►
From YouTube: End Users Working Group (January 5, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
C
B
D
B
B
E
A
B
E
A
E
F
B
A
B
A
A
A
We
are
on
the
agenda
for
the
10th,
which
is
the
next
attack,
which
is
next
week,
Wednesday
I
think
so
we
should
be
good
to
go
and
attack
I'll
I'll
join
and
represent
and
go
through
the
proposals.
I
think
we've
gone
through
enough
times,
I
think
they're
in
good
shape.
Certainly
socialized
it
enough
would
would
welcome
other
support
if
people
would
like
to
join
attack
and
also
contribute.
A
That
would
be
fantastic,
but
I
think
that's
kind
of
the
pivot
point
where
hopefully
we
get
some
some
traction
there,
and
then
we
can
go
off
and
Implement
those
proposals
we
put
together
as
a
group
so
looking
forward
to
that
any
feedback
on
that
any
anyone
want
to
come.
I
think
we
need
to
add
additional
things.
A
Next,
one
was
an
action
that
I
think
I
think
I
took,
unfortunately,
I
think
with
the
end
of
the
year,
I
wasn't
sure
if
someone
else
was
taking
those
well
or
differently,
but
either
way
it
hasn't
been
set
up.
So
I'll
I'll
take
the
blame
for
that,
but
we're
going
to
set
up
a
a
call
with
different
groups
to
discuss
the
repository
of
threats
that
we've
been
discussing.
A
I'd
raised
it
I
think
two
meetings
ago,
and
the
idea
just
of
refresh
plus
memories,
was
basically
a
repository
where
we
collate
threats
that
have
been
a
supply
chain.
Attacks
that
have
been
identified
collect
any
material.
We
can,
whether
that's
source
code,
binaries
metadata
and
such
and
then
provide
that
as
a
way
of
analyzing
what
we're
experiencing
in
the
in
the
industry.
We
can
then
feed
that
into
a
validating
our
taxonomy
and
our
threat
models
and
also
do
some
additional
analysis
as
well.
A
G
A
H
H
A
A
Cool
all
right,
so
action
on
John
2
really
do
it
this
time
and
set
up
a
meeting.
I
think
I'll
go
for
the
next
week
or
the
week
after
to
get
people
together,
because
I
think
we've
talked
about
this
a
couple
of
different
ways:
I
I
really
do
think.
There's
there's
some
some
benefit
in
doing
that.
All
right,
I
will
do
that
next
point
we
had
was
the
suggested
deliverables
from
the
last
meeting.
I
just
want
to
validate
those
just
so
we
kind
of
set
ourselves
up.
A
A
The
architecture's
work-
and
this
refers
to
the
work-
was
really
our
proposal,
which
was
to
set
aside
multiple
architectures
for
not
really
small,
medium
and
large,
but
multiple
I
could
just
maybe
one
regulatory
end
user,
one
end
user
that
doesn't
actually
create
software
Define,
an
architecture
for
what
that
looks,
like
threat
model
that
architecture
and
then
align
that
to
our
taxonomy.
So
we
need
to
continue
with
our
work
and
I.
Think
at
the
moment,
I
think
it's
fair
to
say.
A
G
A
Absolutely
same
right,
so
that's
that
one
I
think
that,
as
the
proposal
gets
agreed,
we
can.
We
can
really
really
put
a
foot
down
on
that
one.
The
other
one
was
an
idea
around
a
space
for
others
to
share
experiences
experiences
and
how
they're
securing
their
supply
chain
leveraging
s-bombs
or
how
thinking
about
this
problem
I.
Think
Shaq.
You
proposed
that
one
if
I.
H
Possibly
I'm
just
just
waiting
for
the
fog
of
the
holiday
to
clear
and
tell
me
whether
or
not
I
did
that.
Yes,
oh
yes,
yes,
now
I
remember
it
was.
It
was
by
analogy
to
the
CNC
FN
user
working
group,
where
one
thing
they
do
very
regularly
is
folks
will
share
their
experiences
of
using
cncf
technology,
so
people
will
come
in
and
do
a
talk
about
Prometheus
and
how
they
use
it.
H
You
know
their
experiences
with
with
this
and
that
so
that
would
be
useful
for
them
for
end
users
to
come
in
and
say
we
tried
using
salsa
Providence
attestations
and
we
had
these
obstacles
and
people
can
ask
questions
or
say:
oh,
it
worked
really
well.
I
see
that
it's
it's
easier
than
I
thought
we
should
try.
It.
E
E
Them
to
what
level
of
public
are,
you
know
like
I'm,
always
I,
always
try
and
air
towards
things
being
more
public,
but
I
know.
In
some
cases
there
could
be
sensitivity
where
some
Enterprises
may
not
feel
some
people
in
Enterprises
may
not
feel
empowered
or
may
not
be
empowered
to
speak
publicly,
whereas
they
may
be
empowered
to
speak
on
a
on
a
you
know,
to
a
smaller
group.
A
Yep,
it's
got
my
vote.
Andrew
one
thing
I
was
thinking,
was
check,
marks,
you're,
right,
I,
think
they're
doing
some
great
great
Innovation,
but
but
also
getting
industry
literally
an
end
user
to
come
and
present
and
say
look.
This
is
what
we've
done
to
supplier.
This
is
how
we're
using
s-bombs
and
see
if
we
can
collect
some
data
on
that
I
like
the
idea
of
the
office
hours.
I,
guess
it's.
A
If,
if
we
get
the
best
practices-
and
we
understand
how
we
as
a
group
recommend
people
address
supply
chain
issues
as
we
mature
I
guess,
we
could
suddenly
provide
some
more
of
that
data,
even
as
it
stands
to
be
I.
Think.
Certainly,
we've
got
a
lot
of
experts
on
this
group
that
could
provide
some
feedback
to
those
individuals
as
it
stands.
Right
can
I
ask
how
people
got
participation
in
that
sort
of
office
hours
in
the
other
group.
Does
anyone
know?
I
A
A
H
Was
me
because
I'd
heard
an
anecdote
that
Auditors
were
already
starting
to
ask
about
questions
about
s-bombs
and,
and
so
yeah
like
it
would
be.
It
would
be
good
if
we
talked
to
Auditors
rather
than
the
feedback
loop
with
Auditors
being
it
takes
a
while
for
the
Auditors
to
pick
up
on
the
stuff,
and
then
they
show
up,
and
it
turns
out.
We
had
a
very
different
idea
of
what
how
the
Technologies
were
meant
to
be
applied
right.
A
H
It
was,
it
was
more
so.
My
concern
was
that,
like
the
anecdote-
and
it's
been
a
little
while
since
I
heard
it's
on
fuzzy,
but
the
anecdote
was
that
some
otters
has
had
already
started,
showing
up
at
places
and
saying
well,
where
are
your
s-bombs
and
this
sort
of
suggests
that
it
suggests
that,
like
the
possibility
that
the
things
that
we're
concerned
about
and
the
Technologies
we
want
to
promote,
we
want
to
make
sure
that
we
have
a
common
understanding
with
the
folks
who
will
be
relied
on
to
set
the
standard.
H
D
E
Yeah,
just
to
say,
I
have
heard
this
in
the
context
of
TCI
compliance
where
some
company
that
is
doing
the
PCI
you
know
like
working
to
establish
whether
or
not
somebody
is
PGI
compliant
sends
them
a
bunch
of
questionnaire,
or
you
know,
questions
and
one
of
them
being.
You
know,
I
haven't
either
that's
bombs
right
and
so
that
raised
a
red
flag
to
me
because
not
necessarily
red
flag.
E
A
A
D
This
is
an
nsa-driven
public-private
partnership
that
has
done
some
work
on
s-bomb
from
a
downstream
consumer
perspective,
but
it's
very
high
level
and
really
focuses
on
the
things
that
NSA
corporate
Partners
spend
their
time.
Thinking
about
I'll
paste
the
link
in
the
chat
because,
while
I
nominally
signed
off
on
it
for
my
agency,
it's
not
great
the
high
level
challenge
around
s-bomb
consumption
discussions
is
today.
D
No
one
has
piles
of
s-bombs
sitting
around
for
their
organization
with
a
few
exceptions,
and
so
we
don't
really
have
lots
and
lots
of
tools
or
indeed
standard
operating
procedures,
so
I
think
anyone
who
wants
to
start
that
and
say
Here's
a
broad
space.
We're
going
to
focus
on
this
chunk
would
be
very,
very
helpful
and
I
can
sort
of
loop
you
in
on
different
pieces,
so
I
put
further
down
on
the
agenda.
D
If
we
have
time
to
talk
about
it,
if
you
were
a
consumer
of
a
cloud
application,
what
do
you
want
from
your
service
provider
and
and
right?
The
difference
between
saying
I
need
BS
bomb
versus
I.
Need
you
to
show
I
need
you
to
attest
to
me
who
have
an
s-bomb
things
like
that.
So
all
of
that
is
to
say,
we
don't
have
anything
immediate
and
but
we
should
be.
D
It
is
tricky
if
we
set
out
a
very
ambitious
plan,
because
it
is
my
firm
hope
that
in
18
months,
s-bombs
will
be
integrated
into
standard
Vault
management
software.
Today
it
isn't,
and
so
what
kind
of
guidance
do
we
want
to
write
if
we're
hoping
that
that
the
world
looks
different
in
their
new
tools?
So
that's
oh
I'll
pause
there.
A
I
I
A
I
think
maybe
anecdotally.
Within
the
group
we
can
probably
start
to
collate
experience
on
what
people
are
doing
with
response
and
how
they're
leveraging
it
for
vulnerability
management
or
what
are
the
other
use
cases
I
mean
it.
It
kind
of
kind
of
seems
to
me
is
that
that's
the
tool
and
some
of
the
usages
we're
getting
out
of
that
capability,
and
we
also
have
the
the
major
problem
for
a
supply
chain
and
that's
how
we're
looking
at
the
threat
model,
the
different
attacks,
the
taxonomy
and
then
you
can
connect
well.
A
This
is
what's
going
on.
This
is
what
we're
getting
attacked
with,
and
this
particular
area
is
where
that
we're
help
we're
using
our
spawns
to
mitigate
some
of
those
controls,
and
maybe
it
gets
connected
to
that
way,
but
I
think
yeah
as
part
of
documentation
and
evidence.
That's
something
I'm
sure
we
can
look
at
any
other
major
pieces
of
work.
We
think
as
a
group
any
deliverables
for
for
the
next
next
short
time,
I've
added
one
in
the
chat,
but
I,
don't
wanna.
Thank
all
the
air.
A
All
right,
in
the
absence
of
anything
else,
I
will
take
only
and
then
I'll
start
to
you
know
please
chip
in,
but
one
of
the
things
that
I
wanted
to
do
was
was
really
raise.
The
awareness
from
an
end
user
perspective
on
this,
the
increasing
supply
chain
threat
and
the
the
increasing
amount
of
malicious
packages
and
software
that
we're
seeing
out
there
now
and
raising
awareness
that
as
end
users,
we
can
and
should
do
something
about
it.
E
A
H
I
have
a
diagram
that
I
used
when
we
were
standing
up
our
strategy
at
Shopify,
where
I
basically
showed
you
know
like
three
boxes
and
there's
production
and
then
there's
like
software,
that's
accidentally
vulnerable
and
software.
That's
deliberately
vulnerable
and
I
said
all
of
our
systems
are
currently
tuned
to
the
accidentally
vulnerable,
but
the
deliberately
vulnerable
is
something
we
need
to
think
about.
H
So,
yes,
I
think
that's
a
useful
distinction.
That's
what's
sort
of
led
to
all
the
work
that
we've
been
doing
focused
in
the
Ruby
ecosystem.
Obviously,
because
that's
our
bread
and
butter,
yeah
I,
think
I
I
want
to
sort
of
like
grasp
at
what
or
try
to
understand
where
you're
driving
at
Jonathan
like.
Is
it
that
you're
thinking
about
the
problem
of
raising
awareness
that
this
can
happen
and
that
you
need
to
prepare
for
it
or
is
it
around
specific
countermeasures?
A
It's
it's,
it's
definitely
well,
it's
both
obviously,
but
I
think
raising
awareness
to
start
with,
because
when
I
talk
to
other
end
users,
whether
I
talk
to
even
if
within
it's
the
ossf
or
different
conferences,
people
just
don't
seem
to
be
that
aware
of
that.
As
a
problem,
people
are
more
looking
at
hardening
a
Ci
or
asking
people
for
s-bombs
or
looking
at
vulnerabilities
in
software
they're,
not
looking
at
the
malicious
software
that
you
and
I
are
looking
at
Jack,
and
perhaps
people
in
school
are
looking
at.
A
It
really
isn't
on
it,
surprisingly,
not
but
doesn't
seem
to
be
on
as
many
pills
right
or
as
I
thought
it
would
be
and
I'm
seeing
you
know
with
some
of
the
reports
I
mean
from
the
from
the
sonotype
report.
You
can
see
the
the
increase
in
the
amount
of
malicious
software,
but
I
I'm
just
concerned
that
it's
not
being
discussed
for
some
reason
might
get
there
for
you.
It's
not
been
discussed
as
widely
as
it
should
be.
H
A
Yeah,
absolutely
absolutely,
but
but
and
I
think
exactly
your
point.
I
I
know
a
lot
of
us
know
about
that
and
a
lot
of
people
I
talk
to
in
supply
chain
know
that's
the
case,
but
when
I
talk
to
people
accidentally
I
haven't
looked
at
supply
chain,
yet
they
really
don't
see
again.
I
might
be
in
a
different
bubble,
but
they
don't
seem
to
notice
it
yeah
yeah,
Croke
I,
think
you
were
next.
I
Yeah,
so
I
have
four
points
and
I'll
start
with
the
one
Daniel
just
echoed.
First
and
foremost,
we
have
a
platform
through
the
openssf
blog
that
if
we
wanted
to
put
something
together,
we
have
a
great
panel
of
experts
here
that
had
a
lot
of
insight,
both
from
the
end
user
and
the
commercial
tooling
space
we
potentially
could
put
together
a
really
nice
kind
of
Kickstart
blog
talking
about
the
topic
0.2,
which
relates
to
one
of
the
items
I
put
on
the
agenda.
I
There
is
the
open,
ssf,
North,
America
conference
call
for
papers,
that's
open
another
opportunity
to
raise
awareness
and
get
out
and
engage
with
the
developer
and
consumer
Community
would
be
going
to
conferences,
so
we
might
want
to
think
about
putting
together
a
panel
or
education
sessions
for
that
conference.
It'll
be
in
Vancouver,
British
Columbia
in
May
and
I
expect
we'll
get
the
Europe
and
Japan
or
APAC
dates,
probably
in
some
time
in
the
spring.
I
I
We
put
together
a
guide
as
a
work
product
of
this
group,
so
maybe
an
initiative
that
this
working
group
might
want
to
adopt,
and
then,
lastly,
you
know
once
we
have
some
actual
Guidance,
the
education
Sig
is
working
on,
putting
together
a
plan
to
kind
of
address,
developer
and
cyber
security
concerns.
So
this
very
definitely
could
be
a
module
or
maybe
it
gets
baked
into
part
of
the
formal
training.
Maybe
it
becomes
a
podcast
or
a
webinar
that
the
education
Sig
helps
put
out
so
I
think
you
have
a
lot
of
outputs.
K
There
started
being
a
bit
of
interest
on
this
topic,
and
people
started,
proposing
very
cool
and
interesting
works
on
on
these
and
proposal
about
approaches
and
I
was
wondering
about
the
capabilities
that
we
have
so
far
of
of
what
we
have
as
malicious
samples,
because
it
could
be
just
an
impression
but
I
tend
to
see
often
malware
samples
or
malicious
packages
that
have
somehow
the
same
shape.
Somehow
low
effort
attacks
with
just
basic
obfuscation.
K
K
We
are
really
capable
to
detect
that
and
so
I
think
it's
a
Pity
to
lose
a
bit
of
the
big
picture
and
on
that
and
start
the
reasoning
on
the
possible
evasion
techniques
that
attackers
can
can
exploit
to
to
evade
the
possible
and
the
current
approaches
that
have
been
proposed
or
the
current
proposed
solution.
Just
just
that.
G
A
F
You
know
those
kinds
of
things,
and
so
we
we've
pretty
successfully
built
the
model,
understanding
what's
normal
and
then
flagging
the
things
that
are
abnormal.
That's
how
we've
chosen
to
do
it
and
the
the
best
use
case
that
happened.
We
were
launching
this
live
I,
didn't
know
how
well
it
was
going
to
work.
We
launched
it
at
the
same
time
that
I
forget
his
name,
the
guy
that
was
doing
the
dependency,
confusion,
research,
the
white
hat
stuff.
In
the
summer
he
launched
he
announced
it
like
in
but
February
March.
F
Something
like
that,
the
summer
preceding
that
he
was
doing
the
work
and
our
system
was
flagging.
Every
single
one
of
his
white
hat
attacks
before
the
world
knew
that
that
was
a
new
type
of
attack,
which
was
which
was
pretty
awesome.
So
that's
the
approach
that
we've
taken
to
do
that.
It's
unfortunately
not
easy
and
requires
massive
amounts
of
data
set
to
train
the
model
on
to
be
able
to
do
so.
I
just
figured
I'd
throw
that
out
there.
K
Just
just
a
question
on
this
point
because
I
mean
it's
also
true,
that
we
also
see
I,
think
two
types
of
malicious
packages,
the
one
that
only
contains
the
malicious
code
and
other
one
that,
let's
say,
have
are
a
pure
clone
of
an
existing
project
and
they
have
just
a
one
liner
inside
and
so
to
what
extent,
for
example,
than
trying
to
track
what
is
normal
will
detect.
You
know
just
this
needle
in
the
high
stack
inside
the
a
big
amount
of
code.
It.
F
C
F
That
required
higher
than
normal
version
numbers.
The
system
was
ultimately
recognizing
again
before
we
knew
a
heuristic
made
sense
here.
Projects
don't
start
out
publishing
things
with
super
high
version
numbers
as
their
first
release.
That
turns
out
that's
an
abnormal
behavior,
but
now
in
2023
it's
easy
to
write
a
heuristic
for
that,
because
we
recognize
it.
Why
I
think
it's
interesting
is
because
the
mlai
told
us
this
was
interesting.
You
know
almost
a
six
months,
nine
months
before
that
guy
published
his
research.
F
They
literally
just
won
a
typo
squat,
get
it
downloaded
and
run
their
back
door,
and-
and
you
know
when
I
when
I
talk
about
this
with
prospects,
I
remind
them
that,
like
okay,
if
you've
built
an
application
security
portfolio
around
scanning
things
before
you
put
it
into
production
or
you
release
it,
you
miss
that
this
happened
and
and
I
like
to
relate
it
back
to
the
90s
when
browsers
were
inherently
vulnerable
because
back
then
you
go
to
a
website,
you
get
hacked,
nobody
paid
attention
and
they
just
go
whoops.
That's
not
the
site.
F
I
meant
and
they'd
go
to
the
right
one,
and
in
these
instances
that's
exactly
what's
happening.
The
developers
get
the
wrong
thing,
their
build
blows
up,
they
figure
out.
Oh,
it's
an
underscore,
not
a
dash
and
they
move
on
and
and
then
the
the
supply
chain
tools
that
weren't
looking
at
what
was
happening
in
ingestion,
never
see
that
this
fact
happened
because
that
bad
component
never
got
checked
in
the
source,
control
never
ran
through
CI,
so
they're
completely
blind
to
it.
A
Yeah
look
I
I.
This
is
great,
I
I!
Think
there's
the
two
parts
right
there's
the
one
is:
let's
raise
awareness
and
there's
a
two
is
figure
out
how
to
get
even
better
at
mitigating
and
identifying
it,
and
you
know
I
think
the
the
landscape's
gonna
we
can
see
the
landscape
changing
a
lot
actually
quite
quickly
where
people
are
moving
to
different
attack,
pass
and
attack
approaches
at
the
moment
it
for
the
majority.
A
That
we've
got
up
front
at
the
moment.
Should
we
leave
it
there?
There's
a
cup
just
want
to
take
out
a
couple
of
actions
from
that
already
right.
So
one
action
is,
is
for
me
to
set
up
the
the
group
looking
at
the
repository
of
threats.
I'll
take
that
one
two
is
I'm
going
to
take
on
the
the
raising
awareness
of
the
the
different
malicious
attacks.
A
J
J
All
right,
let
me
give
me
a
second
and
I'll,
pull
out
his
Twitter
profile,
so
he's
got
a
company
that
he's
started
around
this
basic
idea
of
like
flagging.
This,
in
you
know,
developer
machines
that
also
flagging.
It
is
checking
that,
like
hey,
this
is
probably
a
typo,
squat
or
hey
this.
This
package
is
doing
this
weird
thing
in
their
pre-install
script
or
whatever,
whatever
so
and
and
yeah
there
we
go.
He
is
oh
socket,
security,
socket.dev.
F
A
Cool,
so
definitely
two
prongs
right.
One
is
the
raising
awareness
into
his
howl
and,
if
that's
in
the,
how
section
nowhere
that
one,
particularly
oh
well
I'll,
dig
into
that
thanks
a
lot
any
other
actions
we
had
from
from
the
little
little
session
there
there's
the
architectures.
We
need
a
session
on
that
I'm,
looking
like
the
next
week
or
two
to
start
moving
forward
with
this
stuff.
I
I
As
a
contributor
to
this
group
and
as
a
Tac
member
looking
at
the
end
users,
git
repo
I,
don't
know
what
this
group
is
about.
So
it
might
be
awesome
to
start
to
complete
this
and
get
this
in
order,
so
that
members
and
prospective
members
can
see
what
we're
doing
and
potentially
get
collaborating
on.
Some
of
these
awesome
ideas.
A
J
I
think
this
is
in
relation
to
probe's
question.
What
what
is
the
scope
of
the
end
users
like
I,
guess
end
users
is
a
very
large
term.
Is
it
end
users
of
software,
or
is
it
end
users
of
like
the
software
when
it
gets
chipped
and
delivered
to,
like
your,
you
know,
true
end
users
that
are
like
you
know
normal
people
that
don't
know
how
to
don't
don't
know
anything
about
software
at
all.
A
Yeah
I
think
we
we
do
have
a
charter,
that's
on
the
top
of
the
our
slack
group,
with
the
missions
and
goals
and
the
missions
and
goals.
I
think
does
speak
to
that
from
a
scope,
perspective,
Jonathan
but
I
think
to
try
and
recall
what
it's
at.
It's,
basically,
not
the
end
user
in
terms
of
someone
actually
holding
a
phone
that
has
software
within
it,
but
you
know
kind
of
at
the
sort
of
Enterprise
level
or
someone
creating
something
and
selling
something
like
a
hospital,
maybe
or
a
a
company
building
things.
A
B
A
Okay,
now
down
to
any
other
notes
from
working
groups,
this
is
the
standing
entry
we
have
that
we
go
through
each
time
now
the
reality
is
I.
Think
most
people
are
going
to
have
been
away
about
the
Christmas
Vacation,
but
is
there
any
I
think
from
the
notes
that
looks
like
it
was?
You
know
I
copied
from
the
previous
one,
but
any
additional
notes
from
any
user
groups.
Since
we
last
met.
I
I
added
a
couple
things
in
addition
to
the
call
for
papers
which
I
strongly
encourage
this
group
to
put
some
things
together
for
on
the
vulnerability
disclosures
working
group
is
working
on
a
CBD
guide
for
OSS
consumers.
We've
mentioned
it
here
before,
but
I'll
be
setting
up
a
doodle
to
try
to
find
a
time
to
collaborate.
So
if
anyone's
interested
I
will
also
tag
this
working
group's
mailing
list
when
I
get
the
doodle
set
up,
so
please
feel
free
to
contribute
to
that.
I
The
vulnerability
disclosures
working
group
also
put
forth
a
open
source
security
security
incident
Response
Team
plan.
It
is
now
sitting
with
attack
for
review.
This
is
creating
a
dedicated
group
of
Upstream
security
people
that
help
open
source
maintainers
on
coordinating
vulnerabilities.
So
if
this
group
has
any
requirements
of
how
they
think
end,
users
would
like
to
benefit
from
such
a
team.
You
can
get
that
information
to
me
or
put
a
comment
on
that
issue.
I
So
if
anyone's
interested
in
either
contributing
or
ingesting
the
output
of
those
things,
you
know
keep
an
eye
on
those
issues
and
then
finally,
the
diagrammer
society
has
created
several
pictures
of
how
the
foundation
is
laid
out
and
all
the
different
activities
most
recently
we've
working
with
a
mind
map
format
and
there's
actually
the
issue.
One
actually
has
the
attachment
to
the
Mind
map
file.
So
if
anyone's
curious,
you
can
open
that
up
and
kind
of
see
the
breadth
of
activities
that
are
currently
going
on
throughout
the
foundation.
I
A
I
Especially
with
the
international
constituents,
we
have
participating
that
the
like
the
diagrammers
group.
We
have
some
people.
We
ended
up
like
with
a
California
friendly
time,
but
I'm
setting
up
calls
with
all
my
working
groups
to
do
like
APAC
friendly
times
and
we're
going
to
try
to
shove.
The
actual
standing
calls
to
a
more
European
friendly
just
so
we
can
kind
of
capture
more
contributions,
but
you'll
see
that
across
the
foundation
folks
trying
to
adjust.
But
it's
challenging
when
you're
a
global
organization.
A
D
D
D
D
One
is
just
software
dependencies
right,
here's
a
component,
it's
in
there.
How
do
we
think
about
that?
And
even
that's
hard,
because
you've
got
infrastructure
as
code
you've
got
microservices.
You've
got
dynamically
generated
code,
so
we
we
want
to
start
out
by
like
at
least
saying.
This
part
is
easy.
This
part
is
tricky
two.
D
The
last
piece
that
may
be
of
interest
is
the
idea
that
hey,
if
it's
a
service
I
may
worry
not
just
about
the
component
dependencies
but
third-party
services
that
my
service
is
using
or
that
some
of
the
contracts
are
so
right.
I
use,
Chrome
service,
Chrome
service.
In
turn,
uses
Brian's
service
can
I
get
visibility
about
that
because
it
might
be
sensitive.
Data
I
may
worry
about
the
political
jurisdiction
that
Brian's
in
right
there's
a
lot
of
things
to
the
best
of
my
knowledge.
D
So
that's
going
to
be
one
of
the
bigger
picture
things
that
we're
gonna
be
trying
to
tackle,
but
I
don't
know
of
anyone.
Who's
got
anything
that
looks
remotely
like
a
scalable
solution
today,
so
didn't
mean
to
take
up
too
much
time,
but
those
are
the
different
moving
pieces.
I
want
to
start
with
a
and
that's
the
plan
for
this
year
is
to
sort
of
start
with
a
five-pager
saying
what
does
s-bomb
mean?
This
is
the
stuff
that
ports
easily.
D
A
E
Yeah,
it's
just
something
that
came
across
my
desk,
so
to
speak
over
the
holidays
and
I
just
thought
it
would
be
interesting
to
raise
here.
There's
I've
included
two
links.
One
is
a
link
to
a
post
which
links
to
a
blog
post,
which
is
from
an
open
source,
maintainer
who's,
talking
about
I'm,
not
a
supplier,
and
how
they
don't
really
see
themselves
as
a
supplier.
They
don't
really
like,
and
they
don't
really
agree
with
that
nomenclature.
The
whole
the
whole.
E
You
know,
framework
of
ideas,
that's
around
the
idea
of
software
supply
chain
and
and
there
and
by
extension,
s-bombs
and
like
we
built
a
kind
of
conceptual
framework
around
the
idea
of
software
supply
chain.
S-Bomb
is
one
example
where
we're
using
the
terminology
of
economics
and
supply
chain
in
you
know
as
a
way
to
communicate
how
software
dependencies
work
to
people
that
may
not
be
familiar
with
how
to
open
source
suffers
dependencies
work
and
it's
great,
and
it
really
does
it's.
It's
we've
all
latched
onto
it.
It's
really
great.
Here's.
E
E
Upstream
who's
using
my
thing,
there's
no
contractual
Arrangement
here
so
like
and
and
then
that
twigged
a
memory
rate
from
earlier
this
year
when
Daniel
Stenberg
who's,
somebody
who
is
the
maintainer
of
a
very
well-known
package,
the
curl
open
source
package
got
hit
by
letters
from
procurement
team
of
some
Fortune
500
company.
That
said,
you
know
like.
Can
you
immediately
tell
me
within
the
next
24
hours,
if,
if
your
code
has
log4j
in
it
and
blah
blah
blah,
it's
all
documented
in
the
blog
post
that
he
wrote
in
January,
which
is
great.
E
That
I
don't
know.
I,
don't
have
anything
more
sophisticated
in
my
mind
or
or
well
thought
through
in
my
mind
other
than
what
I've
just
said
other
than
I'm,
probably
going
to
write
a
blog
post
about
this
at
some
point,
but
I
just
kind
of
wanted
to
raise
it
here
and
get
the
bug
in
people's
ear.
I
see
some
some
nodding
from
grub
and
others.
So
maybe
this
is
a
good
thing
to
think
about.
D
E
Or
or
may,
or
maybe
we
we
need
to
think
about
things
as
a
spectrum
right
because
there
are
some
like
I
said
there
are
some
open
source
projects
that
that
do
fit
into
the
more
like.
Then
there
are
also
open
source
projects
that
are
produced
by
organizations
that
that
have
an
SLA
around
them
and
where
there
is
a
contractual
agreement
and
there,
and
then
there
there's
a
whole
risk
assessment
where
you
can
say:
okay
well,
this
particular
open
source
project
is
not
I.
E
Do
not
have
a
contractual
agreement
with
them,
however
they're
so
well
used
and
they're,
and
they
have
such
a
strong
track
record,
and
you
know
that
all
these
other
factors
are
are
in
place.
So
therefore,
it's
a
low
risk,
you
know
or
I
I
mean
I,
don't
know
what
what
and
I
it's
it.
It
kind
of
goes
beyond
the
security
aspects.
A
little
bit.
E
H
It
yeah
I
think
one
thing
that
stood
up
a
lot
of
the
mud
in
the
water
here
was
the
introduction
of
mandatory
MFA
by
npn,
Pi,
Pi
and
ruby
gems
for
top
maintainers.
There
was
a
line
of
argument
which
I'm
not
sympathetic
to
that
since
the
software
is
as
is,
then,
the
package
repositories
can't
impose
these
kinds
of
terms
that
you,
you
are
stealing
their
work.
Somehow
I'm
of
the
view
that
the
package
repository
is
providing
a
free
service.
H
Thank
you
very
much,
it's
private
property
and
they
can
do
whatever
they
like
with
it
or
not
do
with
it
whatever
they
like.
And
if
you
don't
like
it,
you
can
host
it
on
your
own
website
under
any
rules.
You
like,
but
I,
think
it's
that
event
that
started
people
down
the
road
of
like
what
are
the
obligations
on
package
maintainers.
H
In
this
case,
the
obligations
are
not
imposed
by
end
users
that
are
imposed
by
the
package
repositories,
acting
as
custodians
of
the
interests
of
the
end
users,
as
well
as
the
package
maintainers,
and
that's
the
argument
I
made
when
when
we
were
doing
it
for
ruby
gems,
which
is
that,
yes,
it
imposes
drag
and
inconvenience
on
the
package
maintainers,
but
for
a
package
maintainer
a
compromise
is
embarrassing
and
distressing
for
end
users.
It
is
potentially
catastrophic
and
there
are
far
more
of
them.
H
So,
just
on
a
very
brutal
you
know,
a
brutalist
concrete
poured
into
place
kind
of
utilitarian
calculus.
It
just
comes
out
for
the
users
I'm.
Sorry
we
have
to
do
it
so
I
think
that's
where
some
of
this
came
from,
like
that.
That's
that's
how
it
got
to
be
in
the
air
that
was
the
meteorite
impacted,
got
all
the
dust
up
and
it's
going
to
get
it's
going
to
get
much
bigger
this
year
because
of
GitHub
imposing
2fa
on
everybody.
H
I
I
think
this
group
could
provide
guidance
on
how
consumers
can
manage
the
risk
of
it
using
third-party
components
that
I
am
extremely
sympathetic
to
the
maintainer
developer.
That's
most
of
my
work
in
the
open
ssf
is
focused
on
providing
services
for
that
those
communities,
but
we
can
do
things,
provide
education
and
support,
and
you
know
things
like
the
great
MFA
distribution
where
a
couple
two
years
ago,
the
foundation
gave
away
multi-factor
tokens
to
maintainers
to
help
prevent
some
of
these
supply
chain
things.
So
we
can.
H
A
Yeah
excellent,
well
I
joined
to
close
a
little
bit
at
any
other
business,
any
any
thing
anyone
else
wants
to
race
before
we
close
the
call,
no
okay,
so
good
discussion
as
always
good
to
get
back
back
to
the
table.
I
think
there's
a
lot
of
actions
as
always
and
I.
Think
really,
you
know
one
of
the
things
I
was
thinking
about.
Was
this?
A
We
can't
just
Constantino
the
whole
thing
into
a
one
hour.
So
apologies.
If
there's
like
actions
coming
out
of
this
thing-
and
it
sounds
all
sort
of
formal
but
the
reality
is
this-
we're
doing
more
work,
I
think
as
a
group
than
one
hour
every
two
weeks,
which
is
which
I
think
is
really
beneficial,
so
great
work,
great
work,
everyone
I'm
looking
forward
to
a
pretty
awesome,
2023
and
you
know
we'll
work
from
the
group
thanks
very
much.
Everyone
talk
to
everyone
soon,
bye.