►
D
E
E
I'll
say:
hi,
I'm
brian
russell.
I
I'm
on
google's
open
source
security
team.
I
work
with
a
few
other
folks
and
a
couple
of
other
different
working
groups,
but
it's
my
first
time
attending
this
one
and
really
just
wanted
to
see
exactly
what
the
the
group
is
targeting
and
that
the
kinds
of
things
that
you
know
are
on
your
radar
right
now.
E
D
D
D
That
is
a
low
priority
task
for
me,
so
I
will
try
to
be
more
up-to-date
in
keeping
track
of
our
current
frequent
offenders
so
to
speak
that
come
in
and
help
us
out
and
but
ultimately,
at
the
end
of
the
year
I
will
put
out
a
list
of
and
say:
hey
vicky
showed
up
to
24
of
our
26
meetings.
So
I
will
add
her
as
part
of
our
regular
cast
of
characters.
So
then,
then,
weekly
as
folks
come
in
and
out
we'll
adjust
the
list.
D
D
D
D
Just
give
me
a
second
and
we'll
talk
about
that
open.
We
will
talk
about
the
opens.
We
will
do
a
quick
call
for
any
of
our
member
projects
that
have
updates
they
want
to
share
with
the
team,
and
then
we
will
go
look
at
david's
one-page
document
and
the
one
page
for
developing
software,
and
then
we
will
hopefully
get
that
wrapped
up
and
then
work
on
to
the
evaluating
open
source
software,
which
the
last
call
the
team
had
a
lot
of
feels
on.
C
I
would
like
to
to
do
us
to
have
a
small
point
yeah,
as
some
of
you
remember,
I'm
leading
the
open
step
up
and
office
hours
and
I've
sent
I've
sent
the
doodle
to
come
with
first
date
and
for
now
I
just
have
two
answers
for
our
abilities:
yeah
not
too
many
to
start,
so
I'm
wondering
it
may
be
because
of
vacation
because
many
places
people
on
vacation
or
on
conferences
of
or
any
somewhere
else.
So
what
I'm
thinking
about
is
postponing
the
first
sessions
to
september.
D
D
E
C
D
D
B
Sure
why
not?
I
I
knew
I
told
people
earlier:
hey,
be
cool
ads.
Some,
you
know
images
something
to
help.
People
understand
the
idea
and
we've
actually
added
one
added
one.
It's
a
little
race
cars
picture
to
show
give
an
idea
about
the
race
conditions,
so
haven't
had
a
chance
to
do
more,
but
at
least
we
can
now
say:
hey,
that's
pro,
that's
pretty
cool
so
and
we
can
go
from
there.
D
F
Yeah
sure
so
we
are
starting
to
implement
our
new
ux.
I
I
think
glenn
probably
showed
the
slides
for
the
whole
training
platform.
Yeah
awesome.
So
first
we
found
subby
somebody
who
wanted
to
integrate
the
ux
in
the
front
end,
but
sadly
he
dropped
the
project.
So
we
had
to
find
somebody
else.
We
found
somebody
else.
Luckily,
so
I
got
him
going
and
well
he's
working
on
that
house.
I'm
also
really
excited
for
that,
because
that
well
really
gets
the.
F
F
F
D
For
those
of
you
that
don't
know
so,
this
group
we
have
our
edx
courses,
our
our
secure
coding,
fundamentals,
classes
that
david
and
others
helped
put
together.
So
that's
one
avenue
we're
providing
education
and
best
practice.
Information
for
folks
skf
is
another
member
project
and
that's
more
of
a
hands-on
tool
where
you
go
through
and
do
labs
and
actually
implement
the
ideas
that
you've
learned.
D
So
those
of
you
don't
know
we
have
an
education
sig
where
we're
focusing
in
on
actually
providing
training
for
people
and
classes
and
certifications
and
skf
will
be
part
of
our
strategy.
One
of
the
different
techniques
we
will
be
providing
education
for
so
we're
going
to
try
to
get
some
additional
augmentation
of
the
skf
project
and
hopefully,
some
additional
participants
for
you
all.
Oh.
D
E
D
D
D
E
Yeah
sure
so
we
have
a
new
beta
version
of
scorecard
action
that
we
have
released.
So
with
this
new
version
we
have
the
scorecard
badges
that
can
be
enabled
and
also
we'll
have
a
scorecard
api.
So
basically
it's
a
rest
api
where
you
can
look
at
your
per
commit
data,
so
it's
a
beta
release
that
we've
done
and
we're
not.
We
are
rolling
out
to
early
adopters.
So
if
you
want
to
try
it
out
would
very
much
appreciate
the
feedback
here.
D
E
D
B
Yeah,
so
the
the
one
one-page
guide
for
developing
more
secure
software,
I
think
we're
in
pretty
good
shape.
The
only
thing
that's
been
changed
relatively
recently
is
the
addition
of
one
more
thing:
the
safe
code
document
lots
of
folks
are
referred
to
that.
So
I
don't
think
that's
gonna,
be
controversial.
B
Tried
to
tweak
up
the
continuously
improved
point
more
to
try
to
make
it
short
trying
to
keep
that
one
page
and
otherwise
I
think
this
one's
in
decent
shape.
I
mean
you
know,
I
I
think
if
people
are
expecting
us
to
coordinate
and
make
everything
around
the
world
all
consistent,
we're
not
trying
to
do
that.
We're
just
trying
to
point
to
the
materials
that
are
already
there
that
hey
help
me
get
started
here.
Let's,
let's
here's
some
material,
let
me
get
started
the
other
one.
D
D
E
E
A
number
of
these
items
are
required
to
actually
be
eligible
for
the
best
practice
badge.
So
while
I
understand
this,
isn't
you
know
a
document,
that's
trying
to
help
them
get
there.
You
know
if
they're
reading
this
from
the
top
down.
If
they've
addressed
everything
in
the
document
by
the
time
they
get
to
that.
Well,
then
they'll
understand
it
a
little
bit
better.
B
B
E
Yeah,
that's
fine.
I
mean
I
just
you
know
and
again
that's
it's
all
going
to
be
up
for
individual
judgment,
but
you
know
things
like
you
know.
Combination
of
tools
for
ci
monitoring,
don't
push
secrets
to
repository.
I
think
all
those
things
are
key
developer
activities
that
that
should
come
first,
but
again
to
your
point.
You
know
we
could
argue
that
all
day,
so
just
a
just
a
consideration,
some
kind
of
thing.
B
Right
right
no-
and
I
I
I
think
that
I
I
do
worry-
that
there's
probably
not
going
to
be
a
single
order.
Everyone
accepts,
but
on
the
other
hand,
we
if
folks,
want
to
reorder
it
around.
That's
awesome,
I'm
certainly
not.
You
know
if,
if
there's
a
better
order,
I'm
not
sure
how
to
how
to
work
out
a
better
order
as
a
group.
To
be
honest,
if
anybody
has
suggestions
on
that
on
that
approach,
that'd
be
that'd,
be
good
and
useful.
C
B
B
That's
pretty
easy
to.
Well,
if
it's
on
a
particular
point,
we
can
add
as
a
comment
or
suggestion:
that's
not
so
bad
reordering
for
multiple
people,
I'm
not
sure
how
to
handle
that
feedback.
We
earlier
had
just
put
at
the
bottom,
but
you
know
if
people
said
move
three
to
to
two
as
soon
as
you
did
one
of
them,
then
everybody
else's
comments
got
confusing.
B
D
If
somebody
has
a
cohesive
thought
about
how
to
reorder
things,
we
will
consider
that,
but
I
would
like
to
not
peace,
because
we'll
spend
now
until
2025
debating
moving
22
to
14
right
11
to
2..
So
I
would
like
to
try
to
see
if
we
can
get
this
out
the
door
at
least
initially
for
to
get
some
wider
review.
D
Let's
take
eric
and
marta's
team's
feedback
and
see
if
we
need
to
make
any
changes
before
we
publish,
but
if
anyone
has
a
thought
about
how
we
might
a
proposal
on
how
we
could
order
this,
if
there
was
a
methodology
or
phases
or,
however,
they
thought
might
be
better.
Please
put
that
proposal
under
the
comments
below
number
23
and
we
will
maybe,
by
next
meeting,
we'll
be
able
to
digest
marta
and
eric's
team's
feedback
to
see
if
we
need
to
make
any
substantive
changes.
D
H
H
We've
been
we've
been
kind
of
churning
on
this.
I
think
for
for
a
little
while,
so
my
suggestion
would
be
that
exactly
you
said:
let's
get
the
final
round
of
comments
in
here
from
eric
and
marta
anybody
else
says
anything,
and
let's
call
that
the
final
round
of
comments
we'll
go
through
one
last
review
and
the
content
will
then
be
done.
H
We
can
then
weigh
the
option
of
maybe
moving
some
stuff
around
based
on
probe
suggestion,
I
think,
is
a
good
one,
but
then,
let's,
let's
plan
to
have
this
in
the
get
by
the
end
of
this
month.
I
think
we
have
a
couple
meetings
between
now
and
then
to
get
through
those
couple
tasks.
But
you
know
perfection
is
the
enemy
of
good
enough.
D
B
Preamble,
this
is
not
a
constitution,
okay,
so
I
I
wasn't
able
to
participate
in
the
last
spirit
to
discuss.
I
understand
there
is
a
spirit
of
discussion,
I'm
grateful
for
it.
Actually,
let
me
re-post
the
link
to
the
guide
to
evaluating
in
many
ways.
This
is
the
comparison
document
it's
not
as
far
along,
but
I
think
most
folks
would
agree
that
both
of
these
tasks
are
important,
so
the
quick
guide
to
evaluating
open
source
software
has
a
list.
I
know
that
there's
been
some
discussions
about
ways
to
improve
this.
B
D
And
to
summarize
the
feedback
from
the
last
time
we
met,
while
you
were
convalescing,
the
group
thought
that
this
was
less
structured
and
organized.
It
was
a
nice
list
of
thoughts,
but
we
they
thought
we
might
want
to.
We
need
to
add
some
more
meat
to
it.
So,
for
example,
should
it
be
added
at
all
may
not
resonate
with
a
developer
if
somebody's
trying
just
gets
this
list,
so
we
may
want
to
think
about
how
we
want
to
do.
D
B
D
B
D
B
B
D
E
B
D
A
B
D
G
I
think
it
also
really
depends
what
community
you
come
from
to
be
honest
with
you
as
far
as
because
I
think,
like
a
lot
of
communities
like
js,
does
not
really
tell
you
to
think
about
what
you
install.
So
you
end
up
with
like
700
dependencies
pretty
easily
and
that's
not
a
problem
for
js,
because
they
encourage
that
so
fuzzy's
a
js
developer.
So
you
could
tell.
I
I
So
you
know
we
kind
of
like
have
the
long-standing
joke
that
you
know
known
modules
is
probably
the
more
the
most
heaviest
object
in
the
known
universe.
You
know,
you
know
what
node
modules
off
the
folder
but
and
depends
and
dependency
chain
hell
can
grow,
but
it's
just
one
of
those
lack
of
awarenesses
and
it's
a
way
that
js
is
kind
of
structured.
Everything
is
modular,
so
the
more
modular
you
make
your
projects
and
your
packages.
B
B
Actually,
that's
a
that's
a
good
point
and
I
went
this.
We
actually
perfectly
reasonable
have
a
little
blog
post
overall
summarizing,
hey
here's,
here's
something
new!
We
did
here's
some
of
the
points
and
it
could
at
least
briefly
explain
in
a
little
more
detail
a
few
and
then
you
could
go
back
and
have
later
blog
posts
dive
in
in
more
detail.
If
that
seems
appropriate.
D
E
D
Oh
back
at
red
hat,
every
container
contained
this
file,
a
supplementary
file
from
the
kernel,
and
that
was
included
in
every
container.
So
every
time
there
was
a
kernel
update,
every
container
was
flagged
as
vulnerable,
even
though
it
was
like
it
was
like
a
readme
file
type
yeah.
It
was
something
stupid
exactly
which
one
it
was,
but
you're
100
right
people
have
sloppy
container
practices.
G
Yeah
yeah
good
example
on
swift
about
this,
like
on
swift's
repo.
That's
where
I
read
that
they
they
have
a
like
a
thing
about
how
like
people,
don't
understand,
python
2's
installed,
and
that
has
a
bunch
of
issues
and
swift
will
flag
him
for
you.
So
but
yeah
like
it's
interesting,
because
throwing
that
in
there.
G
I
There's
also
the
other
thing
with
nodes:
it's
like
not
many
people
actually
know
how
to
utilize.
The
package
json
properly
understand
the
difference.
What
a
pure
dependency
is,
what
you
know,
what
is
the
dependency?
The
relationship
was
brought
through.
What
was
needed
in
the
project?
You
know
it's
like
a
lot
of
people
do
change
the
chain,
the
actual
developer
dependencies
into
the
dependencies.
B
You
know,
that's,
that's
a
that's
a
good
point,
although
I
will
say
I
I
I
can't
tell
the
number
I
I
have
filed
endless
reports
upstream
yeah,
I'd
love
to
use
this,
but
your
developer
dependencies
are
the
same
as
your
runtime
dependencies
and
that's
not
right
and
I've
actually
gotten
some
mate,
some
feedback.
Where
just
that
one
comment
and
a
couple
tweaks
and
my
potential
dependencies
got
reduced
in
half.
That
seems
like
more
of
a
one-page
guide
for
the
developer,
because
really
it's
it's
the
developer
of
the
thing
you're
thinking
about.
G
How?
Because
we
can
link
back
to
that
here,
you
know
in
terms
of
like
how
dependent
like
how
you
can
go
about
managing
your
dependencies
or
how
they
actually
work
and
where,
like
how
it
all
comes
together.
And
if
you
don't
understand
what
attack
surface
is,
then
you
can
go
over
there
and
understand
what
we
mean
by
attack
surface.
Just
an
idea.
D
D
B
That
was
my
original
goal,
but
of
course
you
know
in
it
this
is.
I
don't
view
this.
As
my
document,
you
know
if,
if
making
this
two
pages
would
make
it
more
useful,
I
I
think
the
goal
really
is
in
the
title:
it's
intended
to
be
a
quick
guide.
What
we're
trying
not
to
do
is
make
the
50-page
report
for
no
other
reason
than
people
won't
read
it
so,
but
about
adding
a
little.
Why
and
a
little
context
would
make
it
more
useful
than
hallelujah.
B
F
E
B
I
I've
always
thought
about
this
when
it
came
to
known
modules
is
like
sneak
was
probably
the
closest
I
came
to
it
when
it
came
to
providing
a
package
score
right
and
told
you
whether
or
not
you
know,
there's
no
vulnerabilities
etc
with
this
package
and
how
to
in
the
command
line
the
next
steps
to
go
about
rectifying
those
issues,
and
normally
it
was
just
dash
dash
force,
etc.
But
you
know
it's
like
those
those
except
those
additional
next
steps.
You
know
those
what
I
keep
saying,
especially
in
the
astral
community.
I
The
way
that
I
got
the
support
team
going
is
that
yeah,
if
we're
going
to
throw
somebody
underneath
the
bus
be
prepared
to
pick
them
back
up
and
dust
them
off
afterwards.
You
know
it's
like
yeah,
just
you
know
like
if
you're
throwing
something
on
the
deep
end,
just
dump
in
afterwards
again
situation
and
design.
I
D
B
All
right,
a
quick
general
question:
this
is,
I
think
this
is
the
right
time
to
raise
it,
which
is,
is
everyone
okay?
With
this
scope?
This
is
specifically
for
evaluating
open
source
software.
The
other
one
really
is
more
general
for
software
at
all,
but
a
lot
of
the
specific
things
we're
talking
about
in
this
one
is
really
more
like
open
source
software
and
being
able
to
look
at
the
commits
being
able
to
look
at
the
license.
B
Okay,
all
right,
I'm
going
to
remove
that
question
comment
whatever
you
want
to
call
that
again,
good.
Thank
you
all
right,
and
I
had
said
this
was
intended
to
be
one
page
but
sounds
like
folks
are
agreeing
that
that's
not
really
the
critical
thing
here.
So
let
me
quickly
add
a
comment
I'll
want
to
keep
this
short.
B
B
Well,
yeah,
not
yeah,
I'm
I'm
fully
aware
of
the
margin
games,
two-point,
fonts
and
so
on,
but
that
doesn't
make
it
necessarily
the
best
use
of
time
it
doesn't
have
to
be
one
page.
So
let
me
just
I'm
gonna
document
that
as
a
comment
and
that
way,
we'll
know
that
that's
what
we're
kind
of
shooting
for.
G
B
B
H
G
One
that
I
would
add
is
determine
how
the
developers
test
their
software.
So
therefore,
like
you,
if
there's
no
default
way
of
using
the
software,
then
developing
how
they
test
it,
because
I
know
there's
a
lot
of
products
out
there
that
have
a
lot
of
different
ways
of
using
it,
but
there's
only
one
way:
that's
actually
tested
by
the
developers.
That
happens
pretty
often.
H
B
E
G
B
G
E
B
B
D
D
D
B
H
Had
a
question
or
comment:
yeah,
I
mean
one
of
the
first
things,
a
shortcut:
we
we
teach
people
with
open
sources.
Is
it
coming
from
a
well-governed
foundation
that
has
security
practices
in
place?
That
projects
must
follow,
including
cio?
Does
it
have
ci
in
place
with
these
testing
tools
and
things
like
that?
So
keep
thinking,
apache
foundation
and
other
things
like
that
they
have
these
things
in
place.
That
gives
some
level
insurance
to
start
with.
H
What's
your
first
indicator,
you
know
if
it's
something
at
apache
foundation
or
some
other
foundation
cncf
cd
foundation,
they
have
security
tags,
they
have
whatever.
And
if
you
build
your
software,
you
build
it
the
way
they
tell
you
to
build
it
which
has
scanning
in
which
has
these
things
they
tell
you
how
to
manage
your
keys
and
you
have
to
follow
those
practices.
H
A
Mark's
suggestion
and
say
a
big
minus
one
to
the
foundation's
recommendation.
There
are
hundreds
of
thousands,
if
not
millions,
of
open
source
projects
and
the
vast
majority
of
them
are
not
under
a
foundation
that
doesn't
make
them
insecure
and
furthermore,
it
doesn't
make
anything
under
a
foundation
more
secure
and.
H
A
My
experience,
rank
and
file
users
of
these
things
aren't
knowledgeable
enough
to
be
able
to
suss
out
what
looks
like
good
governance.
What
does
not,
and
so
I
don't
think
that
would
be
very
effective.
Also
in
my
experience,
people
will
conflate
projects
based
upon
certain
technologies
that
are
under
foundations.
A
H
If
you're
telling
people
to
do
this
to
check
every
project
themselves
and
they
have
a
thousand
dependencies
and
they
know
that
if
a
project
is
under
a
foundation,
if
the
foundation
has
those
practices,
npm
is
not
one
of
them.
So
I'm
saying
that
some
foundations
do
provide
that
set
of
governance
instead
of
rules
before
you're,
actually
an
approved
project,
not
I'm
not
talking
about
npm
package
or
python
package.
That's
not
what
I'm
talking
about.
A
H
I
think
I
view
it
like
kind
of
mechanic.
Problems
like
everyone
should
know
how
to
do
their
engine
change
their
oil
change.
Do
this
change
change
your
brake
pads.
All
these
things
it's
great,
but
everyone
can't
be
a
mechanic
on
every
part
and
every
car
and
not
every
mechanic's
the
same.
But
if
you
find
a
good
mechanic
and
you
can
verify
their
good
mechanic,
then
you
use
them.
People
go
to
them.
Yeah.
A
E
A
For
people
who
are
the
end
users
of
an
open
source
project
or
is
it
for
a
developer
who
is
bringing
in
the
dependencies?
Because
the
first
point
implies
that,
whereas
this
conversation
implies
the
former
and
I
do
need
to
drop
for
another
call,
so
I'm
gonna
also
drop
that
little
bomb
and
then
run
away.