Description
Meeting notes: https://docs.google.com/document/d/1abI65H4pF5y8YtA2_TuDBAaI47v9mTfpr5mwVvccX_I/edit#heading=h.v07d658tnyfp
The End Users Working Group (WG) represents the interests of public and private sector organizations that primarily consume open source rather than produce it.
The mission of the End User Working Group is to ensure that the distinct and impactful voice of end users is heard in the development and delivery of the technical vision of OpenSSF.
A: All right, yeah, but you also have this heat wave, right? So we have... I'm not sure whether you follow the fires in Greece, and so I'm going to fly out of my vacation into basically the hot spot of the heat wave, to Sardinia. So, looking forward to 44 degrees starting this Thursday, but yeah, looking forward to it.

A: Nothing much, so the room has air conditioning. There is a pool, breakfast included, so yeah, I think I will nevertheless enjoy it. All right. So, let's get into it. If you don't mind, I was hoping John can make it, but let's see, maybe he shows up in a second, and it's just the two of us. Maybe we could be incredibly productive if we go through the to-do items that I came up with, that I have kept for a little bit of time as well. So I'm...
A: The first: do you see my screen now? Yes, looks like it. Maybe I can also zoom in, right. So the first comment I wanted to discuss is... I really hesitate, you know, clicking away comments and input from others, all right. This is why I really prefer having discussed this, having mentioned this, at least to one single person, so you're the lucky one today. So you just need to nod, and then I improve the comments and changes, or the lack of changes, because I think how it was before was better.

A: Oh, okay, good. And so he made some comments about...

A: My answer to this is, I mean, it's driven out of the End User Working Group, and we were saying in the very beginning we will try to model different architectures for different kinds of commercial end users, and he was coming a little bit late providing this comment. So my feeling is we can keep "Enterprise" and, you know, stick to what we started with and defined, or kind of assumed, in the beginning, yeah.
A: Basically reject the suggestion here: how can we improve this here?

B: It's maybe something in here: I'll take an action to do a suggestion, but I would insert, you know, we're focused in on end users, you know, the small to large enterprises that use and consume open source and third-party software.

B: Right, I'll take that action. And then, so I'm helping lead the security tool belt efforts for the foundation, and that is a more holistic open source supply chain focus, and eventually I want to kind of deputize some of the people that show up here to help out with that larger threat model. But I think this one we need to focus in on; I like the fact that we're trying to add value to consumers, okay.

A: I kind of write this: you volunteered to, yes, further sharpen the objective.
A: Okay, right. Then there was a very valid comment made by Jan Walker Smith, right. He was basically saying here he typically likes to think of assets only as data, so secrets, personally identifiable information, maybe other stuff that is relevant in this PCI regulatory context.

A: Right, for these credit card handling systems. And I think this is right, and we discussed in the beginning also to define systems, or compute, as one... or computing resources as one asset to be protected, and I think this ended up here mostly because of some malicious packages

A: trying to, you know, run crypto miners on the CI/CD environments of commercial software providers. This happened many years back to Tesla, maybe, I can't remember. And so that is a valid threat, let's say, but maybe in our specific context this is more of a niche, especially as we were saying in the beginning

A: we focus on integrity and confidentiality of the proprietary software component as the main threat, because this is, I think, the more urgent, more problematic thing, because once that commercial software is infected, that has a wider impact on downstream users compared to, you know, the systems being used for crypto mining. It's bad for that company, but nobody else is suffering from that. So I would agree to delete this, I...
B: I agree, and I just spent the morning rereading about SolarWinds, so that supply chain attack is kind of fresh in my mind: attacking the infrastructure, all...

A: Right, so we delete this. It's only really about confidentiality and integrity of the source code, not about systems or computing resources. Oops, and gone. It is all right. There was also a question around trust boundaries, which we did not explicitly include here in the diagram.

A: There is kind of one trust boundary, kind of highlighted by all these reddish arrows, where we download third-party and open source stuff onto all kinds of systems, right. So there's definitely one separating the internal systems from external distribution platforms. So that is an obvious one, and we can put this in. I also think there is another trust boundary between the developer machine and all the other shared systems, right.

A: So the source code management, build system, staging, production systems and stuff, because, as we discussed multiple times, those developer machines are used for a wide variety of things and they may have been attacked, subject to phishing attacks, and so there would be some malware running on them. So I think that is also a good trust boundary to have, and I see that you agree here.
B: I think that's too detailed for this level. We're looking kind of at a higher level, as opposed to somebody, you know, looking at somebody's actual reference architecture and, you know, saying this server talks to AD, this server talks to LDAP, you know, or, you know, an OTP service.

A: But of course, I mean, this level of detail would be far too implementation specific, right, depending on how they implement the SSO. But for the general flow of data between source code management and build system, and build system and QA and production, or the distribution platform, even here you would say there is no trust boundary required? I don't really know, I'm at...

B: The bank I worked at, we had three different LDAPs, so we had a test, a QA and then a production LDAP. So we did segregate things, so I would imagine other organizations might do that as well. But again, that's an implementation detail. We can say generically, you know, the developer has some relationship with their development environment and then the source code and build systems, and that's kind of okay. It...

A: There are some kind of best practices that people need to apply and which hold true basically for all, you know, across the board, across all the threats. So it reminds me a little bit of, I think, what CISA also did; there are some CISA general safety and security measures around least privilege and hardening all the systems, and network segregation goes into the same bucket, I feel. Yeah, all right, so I update the diagram to add two trust boundaries, good.
A: Okay, yeah, I mean this was about, okay. This is not so relevant. I mean, he was coming back to insider threat, saying they would be in scope. I agree, but not in the first version. We struggle too much anyhow to progress on the document. They've reopened this box; it will only become more difficult.

A: Yeah, there's some... This is a comment that is more generally related to aligning this with the MITRE matrix, even though I must say, the little... I mean, at least what they have in terms of supply chain compromises, the second one, is super high level. It's basically covering just everything, and so linking it to the MITRE matrix would mean, by means of saying, we refine what they only said on a high level.

A: They are right here: "Supply chain compromise of software can take place in a number of ways, including manipulation of source code, manipulation of update/distribution mechanisms, replacing compiled releases with a modified version," which is just everything. And everything maybe but a lot, and so I think this is exactly where we want to provide added value by refining this ability. So.

A: Yeah, this is kind of what I answered in my comment, but I think this is something that we can highlight a little bit on the top already, because this is a question that people will come up with, yes, very early in the process of reading the document, and the same holds true probably also for SLSA and the Software Component Verification Standard and the Microsoft effort. So I think that there should be kind of a... related, okay.

B: That's what they donated to the supply chain group. It's a consumer supply chain framework, so.
B: Now, CISA just did release some new guidance around CI/CD. There might be something in there. I haven't had the chance to look at it yet, but I'm pretty sure they probably lean heavily into the MITRE.

A: Yeah, yeah, there's a lot of... I have the feeling, and it's really difficult to keep on top of the things, there is so much overlap between all those initiatives, and they reference each other. It's hard to understand at times. All right, very good. You know what, but still I think he has a valid point, so that this should not only be discussed in the beginning of the document but, where possible, also in the single threats. Agreed.

A: Okay, good, right. I also think we should have something like references here.

A: All right, I leave that comment open so as not to forget it. Then what else? That is one specific example, but I wanted to go into more... I had some. Before going to the other comments, I would like to discuss other stuff with you. One is, I mean, we added... It was easy to add a table property "likelihood", but then it turns out it's anything but easy to fill it, and so we only did it a few times, right.
A: So everybody, you know, was very positive about this being a high likelihood, but for many others we don't have anything. Maybe we have it there, I remember we have it once, I mean, if she's committed... we added another, all right, so yeah. We have it a couple of times but I... Really it's...

B: Maybe we look at EPSS, the exploitability scoring, so, you know, what can we find where these attacks have been exploited? You know, then that would be kind of evidence that this was more probable or not.

B: ...done any kind of prediction or analysis on historic supply chain attacks beyond a listing of "here's 20 bad things that happened in the last 10 years."

A: You know, cases such as, I don't know, for Equifax, the data breach, maybe, or also for SolarWinds, and maybe also for the supply chain attack in 2017. What was it again? Yeah, exactly, NotPetya, on this Ukrainian bookkeeping software, or so. So for those high-profile things you have some numbers, but those numbers are probably completely exaggerated, and I wonder how well they have been
A: you know, researched. So for Equifax I remember numbers like, oh, the overall cost for the company to overcome the problem in their Struts framework was more than one billion, but that included a bunch of things. Also, you know, all the lawyers for any litigation, basically all the expenses they had for investigating the problem. They also included, you know, the restructuring or rebuilding of their security framework. So there is a lot of stuff that just came together, and I...

B: So maybe we provide kind of a summary towards the top. You know, when you are considering the likelihood and impact, these are some of the factors that could be put into your accounting, and, you know, for costs you're going to have potential regulatory fees, you're going to have legal fees, potentially some type of incident response fee.

A: All right, right, I just try to figure this out here. Where can I put this? So this would be kind of, yeah, kind of in the introduction, right, where we...

A: And then here should come a section or a sentence saying we do not quantify any likelihood...

B: Yeah, incident response costs, so you're going to have an incident handler, you're going to have cyber insurance costs.