►
Description
Meeting notes: https://docs.google.com/document/d/1abI65H4pF5y8YtA2_TuDBAaI47v9mTfpr5mwVvccX_I/edit#heading=h.v07d658tnyfp
The End Users Working Group (WG) represents the interests of public and private sector organizations that primarily consume open source rather than produce it.
The mission of the End User Working Group is to ensure that the distinct and impactful voice of end users is heard in the development and delivery of the technical vision of OpenSSF.
A
B
C
D
A
B
A
A
And
discussing
this
with
John
turns
out
that
he
sees
a
little
bit
of
a
larger
scope.
So
basically,
it's
true
that
those
consumption
of
Open,
Source
components
and
third-party
components
is
just
one
way
of
getting
malicious
software
on
the
respective
systems,
which
can
do
some,
oh
I
quote,
which
can
do
some
damage
there,
but
according
to
John,
he
sees
that
even
if
such
malware
comes
into
a
network
by
other
means
that
would
be
still
in
scope.
And
the
question
is:
what
could
those
malware
do
with?
A
You
know
the
source
code
or
the
binary
code
of
the
different
systems
right,
so
the
scope
is
a
little
bit
larger
than
what
we
were
focusing
on
the
past
few
sessions.
I
found
this
very
important
because
in
the
last
you
know,
meeting
I
had
kind
of
the
feeling.
Well,
if
we
only
talk
about
those
reddish
data
flows,
we
end
up
always
with
the
same
problem,
which
is
okay.
A
So
even
if
the
example
I
think
we
discussed
this
a
couple
of
times,
even
if
there
was
kind
of
a
phishing
email,
phishing
attempt
on
the
administrator
of
the
git
server,
the
question
would
be,
if
those
guy,
if
this
guy
gets
a
malware
on
his
computer,
what
can
this
malware
do
with
the
git
server?
Considering
that
it
has?
It
is
acting
on
behalf
of
the
admin
of
the
git
show
right,
so
I
find
this
very
important,
which
will
you
know,
change
a
little
bit
how
we
discuss
the
threads
first
first
thing.
A
The
second
thing
is,
and
I
was
discussing
this
quickly
with
Amanda
already
I
would
like
to.
He
was
suggesting
or
asking
whether
we
can
change
the
schedule
to
another
time
frame,
because
John
finds
this
whole
topic
very
important,
but
he
cannot.
He
cannot
really
attend,
and
so
it
was
just
raising
the
topic
whether
there
is
any
possibility
of
getting
it
to
some
other
place.
E
A
A
Yeah
yeah
perfect,
thank
you
right
and
then
the
last
topic
so
I
think
it
would
be
nice
to
have
somebody
kind
of
in
the
past.
Editions.
I
was
kind
of
running
us
through
the
diagram
right
and
with
the
taxonomy
and
all
the
different
ways
to
inject
malware
into
open
source
projects.
I
definitely
have
some
some
background
there,
but
I'm
not
sure
I'm,
the
right
guy
for
really
moderating
a
threat.
A
Modeling
Workshop
I
participated
in
a
few,
but
I
wasn't
I
was
never
a
moderator
which
is
kind
of
a
different
and
slightly
different
skill.
So
it
would
be
nice
if
we
find
somebody
who
has
more
experience
in
really
running
and
moderating
this
whole
business
I'm
happy
to
contribute
and
run
through
diagrams
and
but
I'm,
not
sure.
I
can
really
be
the.
You
know
the
lead
moderator
in
this
thread.
Modeling
Workshop,
wanted
to
raise
this
as
well.
E
E
Does
so
I'm
going
to
be
luring
him
into
this
call
to
help
collaborate
with
us
and
talk
through
some
of
these
problems,
so
he's
got
like
30
years
of
developer
experience
in
about
15
years
of
security,
coach
experience,
so
I
think
he'll
be
a
good
asset
for
us,
and
then
you
know
for
the
moderator
I
can
help.
It's
been
a
long
time
since
I've
led
a
threat,
modeling
Workshop
about
a
decade,
I'm
a
little
rusty
but
I'll
do
whatever
I
can
to
help
out
and
I
agree.
E
A
Perfect
all
right,
that
being
said,
I
following
our
last
week's
session,
I
cleaned
up
a
little
bit
the
diagram.
So
I
added
this.
You
know
other
data
flow
that
was
missing
so
now
it
is
making.
It
is
becoming
more
clear
that
there's,
of
course,
also
a
lot
of
Open
Source
third-party
stuff,
ending
up
on
the
git
server
and
I
cleaned
up
a
little
bit.
The
notes
as
well
that
I
took
during
the
last
session
a
clarify
scope.
Right.
A
A
It
maybe
in
the
document,
but
I,
will
just
delete
this,
because
it
means
that
it
is
out
of
scope
because
we
don't
have
any
of
such
apps
in
indicates
right.
Let
me
just
open
open
up
the
page,
oh
yeah,
and
then
maybe
you
can
for
the
you
remember
last
time
we
had
this
quick
boil
during
the
next
work
meeting
on
how
people
run
git
in
their
environments,
not
sure
whether
you
had
the
opportunity
to
run
this
poll.
A
No
because
in
our
you
remember
there
was
this
discussion
raised
by
I.
Think
that
the
coin
was
raised
by
Victor.
He
said:
okay,
how
do
software
development
organizations
operate
git
internally?
My
suspicion
is
most
of
them
run
it
by
convention
in
a
central
fashion,
where,
just
by
definition,
one
of
the
git
instances
is
the
the
master.
Even
though
this
is.
This
is
only
through
convention,
not
through
kind
of
setup
or
configuration.
E
I
think
when
Scott
comes
he'll
give
us
some
good
feedback
on
that
I
can
reach
out
to
some
other
folks.
We
also
can
lean
into
Tracy.
Reagan
is
a
big
participant
in
the
foundation
and
she
works
with
the
continuous
delivery
Foundation,
which
is
like
a
sister
foundation
of
the
open
ssf
and
they
focus
on
CI
CD.
E
C
E
C
E
C
A
Yeah
but
but
I
think
we
will
probably
end
up
with
what
we
have
speculated
about
last
time,
which
is
most
people
will
run
it
that
way
and
the
and
the
Linux
kernel
is
very,
very
exceptional
project
in
many
different
ways,
I
suppose
all
right.
Having
said
this,
no
time
for
the
poll,
maybe
we
can
re-visit
and
extend
a
little
bit
on
those
on
the
threats
that
we
have
started
with
last
time
on
the
source
code
management.
A
Yes,
this
is
the
right
one.
Yes,
exactly
now
go
just
to
the
source
code
management
system
below,
and
this
is
where
we
basically,
where
I
added
my
scribbling
and
notes
last
time,
I
think
just
to
to
make
this
I
will
select
this
to
be
removed
out
of
scope.
This
is
kind
of
some
notes.
I
took
related
to
using
Linea
app
in
GitHub
Enterprise
to
configure
through
webhooks
or
other
or
GitHub
application,
and
these
kind
of
notes
on
that
there
are
different
kinds
of
applications.
A
I
kept
it
in
because
I
didn't
want
to
silently
remove
stuff
but
stuff
from
the
document,
but
now
that
we
have
discussed
this
I
think
it's
okay
to
remove
this
other
than
that
I
would
like
to
discussing
those
threads.
So
we
ended
up
saying
last
time
that
possible
problems
here
on
the
source
code
version
control
system
could
be
kind
of
wrongly
configured
instances
get
instances
that
would
allow
unauthorized
people
and
considering
what
we
have
said
in
the
beginning.
A
Basically,
any
kind
of
attacker
who
got
into
your
network
could
install
other
stuff
could
extend
your
git
instance.
Right
that
could
be
plugins
could
be
first
commit
drugs
of
the
thing
or
such
things
right.
This
is
the
one.
The
second
one
is
The
Not
So,
overly
exciting
thread
that,
basically,
you
should
take
care
what
to
install
on
those
git
instances,
because
you
could
also
consume
malicious
components.
A
A
Now,
with
with
what
we
have
said
in
the
beginning,
what
are
what
are
other
possible
ways
that
an
attacker
who
gained
access?
Who,
who
entered
your
network
or
who
entered
an
organizations
Network,
could
tamper
with
the
versioning
control
system
in
order
to
kind
of
either
exfiltrate
or
maybe
change
your
source
code
managed
by
that
system?.
A
I,
don't
that
I'm
I'm,
not
so
I,
think
one
way
probably
would
be
to
perform,
commits
impersonating
either
the
yeah
well.
This
would
be
more
probably
a
thread
on
the
developer
machine
right.
So
if,
if
the
developers
end
up
malware,
then
that
malware
could
impersonate
the
developer
and
include
commits
on
sbrf
right.
So
maybe
let
me
add
this
here:
I.
E
A
A
A
A
E
A
A
F
A
E
E
E
C
A
In
the
first
case,
this
would
be
just
silently
committing
stuff,
while
this
is
very
visible
in
a
kind
of
explicit
right
asking
basically
prompting
showing
a
prompt
apparently
to
the
user,
as
as
they
do
in
these
ransomware
attacks
asking
him
to
to
do
this
and
that
commit
something
malicious.
Otherwise
it
will
be
all
I,
don't
know
encrypted
deleted,
or
so
I
I've
never
seen
such
a
thing,
but
or
I
mean
so
so
this
would
basically
be
okay,
I.
E
A
C
C
D
A
A
All
right,
but
here
for
the
threads
and
for
the
threats
on
the
source
code
management
system,
I,
just
wonder
I
mean,
of
course,
any
malware
or
any
attacker
ending
up
in
the
in
the
in
this
in
the
network
could
also
try
to
exploit
any
vulnerabilities
of
such
repositories.
Right
and
I.
Think
they're
very
couple,
not
sure
I
didn't
look
I,
never
looked
up
kind
of
a
cve
database
or
vulnerability,
whatever
vulnerability
database
for
git
or
other
of
my
career
or
other
version
control
systems,
but
I
guess
this
is
also
a
very
feasible
direction
to
take.
E
E
And
you
can
look
to
see
what
the
relationship
is
with
lowercase
git
to
GitHub
gitlab
like?
Is
there
a
any
kind
of
lag
between
if
the
git
software
has
a
vulnerability?
Does?
Is
that
inherited
by
the
kind
of
clones
or
not,
then
there
might
be
a
lag
between.
You
know
how
quickly
those
security
teams
could
ingest
foreign.
A
C
A
Another
thing
I,
just
thought
of
I
mean
one
one
possibility
of
course,
is
to
kind
of
make
a
commit
on
behalf
of
a
legitimate
get
user,
but
let's
say
they
run
Garage
on
top
of
git.
In
order
to
have
this
approval
workflows,
what
have
you
another
scenario
would
be
that
the
malware
is
basically
approving
something
on
behalf
of
another
git
user,
so
Suppose
there
is
these
four
eye
rules
for
for
commits
flowing
into
the
into
the
main
branch,
or
so
one
could
be
basically
doing
the
commit
and
the
other
one
could
deprove.
A
F
A
I
think
the
Nano
service
was
something
that
we
we
said
in
the
very
beginning,
I,
remember
a
statement
from
the
Jacques
saying
that
then
we
we
happen
to
need
to
care
for
all
the
crazy
events
that
could
eventually
result
in
an
unavailability.
So
we
kind
of
excluded
availability
from
the
the
goals
or
the
properties
to
con
to
to
consider.
A
E
Yeah,
potentially
you
could
change
the
workflow
or
you
could
even
just
read
the
data
and
get
a
sensitive
business
process
or
intellectual
property
information.
It's
something
that's
part
of
the
work
as
part
of
your
unique
workflow.
They
might
be
able
to
get
extra
intelligence
about
the
network,
potentially.
E
A
A
E
A
F
E
Because
your
code
is
in
the
code,
you're
gonna
talk
about
the
roles
for
authorization,
so
you'll
be
able
to
potentially
see
that
information
that
you
know
every
cashier
has
up
to
500
approval,
but
they
need
if
they
need
to
go
higher
than
that
has
to
go
to
a
manager.
So
that'll,
be
in
your
business
logic.
So
they'll
be
able
to
see
that
information
as
part
of
the
authorization
lists.
C
A
Just
thought
of,
if
you,
if
you
happen
to
have
access
to
Garrett
and
can
read
configuration
information
from
its
from
its
database,
maybe
you
see
even
kind
of
unprotected
branches,
and
this
is
maybe
where
you
can
commit
something
to
without
any
review
and
so
forth.
So
there's
a
lot
of
you
know
through
the
information
that
can
be
used
for
a
second
stage
later
activities.
C
F
D
D
E
A
E
A
That's
fair
I
just
wondered
in
the
same
sense
that
those
approval
workflows
can
be
maybe
circumvented
in
order
to
make
something
enter
the
production,
Branch
or
the
main
branch
of
the
repository,
maybe
in
the
same
way
it
can
be
circumvented
such
that
something
is
deployed
automatically
in
production
just
because
it
is
passing
certain
workflows,
but
maybe
this
is
more
relevant
than
later
on
for
the
the
versioning
control
system.
I,
guess
sorry
for
the
build
server
and
build
pipeline,
not
so
much
for
the
versioning
control
system.
A
E
A
A
C
A
A
Yeah
I,
like
I
like
very
much
the
idea
to
to
basically
crawl
through
workflow
management
systems.
In
order
to
understand
your
development,
your
developer,
Workforce
right,
because
that
that
will
also
that
will
also
be
that
would
also
help
you
to
identify
individuals
that
you
can
attack
in
very
different
other
ways
right
so
for
a
spear,
phishing
attacks
and
or
maybe
real
life,
blackmail,
attacks
and.
F
A
Yeah
I
wonder
I
mean
the
there
was
this
discussion,
whether
you
can
basically
rewrite
to
get
commit
history
right.
So
I
wonder
whether
this
is
one
because
one
as
you
and
I
I
came
across
this
in
the
context
of
leaked
credentials.
As
you
say
this,
they
happen.
They
end
up
far
too
often
in
repositories
and
what
developers
or
people
typically
do
is
they
just
you
know,
invalidate
their
respective
credential.
A
They
deactivate
the
API
key,
whatever
it
is,
but
another
way
of
getting
rid
of
those
is
you
can
rewrite
the
history,
but
the
problem
with
this
is
that
it
is
basically
invalidating
everybody
who
cloned
the
repository
before
God
is
clone
corrupted
and
corrupted,
but
it
cannot
work
any
longer
on
the
on
the
Clone.
But
maybe
this
is
not
so
maybe
this
is
this.
Doesn't
matter
so
much
and
and
still
it's
a
feasible
thing,
you
could
do
on
once
you're
on
the
git
server
on
the
leading
instance
or
to
say
so.
C
E
With
any
kind
of
attack
you
know
typically,
the
bad
guy
wants
to
clear
their
tracks.
I
don't
know
about
what
the
capability
within
git
is.
If
you
can
rewrite
or
modify
the
log
in
a
compensating
control
would
be.
Ideally,
you
have
off
Server
Like,
A
syslog
or
something
you're
exporting
to
Splunk
or
something
out
off
the
Box.
So
you
would
have
a
another
copy.
Yeah.
A
Basically,
I
think
it
means
to
rewrite
past
commits
on
a
previous
state
which
is
giving
you
new
new
new
and
unique
commit
identifiers
again,
which
is
rewriting
then,
and
then
this
history.
But
then
suppose
this
is
happening
in
a
big
organization.
Maybe
some
developers
just
track
their
shoulders
and
say
well,
something
happened
here,
maybe
just
clone
from
from
start,
and
this
is
where
I
continue.
A
A
E
A
E
A
From
I
know
that
one
company
basically-
but
they
were
again-
this
is
again
GitHub
Enterprise
and
basically
they
have
a
push
push
lock,
so
they
basically
lock
who
pushed
stuff
to
the
to
GitHub
and
from
which
IP
addresses,
and
so
this
push
push
unlock
or
push
lock.
Whatever
the
name
is,
has
been
fed
into
Splunk,
I
think
but
but
I'm
not
I.
Don't
I,
don't
recall
that
they
use
really
at
the
history
of
commits
I.
Don't
think
so.
A
A
A
E
D
E
E
E
Consumer-Focused
supply
chain
review
and
they
they
that's
Jay
White
and
a
bunch
of
other
folks
work
on
that,
and
they
actually
did
a
pretty
exhaustive
review
and
they
have
suggestive
controls.
They
map
to
a
couple
industry,
Frameworks,
so
yeah.
We
could
take
a
look
and
see
if
they
have
anything
around
the
source
code,
management,
protection.
E
E
A
They
had
I
think
we
we
not
when
we
created
this
taxonomy,
but
I
think
John
pointed
us
to
one
of
the
guys
at
the
cncf
and
we
went
together
through
an
Excel
sheet
and
were
able
to
map
most
of
the
threads
that
they
have
identified.
Two
different
vectors
in
the
taxonomy
as
well.
I
could
look
this
up,
but
yeah.
There
was
an
exercise,
but
who
was
the
guy
again,
but.
D
F
E
A
E
C
C
E
A
E
E
And
then
we
don't
have
a
mailing
list
for
this
particular
group
right,
but
we
have
one
for
the
larger
end:
User
Group,
yes,
so
I
would
send
a
note
to
the
end
user
working
group
mailing
list
saying
you
know:
we've
made
some
progress.
We'd
like
additional
sets
of
eyes.
Could
you
look
through
and
provide
suggestions
or
comments
if.
A
I'm
not
sure
it's
in
a
in
a
shape
that
can
be
reviewed
easily.
To
be
honest,
maybe
yeah,
maybe
maybe
crop
you
can
if
you
in
general
I
like
the
idea
but
I'm
not
sure
whether
again
the
write-up
is
good
enough
to
be
shared.
Maybe
you
can
have
a
look
and
read
through
it
and-
and
you
know,
make
an
assessment
of
that.