►
From YouTube: Best Practices for Open Source Developers (June 7, 2022)
B
A
B
A
A
C
A
A
D
B
D
B
B
As
you
know,
as
we
are
trying
to
encourage
all
projects
to
do
we
get
reports
when
there
is
a
vulnerable
dependency
detected,
we
got
a
vulnerability
reporting,
particularly
in
our
web
server
called
rack
and
we
updated
and
fixed,
and
so
on,
probably
more
interesting
on
the
course
kind
of
two
things.
I
don't
think
I've
mentioned
this
before,
but
an
rit
actually
she's
a
sophomore.
A
student
has
offered
to
give
us
a
hand.
B
Her
name
is
olivia
just
has
started
interacting
kind
of
looking
over
and
just
basically
right
now,
just
walking
through
the
whole
course
proposing
editorial
changes
she's.
As
long
as
we
go
that
you
know
different
style,
but
I
believe
already
some
of
her
changes
are
actually
already
deployed,
so
you
know
we,
although
you
know
right
now,
we're
much
more
focused
she's
jumping
into
the
pool.
So
right
now
it's
much
more
focused
on
tech
edits,
but
you
know
what
you
get
enough:
improved
tech
edits
that
makes
the
document
and
the
material
easier
to
understand.
B
We
want
maximum
ease
of
understanding,
for
this
is
at
least
related
to
the
fundamentals
course
I
own
on
openssf
day,
going
to
be
giving
a
short
talk,
half
an
hour
talking
about
education,
talking
about
stream
one
in
general,
but
I'm
working
on
that
presentation
right
now,
so
I
don't
know
exactly
what
it's
going
to
say
yet,
but
I'll
I'll
find
out
soon
and
I
do
plan
to
make
a
secret
announcement.
I
have
mentioned
that
earlier.
So,
oh
it'll
be
good,
it'll
be
good.
B
D
D
D
D
E
We
already
had
like
10
interactive
laps
that
people
could
do,
but
now
we
also
have
all
the
material
around
it
and
explaining
basically
the
infra
and
altery
part
of
why
and
how
you
should
do
things
with
nice
examples.
If
you
don't
how
easy
it
will
be
for
the
offensive
side
to
actually
abuse
those
type
of
misconfiguration
and
vulnerabilities.
E
This
is
also
quite
important
because,
after
that,
we
can
actually
work
on
the
yeah,
the
gathering
of
the
metrics
of
who
did
what,
how
many
time
they
spent
in
doing
labs
or
gathering
security
requirements
yeah.
So
that
was
also
very
nice
that
you
know
the
the
people
from
github
panel
are
yeah
going
to
help
and
assist
us
a
bit
in
that.
So
we
can
move
some
yeah
some
ground
there,
a
bit
quicker.
E
B
B
B
It
would
be
better
to
leave
the
changes
in
for
now
after
and
we
can,
during
or
after
this
meeting
you
know,
go,
accept
all
and
see
what
nonsense.
We
have.
I
mean
part
of
the
challenges
here.
We
really
want
to
try
to
make
this
short.
I
know
the
one
page
constraint
is
somewhat
artificial,
but
I
think
it's
helpful
because
it
sure
is
easy
to
move
on
to
many
many
pages
with
this
stuff.
B
So
in
that
spirit
shortened
up
the
top,
you
know,
and
it
already
said
who
it
was
for,
but
sounds
like
some
people.
It
wasn't
so
obvious.
So
now
it's
the
intro
is
just
one
sentence:
here's
a
quick
guide
for
software
developers
for
developing
more
secure
software
throughout
development
building
distribution.
B
B
B
B
A
B
A
A
B
That
all
right
all
right,
so
I
so
let
me
just
verbally
point
out
some
of
the
things
that
are
common.
One
was
the
don't
pushing
secrets.
Really
there
isn't
an
argument
whether
or
not
this
is
a
good
thing
to
do.
The
issue
is
we
already
have
a
number
five,
a
user
combination
of
tools
pointing
to
the
guidance
on
security
tools
from
the
open,
ssf
tools,
working
group
and
that
one
already
mentions
the
secret
storage
stuff
and
tools
for
looking
at
it.
B
C
D
B
B
D
B
B
So
I
I
really
hate
I
mean
you
know
it
takes
a
different
tact,
but
that's
not
a
bad
thing,
so
I
don't.
I
don't
think
we
want
to
do
the
third
party
audit
if
you
can
afford
it.
I
think
that
that's
a
caveat
I
mean
you
know,
that's
really
the
only
reason
I
think
everybody
should
do
a
third
party
audit.
The
only
problem
is
funding
resources,
not
whether
or
not
it's
appropriate.
A
My
my
reading
from
the
perspective
of
someone
who
is
not
reading
the
security
domain
is
that
they
will
understand
the
things
that
are
on
the
beginning
and
then
you
have
abbreviations,
abbreviations,
abbreviations,
abbreviations.
If
you
do
not
know
this
stuff,
you
will
say
I
don't
know
what
is
I
don't
know
what
it
is.
I
don't
know
what
it
is.
Okay,
let's
throw
it
away.
B
B
Right
right
now,
I
agree
with
you
that
the
scope
should
be
here.
I
don't
know
of
any
case
where
it's
not
here.
Asvs
applies
to
everybody.
Third
party
applies
to
everybody.
If
you
can
afford
it,
cncf
I'm
going
to
argue
applies
to
everybody.
I
know
that
some
of
it
is
cloud
specific,
but
not
the
whole
thing.
Lfx
security
is,
if
you're
an
lf
if
you're
an
lf
project,
did
I
miss
anything.
B
D
And
potentially
I
I
would
imagine
that
once
we
publish
this,
we
will
work.
You
know
with
the
tack
on
the
governing
board,
maybe
do
a
blog
to
announce
it
and
we
can
provide
some
additional
context
saying
this
is
a
great
beginning
point
and
there's
a
lot
of
other
resources.
We
refer
here
to
blah
blah
show
up
at
the
working
group.
If
you
have
questions.
A
B
C
I
don't
know
I
mean
if
we
have
to
tell
you
to
follow
links
that
are
pretty
obviously
links.
Then
I
have
to
wonder
either
a
whether
you've
existed
on
the
web.
Yet
maybe
you
have
it
or
b
it's
possible
that
our
css
is
messed
up
and
things
don't
look
like
links,
so
we
can't
necessarily
blame
the
reader.
B
C
B
Sure
I'm
stretching
yeah,
okay,
all
right
so
so
so
mark.
I
I
agree
that
we
need
to
make
it
clear
when
they
apply.
I
think
that
we
did
that
and
if
not,
let's,
let's
circle
back,
you
know
because
obviously
we're
just
kind
of
running
through
the
document
real
quick.
So
I'm
gonna
claim
that
we
did
that.
But
if
you
re-look
at
it-
and
you
find
a
place
where
we
didn't
do
that-
please
re-raise
okay,
does
that
seem.
Does
that
seem
reasonable.
B
A
B
Okay,
yeah
absolutely
yeah.
The
trick,
of
course,
is
we're
trying
to
do
this
in
one
page,
so
we're
not
going
to
get
into
grand
details
but
yeah.
If
it's
only
applies
to
alex
projects,
then
we
should
say
that
let's
see
here,
what
are
the
other,
I'm
looking
at
the
yellow
text?
Oh
wait
a
minute!
You
know
what
I'm
going
to
quickly
look
over
at
our
friends
who
have
clicked
on
the
hey.
Please
let
me
edit
button.
So
if
everyone
can
give
me
just
a
moment
or
maybe
stall
for
me
and.
A
A
There's
a
lot
here
and
I
think
it
might
get
greater
attraction
with
people
if
you
organize
it
a
little
bit
in
terms
of
it,
looks
like
there's
things
that
you're
telling
people
not
to
do
and
then
there's
things
that
are
just
sort
of
you
know
enable
this
throw
this
switch.
You
know
start
using
this
tool,
so
just
sort
of
one-time
actions
of
turn
on
dependable
or
avoid
doing
these
things
anti-patterns
and
then
you
know,
start
auditing
your
projects
for
this
and
start
implementing.
You
know
new
doing
new
practices
going
forward.
A
B
I
don't
okay,
I
don't
think
we
can
do
that.
One
page.
I
think
that
is
not
possible.
What
we
should
do
is
organize
it,
though
I
totally
agree.
Last
time
we
had
agreed
that
we
would
organize
this
more
or
less
by
the
expected
order
of
events
that
people
will
do
so.
Basically,
some
of
the
easy,
quick
wins
and
then
you
know
the
things
that
we
would
kind
of
hope.
You
know
if
you're
gonna
do
steps
one
through
ten
do
one
first,
then
two
but
here's
the
problem.
B
If
I
tried
to
do
that
with
the
current
document,
then
you
can't
see
the
other
changes,
because
when
you
move
stuff
around
it's
a
delete
of
everything
and
an
insert
of
everything.
So
there
was
no
way
to
see
the
other
changes
made.
So
what
I
would
propose
is,
let's
do
some
quick
fixes,
accept
all
and
then
between
now
and
next
gathering
try
to
work
out
an
order
and
then
hopefully
we
will
can
declare
this
thing
sort
of
a
victory
group.
I
mean
yeah,
I
mean
yeah
exactly
exactly.
B
C
I
never
have
anything
to
say
I
know
I'm
so
quiet
demir.
No,
I
think
that
your
idea
to
to
accept
everything
to
kind
of
clean
up
the
doc
and
then
move
forward
is
you
know,
spot
on
diego
team.
Let's
do
that,
but
then,
after
that,
I
in
particular
would
love
to
have
a
pass
of
a
writing
professional
who
also
is
comes
from
the
education
background,
so
cara.
C
I
would
very
much
value
your
input
on
this
afterward
to
especially
since
you
know
this
is
what
you
do
right
and
if
so,
you
were
able
to
take
our
really
great
first
pass
and
see
what
you
can
do
to
make
it
more
accessible
to
the
audience
and
while
also
perhaps
staying
to
that
one
page.
Definitely
that's
our
that's
a
hard
goal.
C
Anything
you
could
do
to
make
that.
I
would
think
that's
amazing.
I
mean
seriously.
I
cannot
understate
how
thrilled
I
am
that
you're
here
we
don't
see
enough
tech
writers
in
in
these
in
these
working
groups,
so
you're
you're,
like
a
unicorn.
Your
solid
gold
unicorn,
is
what
you
are
for
me
right
now.
B
Awesome
and
we
do
have
tech
editors
at
the
alf-
also
that
I
can
sick
this
on
and
having
multiple
eyes
is
awesome.
So,
let's
yes,
so
let's
do
that
the
problem
with
our
tech
cars
in
our
end
is
they
may
not
have
the
technical
background.
I
mean
that's
always
the
challenge.
So
you
know
karen
particularly
sounds
like
you've
got
some
overlap
and
that's
be
awesome.
We'd,
love
to
and
we'd
love
to
have
all
your
input.
So
thank
you.
B
Yes,
okay,
whoops,
and
I
think
the
last
comment
was
deleted
and
I
accepted
a
whole
bunch
of
edits.
So
I'm
kind
of
hoping
that
everybody
can
now
see
the
state
so
are
we
are?
Are
we
good
enough
to
accept
all
changes
and
then
we
can
bicker
about
improvements
from
there
and
maybe
reorders
and
and
draft
improvements?
Are
we
close
enough
for
that
and,
as
I
said,
I
want
at
least
let
people
see
the
changes
that
were
made
to
the
text.
D
D
D
B
No,
we
do
not
this.
These
links
should
be
hey,
you're,
reading
this.
Here's.
What
to
do
next
alpha
omega,
isn't
a
do
next!
Okay,
because
alpha
omega
is
looking,
you
know,
because
otherwise
they'll
be
overwhelmed
with
everybody
thinks
they're
important,
and
you
know
what
everybody's
important
everybody
we
got
that,
but
for.
B
B
Now
I
guess
we
could
point
them
to
sos.dev,
but
that's
not
going
to
be
enough
to
do
a
code
review
in
most
cases.
That's
going
to
be
you
know,
those
are
for
small
amounts
of
small
focused
activities,
all
right
so
somewhere.
I
will
find
the
button
that
says
accept
all
and
then
what
I'm
going
to
ask.
Is
everybody
please
review
the
new
how
to
in
the
world.
B
D
B
Okay,
fair
enough
all
right
somewhere,
I'm
going
to
find
this
accept
all
button.
I
haven't
found
it
yet,
but
while
we
move
on
to
something
else,
but
I
think
we've
made
big
progress.
Folks
and
now
the
other
document
which
is
kind
of
supporting
doctor
is
the
evaluation.
I
did
work
to
try
to
start
to
clean
that
up
and
shorten
it.
I
think
for
time
I
mean
we
can
take
a
look
if
there's
nothing
else,
for
this
working
group
that
we
want
to
do
today.
B
A
So,
just
before
you
move
on,
I
mean
I
think
you
know
I
I
was
the
one
saying
last
time
we
shouldn't
get
to
the
one
page
by
just
using
a
smaller
font,
but
I
see
dave
actually
said
on
on
the
chat.
There's
a
very
big
margin
now-
and
I
agree
with
that.
So
maybe
we
can
change
that
margin
a
little
bit
and
get
to
the
one
page.
I
think
that
would
be
reasonable.
B
I
I
to
be
honest:
I
was
teasing,
I
wasn't
serious,
but
you
know
what,
if
a
small
margin
change
in
the
end
is,
you
know
solve,
makes
things,
so
this
is
a
good
result
really.
What
I
want
is
a
good
result,
and
you
know
what
I'm.
What
I'm
fearful,
though,
is
that
it's
so
easy
to
move
into
the
300
page
documents,
and
this
isn't
that
the
goal
of
that
so
having
an
arbitrary
one,
page,
really
forces
us
to
throw
away.
You
know
to
prioritize,
I
would
say.
B
B
C
B
B
All
the
pink
went
away.
The
document
is:
oh,
my
gosh.
It's
one
page
a
miracle
occurred,
so
we
don't.
We
might
not
have
to
do
the
page
margin,
games
or
the
or
or
the
I
mean,
there's
actually
a
whole
lot
of
games,
the
indent.
How
much
do
you
indent
when
we
have
to
do
kerning
adjustments?
That's
when
things
are
have
gotten
scary,
all
right.
So
why
don't?
I
don't
go
below
and
say
proposed
orderings,
okay,
and
that
way
we
won't.
A
B
Yeah
I
mean
seriously
if
there's
something
that
needs
to
be
re-added
great,
but
we
are
trying
to
keep
this
pretty
darn
short
with
links
to,
and
the
thing
is
we're
not
really
removing
information,
because
we
can
just
link
to
other
stuff
with
more
of
the
details,
but
we're
trying
to
give
people
that
that
starter
place.
Okay.
So
if
you
look
on
the
number
three,
it
says
evaluate
code
before
selecting
it.
B
A
B
A
B
Okay,
in
some
ways,
of
course,
this
is
a
pair
and
you
know
I
will
note
that
one
of
the
bullet,
one
of
the
points
is,
is
there
evidence
that
the
developers
work
to
make
it
secure
and
then
it
links
back
to
the
first
document.
So
both
these
documents
link
to
each
other
and
I
think,
that's
reasonable.
When
you're
developing
you
evaluate
software
to
bring
it
in
when
you're
evaluating
software
you're
looking
for
would
are
they
doing
the
same
sort
of
things
that
you
should
be
doing
yourself.
B
For
those
who
aren't
familiar
with
how
this
document
was
created,
the
idea
the
group
discussed
creating
a
quick
guide
and
the
problem
was
well.
What
do
we
start
with,
and
so
I
copy
pasted
material
from
the
course
on
how
to
develop
secure
software,
which
has
some
information
about
evaluation.
Now
it's
a
different
context
and
they're.
Not
it's
not
worried
about
one
page.
B
So
now
there
is
a
slight
variance
here.
The
first
page
is
about
developing
software
at
all.
This
one
is
focused
only
on
evaluating
open
source
software
under
the
premise
that
most
the
times
when
you're
reusing
software
you're
reusing
open
source
software.
It's
not
always
true.
It's
not
always
true
got
that.
I
mean
if
you're
running
on,
if
you're
running
on
windows,
you
are
technically
reusing
the
windows
operating
system.
It
is
not
open
source
software
got
it.
B
So
the
theory
here
was
that
for
for
purposes
of
trying
to
get
this
done
within
our
lifetimes
focus
a
little
bit,
and
since
this
is
the
most
common
case,
focus
on
common
case
does
that
seem
especially
given?
This
is
the
openness
up
all
right.
So,
as
you'll
note,
what
has
happened
here
is
basically
attempts
to
really
cut
out
a
lot
of
the
texts.
B
Frankly,
I
have
not
quite
succeeded
in
shortening
this
down.
I
didn't
spend
as
much
we
haven't
spent
as
much
time
on
this
doc
as
the
other
one.
So
really,
I
think
the
question
here
is:
we've
made
a
start
at
this:
it's
it's
not
done,
and
it's
not
as
good
as
shape.
We've
got
a
bunch
of
deletions,
but
I
wanted
to
show
those
before
we
actually
perform
them.
B
If
anybody
had
any
issues,
I
mean
we
can
again
just
accept
all,
and
so
it's
not
quite
so
messy
and
then
repeat,
just
like
we
did
with
the
other
document,
but
I
don't
want
to
do
that
without
at
least
giving
folks
a
chance
to
have
looked
at
it
and
if
you
want,
we
want
to
accept
all
later
to
give
more
people
time
to
review
it.
That's
great,
too
vicky.
C
B
D
B
A
B
B
All
right,
if
you'll,
if
you'll,
take
the
action
to
talk
to
jory.
I
suspect
this
is
a
quick,
easy
fix,
but
just
we'll
we'll
get
this
to
we'll.
Let
let's
get
this
done
for
now
and
yeah.
Let's
work
out
the
long-term
solution
to
make
things
better.
Okay,
so
same
way
have
any
opening
comments
about
kind
of
the
you
know
I
mean
I
realize
this
isn't
quite
as
further
along,
but
on
the
least
the
direction
we're
going.
It's
basically
the
same
kind
of
process.
B
You
know
we're
taking
some
materials,
we're
adding
it
down
to
try
to
shorten
it
up.
There
are
maybe
things
that
are
missing.
Please
add
them
a
couple:
people
added
things
that
were
kind
of
duplicates
or
belonged
in
certain
categories,
so
I
tried
to
move
them
so,
for
example,
the
review
last
commit
and
its
date
revealing
the
last
date
of
the
commit
is
all
part
of
the
reviewing.
B
You
know
whether
or
not
it's
maintained
and
reviewing
the
last
commit
and
the
install
scripts
are
all
part
of
the
evaluation,
the
software
itself.
So
it's
it
shows
it
as
deleted.
Number
three:
it's,
but
in
fact
what
happened
is
that
moved
into
the
various
sections
that
hopefully
to
try
to
give
it
a
little
structure.
B
B
D
B
A
B
It's
okay.
I
mean
if,
if
you're
the
one
who
made
the
changes
and
accepted
it
in
we,
we
didn't
say
do
not.
You
know
only
make
suggested
changes.
Maybe
we
should
have.
I
try
to
usually
do
that,
but
we
didn't
make
it
a
hard
rule
or
anything.
So
you
know
at
this
point,
I'm
afraid
to
go
backwards
because
multiple
people
have
edited
it,
and
I
don't
know
frankly
that
sounds
like
a
dangerous
game,
undoing
other
people's
changes
so
fail.