OpenSSF End Users, 6 Jul 2023

Previous Meeting

Next Meeting

⏯

youtube image

►

From YouTube: End Users Working Group (July 6, 2023)

Description

Meeting notes: https://docs.google.com/document/d/1abI65H4pF5y8YtA2_TuDBAaI47v9mTfpr5mwVvccX_I

A

Good morning and.

B

Afternoon, everyone, hello.

A

Oh, how was your fourth of July.

C

I'm sorry, it was a lot of fun.

A

Don't be for it sorry, you know we're.

B

Happy and they did it.

D

Back I feel like Fourth of July. Lets me make the joke that Americans are so innocent.

D

Mindy, if you want to talk about something that causes, causes a war, Neverland taxation- let's let's talk about that. Stumping, oh yeah, and there goes.

A

That genuinely isn't Cricket, that's just not cricket.

D

Wikileave is not a thing: Nate, an international test, Cricket grow up.

A

We don't get time and we'll give it a minute and then kick off.

A

um As usual, if people can take a look at the uh notes and add in their name, that'd be great, if you guys that don't have the notes, let me drop into the chat.

A

Sufficient Jack in there.

A

Right so, let's kick off, um so we start with a scribe. It's anyone, anyone willing to take notes during the call all right thanks Jack. Thank you very much.

A

um I see you can only make the spot no worries um right, any new friends. Anyone new to the call would like to say.

E

Hello, yeah I'm I'm new to the call Ian Walker Smith, all right. Where are you from oh yeah? Let's do the whole introduction thing yeah, so I uh I, work at city and I am a cloud threat. Modeler.

B

A

Welcome back, it's me a minute since I've seen um any anyone else new to the call.

A

No all right! So, let's move on. We have a couple of bits um of um of work that we've uh updated over the last couple of weeks. We would be useful, I think just to review just down on the call he's not um so I wonder if we can bring up the technical Charter, because I I believe Dan did some update work. It was one of the issues that we had last time and Dan made some updates to it and it got merged appropriately.

A

So I think. If you take a look now, we do have a new brand new Charter Quick Share, just the giggles.

A

So there we go. Oh.

D

I, don't like the color.

A

You don't like.

D

The color we make it move.

A

All right, if you want to raise a pull request for a move, a technical chart that'd be awesome, but um thanks very much for to Dan for uh spending a lot of time and effort into updating our Charter. We are now chartered so we'll just write that one off the list I'm not sure if anyone else contributed to that. um But if you did thank you very much.

C

Jonathan yep, we almost have a new Charter. uh There needs to be an adoption date put into it.

A

Doing deep correct, do we need to make a vote if I, when we've adopted it could today be the day? Crow is.

D

That, today could be the day we can. We can just do a voice, Vote or call for objections.

A

Anyone object to that current shelter going once going twice. Thrice, we're done all right. We've adopted it as of today.

A

So if someone wants to raise a pull request to uh adopt said Charter, otherwise, I'll nip in and update it Happy Days uh right. The next one um is issue: five, the ingestion Manifesto. So there were quite a lot of uh updates to that and I think it was discussed uh in a fair bit of detail last time around um I've just checked and it it isn't in move. uh It is actually you know, Humanity right, Church,.

A

uh So I believe we have merged the pull requests that were out there. I think.

A

There was quite a few I think down the bottom from them correctly, but this one adoption of tooling uh I've dated that as well I think that was discussed and a lot of looks good to me is coming through.

A

um So we are now clear of all requests on the ingestion Manifesto we're running through pull quests and issues at PACE.

A

um So the next thing is um well what we actually do with that right. So uh I know that I'm personally interested in uh in uh signing up to that from a personal perspective um and I think there was a suggestion to reach out to the ossf leadership to see if they would be interested in getting behind. That is that is that correct any other thoughts of moving that forward.

C

I would suggest, since if the group is happy with this, that you arrange to show up at a future, Tech call and share it with them, and then we can arrange things like a blog or socials or whatever, um and we would, if you to do that, I would need you to fill out a issue of attack repo to get on the agenda.

C

B

C

Hurry up and do that before my morning tomorrow, you could be talking on Tuesday about this.

A

Excellent: um let's do that I'm actually wearing vacation, but does anyone want to take the lead on that one yeah I actually have a vacation. um I know a number of people are interested in pushing that forward. I certainly am, but not alone.

A

Is that something anyone else on the call wants to take up um for next week at the tech, otherwise I'll do it when I come back from vacation.

C

The next call would be the 25th of July.

A

Yeah, which is when I, come back from vacation.

D

If no one else can do it, I can do it, although with the asterisk that I wasn't as involved in this one, so I may not be the best representative.

A

Okay, um maybe I can reach out to a couple of people offline and see if they could support that check. um I think useful to get a couple of friends when you're presenting that right.

D

A

All right so Jeff Bryan I might reach out to you in due course.

A

Okay, so a Blog article I think that'd be quite cool um and um yeah need that one.

A

Can I ask maybe Jeff O'brien if, um in terms of moving it, Forward I mean blog article moving it through the tech um additional people signing up and and backing it? Is there anything as you put it Forward initially any other thoughts that you had to or places to take that.

F

I think those are the only ones we discussed um in the past, but I don't know. If you have any suggestions. I know I have a a draft blog that needs to be updated, based on all the feedback and changes we have here, but it sort of just covers the impetus all the stuff we've talked about, which I think makes sense um and go from there and I'm happy to be available, I'm not available on the 25th, um but can help form shape anything we need to put together. You know I want to talk about.

F

So just let me know.

A

The next tech probe is next Tuesday. Is that right, if we get in super early.

C

uh July 11th at.

C

uh Hold on at 11 at 11, A.M Eastern, so uh an hour from now next Tuesday.

A

Are you, okay with that Jeff? Can you make that yeah.

F

Yeah, it could certainly be all right. Just let me know what I need to I haven't been involved in any of those. So let me know what I need to help produce, or um you know I can work with whomever is who's going to lead it? Nice.

A

Check you have a friend crew.

B

What's your comment about moving into the GB like? Are we still in a world with a GBS to approve every blog post or something I'm, not.

C

Sure um but since we are uh asking people to embrace this, um we may want to ask the GB if they would like to make a public statement, but no we're not asking for their approval. Yeah group approved it. That's.

B

C

They use informed sure.

B

A

Very good all right progress, um so I will certainly close the tech Charter issue. uh I guess we're kind of getting there with the ingestion Manifesto issue, but I think uh you know. Maybe we get it to the tech and then then close that one all right anything else to raise on the ingestion Manifesto before we move on.

A

You know cool all right: Issue, Number, Nine uh threat, modeling, uh so Henrik you and I have been talking Centric on the call.

G

A

Rick, you and I've been talking about threat, modeling uh and continuing that. um Is there a any update from the actually the last meeting was canceled? Wasn't it.

G

Right, this week's meeting was canceled, it should have been, should have taken place on the Tuesday, but because of uh to drive fourth, that we decided to drop that next Edition we'll follow. The new schedule happens on uh Mondays, a half past I, think it's half past six European Time, and then you can do the math, where it takes time in your time zone um other than that I.

G

um So last meeting was two weeks yeah one and a half weeks ago we added a couple of more details to some of the identified threads, but still on a slow pace from my taste. I think we discussed also um but I.

G

Don't can't remember whether this was during one of the threat modeling you know sessions or during actual Dentures of work meeting to publish this both as kind of um as uh maintained this at some point in time um in in git and create with markdown, but also produce a pdf version of that um I mean the overall or kind of a repeating question I see when discussing these is the level of details and granularity what we want to get into and as soon as we start discussing individual Technologies, we go down those rabbit holes, those kind of half an hour one hour on discussing a single technology which is progressing, which, of course, kind of slows down the progress on the document as a whole.

G

So I think here. This is a recurring observation. Let's say.

G

That's all for my side, I think.

A

I guess a little bit of update on my involvement as well on that I, so I have um gone through a couple of additional threats: I think I've got another 10 or so to add um just need to update that document.

A

um My sort of take on it would be that the realities is probably going to be multiple threat models.

B

A

You can move any level of granularity. You want it's still useful at the granularity it's at and allows us to look at the different um supply chain standards that are out there and map them to that architecture with that level of threats. Clearly, when we drop lower down and we select, perhaps a um product like a CI product, there'll be a whole host of additional threats and different medications that are product specific and maybe that's a later time.

A

Someone wants to put that together, but I think the the usage where it was originally envisaged is focusing on those viable threats and identifying where we have potential gaps in terms of Standards or approaches where we're looking to align ossf projects I think it's I think it's a reasonable start.

A

um I guess I'm also concerned about how long it's taking and the the pace um but I think um we just need to keep at it. Unless we get to a point, we're going to need to put a um time limit on it and move forward, but I I don't think we're there yet.

A

I think the other comment is really still looking for additional additional assistance on that one. That's definitely one where helps needed if we do have any additional threat. Modelers I know there's a couple from City coming in to help, um but if we do have additional threat, modelers or people interested in assisting that's definitely a place, we want to dive into.

D

Is that yours did you read that no okay I didn't pay attention to who the author is I? Just never heard enough? Oh okay, well, I didn't realize that or I would have taken them more seriously. Oh I kind of tune out on the Star Wars thing.

C

D

C

Threat, modeling with through the lens of Star Wars. It's a good book, interesting.

A

It is a good book. I've got my copy here as well, and it's actually very cool.

D

All right, I'll add that to the short list of two or three hundred books that go next.

A

That's why I'm going on holiday, so I can start reading.

A

Very good all right so definitely appreciate assistance on the thread. Modeling side I think that's going to be one of the key deliveries.

A

We've got ingestion manifest festo being one of the first all good, all right um now, I'd, add a I did a third issue, uh an additional issue issue 13, sorry, um and it was really just in the back of a lot of work that we've been doing around the throat modeling and looking at ingestion um and it sort of struck me I, haven't heard from the S2 c2f group in a while and I was gonna see if there was interest from the working group and getting an update from s2c2f and where they're getting uh where they're at.

H

And I'm here, so, if you, if you did, want an update, um you know every every uh meeting, I try to put a rallying call out to uh join the Sig and and becoming more more involved in this progression. We got some really great feedback lately and uh we're making uh great improvements to the to the spec. um So if the group does one an update of a formal of day, we could definitely put something together.

H

I know we're looking at putting something together: a slider two for the um supply chain, Integrity working group for the for the attack next week, but we'd be more than happy to come here to this working grouping provide the same update, um but of course the call will always go out to having people from this work who come into the sake and um and put your hands uh put your hands in the spec there as well, because it just improves it uh for for the ecosystem, so yeah yeah.

H

If you want to update, please let me know we'll be happy to oblige.

A

My main reason around that was just as I was sitting there doing the the threat modeling for for that may not um architecture. I was just sat there on the ingestion piece for quite some time, coming up with threats, as I said a whole whole through them and then highly likely. There is a part where it starts to speak to the s2c2f stuff, so it kind of kind of connects yeah.

H

That would be wonderful. Are we actually? uh We actually have two additional threats that we've actually written uh or written into the spec based on feedback over the last couple of months, so Jonathan anything else, you got by all means, uh bringing the board have people come and bring that stuff in, uh because we're always looking to, of course, improve so yo Happy. For that kind of information.

H

A

Me do that in both directions.

A

I am on holiday for two weeks, but um let me see how that goes, uh and certainly afterwards I'll do that and we can feedback.

A

uh All right, um so next one up is reports from other working groups. um I appreciate that quite a lot of them have been canceled and quite a few people are still off due to the Fourth of July, uh any updates from any any other groups. People want to race or anything else in the supply chain, industry that it would be useful for end users to think about Jack.

D

The um great repository audit is still taking shape and moving forward um for those who don't know the the basic concept is that Alfa Omega would stand up some money for uh audits inspections. What have you of large repositories of software, so ruby, gems, IPI and the like, um and also provide funding for remediation for anything that was found so that we're not just dumping stuff in people's laps and uh yellowing way?

D

um So that's that's in progress um last I heard it was. It was basically uh formed up enough that it could go to the folks with the money in Alfa Omega land and that's the last I heard that they were that they were going to do things so I'm expecting to learn more about it next week uh because, uh as was the case with many things, July 4th uh cause things to be held off for the week.

A

Very cool all right, looking forward to that uh offer Omega still a great ossf project and uh abashay you've.

I

Got your hand up yeah thanks, ah so a quick update from the memory safety Sig. um We are currently working on a I just pasted the our repository we are currently working on a uh we, uh the re-architecting, the text from the mobilization plan around memory safety. We are interested in hearing from end users about the challenges that they have in adopting memory safe languages. We are currently also approaching uh distributions operating systems uh distributions uh to get their support in also supporting memory safety, language natively in the os's.

I

So if anyone here has any issues or challenges that they'd like to raise, we also invite you to our Sig meeting, which is today two hours from now two and a half hours from now.

A

Very interesting, thank you very much thanks any other updates. Anyone wants to raise.

A

No I think one just general one um I've been reading up on the um Cesar s-bomb working groups on the back of the yes bomber armor some time ago. um Some interesting work coming through from them, particularly around the s-bomb generation and usages at different times within the sdlc.

A

um Something I've been looking at for obviously quite a while, but it's um you know starting to get to be the point where it's some really good documentation in there now so uh recommend taking a look. I, don't have a link to hand unfortunately, but uh recommend take a look.

C

Grobe I participate in the Vex working group within the uh the larger s-bomb efforts and if you'd, like my partner in crime, art Manion, is also very heavily involved across all the different CC groups. So if we want, we could try to petition art, maybe to come in and give us a readout of all the working group activities from CSA side to kind of give us a state of the art of s-bomb. If that'd be useful to this group, art is not shy. He likes to talk.

C

He also has the best hair in infosec.

A

I look forward to seeing that um sounds good to me. I think chops uh sounds good to me. I think um you know. S1 has been a huge Focus right and I think. Whilst there's a lot of challenges still out there it'd be good to get a bit of a readout.

A

Anyone else is interested, but sounds good all right, uh We've rattled through our agenda, so any other business appreciate people are still probably pull to the brim of barbecue from Fourth of July. Whenever you Americans do on Fourth of July, but I think it's barbecue related.

A

Any other business anyone wants to raise.

A

No, why we will have a very early stop, then give people some time back, hooray we'll, go and go back and do some threat, modeling and reading the showstop book. Excellent. All right thanks very much. Everyone thanks. Thank.

D