Description
Meeting notes: https://docs.google.com/document/d/1abI65H4pF5y8YtA2_TuDBAaI47v9mTfpr5mwVvccX_I/edit#heading=h.v07d658tnyfp
The End Users Working Group (WG) represents the interests of public and private sector organizations that primarily consume open source rather than produce it.
The mission of the End User Working Group is to ensure that the distinct and impactful voice of end users is heard in the development and delivery of the technical vision of OpenSSF.
A: I said, let's wait a few more minutes. I wanted to suggest moving this to the Wednesday late afternoon in Europe time.
A: So I'm in Paris, Central European time.
A: All right, so I'm not sure whether many more people will join. I've had a discussion earlier on with John Meadows, I think, and that is what I wanted to start sharing. So the first point is regarding what we looked at so far.
A: And discussing this with John, it turns out that he sees a little bit of a larger scope. So basically, it's true that the consumption of open source components and third-party components is just one way of getting malicious software onto the respective systems, which can, I quote, "do some damage there", but according to John, even if such malware comes into a network by other means, that would still be in scope. And the question is: what could that malware do with...
A: ...you know, the source code or the binary code of the different systems, right? So the scope is a little bit larger than what we were focusing on in the past few sessions. I found this very important, because in the last meeting I had kind of the feeling: well, if we only talk about those reddish data flows, we always end up with the same problem, which is, okay...
A: ...you should take care of what you consume, which is kind of evident, and so you should have approval processes, and maybe you check the signatures and God knows what, but that's about the same thing no matter where those components flow into. And so he sees the scope a little bit larger.
A: So even if, to take the example I think we discussed a couple of times, even if there was a phishing email, a phishing attempt on the administrator of the git server, the question would be: if this guy gets malware on his computer, what can this malware do with the git server, considering that it is acting on behalf of the admin of the git server, right? So I find this very important, and it will change a little bit how we discuss the threats. That's the first thing.
A: The second thing is, and I was discussing this quickly with Amanda already: he was suggesting or asking whether we can change the schedule to another time frame, because John finds this whole topic very important, but he cannot really attend, and so he was just raising the topic of whether there is any possibility of moving it to some other slot.
A: Obviously, this has to be a decision by the larger group, by the participants, and so, yeah, I wanted to raise this topic: this slot here or the other one at 10 o'clock, right? So for those people that attend the majority of the OpenSSF meetings, what are the available slots?
E: Yeah, I'm perfectly fine participating at a different time. We historically have done a Doodle poll to make sure that everybody who is interested gets a chance to express what their best time is. Availability is, I'm...
E: Then, like this, the C and C++ compiler group: aside from Avishay and myself, I don't see a lot of overlap, but yeah, put the poll out, I'll be glad to vote.
A: Yeah, perfect, thank you. Right, and then the last topic. So I think it would be nice to have somebody... In the past editions I was kind of running us through the diagram, right, with the taxonomy and all the different ways to inject malware into open source projects. I definitely have some background there, but I'm not sure I'm the right guy for really moderating a threat modeling workshop. I participated in a few, but I was never a moderator, which is a slightly different skill. So it would be nice if we find somebody who has more experience in really running and moderating this whole business. I'm happy to contribute and run through diagrams, but I'm not sure I can really be the lead moderator in this threat modeling workshop. I wanted to raise this as well.
E: I have an open... I talked with a good friend of mine who is a developer security coach for a large bank in the US. So he deals with this in a large enterprise, kind of like Jonathan does. So I'm going to be luring him into this call to help collaborate with us and talk through some of these problems. He's got like 30 years of developer experience and about 15 years of security coach experience, so I think he'll be a good asset for us. And then, you know, for the moderator, I can help. It's been a long time since I've led a threat modeling workshop, about a decade, so I'm a little rusty, but I'll do whatever I can to help out, and I agree.
A: Perfect, all right. That being said, following our last week's session, I cleaned up the diagram a little bit. So I added this other data flow that was missing, so now it is becoming more clear that there's, of course, also a lot of open source third-party stuff ending up on the git server, and I cleaned up the notes as well that I took during the last session, to clarify scope, right.
A: We were saying we focus only on open source version control systems, in particular git, and we ignore all those enterprise commercial versioning systems, which basically also frees us from thinking of GitHub apps of those different kinds. So I think...
A: It may be in the document, but I will just delete this, because it means that it is out of scope, because we don't have any such apps in git, right. Let me just open up the page. Oh yeah, and then maybe you can... You remember last time we had this quick poll for the next work meeting on how people run git in their environments; not sure whether you had the opportunity to run this poll.
A: No, because in our... you remember there was this discussion raised by, I think the point was raised by Victor. He said: okay, how do software development organizations operate git internally? My suspicion is most of them run it by convention in a central fashion, where, just by definition, one of the git instances is the master, even though this is only through convention, not through setup or configuration.
E: I think when Scott comes he'll give us some good feedback on that. I can reach out to some other folks. We also can lean into Tracy Ragan; she is a big participant in the foundation and she works with the Continuous Delivery Foundation, which is like a sister foundation of the OpenSSF, and they focus on CI/CD.
E: I guess Jonathan also, we probably could ask him: can we talk with your source code management folks at the bank? Potentially, that's...
E: And we probably need somebody that isn't in a bank, like an insurance company or a retailer, maybe.
A: Yeah, but I think we will probably end up with what we speculated about last time, which is most people will run it that way, and the Linux kernel is a very, very exceptional project in many different ways, I suppose. All right. Having said this, no time for the poll; maybe we can revisit and extend a little bit on the threats that we started with last time on the source code management.
A: And I interrupted... the link, please. Okay, sorry, I didn't see the chat. Share, copy link again.
A: Yes, this is the right one. Yes, exactly. Now go just to the source code management system below, and this is where I added my scribbling and notes last time. I think, just to make this clear, I will mark this to be removed as out of scope. These are some notes I took related to using Linea app in GitHub Enterprise to configure through webhooks or a GitHub application, and these kinds of notes on the fact that there are different kinds of applications.
A: I kept it in because I didn't want to silently remove stuff from the document, but now that we have discussed this I think it's okay to remove it. Other than that, I would like to discuss those threats. So we ended up saying last time that possible problems here on the source code version control system could be wrongly configured git instances that would allow unauthorized people in, and, considering what we have said in the beginning: basically, any kind of attacker who got into your network could install other stuff, could extend your git instance, right? That could be plugins, could be pre-commit hooks or such things, right. This is the one. The second one is the not so overly exciting threat that, basically, you should take care what to install on those git instances, because you could also consume malicious components.
A: Now, with what we have said in the beginning, what are other possible ways that an attacker who gained access, who entered an organization's network, could tamper with the version control system in order to either exfiltrate or maybe change the source code managed by that system?
A: I guess, yeah, thanks.
A: I don't... I'm not so sure. I think one way probably would be to perform commits impersonating either the... yeah, well, this would probably be more a threat on the developer machine, right. So if the developers end up with malware, then that malware could impersonate the developer and include commits on his behalf, right. So maybe let me add this here.
A: So again, happening on the developer system, there is the exfiltration of the launch repository, basically.
A: Okay, so this, right, so this is no longer the source code, but here you talk about basically test data, or also test data that is under version control. This is what you say.
A: Good, so I wonder.
A: I think that was the problem: the git was configured such that you could authenticate using SSH and HTTPS, and then only one was properly access controlled, and so the attackers managed to basically commit something and change something in there.
E: I was going to say, since we're talking about the developer workstation: what if it is an extortion attack, somebody does ransomware on the developer's PC and coerces them to do malicious commits?
A: In the first case, this would be just silently committing stuff, while this is very visible, in a kind of explicit way, right: asking, basically prompting, showing a prompt to the user, as they do in these ransomware attacks, asking him to do this and that, commit something malicious, otherwise it will all be, I don't know, encrypted, deleted, or so. I've never seen such a thing, but, I mean, so this would basically be okay, I...
A: All right, but here, for the threats on the source code management system, I just wonder, I mean, of course, any malware or any attacker ending up in the network could also try to exploit any vulnerabilities of such repositories, right? And I think there are a couple; not sure, I never looked up a CVE database or vulnerability database for git or Mercurial or other version control systems, but I guess this is also a very feasible direction to take.
E: And you can look to see what the relationship is with lowercase git to GitHub, GitLab, like: is there any kind of lag between, if the git software has a vulnerability, is that inherited by the kind of clones or not? Then there might be a lag between, you know, how quickly those security teams could ingest it.
A: I guess this is the usual business when it comes to vulnerabilities and patching vulnerabilities, right? So there will be this race for unpatched vulnerabilities, yep.
A: Another thing I just thought of: one possibility, of course, is to make a commit on behalf of a legitimate git user, but let's say they run Gerrit on top of git in order to have these approval workflows or what have you. Another scenario would be that the malware is basically approving something on behalf of another git user. So suppose there are these four-eyes rules for commits flowing into the main branch, or so: one could be basically doing the commit and the other one could approve.
A: I think denial of service was something that we said in the very beginning; I remember a statement from Jacques saying that then we would need to care for all the crazy events that could eventually result in unavailability. So we kind of excluded availability from the goals or the properties to consider.
E: Yeah, potentially you could change the workflow, or you could even just read the data and get sensitive business process or intellectual property information. It's something that's part of the work, part of your unique workflow. They might be able to get extra intelligence about the network, potentially.
E: If another bank figured out a faster way to approve loans, that potentially could siphon away customers, if it's kind of a business...
E: Because your code is in the code, you're going to talk about the roles for authorization, so you'll be able to potentially see that information: that, you know, every cashier has up to 500 approval, but if they need to go higher than that it has to go to a manager. So that'll be in your business logic, so they'll be able to see that information as part of the authorization lists.
A: Just thought of: if you happen to have access to Gerrit and can read configuration information from its database, maybe you even see kind of unprotected branches, and this is maybe where you can commit something without any review, and so forth. So there's a lot of, you know, information that can be used for second-stage, later activities.
A: That's fair. I just wondered, in the same sense that those approval workflows can maybe be circumvented in order to make something enter the production branch or the main branch of the repository, maybe in the same way it can be circumvented such that something is deployed automatically in production just because it is passing certain workflows. But maybe this is more relevant later on, for the... I guess, sorry, for the build server and build pipeline, not so much for the version control system.
E: Would you quantify this scenario: so a bad actor is able to get a developer to commit malicious code that alters the production configuration, so that it's easier to attack once it is actually live and can access production data? How would you quantify that type of attack?
A: Yeah, I like very much the idea to basically crawl through workflow management systems in order to understand your development, your developer workforce, right, because that would also help you to identify individuals that you can attack in very different other ways, right, so for spear phishing attacks, or maybe real-life blackmail attacks, and...
A: Yeah, I wonder, I mean, there was this discussion whether you can basically rewrite the git commit history, right. So I wonder whether this is one, because I came across this in the context of leaked credentials. As you say, they end up far too often in repositories, and what developers or people typically do is they just, you know, invalidate the respective credential.
A: They deactivate the API key, whatever it is, but another way of getting rid of those is you can rewrite the history. But the problem with this is that it is basically invalidating everybody who cloned the repository before: their clone is corrupted and they cannot work any longer on the clone. But maybe this doesn't matter so much, and still it's a feasible thing you could do once you're on the git server, on the leading instance, so to say.
E: With any kind of attack, you know, typically the bad guy wants to clear their tracks. I don't know what the capability within git is, if you can rewrite or modify the log. A compensating control would be, ideally, you have off-server logging, like a syslog or something you're exporting to Splunk or something out of the box, so you would have another copy. Yeah.
A: Basically, I think it means to rewrite past commits on a previous state, which is giving you new and unique commit identifiers again, which is rewriting this history. But then suppose this is happening in a big organization. Maybe some developers just shrug their shoulders and say, well, something happened here, maybe just clone from the start, and this is where I continue.
A: It's not so... I don't find this so unrealistic. Okay, so rewrite its history on central; I feel sooner or later somebody will come back to this central git instance saying...
E: And thinking about this from, like, a SOC, security operations center, perspective: do large enterprises ingest and track this kind of stuff? So is there somebody watching for, like, a malicious rewrite of the commit log?
A: I know that one company, basically, but they were, again, this is again GitHub Enterprise, and basically they have a push log, so they basically log who pushed stuff to GitHub and from which IP addresses, and so this push log, whatever the name is, has been fed into Splunk, I think. But I don't recall that they really look at the history of commits. I don't think so.
E: We probably could lean into SLSA and S2C2F to see, like, S2C2F has some threats and controls. We might be able to also take a peek at that and see if they have any other ideas around SCM.
A: So what was it, what is the other acronym again?
E: That's a... so SLSA is focused on kind of the factory, the open source factory, of how the software is made. S2C2F is focused on consumer consumption of open source, so...
E: Consumer-focused supply chain review, and that's Jay White and a bunch of other folks who work on that, and they actually did a pretty exhaustive review and they have suggested controls. They map to a couple of industry frameworks, so yeah, we could take a look and see if they have anything around source code management protection.
E: Yeah, that's something we can take a peek at and see: is there anything we haven't thought of yet?
E: Because I know when you first were talking about the taxonomy, did you and the team talk with the CNCF? Did they...
A: They had... I think we, not when we created this taxonomy, but I think John pointed us to one of the guys at the CNCF and we went together through an Excel sheet and were able to map most of the threats that they have identified to different vectors in the taxonomy as well. I could look this up, but yeah, there was an exercise, but who was the guy again...
F: There's a newly formed repository architect type of working group, just formed a couple of weeks ago in the App Delivery TAG.
F: Find that meeting link, yeah, awesome. Thank you.
A: I mean, in the end, I think this is the overall goal of the exercise: that we try to see where our gaps are, where do we miss such guidelines and activities and whatnot? So this hints that the version control system is fairly covered by existing activities.
E: And the best practices group isn't thinking about it from a threat perspective, but there might be something there. We said, oh well, why do you have this control? But it's this attack vector.
E: And then we don't have a mailing list for this particular group, right, but we have one for the larger End User Group, yes. So I would send a note to the End User Working Group mailing list saying, you know: we've made some progress, we'd like additional sets of eyes, could you look through and provide suggestions or comments, if...
A: I'm not sure it's in a shape that can be reviewed easily, to be honest. Maybe, yeah, maybe, CRob, you can, if you... In general I like the idea, but I'm not sure whether the write-up is good enough to be shared. Maybe you can have a look and read through it and make an assessment of that.
B: All right, Hendrick, I had a question for you. Do you mind if I pull this threat model into the OpenSSF Google Drive?
A: Yeah, no, not at all. I was asking CRob for such a thing at some point in time. Yeah, bye-bye!