Speaker A: All right, everybody, one more time, just in case I missed it, I'll post the link to our agenda, as is tradition, on the March 15th edition of the OpenSSF Developer Best Practices Working Group. Do we have any new friends who wanted to introduce themselves today?

Speaker C: Yeah, hi, this is Varun here. I think this is the first time I'm joining this meeting. I've attended some of the others.
Speaker D: Hey, Ricardo here. I see that I'm "iPhone 12" for some reason, so I identify as an iPhone 12. Now, I guess I have a small update on behalf of Glenn, because he couldn't make it today because he's giving a training. And well, I'm feeling a lot better since my burnout, so I'll probably also be joining more often than not these days.

Speaker D: So I want to share a little link in the chat for the box that Glenn made for the learning platform. So I think you probably already thought about the Apache Guacamole Docker image that he was building on. So that's getting more and more concrete. From ING, they're now building on the Java labs, and also all the test cases for ZAP proxy, so that we can automate security tests on the code, and the fixes on the code, in the Guacamole box and stuff.

Speaker D: So that's all taking shape and looking good.
Speaker A: Excellent, any questions?

Speaker E: We created the alpha version of the graph, so you can see all the integrations and all the data we have in a visual format rather than a list of lists, which might be better for some people. Our next step is to drastically improve performance. There is a PR open and many more coming, and we have a PR open for importing miscellaneous Git projects via URL, and you could expect this to land, along with extensive documentation on this, by the end of this month.
Speaker F: Thank you very much. Okay, so a couple of quick things. Best practices badge: as happens occasionally, a vulnerable dependency was reported. We quickly updated, which really just shows that, hey, getting reports about vulnerable dependencies and having a fast update process can actually work. What an amazing construct, yeah, who knew. And probably more importantly, I've unfortunately been away for a bit for personal reasons, but the plan is to start soon switching to bestpractices.dev and, if we can ever get some consensus, a new logo.

Speaker F: So it may be that the move of the website happens first; we'll see about that. Logos are hard. On the edX course, there's some discussions about maybe making their certifications free. Details TBD. I don't think that's a certainty yet, but we want more people to get certifications. So that's in discussion. The broader issue: we want more people to be certified because we want to have a way for people to show that they know at least the basics, the fundamentals. Okay.
Speaker G: So, hey, hi. It's not listed in the project, but I have an update on the MFA distribution.

Speaker G: Well, all of them had either SMS or an app method to use MFA, and I don't know how many of them actually switched to the physical key, so actually how many of them use them, but I mean, we can assume if they ordered them and they had already activated, we can assume that they use them, basically. So yeah, that's it.

Speaker F: More directly, that'd be great, because the YubiKeys don't have the time limit that the other ones had. So, you know, it's perfectly fine as far as I'm concerned, unless somebody objects to dribs and drabs; the goal is to get things out and crow. Maybe... I've been the distributor; maybe I should find you or somebody else to be a co-distributor, so I'm not the holdup, because I don't... that was an unfortunate personal problem. Yeah.
Speaker C: Just to give, you know, a bit of background about this project and the reason for it: to give the demo I'll be using this repository. So it's called "supply chain code", but it essentially lists down some of the past threats related to...

Speaker C: You know, essentially, compromised build tools and dependencies, and Harden Runner is a way to detect these and prevent exfiltration of credentials and so on. So what it is, is essentially a security agent for the GitHub-hosted runner to monitor the build process.

Speaker C: So when you run a GitHub Action, essentially there is a virtual machine that gets created, and what this GitHub Action does is it installs an agent onto that virtual machine, which starts to monitor the file activities, essentially file writes, and network connections. So that's just a bit of background. I think it'll become clearer as I give the demo. So in order to give the demo, what I'll do is... and, you know, feel free to ask questions.

Speaker C: So let's say we have this workflow. I'm going to change it in a bit, but essentially it's just doing a checkout of the code and running tests and then uploading coverage.

Speaker C: And I'll go ahead and change this, so that's how developers can add it to their workflow file. It gets added as the first step, and let me go ahead and...

Speaker C: So when this workflow runs now, what's going to happen at this point is there is a new VM being sort of allocated, and all of the actions that run essentially do have sudo access on that VM, and so this action uses that sudo access in order to install an agent. And one of the goals is to install it in less than five seconds. In this case it took six seconds, but the goal is for it to be...

Speaker C: You know, fast in terms of installation, so people don't complain about it taking too long. And so in this step, this is where it downloads and installs it, and it starts to monitor the rest of the steps. And once it's finished, there's this link that you can click, and it gives a view into what happened in each of those steps. The idea is to give sort of a process monitor view: that when you did actions/checkout...

Speaker C: This was the process that was called, and it made an outbound call to GitHub. And this was a process that was called; it wrote to the source code. And when you had a step for "upload coverage to Codecov", it made an outbound call to codecov.io. And it's basically monitoring; it's actually running a DNS proxy in there. And then, after this, you also get a recommended policy based on these endpoints, and you can say that now...

Speaker C: I want to block traffic and only allow these endpoints. So let's say I go ahead and copy this. There's also an option where you can disable telemetry, because all of this telemetry is being sent right now, and so for block mode you can also say that I want to disable telemetry.
Speaker F: Not a problem. My hat's off to everybody who challenges the demo gods.

Speaker C: What will happen as a next step is that I was just going to add another call, and it would get blocked, and it would show in an annotation. Actually, what I could do is just show one of the previous runs, like in this case.

Speaker F: Have you thought about adding other runners, like CircleCI?
Speaker C: ...issues before trying to implement it for other environments. One person had used it for a GitHub-hosted scenario where it was hosted on Kubernetes, because you can also run GitHub Actions on a Kubernetes thing on your own, and it wasn't working there. So there's definitely opportunity to have it run in more scenarios, but I guess the first step is just to sort of get more adoption, which is, by the way...

Speaker C: The reason I'm doing these demos (and I had done one at the Scorecards meeting, and also in this working group and other working groups) is to try to make this into an OpenSSF project.
Speaker F: No, no cat pictures. I've got a dog, though. But I guess the one... it's not really a complaint, it's an observation, but maybe it's the, you know, first step of using the agent is to install the agent, which makes complete sense to me. But, you know: "Hey, hey, install a random agent in order to improve security."

Speaker F: ...always has me a little worried. I think that's reasonable. We just need to find a way to provide confidence that adding this agent will help and not hurt.

Speaker F: So I think that might be worth thinking through, as well as, of course, improving what it can do, but that seems like that would be a challenge. I'm not sure exactly how to do that, but that seems like something we're thinking about to increase the likelihood of its use.
Speaker G: So I like the idea. I had exactly the same question as David at the beginning: do you want to extend that to other CIs? To address David's point, I think that, yes, if this tool, this agent, is kind of sanctioned either by the CI products themselves (GitHub Actions, CircleCI, etc.), that could be a solution, or if it's sanctioned by our working group, perhaps saying, hey, as a best practice you could include that yourself.

Speaker F: Yeah, and frankly, maybe pointing off to some evidence about why we believe that this... you know, how we've protected this thing's chain, so that... I realize there's a turtles-all-the-way-down kind of problem. But at least, you know, there's some evidence that this thing isn't an attack itself, so we've hardened it up and so on, so that people feel confident about using it.
Speaker C: Yeah, I mean, you know, in a typical virtual machine, like cloud VM security, there are agents that are run, but a lot of times the developer is not really aware of them. And in this case the situation is that there's this VM, but you want to get this agent installed; you want to get it done before other steps run, and the only way that I could think of was to have it as a first step. But yeah.

Speaker C: ...be critical, yeah. I think it's a valid point, and I think that's why having it as an OpenSSF project, or like another sanctioned project, could give more... there'll be more people who would be looking at it from a contributions perspective, and I need to give more confidence to people about it, that it has gone through some sort of writing process and so on.
Speaker H: So I'm wondering, you know, if you're not using containerd or an approved OCI container runner, you probably won't have those features, so maybe that's valuable for those spaces. But I'm just wondering about this again, as David said: I consider this a mutation, and most of my customers wouldn't want to install things like this into their application space. So, yeah.

Speaker H: Yeah, well, and then Docker leverages, is leveraged as part of containerd. So I think that the entire container space, and most things are running containers in terms of cloud, I have to say, unless you're writing very minimal VMs and you have lockdown things there at the VM level, hypervisor level. So you have alternatives in the cloud space.
Speaker C: Yeah, so I would definitely... I'll go back and read more on the containerd stuff. In the case of GitHub Actions, what happens is that there is this Ubuntu VM which is set up, and the different actions you can either implement as a Node action or as a container. Actually, in fact, most of them are implemented as Node actions because of the time it takes to download the container image.

Speaker C: So, in fact, even if you look at the GitHub Action around checkout, the one that actually checks out the code, that's implemented as a Node action, not as a container.

Speaker H: Yeah, I mean, anything that is essential to running something in the application space we're looking to lock down in an image itself that we sign and verify. So we would never... I think that anything in the security space we would not pull in as a separate application from a GitHub Action, those types of things.
Speaker C: And just iptables for the firewall stuff, yeah.

Speaker F: Yeah, that said, I agree. I agree with Ava. On the other hand, you know, taking that data and then turning it into actionable "please insert this", I think, is the trick going on here.
Speaker B: Yeah, morning. So this is currently based in GitHub Actions, and obviously that's a logical place to start at the moment. Let me put my hand down now before I forget. But I'm wondering what the plans are, whether there are any plans actually to support other CI/CD-type systems rather than purely focusing on GitHub, because so many projects do not use GitHub Actions, and so if this is something that does gain adoption... I'm sorry, David, I missed that. It's not that I'm ignoring you.
Speaker C: No, I think it certainly can be done, because, you know, essentially a lot of the CI/CD providers just provide a VM, and once you have a VM you can sort of do the same sort of thing. But there are also some differences in terms of APIs and stuff like that for the CI/CD; like when it does the correlation, it actually uses the API...

Speaker C: ...from GitHub in order to do that correlation. So it can be done, but I guess the first step is to just get more adoption with GitHub Actions to understand what the developer experience should be and what some of the pain points are and stuff like that. And once it gets more adoption, then I guess the folks who are using it would probably start making these asks to...

Speaker C: You know, make it available in other ones, like CircleCI, and maybe even... CI, and so on.
Speaker B: So is this more of a proof of concept at this point, or is it actually live then and being used by...? You keep saying "more adoption". What adoption do you have so far, and what are you hearing about it?

Speaker C: So there are about 20 to 25 odd. Some of them are just forks and stuff like that. There's this other one that's using this one; it's being used. It's been used both in audit and block mode.

Speaker C: And there's also good sort of feedback, which I've written up as testimonials, but at the same time the adoption is not, you know, not like in the thousands.
Speaker A: We really appreciate you coming here today, Varun; hopefully you won't be a stranger. You can stop back in the future. The Technical Advisory Committee for the OpenSSF is working on a process around ingesting and kind of donation of new projects. So that's in flight; that's not ready.

Speaker A: So if you were looking to potentially turn this over to the foundation, we're not there yet, but I can follow up with you in a few weeks, a month or so, once that process has been developed, to kind of point you to how, if you wanted to do that, you could petition to go through that process.
Speaker F: Sure. If I can, quickly: I'm going to experiment. Usually we have people kind of try things out or look at it before we bring it in, but if it's pre-existing... So I'm gonna try to slip it into the CI of the best practices badge. Most of our stuff is in CircleCI, but we do have some GitHub Actions. So I'm going to slip that in, and I'm looking forward to giving it a whirl, kicking the tires as it were. So thank you so much.

Speaker A: All right, next up, David has something exciting to talk about: a survey.
Speaker F: Well, I don't know how exciting it is yet. I had some personal issues I had to deal with recently, so I've been out for a little bit, but when I came back yesterday, I discovered that LF Research is working on some sort of survey.

Speaker F: And I said, "Oh, tell me more," so I'm going to try to convince them to at least let folks here take a gander. I've told them about this group and pointed them to... you know, maybe through a posting on the mailing list. But it sounds like they want to get something out quickly. So look for that, and they may have a short deadline when they post.
Speaker F: Yeah, I think this is more of a survey for practices used in development as opposed to vulnerability disclosures, but if they focus more on vulnerability disclosures, then yeah, I totally agree that would be the right...
Speaker G: Yeah, I put something in the dust tool, because we run a survey for research ourselves in the security lab, but it was specifically focused on the disclosure process and on the interaction between the two populations.

Speaker F: Okay, that'd be awesome. I'll just shoot an email to at least connect you to each other.
Speaker A: Thank you, David, appreciate it. Did anyone have any additional opens they wanted to talk about with the group?

Speaker A: I would like to carve off the majority of the next call, if possible, to talk about the newbie's view of security coding practices, to maybe start to get some momentum on that. Unfortunately, we missed the Linux Foundation's Security Summit call for papers; that would have been a nice place to potentially formally talk about the group, and things like how to get more access to developers.
Speaker B: It would be nice to lay out beforehand what we are going to do next time, so that we can prepare it a bit and not just come in on the day.

Speaker A: I will talk to Glenn to get the graphic kind of laid out, just so we can kind of use that as a straw man to poke at, and then we can try to put together an outline to talk us through the conversation next time. Does that sound okay?
Speaker A: All right, with that, I will bid you all a good day. Enjoy a free 40 minutes, or 20 minutes, on your calendar. Go hide from work. Thank you all for coming. Thank you to Varun for presenting, and we will talk to you all in two weeks. Have a great rest of your day.