From YouTube: End Users Working Group (March 30, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A: And Jeff, I think there was... we didn't add it to the agenda, but I think it was a bit of a double tap on the manifesto request. To do so, is that right? Yep.
A: That... thank you. So just for future reference for everyone: in the Slack chat, at the top, we have bookmarks, the end user notes and mission goals, Zoom, etc., etc. All right! So if people can add themselves to the notes document, I'd appreciate it. Well, let's kick off. So, Dan, thank you for being subscribed; start with any new friends joining us today.
D: Yes, so... yes, there we go, sorry, a little slow this morning. I had committed to having a spreadsheet out; I apologize. The last two weeks have included our fiscal year end, spring break travel, vacation and illness, so I apologize for that, but I will get it out. I know, Jonathan, you had mentioned that I think ADP is interested in participating. That's awesome.
D: I've also received commitments. I thought Morgan was going to be here today, but I don't see that they're on the call. I don't think... Morgan Stanley and Mercedes have committed, so I'm really excited about them participating. They are freeing up the right person, but they committed last week to joining this group, as has Boeing. So we've got some other highly regulated industries that are joining, so I'm really excited about that.
D: Also briefly, it's not membership. Hopefully it will be membership after the activity, but I want to talk a little bit about OpenSSF Day at the Linux Summit North America in Vancouver, so I had two presentations accepted there.
D: Well, one is a panel that I'm doing with IBM and Comcast and Morgan Stanley, actually, on just a kind of an overall topical view of OpenSSF and the state of cyber security and so on, and Nithya Ruff is joining us, who's chairman of the Linux Foundation, on the panel, so we're excited to have her participate. And then the other one I submitted, I wanted to have a panel of members here.
D: But what I found out at the last second, literally four hours before the deadline, is that any and every panel presentation must have a female participant and also someone from a, you know, kind of an underserved class, and so I didn't have all my panelists committed. So I kind of rewrote the presentation as a presentation on OpenSSF end user activities with Jonathan and myself, and that was accepted also, so I'm excited to do that. But I would still like to see if we can turn it into a panel.
D: So Jonathan and I are kind of reaching out; we'd like to find out if there are going to be any female attendees, participants from this working group, being in person at the event in Vancouver, or if we can network within our organizations to try and find someone who can participate.
A: To me... I'll be, should be in Vancouver. Obviously, I think we've raised this a couple of times before; many other people are going to be in Vancouver or are able to make the trip? Yeah, I'm not sure how many people are going to make it this time. We'll be glad to have you across there. Yeah, I'll be there.
A: Excellent. Jane, well, I think when we get there we'll see if we can catch up with people. I think it'd be great to catch up over a beer or two and start to talk about some of the end user group work. Very cool. All right, Andrew, thank you very much, and it sounds like some good progress there on the commitments. Hopefully you can get people attending.
A: They've done the initial easy part, yeah. Let's see. All right, very cool, right. So next item in the agenda was a request from Mike Scovetta around the Omega Assurance Framework, something that I've been cooking up. Sounds interesting, from the Alpha-Omega group. Of course, then, like, awesome.
E: Go through the deck super quick, look, it'll be demo and a couple of questions and whatever. So: Assurance assertions.
E: The goal is to provide stakeholders consumable data that they can use to describe the security quality of a thing. This is very related to, and I don't want to get too far into the, well, what's the risk, what's a, you know, vulnerability? Is it general? Is it for me? Like, those are all really good things.
E: I don't want this topic today to be about that, but it's basically more than, you know, give stakeholders enough information to make informed decisions themselves about whatever they believe the riskiest aspects of it to be. For example, right, today we have things like, you know, Scorecard metrics, which is mostly around, I'll say, health, security configuration, things like that, of a repo.
E: It doesn't do, for example, static analysis; it'll do like CVE checks. So a lot of organizations are pretty limited to kind of those two types of things when they evaluate a piece of open source. Most organizations, I would dare say practically all of them, don't crack into the open source code itself to see:
E: Is this thing safe? And that's because it's expensive and it's hard, so we're trying to lower the bar there in a way that just kind of moves the needle like one notch up. It's supposed to complement everything else. This is not intended to overlay on top of, or extend, but to complement GUAC, Scorecards, deps.dev, a lot of other things. So, context: most open source has never undergone any kind of security validation.
E: Like, you know, I'm saying looking at the code, the real, you know, the lowest level stuff, because it's expensive, but we need that. We need this data available. So the insight that kind of led to this, I think, is: if you run the best security tools on a piece of open source and it doesn't find any SQL injection,
E: for example, you could make a statement that, to the best of the state of the art, that project does not have any SQL injection, and then others can rely on that, knowing that you've done your best to make that statement factual.
E: So after that, it's basically... I'm just going to skip through most of this. So there are two parts of this: there's assertions and policies. An assertion is a fact. Example assertions: I was able to rebuild this package from this source code repository. As of this moment it is marked... It is associated with these CVEs. It's actively maintained, based off of Scorecard.
E: It has these aggregate findings from CodeQL or Semgrep, or pick your favorite tool. A code review was completed by this organization. A security expert looked at this tool and said it looks good to me. It implements crypto. It contains Perl.
E: These are all things that should be factual and objective. We can precisely define what these things mean, and it shouldn't be an argument over, like, what they imply; they're just a fact.
E: These things are expressed as JSON. It's loosely in-toto; we're gonna snap to the in-toto attestation spec as that matures, but for now it's, you know, it's supposed to be readable, with just enough information to convey what it's supposed to. There is evidence included in it.
E: So if you actually don't trust our assertion, you can go a little bit deeper. So this is an example of one based off of Scorecards. And then so that's assertions, and then you have policies, and the policy is where you add, like, your value, your judgment, your... What do you want to see? So you as an organization, you know: I would like all the packages that my organization consumes to be actively maintained.
E: I don't think that any npm modules should be implementing crypto, meaning like the math, within the module. I just don't think that's appropriate, for example. So I can express policies like that in terms of something that executes against one or more assertions and then comes out with a pass/fail.
E: So we can, you know, create lots of assertions, lots of policies, and then you can kind of choose which ones are good for your organization or make up your own. High level architecture: you know, we do some analysis.
E: The important thing here on this slide is that there's no human in the loop. So while you could have an additional assertion that I, as a security expert, you know, like, I reviewed left-pad, I said I think it's all good, so I'm going to sign off on that. That can be an additional assertion. Maybe that has a lot of value for you, or maybe you don't trust me and that has no value for you.
E: That's an important part of this, is that trust comes from the consumer. So all of us could be providing similar assertions into a common data store, and when you consume from that data store and make policy decisions based off of that, you can choose who to trust. You don't have to trust... You can trust OpenSSF. You could not trust OpenSSF.
E: You could have a private store that, you know, you keep yourself; you could use the public ones; you could use our policies; you could write your own policies. It's all open source and fun, and you can just add your own. API surface is pretty simple. It's, you know, you generate an assertion with this kind of input, this type, and then you analyze it, meaning running all the assertions, and then on the consumption part it's, you know, a similar API service. You get out a pass/fail.
A: Yes, I just... we talked about this before, but just trying to set some context of, as an end user, you know, we're consuming software and we're trying to validate software and get a secure place for people to build and test software that we can consume.
A: That is the idea behind this: to provide the additional sort of security attestation on top of that, so we can then make those policy decisions. And if that's really where we're going, who are you suggesting, the OSSF or Alpha-Omega, is gonna perhaps start to create these assertions? I'm just trying to figure out where that trust boundary is going, you know.
E: Yes, so I do think that... well, I think it'll be more obvious from the web view, which I think is coming up. Yeah, I think that's all I have for the deck. Here's the demo site, or not demo, I mean, it's a real site, so you're welcome to click around the links in the docs. But so this is the npm cheerio module.
E: I mean these are all... no ClamAV results. So the assertions, again, just the facts; the policies, that I don't think there should be any malware or viruses detected; and this is really just a pass/fail, because this is the execution of that policy against those assertions.
E: I don't know, check npm cheerio on the command line and come up with, you know, policy A fail, pass, pass, pass, or just the failed ones, or whatever, but it could just call this API and do this. You could also restrict things to a particular policy set. I intend to make it so that you can create your own.
E: You know, through the website and stuff like that, but essentially you have this thing, and then, Jonathan, after our previous conversation you mentioned it would be cool to have, like, the dependency view. So this is cheerio's dependency tree, you know, directs and indirects, and how they all fare. So obviously, demo site, I don't have a lot of data, but I do have some.
E: So this is showing that, you know, no viruses or malware were detected in domhandler, domutils and, you know, the rest of them, but like this one over here, boolbase, is not actively maintained. You know, yet cheerio is, so like that's interesting in some way. So what else? What else.
G: So, Michael, sorry, you mentioned on the slides that the trust will be kind of like placed on the end user to really take that decision, right. Are we gonna kind of like go with that path without any guidance, or how?
E: No, I would say, so for normal people, I would say the default would be trust OpenSSF, and if there's another organization, if we want to do kind of a formal relationship with another organization that creates lots of these, then maybe that would be part of the default.
E: So as part of the assertions, I run Semgrep and CodeQL. Would say you don't like those tools; you only want to rely on Coverity. You run Coverity yourself, generate assertions, somehow get them into a common pool of assertions, so you only want to trust static analysis results that come from Coverity. So that would be another example where it's not so much the signer, but the attributes of the assertion that you trust. Because policy evaluation, the default, is just Open Policy Agent, which is Rego, you can slice and dice the assertions in whatever way you want to decide whether or not you want to evaluate them. So I... we should come here with an opinion, but we should be flexible enough that if you have different opinions, you can ignore ours and just use the framework as a...
G: Right, I guess just as a follow-up, in terms of guidance, right. So, for example, right now you have on the policies "no viruses or malware detected", right, but there is no clear, I guess, reference of how this was evaluated, right. So.
D: Cool, so Michael, it'd be interesting to understand how you're going to actually... the language used to describe that. So, for example, if you said that we ran this through XYZ tool and no virus was detected, I don't think that those vendors who are described may want their name mentioned, for liability reasons, right. So how are you going to create, instead of metadata, or how are you going to actually describe it?
E: Well, so a couple things. Right now the only AV vendor that I'm using is ClamAV, so I feel pretty comfortable with using that. I also feel comfortable expressing facts like: I ran... I am saying that I ran this and it came out with zero results, and here's the output. Like, we're not saying that the tool is good or bad, or things like that, but I totally get that there's a liability thing there, before we especially reference commercial tools and what they found or did not find. We need to have that conversation with, I guess, LF Legal, to, you know, find the right balance of the two, but I also don't want to water down so much that we can't say anything useful for fear of offending somebody.
H: Yes, this is going to sound a lot like an academic giving a speech and reply at a conference, but have you had a chance to read my requirements for Universal Asset Graph before? I already checked. Oh, thank you, very funny. Of course, I bring it up just because there's overlap with what GUAC is doing, and they took some inspiration from their paper, and I'm sort of concerned about proliferation of different things that store similar data.
E: Would I... so we've already, I've had some preliminary conversations with GUAC. It would totally make sense, from my perspective, for these to be attributes living within a GUAC graph. Now whether they're also accessible through a different UI surface, because I think the UI surface, like right now, is relying on... at the moment, lower-end query, yeah, yeah, but conceptually, yeah, the two are totally complementary, and it would be silly for GUAC not to be able to surface this data through its API surface. So I totally intend for those to align; I just didn't want to get onto the GUAC train before I knew what it would look like. Yeah.
B: Yeah, so just so I understand the intention here, or what is being built, is a Linux Foundation-hosted platform that will have this kind of web interface and also an API that will enable people to query this information, both the assertions and the policies, about certain projects, right? So if that's the case, is the idea that other third parties, either members of OpenSSF or whatever, would be able to query this information and incorporate that into their own products, in which case, is that explicitly...
B: Is that data explicitly licensed in a way that's compatible with that? And, you know, I'm thinking specifically of, we have a product called Snyk Advisor, where somebody types a package name in and we give them information, right. You know, we're looking to incorporate Scorecard data into that. I'm thinking, as you're presenting this, we should be incorporating this data into it as well. Is that kind of part of the vision?
E: So, funny, so I actually, you know, I do have Snyk Code running in the back end, but I don't expose that, and one of the reasons is because there is... I need less ambiguity in terms of, like, am I allowed to publish the Snyk Code output from running against a piece of open source, and unless the answer is like a resounding "of course you are", I'm gonna tread really lightly toward that. But I think, conceptually, I would like...
E: Yes, this should be a platform, and what I'm describing is either this as a physical platform or via GUAC, you know, and/or risk dashboards, I think, is a place right there too, but whatever it is, LF will have a place where you can go and you can say, for npm cheerio, give me interesting information, and part of some of the results should be the execution of these policies, the policy execution results here, including the results of static analysis tools and things like that.
E: The one place where I just don't know where the balance is, is: do we give the raw static analysis results, knowing that there are going to be critical vulnerabilities in those results, and does that help the attacker too much, you know, or do we just give aggregated results, like, I found three critical vulnerabilities here, I'm not going to tell you what they are, but like, there is risk here in this box.
G: Yeah, Michael, do you mind going to the dependencies section? Please. Of course. Right, so I guess we are putting version in there, but so I brought up this before with other people, and not every single technology makes sure that the versioning is immutable. So is that something that we can kind of like pin down in this information, in kind of like this place, even programmatically as well?
E: If I have data on the columns... I am not sure how deps.dev knows that this version of cheerio has domhandler 5.0.3, because if it was a version range and 5.0.4 came out, would it have been 5.0.4? Like, so was it a point in time? I don't think you can determine these things statically from, you know, from a... I mean, if it has a package lock, maybe you can, so we can provide more information here. I'm also not, like, some... a lot of the policies are version-agnostic, so, like, "is the project actively maintained" will hold true for every version of that project, and is there a better way of conveying that, rather than treating everything as, you know, tied to a specific version? And I...
A: So, Michael, thanks for presenting. Is there anything that you're looking for from the group, or are there areas where we can keep in touch and see how this is progressing?
E: Both. I mean, certainly feedback, you know, always super useful. You know, I mean, I think I've gotten, like, the major features that I wanted done. So at this point I just need to find cycles to really connect deeply with GUAC and in-toto; those are, I think, the two at the top of my list to align there. But I also want to just, you know, gut feel, like, is this kind of information useful? Is it something that you would like to make a decision on? Or, like, you know, I don't want to build this just because, you know, I think it'd be useful, so think about it. You know, feedback always good, especially if it's like, this part's okay, but this part, like, no value to see the assertions, or, you know, the policy language is just way too limited to make any interesting decisions on it, but...
A: I think you and I had a conversation about it. I think, to me, it's useful information to get those attestations. It depends on who's creating the attestations and whether or not I trust them, or it's interesting information that we could then validate. I think one of the things I've been thinking about is the work that goes through Alpha-Omega, perhaps other entities. If we can get some of that security testing completed and then evidenced in a testable way, yeah, then I can make a call on whether or not I want to truly trust that, or at least use that as an information guideline of what's happening, and then perhaps write those attestations myself, or get a different vendor perhaps to do it, but that's my sort of personal view. I don't know if anyone else has anything to share.
A: Thanks very much, good stuff, looks really cool. Right, next up is Jeff, coming back to us on the supply chain manifesto work that was brought up a couple of weeks ago, I think a month ago.
C: Yeah, I think it was a couple weeks, yeah. I had a spring break with the kids and then I think we're off a meeting week, so yeah, so quick update.
C: You know, thanks for all the feedback from everyone. After conversation with Jonathan O'Brien, a number of others, especially around trying to simplify this and not get it mixed in with some of the good work, you know, being done with frameworks and the Security Development Covenant work, we've sort of trimmed it down a bit, so I have a new version. The previous version exists as well, so I can put that there. I'll put the new version in the chat here as well.
C: Let's send the doc. I'll say again, welcome all feedback, questions, comments, things you'd like to see us do regarding that. For those that aren't aware, this is sort of something in the spirit of the Agile Manifesto in, you know, how we can encourage organizations to solve the really big gaping hole today around, you know, consumption of open source, and, you know, what they can do at a broad view.
C: Up sooner rather than later, I think that really comes down to Brian Fox. He has a few, I think, conversations with some of the leadership and spreading it around OpenSSF as well. We have a blog post in draft as well, but we've been incubating on this for a number of weeks, so I think, you know, we got to a pretty good point, at least with comments on the last draft. I don't think there's anything shocking in this.
A: Got it, pretty cool, pretty cool. All right, so it's for information purposes; if people want to reach out and sign up to that or provide feedback, yeah, all right, pretty cool, all right! Thank you, and moving on to the next element, which was the architecture and threat modeling piece of work that we've been doing for a couple of weeks now. Abdullah, do you want to bring up the page? Yeah, let me maybe do that. You pinged it to me, didn't you? Yep, give me two seconds, let's see if I can bring that up, thanks.
A: Work from home. All right, just sharing updates. So since the last call, Henrik, Abdullah and myself got together for a good session or two looking through the architecture. We took in the additional feedback we had from the previous sessions and, to be honest, I think we've got to the point now where, for a single architecture, the large-scale in-house development architecture, I think we've got to a point where we're pretty much finished on this one.
A: I think there's a couple of conversations about the distribution platforms. We split that out into proprietary versus open source; remember that was a particular focal point. There were conversations about the maintenance of the architecture, and what we sort of suggested was really up here: we're highlighting there's multiple different use cases of that architecture, and rather than clutter that same architecture with multiple different duplicative diagrams and arrows, we put them up separately, as not the main flow of the data.
A: There are definitely people that would be working on that as well, and I think we've gone through it to the point that now we're starting to look through and start to do some fairly lightweight threat modeling. So we're starting to identify key assets within that architecture that we'd need to protect, particularly secrets and keys throughout pretty much multiple different elements of that SDLC, the source code and binary flowing through pretty much each individual system as well, and so forth.
A: One of the things that we'd also discussed was whether or not to include insider threat as one of the threat actors, and our suggestion was not to initially, and perhaps look at that subsequently, just in the interests of time and actually trying to get some value out of this rather than bikeshedding the thing to death, thinking about everyone as an attacker. So that's kind of our approach.
A: We have held off doing the small-scale architecture, clearly because we still can't find sufficient input, let's say, from people and companies that are in that smaller scale. I think we were discussing amongst ourselves and the reality hit that, not really, you know, none of us are from a small-scale or a small in-house development shop; we're from large institutions or even startups, in inverted commas, that have 100 people working for them, which now, arguably, that's not exactly the smallest of small. So rather than suggest, don't worry about it.
G: I think, just in terms of next steps, right, you mentioned that we have started with a light threat modeling, but the next stage is to actually, yeah, blow that up and be able to define properly every single threat.
A: Yeah, so we're going through the taxonomy that was presented last time, in absence of anything else particularly, although I know those conversations are still going around the taxonomy, and then we'll start to look at, given the architecture, given the threat models around it, where do the different standards fit? Where does SLSA fit? Where does SSDF, S2C2F fit within that? And then perhaps look at how this could lead to a Sterling Toolchain or some form of toolchain that would link all of this together. That's really the next part of it.
A: So those sort of sessions will continue. We can certainly talk through it a little bit more today if that's of interest; we'll move on to any other business, but I think we just need to keep plodding on and adding additional sessions to the calendar for people who are interested in digging into this, yeah.
A: All right, one of the things that I've been particularly bad at, but we've managed to get through it anyway, is actually putting additional meetings on the community calendar. Although we have informally got everyone together and done it anyway, I think it is something we need to take as an action, or if anyone else could take it as an action, since I failed twice already in doing so, of putting a community calendar appointment in there. I'll leave that to others. All right.
G: I guess, John, it will be a good time to ask people that, if they know someone in some company that's relatively small, to just kind of like ask them to show up a little bit, so we can get that feedback, right. At the end of the day, we're still kind of like winging it.
A: I think that's in general, right. I think as an end user group, we have more, you know, and as Andrew's working through the membership, we're trying to get additional members to attend, as well as just consume the output, when going through that in a sort of prioritized order. But if people do find smaller team members or smaller companies, I think that would really be beneficial.
C: Yeah, sorry, yeah, no, absolutely open to any alternatives as well, so feel free to put that at the top, add a comment. Like I say, it's meant to be community-sourced, so totally understand.
A: This was... so from the mission statement we had, it was more end users, like consumers of end products, enterprises, things like that, as end users, not as much on the maintainer side, but I could be speaking out of turn. Okay.
I: Well, I have a topic that's about maintainers as end users. I don't know if that's... I don't know if you want to hear about it at that point, but I'll run it by you, and if you're like, nah, leave us alone, this is not in scope, then that's fine and I will take my tail and go elsewhere. I'm working on a SIG under the Vulnerability Disclosure SIG, which is not yet a SIG, because we need a couple more meetings, but it's a SIG focused on auto-fixing. So basically the work that I've been engaging in the past year and change has been automating the fixing of widespread common security vulnerabilities across open source and generating bulk pull requests to fix those vulnerabilities. And it's kind of, in just me and my work, and then some other researchers followed in my footsteps and did it as well, and because this work is becoming more normalized, generating pull requests at scale, and the potential negative reactions of maintainers... I mean, a lot of maintainers are like, you know, thanks, great, merge it and then go, you know. That's it, but there are some maintainers that have more negative knee-jerk reactions to an automated bot or automated tooling, not really a bot but automated tooling, generating pull requests to fix their code.
I: There's a specification that I've written up for defining what is an Open Source Security Foundation-compliant automated vulnerability fix campaign, and I don't know if this is of interest to the group. There are SIG meetings every Wednesday... every two weeks, sorry, every two weeks on Wednesday at 4 pm, discussing this topic.
I: One of the topics in particular is this topic of pull request generation flow, and, you know, whether or not there is... whether or not we should... For, you know, this specification is not just so... This work of automating pull request generation will be not just something that Alpha-Omega does, which is where I work; I'm part of Alpha-Omega. But also the idea of the specification is defining it so that this is something that any organization can implement in such a way that they are compliant with what the OpenSSF defines as a standard for this practice, so yeah. So it's a discussion of, you know, what are the best practices? What do we expect of the people...
I: You know, of people doing this work. You know, topics like: is there an expectation that this is done privately? If so, how does it get done privately? GitHub doesn't have a way via an API to create a private issue or a private security advisory, but they are adding that within the next two... well, they're shipping something today and then they're adding support for it in two weeks. However, GitHub private vulnerability disclosure is still opt-in by maintainers, so you can't... so yeah, large topic. Are people interested in learning more? You want me to go away? You know, yeah, that's that spiel, though.
H: I think it's interesting. I don't know that it's within our usual scope, yeah, just that we're usually on the consuming side of open source, rather than the producing side.
I: Yeah, this is the spec, and then the meeting notes are using the Vulnerability Disclosures Working Group meeting notes. So if you are interested in following meeting notes, go have a look at that. They're also recorded and also uploaded, probably just under the Vulnerability Disclosures Working Group. Got it.
A: Software Integrity one, or any CC ones this week? Nope. I can give a quick update on the SBOM Forum, which Tom Alrich runs, and a number of others.
A: Definitely an interesting forum; they're discussing potential changes to NVD and such, and looking at how, you know, with some changes to the data schema, perhaps it'll be possible to get a better end result. So I think some interesting things coming out from Tom and team. I'm not sure how much of that has been presented publicly, but I think there's some good blog articles that Tom's putting out there; might be of interest to the group. All right, other than that, anyone got any other business?
B: Yes, Dan Murphy, Jonathan. How plugged together is that with the SBOM Everywhere work stream that's happening in here, in up in Southland?
A: Clear, Dan, I'll reach out and let them know. It's more of a general conversation in that group, so, you know, I think they're just talking about that for that last week, as opposed to anything formal, but I'll reach out to them as well.
B: Yeah, that conversation is happening in the Security Tooling Working Group and I've been plugged into that, and one of the things that we're doing there is putting together a use case document and talking about different user needs around SBOMs, and there's a lot of good discussion happening there. Just, I mean, I'm not officially, you know, whatever, appointed or anointed, to give an SBOM Everywhere update. So I wouldn't stick my hand up and pretend to be doing that, but it does sound like something that you might want to check out. Yeah, thanks. Yeah, Josh Bressers is chairing that effort.
A: No, all right. Well, I think we're going to be heading into holiday season fairly soon, so if people aren't available next week or the week after, have a good vacation and we'll see people when they come back. Other than that, we will somehow get this architecture meeting on the community calendar by hook or by crook, but it's good to see that we're making some progress there. So thanks, Abdullah and Rick, you know, Cynthia, we'll get some work done, so pretty cool, all right! Thanks a lot, everyone, thanks for your time.