behind
Security
in
these.
In
these
important
foundations,.
A
We
did
also
announce
rust.
Last
month
there
was
a
article
that
people
were
arrest,
I
think
it
was
so.
This
was
a
joint
between
Alpha,
Omega
and
jfrog.
A
A
So
these
are
the
examples
are
good
because
they
are
that
leveraged
celebrities,
where
we
work
with
the
foundation,
the
foundation
figures
out
exactly
what
to
do
and
I
think
that
that's
that
they
should
have
mentioned
earlier.
When
we
engage
these
these
foundations
and
we
talk
to
Russ
the
conversation,
wasn't
hey
Russ,
we
would
like
you
know.
We
we've
thought
about
your
problems
and
we've
written
down
this
list
and
we'll
give
you
money
to
make
this
list
better.
It
wasn't
that
way
at
all.
A
What
kind
of
security
work
like
keeps
you
up
at
night
that
you
would
like
to
work
on,
and
if
you
had
funding
you
could
you
could
do
more
of
so
the
in
each
of
these,
the
activities
were
almost
exclusively
I
mean
there
was
some
conversation
back
and
forth,
but
they,
it
primarily
came
from
the
foundations
themselves
and
I.
Think
that's
one
of
the
the
benefits
of
doing
it.
A
C
Quick
way
to
fail
what
what
sort
of
strikes
me
here
is?
Is
you
know
each
one
of
these
is
slightly
different,
not
surprising,
but
how
could
we
take
what
was
successful
and
and
sort
of
offer
a
set
of
recommendations
to
a
broader
set
of
Foundations
to
say?
Well,
this
this
worked
really
well
over
here.
This
worked
really
well
over
here
and,
yes,
we
can't
give
everybody
460
000,
but.
A
I
think
the
the
yeah,
so
so
there
is
like
kind
of
a
meta
lessons
to
be
learned
and
if
I
were
to
guess
the,
what
we
will
learn
is
that,
having
a
full
like
having
a
full-time
security,
captain
or
champ
or
whatever
you
want
to
call
them
within
the
organization
that
is
responsible
for
thinking
about
these
things
and
then
trying
to
drive
them
is
like
one
important
part.
A
So
if
there's
nobody
that
has
a
security
hat,
First
Step
One
is
get
somebody
with
a
security
hack
and
then
beyond
that,
though,
it
is
different
for
each
one
and
and
I
think
that's
why
it's
important
to
have
to
move
the
security
hat.
Where
you
can
say
our
biggest
problem
is
our
building.
Ci
infrastructure
is,
you
know,
has
is,
is
kind
of
the
the
bottom
is
rotting
out
from
underneath
it
we
need
like.
That's,
that's
the
high
order
bit
and
how
does
that
impact
security,
and
things
like
that.
C
What
seems
like
in
the
case
of
rust
I
mean
certainly
this
you
know,
prepare
a
threat
model
of
the
rust
ecosystem
would
be
a
very
encompassing
and
important
step
for
everything,
not
just
rust,
but
you
know
I'm
a
big
proponent
of
understanding.
What
your
threats
are.
That
way
you
can
do
that
risk
analysis
about.
Where
is
the
biggest
weed?
I
need
to
go
chop
down.
C
A
D
Especially
pleased
to
see
that
you
all
have
done
this
with
Russ
I
I,
when
I
heard
this
I
immediately
thought
man
what
if
someone
had
done
this
for
C,
like
you
know
30
years
ago,
so
now
that
Russ
is
shipping
in
the
kernel
and
it's
becoming
much
much
more,
a
part
of
the
overall
ecosystem
and
just
growing
at
an
incredible
rate.
Getting
it
at
this
point
and
helping
at
this
point
is
just
going
to
have
Ripple
effects
that
you
know
in
10
years.
We're
going
to
look
back
at
this
and
go.
C
D
You're
killing
it
Michaels.
Thank
you.
Thank
you.
So
much
so
you
know
huge
props
to
the
team
for
being
able
to
get
in
there
and
work
with
the
rust
Community.
For
this.
A
Thank
you,
yeah
I,
appreciate
that
and
and
to
be
honest,
like
I,
don't
take
too
much
credit
because,
like
the
the
this
was
practically
all
on
the
rest
side,
you
know
this
was
a
conversation
that
they
they
kind
of
started.
We,
it
was
very
easy
to
work
with,
and
you
know
we're
I
mean
kind
of
the
easiest.
Part
of
this
is
like
finding
the
money
to
give
them.
A
It's
like
all
the
all
the
all
the
listings
on
their
side
so,
but,
and
and
that's
actually,
one
of
the
things
that
I
want
to
be
able
to
do
better
in
the
future
is
have
resources
within
openssf
that
can
augment
this
stuff.
A
So
you
know,
does
it
make
sense,
for
you
know
rust
to
hire
a
security
Assurance
person
who
is
just
like
all
about
threat,
modeling
full-time
like
no,
probably
not
it's,
probably
a
three-month
exercise,
and-
and
maybe
money
can
do
that,
but
maybe
there
are
folks
with
an
open,
ssf
and
and
the
organizations
that
we're
a
part
of
that.
A
So
we
we
are,
we
we
talked
about
this
in
in
Dublin.
We
were
talking
to
jQuery.
We
think
that
the
jQuery
is
placed
in
the
ecosystem
warrants
a
an
engagement
here.
A
Jquery
is
also
different
and,
and
I
think
you
know
picked
up
on
this,
like
most
of
our
engagements
are
different
than
the
other
ones,
and
some
of
that's
intentional,
like
some
of
it's
not,
but
this
one
at
least
is
intentional
that
we
wanted
to
work
with
a
project
as
opposed
to
a
foundation
of
projects,
and
so
we're
we're
currently
talking
about
like
so
actually
the
those
plans
probably
are
going
to
be
what
what
winds
up
shaking
out
of
this,
but
we
probably
have
at
least
another
couple
weeks
before
before
this
is
kind
of
final
and
we're
we're
good
to
go.
A
But
essentially
it's
you
know.
Jquery
has
interesting.
You
know
it.
Jquery
is
interesting
because
it's
ubiquitous
so
I
think
77
of
the
top
million
of
the
top
10
million
sites
use
jQuery
and
the
number
of
books
using
a
very
old
version
of
jQuery
is
very
significant.
A
So
you
know
you
have
that
kind
of
social
problem.
How
do
you?
How
do
you
encourage
folks
to
upgrade,
and
is
it
even
worth
it
and
like
like?
What's
the
ROI
on
that
and
all
the
what
stuff
and
how
do
you
target?
You
know
the
blog
that
I
wrote
in
2014
that
I
still
have
hosted
and
I've
long
forgotten
about,
in
addition
to
the
fact
that
jQuery
doesn't
rev
versions
very
often,
but
the
the
way
that
they
distribute?
A
So
it
is
a
just
an
interesting
point
on
the
I.
Don't
know:
threat
landscape.
C
A
I
would
so
it
depends
some,
so
ostiff
ostif
tends
to
do
a
lot
of
these
order.
I'm
not
saying
the
word.
A
Definitely
positive,
but,
like
you
know,
their
their
methodology
is
usually
kind
of
start
with,
like
understanding
the
the
the
the
the
design
and
the
parameters
and
the
the
edges
of
the
thing
and
then
go
and
look
at
the
code
so
and
we
we
do
think
that
you
know
looking
at
jQuery
source
code
perspective
is
interesting,
but
I
think
the
larger
threat
model
of
how
is
it
used
the
plug-in
ecosystem
around
jQuery
is
really
interesting
and
I.
A
Think
that
should
be
part
of
part
of
that,
but
it's
it
would
be
tailored
for
for
the
engagement
and
yeah.
E
To
gross
yeah
to
grossly
oversimplify
the
look
of
the
design
that
helps
them
figure
out,
which
code
to
look
at
because
it
takes
too
long
to
look
at
everything.
But
if
you
don't
look
at
some
code,
there's
a
problem
because
obviously
a
bad
implementation
can
lead
to
disaster.
A
That
was
all
Alpha
side.
On
the
Omega
side.
We've
done
a
bit
of
stuff.
We
have
hopefully
two
hires
starting
soon
to
kind
of
make
this
real.
So
this
has
all
been
kind
of
in
the
in
the
spaces
in
between
kind
of
kind
of
work,
but
we
did
release
an
analysis
tool
chain
so
Microsoft.
We
contribute
this
to
openssf.
So
it's
out
there
on
our
on
the
GitHub
site,
but
this
is
code
ql
and
a
bunch
of
other
tools,
kind
of
orchestrated
together.
D
A
It's
been
pretty
successful,
we
found
a
I,
think
11,
I,
think
11
or
12
now
vulnerabilities.
Most
of
these
are
I.
Think
most
of
these
are
either
like.
So
it's
like
the
node
one
is
a.
It
looks
for
an
openness
to
self-configuration
in
some
non-existent
directory,
but
if
it
does
exist
in
your
system,
then
it
would
load
load.
The
default
open,
SSL
config
from
there
moment
is
to
rce
things
or
at
least
code
execution
things.
A
Js
hint
is
code
execution,
but
in
a
script
that
isn't
used.
So
some
of
these
you
know
have
CDE
some
of
them.
Don't
we're
not
really
worrying
too
much
about
like
you
know
they
have
to
have
a
cve
or
anything.
D
A
That
we
just
really
want
to
get
the
get
the
problem
fixed
and
kind
of
move
on,
but
we've
also
been
doing
these
kind
of
fully
automated
particular
reviews
where
we
run
the
tools
against
the
Target
and
if
the
results
come
back
completely
clean,
then
we
assert
that
that
cleanliness
in
in
a
in
the
form
of
a
Security
review.
A: So essentially, if these six checks come back with nothing significant, then we publish something into the security reviews OpenSSF project. It's an experiment; I don't know if this is the right way to do it going forward. I would think some sort of more formal assertion, or SCITT ledger, my Bob thing, would be the right long-term thing to do, but we wanted to be able to express that at least a tool looked at this and didn't find anything.
A: So, goals for the next six months: we want to do more Alpha engagements. We have not spent all the money that we have; we need to do better at spending more of the money so that we can get more.
A: We want to have more impact through vulnerabilities that we find through Omega. Realistically, I want to have a list of the top 10,000 and a check box, or an X, next to the ones that we've looked at, or that are on the backlog, or whatever, to show that these have had at least some level of looked-at-ness.
A: So, honestly, we haven't, because we don't have the staff yet. So the two folks that we're hiring are to work specifically on Omega, so one of the things that they'll figure out is what that should look like.
A: The easiest answer would be to just take the Criticality Score OpenSSF project, which has the top hundred thousand ranked by criticality, and just the top ten thousand of that, probably, and that's convenient because I believe that list is... I think those are all GitHub projects, so they're easy to just kind of go with and analyze from there.
A: But because this is a scaled thing, I don't see any reason not to nominate projects, or have a button that's just like "please include me," or something like that, because the incremental cost of getting one more project should be kind of trivial there. We want that to be more diverse. As I mentioned, we want better connective tissue between OpenSSF, security vendors; like, we want this all to be as effective as possible, and whatever avenue means that, you know, it would really just be more effective.
A: We want to do that. And then we have an annual report that we are drafting now, which I am targeting to get public by the end of the month, which will talk about, you know, what we've accomplished, what our plans are, what we want year two to look like, and just kind of a discussion on that stuff, what we've learned.
C: Is the amount of funding Microsoft and Google are putting into this public, of public record? Yeah, two.
A: And there's, I mean, I think there's like an official call for other organizations to join at that level and be part of that. We're certainly willing to accept less, especially in an undirected, kind of "put money in the pot to have us, you know, just do more of what we're doing" way. Yeah.
A: So yeah, so the final slide that we usually end with is, like, how do you get involved? And, you know, up until months ago, our answer was like, just get involved in the working groups. Like, the way that Alpha Omega works kind of transparently is through meetings like this, the Slack channel, places like that. So everybody's, you know, welcome to come and talk about whatever at these, but the decision-making in, you know, Alpha Omega is this kind of more core, you know, mostly private group that kind of makes these decisions. But for anyone out there, like, you know, the analysis toolchain is out there, so folks can run it and improve it, and we'll check PRs and all that stuff.
A: You know, if folks have an idea that they would like to work with us on, something like that, by all means, please get in touch. At the end of the day, if projects are more secure and if vulnerabilities are found and fixed faster, we're happy. So whatever gets us to that road is, you know, something we'd be interested in talking about. Slide that.
A: It's been interesting, so looking forward to continuing it and, you know, being able to... hey, because I should, well, we'll shout that out. One of the risks I think that we have going out maybe two or three years is that, by us providing the funding for the security work, particularly on the Alpha side, these foundations become dependent on us, and that itself is a risk that we don't want to, like, create unnecessarily.
A: So as we move forward, I think one of the things that we're going to try to be more intentional about is working with these foundations to build up, essentially, the funding from other disparate sources to take on more security work. So the same way that the foundations, you know, have budget for infrastructure or legal support or whatever, security should be one of those, and then, however they get funded for the other ones, how to expand that to influence security. And the reality is that today a lot of these foundations are funded far less than folks on the outside would, you know, might imagine. And so maybe the way that Alpha... that we work with them is to essentially lend our voice to the chorus of, you know, particularly enterprises that are highly dependent on projects from these foundations should put their money where their mouth is and fund the organizations in order to make that happen. So we're not looking to, like, provide security help and then, like, pull the rug away from under them.
So
we're
not
looking
to
like
provide
security,
help
and
then
like
pull,
pull
the
rug
away
from
under
them.
A: But as we move forward, I think we're going to be more intentional about encouraging them to build up the muscle on their own so that they can be sustainable over time.
A: Awesome, well, that is it. Let's get three minutes back. I really appreciate everybody's time and the terrific conversation today, and let's keep it going. I'm particularly interested in moving forward with the, you know, what do we do about Linux distros, and the virtual summit I think would be great, so I will, Randall, look, just try to make something happen there.