►
A
Howdy
y'all,
while
we
wait
for
our
fearless
leader
to
join
us,
I've
dropped
a
link
to
the
agenda
notes
in
the
chat
please
sign
in
and
let
us
know
you're
here.
D
Hello,
everybody,
sorry,
I'm
a
touch
late.
It
is
challenging
to
get
back
to
work
after
vacation
almost
as
hard
as
working
while
you
feel
lousy.
E
Hey
I'll
go
vicki
knows
me,
so
brian
ingenito,
I'm
from
morgan
stanley,
I
kind
of
represent
our
ospo.
Amongst
other
things,
and
I'm
on
the
governing
board
of
finos.
E
I
thought
this
working
group
was
a
good
fit
for
me,
so
decided
to
join
well.
E
I'll
say:
hi,
I'm
brian
russell.
I
I'm
on
google's
open
source
security
team.
I
work
with
a
few
other
folks
and
a
couple
of
other
different
working
groups,
but
it's
my
first
time
attending
this
one
and
really
just
wanted
to
see
exactly
what
the
the
group
is
targeting
and
that
the
kinds
of
things
that
you
know
are
on
your
radar
right
now.
D
All
right
moving
along
can
I
have
someone,
offer
assistance,
inscribing
and
taking
notes
for
our
meeting
today.
E
D
D
D
That
is
a
low
priority
task
for
me,
so
I
will
try
to
be
more
up-to-date
in
keeping
track
of
our
current
frequent
offenders
so
to
speak
that
come
in
and
help
us
out
and
but
ultimately,
at
the
end
of
the
year
I
will
put
out
a
list
of
and
say:
hey
vicky
showed
up
to
24
of
our
26
meetings.
So
I
will
add
her
as
part
of
our
regular
cast
of
characters.
So
then,
then,
weekly
as
folks
come
in
and
out
we'll
adjust
the
list.
D
D
That's
right,
yeah
and
I'll
go
back
and
I
will
curate
the
list,
but
in
the
great
scale
of
things
I
donate
to
the
open
ssf.
This
doesn't
always
make
that
list.
D
D
D
Alrighty,
do
we
have
any
anyone
with
opens
today?
They
wanted
to
talk
about.
D
Just
give
me
a
second
and
we'll
talk
about
that
open.
We
will
talk
about
the
opens.
We
will
do
a
quick
call
for
any
of
our
member
projects
that
have
updates
they
want
to
share
with
the
team,
and
then
we
will
go
look
at
david's
one-page
document
and
the
one
page
for
developing
software,
and
then
we
will
hopefully
get
that
wrapped
up
and
then
work
on
to
the
evaluating
open
source
software,
which
the
last
call
the
team
had
a
lot
of
feels
on.
C
I
would
like
to
to
do
us
to
have
a
small
point
yeah,
as
some
of
you
remember,
I'm
leading
the
open
step
up
and
office
hours
and
I've
sent
I've
sent
the
doodle
to
come
with
first
date
and
for
now
I
just
have
two
answers
for
our
abilities:
yeah
not
too
many
to
start,
so
I'm
wondering
it
may
be
because
of
vacation
because
many
places
people
on
vacation
or
on
conferences
of
or
any
somewhere
else.
So
what
I'm
thinking
about
is
postponing
the
first
sessions
to
september.
D
So
to
provide
context
for
everyone,
the
foundation
is
providing
some
office
hours
for
maintainers
and
projects
to
come
in
kind
of
an
ask
us
anything
expert
hour
and
marta
is,
I
guess,
heading
that
up
awesome.
I
saw
your
note.
I
have
had
a
chance
to
respond,
so
I
will
channel
my
friend
arno.
D
I
think
august
isn't
a
great
time
to
have
anything
where
we're
gonna
get
a
lot
of
participation
and
I
would
vote
for
postponing
the
expert
hour
until
september.
That
would.
E
D
So
I
think
your
feedback
from
this
group
marta
would
be
postponed
and
do
you
have,
you
were
doing
like
a
a
doodle
or
something
to
or
something.
C
I'm
going
to
change
the
doodle
to
include
september
dates.
Basically
I
moved
to
september
and
we
resent-
or
we
send
it
of
the
days
thanks
for
the
thanks
for
the
feedback.
That's
what
I
was
thinking.
It's
the
right
thing
to
do.
If.
D
D
B
Sure
why
not?
I
I
knew
I
told
people
earlier:
hey,
be
cool
ads.
Some,
you
know
images
something
to
help.
People
understand
the
idea
and
we've
actually
added
one
added
one.
It's
a
little
race
cars
picture
to
show
give
an
idea
about
the
race
conditions,
so
haven't
had
a
chance
to
do
more,
but
at
least
we
can
now
say:
hey,
that's
pro,
that's
pretty
cool
so
and
we
can
go
from
there.
D
Great,
so
I
see
the
skf
folks
have
added
some
updates,
so
ricardo
or
glenn
do
you
want
to
chat
about?
What's
going
on
in
skf
world.
F
Yeah
sure
so
we
are
starting
to
implement
our
new
ux.
I
I
think
glenn
probably
showed
the
slides
for
the
whole
training
platform.
Yeah
awesome.
So
first
we
found
subby
somebody
who
wanted
to
integrate
the
ux
in
the
front
end,
but
sadly
he
dropped
the
project.
So
we
had
to
find
somebody
else.
We
found
somebody
else.
Luckily,
so
I
got
him
going
and
well
he's
working
on
that
house.
I'm
also
really
excited
for
that,
because
that
well
really
gets
the.
F
So
we
got
that
going
on
we're,
also
an
investigation
investigating
to
add
the
automation
framework
from
step
to
the
hack
os
labs.
You
know
the
the
apache
guacamole
thing
where
we
have
the
code
review
labs,
because
what
we
did
now
is.
F
So
that's
really
interesting.
So
we're
also
really
looking
into
that
well
to
keep
the
the
maintenance
of
the
automation
more
easy
and
we're
looking
into
adding
code
review
labs
to
the
hack
os,
because
the
the
fun
thing
with
the
hack
os
is.
We
already
have
like
the
environment.
F
Where
you
have
sublime,
you
can
read
the
code
we
can
install
the
tooling
and
what
I
find
is
we
really
want
to
make
some
practical
stuff
about
secure
code
reviewing
so
that
you
can
also
run
stuff
like
samgrap,
but
also
run
stuff
like
throner
cube
for
psychometric
complexity,
and
you
know
really
the
tools
that
you
would
need
to
deep
dive
into
doing
code
reviews
and
finding
vulnerabilities.
F
So
we're
kind
of
also
now
in
the
mix
of
looking
into
well
repositories,
that
we
know
that
have
known
vulnerabilities
which
give
really
interesting
cases
and
then
we
can
implement
them
in
the
hackos,
and
you
can
well
start
doing
the
code,
review
and
learning
more
hands-on
way
without
you
know,
because,
mostly
when
you
have
like
code
with
your
laps,
you
have
small
snippets
and
then
it's
fairly
straightforward.
F
D
For
those
of
you
that
don't
know
so,
this
group
we
have
our
edx
courses,
our
our
secure
coding,
fundamentals,
classes
that
david
and
others
helped
put
together.
So
that's
one
avenue
we're
providing
education
and
best
practice.
Information
for
folks
skf
is
another
member
project
and
that's
more
of
a
hands-on
tool
where
you
go
through
and
do
labs
and
actually
implement
the
ideas
that
you've
learned.
D
So
those
of
you
don't
know
we
have
an
education
sig
where
we're
focusing
in
on
actually
providing
training
for
people
and
classes
and
certifications
and
skf
will
be
part
of
our
strategy.
One
of
the
different
techniques
we
will
be
providing
education
for
so
we're
going
to
try
to
get
some
additional
augmentation
of
the
skf
project
and
hopefully,
some
additional
participants
for
you
all.
Oh.
D
E
D
D
So
if
anyone
has
knowledge
of
standards
like
nist,
853
or
pci
dss
these
types
of
things,
if
you
have
experience
working
with
these
different
security
frameworks,
the
cre
team
would
love
your
help
and
contributions,
helping
them
automate.
D
D
E
Yeah
sure
so
we
have
a
new
beta
version
of
scorecard
action
that
we
have
released.
So
with
this
new
version
we
have
the
scorecard
badges
that
can
be
enabled
and
also
we'll
have
a
scorecard
api.
So
basically
it's
a
rest
api
where
you
can
look
at
your
per
commit
data,
so
it's
a
beta
release
that
we've
done
and
we're
not.
We
are
rolling
out
to
early
adopters.
So
if
you
want
to
try
it
out
would
very
much
appreciate
the
feedback
here.
D
D
All
right,
let
us
move
on
to
the
existing
guidelines
for
developers.
One
pager
I
lost
the.
E
D
Let's
see
if
we
can
get
this
one,
this
project
put
to
bed
and
get
it
published
out
in
our
get
repo
so
david.
Where
do
you
think
we
are
in
regards
to
this?
The
one
pager?
Are
we
happy
with
it.
B
Okay,
yeah,
let's
see
here,
let
me
just
it's
it's
in
the
notes.
B
Yeah,
so
the
the
one
one-page
guide
for
developing
more
secure
software,
I
think
we're
in
pretty
good
shape.
The
only
thing
that's
been
changed
relatively
recently
is
the
addition
of
one
more
thing:
the
safe
code
document
lots
of
folks
are
referred
to
that.
So
I
don't
think
that's
gonna,
be
controversial.
B
Tried
to
tweak
up
the
continuously
improved
point
more
to
try
to
make
it
short
trying
to
keep
that
one
page
and
otherwise
I
think
this
one's
in
decent
shape.
I
mean
you
know,
I
I
think
if
people
are
expecting
us
to
coordinate
and
make
everything
around
the
world
all
consistent,
we're
not
trying
to
do
that.
We're
just
trying
to
point
to
the
materials
that
are
already
there
that
hey
help
me
get
started
here.
Let's,
let's
here's
some
material,
let
me
get
started
the
other
one.
B
The
quick
guide
for
evaluating,
which
is
kind
of
my
mind,
is
kind
of
a
companion
piece.
D
D
Eric
has
a
question
and
marta
has
a
some
feedback
for
you
as
well,
so
eric.
Why
don't
you
go
first,
please
yeah.
E
Mine
is
more
feedback.
I
think
there
are
a
few
things
I
kind
of
commented
on
the
document,
but
one
of
the
things
I
note
is
that
the
order-
maybe
we
could
consider
reordering
some
of
it
to
be
more
top-down
for
an
example.
You
know
you
have
the
best
practices,
badges
number
four.
E
A
number
of
these
items
are
required
to
actually
be
eligible
for
the
best
practice
badge.
So
while
I
understand
this,
isn't
you
know
a
document,
that's
trying
to
help
them
get
there.
You
know
if
they're
reading
this
from
the
top
down.
If
they've
addressed
everything
in
the
document
by
the
time
they
get
to
that.
Well,
then
they'll
understand
it
a
little
bit
better.
B
Yeah
that
was
actually
very
much,
not
the
intent
of
the
ordering.
The
ordering
was
very
much
the
hey.
What
should
I
work
on
next
and
the
theory
at
least
when
I
was
trying
to
do
the
order?
Was
you
know
if
something
was
a
quick
win?
Get
you
started,
go
put
that
early
and
the
badge
you're
right?
B
It
does
sweep
up
a
number
of
the
other
things,
but
they
can
start
or
much
earlier
and
get
a
lot
of
quick
wins
without
that,
but
we
we
could
move
it
around
absolutely
so
you
know
I
I
think
one
challenge
is.
It
may
be
very
hard
for
us
to
agree
on
an
order.
E
Yeah,
that's
fine.
I
mean
I
just
you
know
and
again
that's
it's
all
going
to
be
up
for
individual
judgment,
but
you
know
things
like
you
know.
Combination
of
tools
for
ci
monitoring,
don't
push
secrets
to
repository.
I
think
all
those
things
are
key
developer
activities
that
that
should
come
first,
but
again
to
your
point.
You
know
we
could
argue
that
all
day,
so
just
a
just
a
consideration,
some
kind
of
thing.
B
Right
right
no-
and
I
I
I
think
that
I
I
do
worry-
that
there's
probably
not
going
to
be
a
single
order.
Everyone
accepts,
but
on
the
other
hand,
we
if
folks,
want
to
reorder
it
around.
That's
awesome,
I'm
certainly
not.
You
know
if,
if
there's
a
better
order,
I'm
not
sure
how
to
how
to
work
out
a
better
order
as
a
group.
To
be
honest,
if
anybody
has
suggestions
on
that
on
that
approach,
that'd
be
that'd,
be
good
and
useful.
C
I've,
in
fact,
I
will
put
that
feedback
in
comments
in
the
document,
because
I
I
gave
the
document
to
a
group
of
developers
and
they
went
through.
They
had
a
lot
of
comments
and
I
need
to
summarize
okay.
B
Okay,
first
of
all,
thank
you
to
both
of
your
teams
really
appreciate
that
and
and
to
to
the
earlier
comment
about
ordering.
I
I
think
that's
that
is
very
much
worth
bringing
up.
I
guess
I'd
ask
the
question
back.
How
do
we
deal
with
that
because
just
other
comments
on
specific
points?
B
That's
pretty
easy
to.
Well,
if
it's
on
a
particular
point,
we
can
add
as
a
comment
or
suggestion:
that's
not
so
bad
reordering
for
multiple
people,
I'm
not
sure
how
to
handle
that
feedback.
We
earlier
had
just
put
at
the
bottom,
but
you
know
if
people
said
move
three
to
to
two
as
soon
as
you
did
one
of
them,
then
everybody
else's
comments
got
confusing.
B
D
If
somebody
has
a
cohesive
thought
about
how
to
reorder
things,
we
will
consider
that,
but
I
would
like
to
not
peace,
because
we'll
spend
now
until
2025
debating
moving
22
to
14
right
11
to
2..
So
I
would
like
to
try
to
see
if
we
can
get
this
out
the
door
at
least
initially
for
to
get
some
wider
review.
D
Let's
take
eric
and
marta's
team's
feedback
and
see
if
we
need
to
make
any
changes
before
we
publish,
but
if
anyone
has
a
thought
about
how
we
might
a
proposal
on
how
we
could
order
this,
if
there
was
a
methodology
or
phases
or,
however,
they
thought
might
be
better.
Please
put
that
proposal
under
the
comments
below
number
23
and
we
will
maybe,
by
next
meeting,
we'll
be
able
to
digest
marta
and
eric's
team's
feedback
to
see
if
we
need
to
make
any
substantive
changes.
D
H
So
yeah
he
kind
of
stole
a
little
bit
of
my
thunder
there,
which
is
fine.
I
I
know
I
think
first
thing
we
need
to
draw
a
line
in
the
sand
here,
and
I
think
end
of
august
is
a
is
a
good
goal
to
have
this
in
the
git.
We
can
always
update
it
and
make
changes
as
necessary.
H
We've
been
we've
been
kind
of
churning
on
this.
I
think
for
for
a
little
while,
so
my
suggestion
would
be
that
exactly
you
said:
let's
get
the
final
round
of
comments
in
here
from
eric
and
marta
anybody
else
says
anything,
and
let's
call
that
the
final
round
of
comments
we'll
go
through
one
last
review
and
the
content
will
then
be
done.
H
We
can
then
weigh
the
option
of
maybe
moving
some
stuff
around
based
on
probe
suggestion,
I
think,
is
a
good
one,
but
then,
let's,
let's
plan
to
have
this
in
the
get
by
the
end
of
this
month.
I
think
we
have
a
couple
meetings
between
now
and
then
to
get
through
those
couple
tasks.
But
you
know
perfection
is
the
enemy
of
good
enough.
D
B
Preamble,
this
is
not
a
constitution,
okay,
so
I
I
wasn't
able
to
participate
in
the
last
spirit
to
discuss.
I
understand
there
is
a
spirit
of
discussion,
I'm
grateful
for
it.
Actually,
let
me
re-post
the
link
to
the
guide
to
evaluating
in
many
ways.
This
is
the
comparison
document
it's
not
as
far
along,
but
I
think
most
folks
would
agree
that
both
of
these
tasks
are
important,
so
the
quick
guide
to
evaluating
open
source
software
has
a
list.
I
know
that
there's
been
some
discussions
about
ways
to
improve
this.
B
I
guess
maybe
I
should
just
open
it
up
for
for
questions.
So
how
do
we?
How
can
we
best
get
this
wrapped
up,
so
it
could
also
get
released.
Ideally,
these
two
be
at
release
at
the
same
time,
but
they
may
not
be.
That
may
not
be
a
reasonable
staging.
D
And
to
summarize
the
feedback
from
the
last
time
we
met,
while
you
were
convalescing,
the
group
thought
that
this
was
less
structured
and
organized.
It
was
a
nice
list
of
thoughts,
but
we
they
thought
we
might
want
to.
We
need
to
add
some
more
meat
to
it.
So,
for
example,
should
it
be
added
at
all
may
not
resonate
with
a
developer
if
somebody's
trying
just
gets
this
list,
so
we
may
want
to
think
about
how
we
want
to
do.
D
D
But
I
would
definitely
if
anyone
else
in
the
group
had
thoughts
on
it.
B
D
B
So
can
we
avoid
adding
it
at
all?
If
I,
if
we
rephrase,
let's
use
that
first,
one
as
an
exampler,
can
we
avoid
adding
it
at
all?
Would
that
help
address
some
of
that.
D
B
That
one's
hard
for
tooling,
but
I
mean
frankly,
searches
are-
are
the
searching.
If,
if
the
issues
can
use
your
existing
dependencies
basically
asks
you
to
search
your
existing
dependencies,
I'm
sure
anyone
aware.
B
That
would
be
later
but
yeah.
I
I'm
not
sure
that
we
need,
I
mean,
for
you
know
if.
B
D
What's
that
there's
a
a
principle
around,
not
including
software,
you
don't
need.
I
can't
recall
what
it
is
off
the
top
of
my
head,
randomly
yeah.
You
have
a
question
or
statement.
I.
E
B
B
Increases
the
number
of
dependency
of
the
the
attack
surface
through
dependencies.
D
So
is
number
one
clear
to
folks:
do
we
understand
what
we're
trying
for?
Do
we
like
how
that
is
coming
together.
A
B
D
G
I
think
it
also
really
depends
what
community
you
come
from
to
be
honest
with
you
as
far
as
because
I
think,
like
a
lot
of
communities
like
js,
does
not
really
tell
you
to
think
about
what
you
install.
So
you
end
up
with
like
700
dependencies
pretty
easily
and
that's
not
a
problem
for
js,
because
they
encourage
that
so
fuzzy's
a
js
developer.
So
you
could
tell.
I
I
So
you
know
we
kind
of
like
have
the
long-standing
joke
that
you
know
known
modules
is
probably
the
more
the
most
heaviest
object
in
the
known
universe.
You
know,
you
know
what
node
modules
off
the
folder
but
and
depends
and
dependency
chain
hell
can
grow,
but
it's
just
one
of
those
lack
of
awarenesses
and
it's
a
way
that
js
is
kind
of
structured.
Everything
is
modular,
so
the
more
modular
you
make
your
projects
and
your
packages.
B
Right
but
I
think
as
worded
it
can,
this
can
very
much
apply
to
node
as
well.
You
know
hey,
I,
you
know
you
brought
in
x.
It
brings
in
many
other
things.
Maybe
you
don't?
Maybe
you
can
reuse
what
you've
already
brought
in
instead
of
bringing
in
yet
another
different
module.
I
I
totally
agree
that
kind
of
awareness,
that
kind
of
like
education
and
sharing
of
institutional
knowledge
should
be
should
be
up
there,
especially
when
these
things
are
being
framed,
especially
for
those
kind
of
like
ecosystems
that
are
not
particularly
attuned
to
this
kind
of
conversation
or
narrative.
B
Actually,
that's
a
that's
a
good
point
and
I
went
this.
We
actually
perfectly
reasonable
have
a
little
blog
post
overall
summarizing,
hey
here's,
here's
something
new!
We
did
here's
some
of
the
points
and
it
could
at
least
briefly
explain
in
a
little
more
detail
a
few
and
then
you
could
go
back
and
have
later
blog
posts
dive
in
in
more
detail.
If
that
seems
appropriate.
D
D
Effort
yeah,
if
you
have
fuzzy,
there's
a
group
of
us
that
are
working
on
on
this
problem,
we'll
meet
tomorrow
at
9
00
a.m:
eastern
for
the
sig,
where
we're
working
on
the
mobilization
plan
and
as
I
alluded
to
with
skf,
that's
one
of
our
techniques.
E
D
Oh
back
at
red
hat,
every
container
contained
this
file,
a
supplementary
file
from
the
kernel,
and
that
was
included
in
every
container.
So
every
time
there
was
a
kernel
update,
every
container
was
flagged
as
vulnerable,
even
though
it
was
like
it
was
like
a
readme
file
type
yeah.
It
was
something
stupid
exactly
which
one
it
was,
but
you're
100
right
people
have
sloppy
container
practices.
G
Yeah
yeah
good
example
on
swift
about
this,
like
on
swift's
repo.
That's
where
I
read
that
they
they
have
a
like
a
thing
about
how
like
people,
don't
understand,
python
2's
installed,
and
that
has
a
bunch
of
issues
and
swift
will
flag
him
for
you.
So
but
yeah
like
it's
interesting,
because
throwing
that
in
there.
G
I
There's
also
the
other
thing
with
nodes:
it's
like
not
many
people
actually
know
how
to
utilize.
The
package
json
properly
understand
the
difference.
What
a
pure
dependency
is,
what
you
know,
what
is
the
dependency?
The
relationship
was
brought
through.
What
was
needed
in
the
project?
You
know
it's
like
a
lot
of
people
do
change
the
chain,
the
actual
developer
dependencies
into
the
dependencies.
B
You
know,
that's,
that's
a
that's
a
good
point,
although
I
will
say
I
I
I
can't
tell
the
number
I
I
have
filed
endless
reports
upstream
yeah,
I'd
love
to
use
this,
but
your
developer
dependencies
are
the
same
as
your
runtime
dependencies
and
that's
not
right
and
I've
actually
gotten
some
mate,
some
feedback.
Where
just
that
one
comment
and
a
couple
tweaks
and
my
potential
dependencies
got
reduced
in
half.
That
seems
like
more
of
a
one-page
guide
for
the
developer,
because
really
it's
it's
the
developer
of
the
thing
you're
thinking
about.
B
Depending
on
that
you
know,
minimize
dependencies
or
something
like
that
or
minimize
runtime
dependencies.
G
How?
Because
we
can
link
back
to
that
here,
you
know
in
terms
of
like
how
dependent
like
how
you
can
go
about
managing
your
dependencies
or
how
they
actually
work
and
where,
like
how
it
all
comes
together.
And
if
you
don't
understand
what
attack
surface
is,
then
you
can
go
over
there
and
understand
what
we
mean
by
attack
surface.
Just
an
idea.
D
All
right,
so
what
would
we
like
to
do
with
number
one
as
it
sits?
Do
we
need
to
think
about
it?
Some
more.
I
guess
david
with
this
document.
Are
we
going
to
constrain
ourselves
to
one
page
as
well,
or
that
was.
D
B
That
was
my
original
goal,
but
of
course
you
know
in
it
this
is.
I
don't
view
this.
As
my
document,
you
know
if,
if
making
this
two
pages
would
make
it
more
useful,
I
I
think
the
goal
really
is
in
the
title:
it's
intended
to
be
a
quick
guide.
What
we're
trying
not
to
do
is
make
the
50-page
report
for
no
other
reason
than
people
won't
read
it
so,
but
about
adding
a
little.
Why
and
a
little
context
would
make
it
more
useful
than
hallelujah.
B
Let's
do
that,
but
I
I
think
shortness
is
a
goal
because
otherwise
people
just
won't
use
it.
B
B
So
maybe
we
can
be
a
little
more
generous
on
this
and
make
this
two
pages.
F
E
B
I
Ideally,
if
the
it's
one
of
those
things,
if
there
was
a
unified
field,
theory
kind
of
situations,
isn't
it
there
was
a
way
that
we
could
actually
like.
I
I've
always
thought
about
this
when
it
came
to
known
modules
is
like
sneak
was
probably
the
closest
I
came
to
it
when
it
came
to
providing
a
package
score
right
and
told
you
whether
or
not
you
know,
there's
no
vulnerabilities
etc
with
this
package
and
how
to
in
the
command
line
the
next
steps
to
go
about
rectifying
those
issues,
and
normally
it
was
just
dash
dash
force,
etc.
But
you
know
it's
like
those
those
except
those
additional
next
steps.
You
know
those
what
I
keep
saying,
especially
in
the
astral
community.
I
The
way
that
I
got
the
support
team
going
is
that
yeah,
if
we're
going
to
throw
somebody
underneath
the
bus
be
prepared
to
pick
them
back
up
and
dust
them
off
afterwards.
You
know
it's
like
yeah,
just
you
know
like
if
you're
throwing
something
on
the
deep
end,
just
dump
in
afterwards
again
situation
and
design.
I
The
tooling
around
that
it's
like,
if
we're
giving
them
these
this
information,
they're
not
going
to
be
a
lot
of
problem
with
the
tooling,
is
that
the
information
is
presented
in
such
a
way
that
there's
no
cognitive,
there's
no
cognitive
way
to
differentiate,
what's
been
told,
was
important,
what's
important
and
how
to
action
on
that
you're
effectively
left
with
another
main
dump
that
you
have
to
then
discern
and
spend
extra
time
going
over.
I
D
Indeed,
so
do
we
want
to,
I
guess
homework
for
everybody
think
about
how
we
might
be
able
to
augment
number
one
with
some
additional
context
or
guidance.
As
you
know,
fuzzy
says,
let's
point
out
a
problem
and
then
provide
some
actionable
paths
that
people
can
take
to
get
out
of
that
situation.
B
All
right,
a
quick
general
question:
this
is,
I
think
this
is
the
right
time
to
raise
it,
which
is,
is
everyone
okay?
With
this
scope?
This
is
specifically
for
evaluating
open
source
software.
The
other
one
really
is
more
general
for
software
at
all,
but
a
lot
of
the
specific
things
we're
talking
about
in
this
one
is
really
more
like
open
source
software
and
being
able
to
look
at
the
commits
being
able
to
look
at
the
license.
B
So
I
I
think
this
one,
it's
okay,
to
focus
on
open
source
software,
specifically,
is
anybody
having
any
broad
objections
to
that
narrow,
narrower
scope.
B
Okay,
all
right,
I'm
going
to
remove
that
question
comment
whatever
you
want
to
call
that
again,
good.
Thank
you
all
right,
and
I
had
said
this
was
intended
to
be
one
page
but
sounds
like
folks
are
agreeing
that
that's
not
really
the
critical
thing
here.
So
let
me
quickly
add
a
comment
I'll
want
to
keep
this
short.
B
B
Well,
yeah,
not
yeah,
I'm
I'm
fully
aware
of
the
margin
games,
two-point,
fonts
and
so
on,
but
that
doesn't
make
it
necessarily
the
best
use
of
time
it
doesn't
have
to
be
one
page.
So
let
me
just
I'm
gonna
document
that
as
a
comment
and
that
way,
we'll
know
that
that's
what
we're
kind
of
shooting
for.
G
B
Is
it
easy
to
use
securely
and
gee
that's
hard,
but
hey.
You
know
the
the
two
points
underneath
it
basically
are
the
defaults.
B
H
G
One
that
I
would
add
is
determine
how
the
developers
test
their
software.
So
therefore,
like
you,
if
there's
no
default
way
of
using
the
software,
then
developing
how
they
test
it,
because
I
know
there's
a
lot
of
products
out
there
that
have
a
lot
of
different
ways
of
using
it,
but
there's
only
one
way:
that's
actually
tested
by
the
developers.
That
happens
pretty
often.
H
I
agree
with
that
hear
me
now:
yay,
all
right,
computers
are
hard.
I
agree
with
with
the
point,
but
I
think
it
might
belong
under
number
three.
H
As
far
as
the
developers
test,
how
do
the
developers
test
the
software,
and
I
think
that
vicky
suggested
that
maybe
swapping
number
two
number
three
in
the
order
might
make
sense,
because
number
three
kind
of
leads
into
answering
is
easy
to
use
securely.
B
B
Yeah
that
one's
harder,
yeah.
B
Yeah
we
could
ask
about
coverage,
you
know,
do
they
have?
Is.
E
B
And
and
I'm
fully
aware
that
you
have
good
test
coverage
and
lousy
tests,
but
the
converse
isn't
true:
if
you
have,
if
you
have
bad
task
coverage,
you
have
bad
test
coverage.
B
Yeah,
let's
see
here,
you
know
what.
B
Yeah,
I
want
to
add
a
comment
right
now
and
just
say:
put
easy
to
use
after
ev
evidence
developers
work
to
make
it
secure.
B
Yeah
and
as
far
as
the
interface
api
being
secure,
maybe
talking
about
map
parameterized,
maybe
ask
if
it
has
parameterized.
B
Have
what's
the
it
you're
referring
to
I'm
sorry.
B
G
That
some
like
have
they
have
it
published
in
their
docs
somewhere.
They
have
like
what
they
did
or
if
they
have
anything
at
all
published
in
their
docs
on
security,
specifically
on
how
you
could
use
it
securely.
I
guess
it
depends
on
the
project
too.
E
B
B
B
D
Yeah
eric
had
a
suggestion
in
the
chat
and
then
I
think,
fuzzy
had
another
good
suggestion
is
you
know?
Do
we
have
any
way
to
provide
templates
along
with
this?
I
think,
wherever
possible,
we
should.
G
Agreed,
I
think
you
have
some
templates
in
one
of
the
repositories
we
do
the
one
for
like
reporting
cohesively.
D
Yeah,
as
a
cbd
guide,
we
have
templates,
so
people
can
kind
of
wholesale
grab
that
and
use
what
they
need.
So,
if
we,
if
there's
opportunity
here,
if
we
can
make
it
easy
for
a
developer
to
copy
and
paste
that
would
be
beneficial
in
the
end.
D
B
All
right,
let
me
let
me
accept
that,
so
we
have
fewer
comments
and
just
do
the
move
and
oh.
B
All
right,
you
know
what
let
me,
let
me
undo
that
part.
I'm
gonna.
B
H
Had
a
question
or
comment:
yeah,
I
mean
one
of
the
first
things,
a
shortcut:
we
we
teach
people
with
open
sources.
Is
it
coming
from
a
well-governed
foundation
that
has
security
practices
in
place?
That
projects
must
follow,
including
cio?
Does
it
have
ci
in
place
with
these
testing
tools
and
things
like
that?
So
keep
thinking,
apache
foundation
and
other
things
like
that
they
have
these
things
in
place.
That
gives
some
level
insurance
to
start
with.
H
What's
your
first
indicator,
you
know
if
it's
something
at
apache
foundation
or
some
other
foundation
cncf
cd
foundation,
they
have
security
tags,
they
have
whatever.
And
if
you
build
your
software,
you
build
it
the
way
they
tell
you
to
build
it
which
has
scanning
in
which
has
these
things
they
tell
you
how
to
manage
your
keys
and
you
have
to
follow
those
practices.
H
A
Mark's
suggestion
and
say
a
big
minus
one
to
the
foundation's
recommendation.
There
are
hundreds
of
thousands,
if
not
millions,
of
open
source
projects
and
the
vast
majority
of
them
are
not
under
a
foundation
that
doesn't
make
them
insecure
and
furthermore,
it
doesn't
make
anything
under
a
foundation
more
secure
and.
H
A
My
experience,
rank
and
file
users
of
these
things
aren't
knowledgeable
enough
to
be
able
to
suss
out
what
looks
like
good
governance.
What
does
not,
and
so
I
don't
think
that
would
be
very
effective.
Also
in
my
experience,
people
will
conflate
projects
based
upon
certain
technologies
that
are
under
foundations.
A
A
They
may
think
that,
while
because
there's
no
foundation,
this
must
naturally
be
under
a
foundation
and
they
just
they're
they're,
just
not
sound.
H
If
you're
telling
people
to
do
this
to
check
every
project
themselves
and
they
have
a
thousand
dependencies
and
they
know
that
if
a
project
is
under
a
foundation,
if
the
foundation
has
those
practices,
npm
is
not
one
of
them.
So
I'm
saying
that
some
foundations
do
provide
that
set
of
governance
instead
of
rules
before
you're,
actually
an
approved
project,
not
I'm
not
talking
about
npm
package
or
python
package.
That's
not
what
I'm
talking
about.
A
Yeah,
but
I
still
fall
back
to
a
lot
of
users.
Aren't
they
don't
have
the
experience
to
be
able
to
tell
whether
that
foundation
has
those
rules
that
are
and
whether
those
the
project
is
even
under.
A
I
I
think
it
just
complicates
things
to
a
level
that
this
document
can't
support.
B
You
know
the
I
I
think
that
foundations
very
much
do
have
value,
but
vicki
is
absolutely
right
that
a
vassar
components
aren't
from
foundations
and,
as
long
for
j
is
shown
found
it,
it
turns
out
that
foundation
members
are
not
perfect
either.
H
I
think
I
view
it
like
kind
of
mechanic.
Problems
like
everyone
should
know
how
to
do
their
engine
change
their
oil
change.
Do
this
change
change
your
brake
pads.
All
these
things
it's
great,
but
everyone
can't
be
a
mechanic
on
every
part
and
every
car
and
not
every
mechanic's
the
same.
But
if
you
find
a
good
mechanic
and
you
can
verify
their
good
mechanic,
then
you
use
them.
People
go
to
them.
Yeah.
A
E
A
For
people
who
are
the
end
users
of
an
open
source
project
or
is
it
for
a
developer
who
is
bringing
in
the
dependencies?
Because
the
first
point
implies
that,
whereas
this
conversation
implies
the
former
and
I
do
need
to
drop
for
another
call,
so
I'm
gonna
also
drop
that
little
bomb
and
then
run
away.