From YouTube: OpenSSF Identifying Security Threats WG (March 3, 2021)
Description
No description was provided for this meeting.
A: Everybody, to the March 3rd Identifying Security Threats Working Group meeting. We have a couple, well, just one new folk on the line. John, hi, welcome. Would you mind doing just a quick intro while I share screen, and we'll...
B: Sure, absolutely. Hi, John Meadows, in DevSecOps engineering, cloud security engineering, from Citibank.
A: Awesome, welcome. Since we only have, like, there's like seven people on the line, maybe we'll just do a quick round for John, everybody else. Okay.
C: Why don't you declare who speaks next, because otherwise it's confusing. There you go, David, you win! Okay, all right! So I win, see the scare quotes. So, David Wheeler. I work at the Linux Foundation and my task really is to try to help. My overall task is I'm trying to help open source software be more secure in the context of OpenSSF, and in this group I'm trying to provide support where it's helpful from a technical viewpoint, anywhere from convincing to writing code and so on.
C: Among the things that's relevant in this context, I also lead the CII Best Practices badge, which is one of the data inputs to this cool thing that Michael has been kicking off here.
E: Yep, it's I'll test here, hi everybody! I work with Security Compass, just joined. I assume we're doing introductions. Is that what this is? Great, cool, so welcome. You know, I mean, I just love to see everybody here. We're very interested in the whole space of security and coding. I see some familiar faces here as well, so just looking forward to contributing. Thanks.
A: Awesome. Dan.

G: Thanks, Dylan. Hey everyone, yeah, my name is Dylan. I am a fourth year engineering student at UC Berkeley, former intern with Mike, and I've been, yeah, really interested in and kind of working on all this open source, you know, open source and security space, and yeah.
H: And I am a security engineer, and I'm working in this group for some months, I think, and yes, I like the open source ecosystem and I think we need to improve the security. So I have to contribute to this goal.
H: Awesome, ready.

A: You come back, Ryan.
A: Cool, I think we're good. Super. So here's the agenda for today, although let's talk, since we were talking about the metrics dashboard, let's look at the top. I do want to talk a bit about the dependency confusion attacks that have been going on and talk a little bit about what we can actually do about that, since identifying security threats is in our working group name.
A: Maybe we should be doing some identifying security threats, and then talk a little about the security reviews project and current state and the blog that we were going to publish, and just kind of go from there. If you guys have anything else that you want to talk about, please edit the topics list. If you don't have access to this, I'll shoot a link.
C: Okay, well, hopefully it's the okay-to-post and not the disaster post.
A: Metrics dashboard. David, you were on a roll, so I'd want to...
C: I think that front page, that top page, needs to make it clear that this is an early proof of concept. I mean, I don't have any trouble with turning the proof of concept into the real thing, but just, you know, to help people understand that, you know, this is not the final. This is early work in progress. You can see it being cooked.
C: I think we need to set that front page to a project that, you know, makes, you know, like the real Kubernetes would be great. Set the search, set the component name. I assume you can do that? Yeah, yeah, I don't know, it was just what was in there last. I saved it. Right, right, but I think we need to...
C: I think it's important to set them on a page just so they can get an idea of what this is, and then, let's, I think we can just set a redirector from metrics.openssf.org to point to this, and then somebody can type in metrics.openssf.org, poof. Okay, it's not done, it's really early, but you can see what we're trying to accomplish, and I think that would be...
A: True, yeah. Do you think we should have kind of a base landing page where you kind of have a "learn about the project" and, like, here, "get involved", and then click on the dashboard to actually see it, and then...
A: Actually, like, messing with the Grafana internals, there's a wizardry about that.
C: Okay, yeah, I like a little front page that explains what it is, and then a click that says, hey, you want to see some examples? Click here to see Kubernetes, click here to do that. I imagine that you can set within a URL the search value and the component selection.
C: Cool, yeah. I want to balance between, you know, if it's too rough, people go, it's ridiculous, but yeah, it doesn't have to be done. Really, I think you already have something: it's no longer a concept, you're actually showing real data, and I could be using this now. There, I do have, you know, as we talked about before...
C: I have complaints about some of the data you're collecting, and I don't know why it's not showing the 90-day number of contributors on Kubernetes, because I know it's got them. So there are things to fix, but I guess, you know, we've got to balance the, if we fix it forever and we never post anything, we're not going to get that influx of folks and interest, and it takes an incredible amount of time to get people aware of stuff.
A: So we do need to talk about, like, long-term ownership of the infrastructure, because right now this is in, like, some test Azure subscription that I have, which is fine for now, it's not going to go anywhere, but I personally should not own the infrastructure for this long term. Right, right, okay. So, us on the landing page. Who is there? Anybody on this call that is willing to and capable of building the UX?
C: So Ryan's gonna, okay. And then Mike, if you wanna write the initial text, because I'm sure you have specific text in mind, I would be happy to bits it. Otherwise, I will write the text and do that.
A: Perfect, perfect. I know we talked about this a couple times. I'm sure it's in the notes here somewhere on who to talk to to make this happen. I'll dig that out and do that. Maybe refresh frequency, I just will make it a week.
A: Target project, we'll just start, and we'll continue to do this CII Best Practice, sorry, Best Practices, and Scorecard. Yeah, we still haven't...
C: Yeah, okay, yeah. I think we need, I think, I'm looking forward to more people knowing how to find this and looking at it, because I do think that people are going to have that reaction: yeah, we know there's things to be fixed, but, you know, it's clearly moving on. And I think that's actually one of the other things on the text: hey, this is preliminary, we would love your feedback.
A: Cool, okay. Anything else on the metrics dashboard side? So I think our goal will be in the next two weeks to, I think we can have...
A: I think we can have all the stuff, well, but I don't know what's involved in the metrics CNAME thing. Either way, with or without the CNAME, we should be able to have this done in the next two weeks. So I...
C: Think, yeah. And Mike, if you have any problems, let me know, because I'd be happy to, you know, contact the IT folks and make things happen.
A: Wonderful, okay. So next up is the dependency confusion attacks. Is anybody not aware of this, whatever you want to call it?
A: Absolutely, and yeah. So it's been busy over the past, literally, like 12 hours after the blog article went out there was just another article that I just saw this morning. Sonatype found something like 700 of these. We've been, so we built tooling that we've been scanning with since a couple weeks before it went public, and we found, I mean, we're up to 6000 packages removed and a larger number of projects that have not yet been removed. So who's the hour work.
A: I'm sorry, yeah, I should. So as part of, oh, I didn't even introduce myself, I'm sorry, John. So I run the open source security team at Microsoft. We do proactive security reviews, build tooling, generally try to push the organization in the right direction, and do things like this with OpenSSF and another, SAFECode, and some other orgs on, let's say, advancing the state of open source security generally.
A: So as part of this, we run, we build a lot of tools. One of the tools is looking for these kind of dependency confusion attacks. So we look for packages that have been registered internally that don't appear in the public, and then all of a sudden, whoop, they appear in the public, and then we use that to, then we dig in and see what's going on.
A: So as a result of this, we found lots and lots and lots and lots and lots and lots of packages. Most of them have been, in fact, I can show you some of them. Most of them have been. Michael?
H: Go ahead. A question about these packages: do you think that Microsoft will share some data or information about these malicious ecosystem packages? I mean, like the name or the file, the, yes, the malicious code that they usually use and similar information, because maybe Microsoft has worked on PyPI and npm, but maybe similar packets can be found in other ecosystems, and maybe information, open data about this Microsoft research, can help how to identify malicious packages. Do you think this possible, shared data or not?
A: So I would like to share as much, like, obviously I'm not going to share anything until the package is taken down, but then, and honestly, if you've seen like three of them, you've seen them all. Like, they're not so different that you need to see, like, every single one. In fact, most of them are just, it's just a template. But we published this security review, which hasn't been merged yet, but this is one of the first ones that came out. And where is it?
A: Oh, you know what, I do not include the source code of the actual thing in this. Yes, we can. I think we can provide more information. I want to work with the npm team and PyPI, if I can, to kind of, I mean, I think there should be some sort of a joint, like, response to this and get all this information out. Yeah, yeah. These are kind of sterilized.
H: Because I am, I don't know, maybe it is only my concern, but PyPI and npm are, from some point of view, a solid ecosystem, and sorry, package manager, if we can call them so, but for harder languages that are used usually in the backend, like Golang...
H: Now there isn't a solid ecosystem, so I think similar attacks can be easier for some languages like Go, because it is new, it is young, and yes, it is growing now, and...
C: Yes. Whether or not it's new or not, I don't think it matters. I think, for the dependency confusion, what matters is the package managers have to, in the long term, build in the countermeasure, so that this, I would say, fundamentally, defense. I would argue dependency confusion is a vulnerability in certain package managers.
C: Need to fix, and it's going to take a while, because that's going to require changes for a lot of folks, but in the long term that's the only winning game in this, because if we expect people to always be perfect, that is never going to work. If the package managers automatically say, wait a minute, I don't know which repo that is, please fix this, then you're going to be fine.
C: To, no, no, no, you don't need a global namespace. There's no requirement for a global namespace. There's a requirement, when you say load package X, there's only one repo you go to. It doesn't have to be global. It could be local to that package. Sure, but whatever it is, there must not be more than one option, and there's a million ways to solve it.
A: Right, correct, yeah. So what we're seeing in these attacks is like, like this is one that, there were 5300 packages that were published in PyPI. They've all been removed, but this was, they all look like this. So this is an attack.
A: The name "lab" is, it was the package name, and it's just, you know, doing this. It's just pinging the service. Presumably this is, you know, the researcher or attacker or whatever we're gonna call them owns that IP, certainly. So that's one, and so the way that I would categorize what I've seen so far is that they fall into one of like three or four categories. One is that they just do a ping, and is this malicious? Well, not really, I mean it's...
A: It's certainly designed to break something, to call attention to something. So if your service goes down as a result, I think you'd be pretty upset, but it's not like doing anything other than doing that ping. And then the next level up from this, which is what I wrote about here, what they do is they exfiltrate the, it's usually the hostname, the username, and a local path.
A: This was done a lot for bug bounty money, so, you know, they'll even say it in the thing, that I made this package to collect bug bounty money from HackerOne, and you look and he's like, well, okay, so username and local path. There could be something sensitive in there, and at that point you're like, I think that point, in my opinion at least, crosses the line of, like, you know, this should be...
A: This should definitely be taken down. And then one level up from there exfiltrates environment variables or other sensitive files, and I think that's what the, I didn't read the full Sonatype article, but from the first paragraph it seemed like that's what those were doing. And then one level up from there is like full reverse shell, like real ex, you know, pulling down random code and running it and all that stuff. So...
C: Yeah, I think the problem is the weaker ones may be just tests for the later ones. I mean, SolarWinds was a wonderful example of that. The attack actually was much earlier. Well, the subversion was earlier, but it didn't do anything, and it seems to have been a test to see if they could get it through. Absolutely.
A: And because they, since they're counting installs, they know which ones are being used and by whom, so they can, you know, there's, it is super dangerous to have these things out there. So I'm, you know, I feel like we're playing whack-a-mole and seeing new, like, the general pattern is pretty easy just to spot. The specific patterns change, they're always sending it to different servers and things like that.
A: But what we do have is, and maybe this is an opportunity for kind of a tooling thing here, so we do have a tool that looks specifically for backdoors, and this is a public tool that has been out there for quite a while, and it's just regexes. So, you know, as an example, this is one that we've, you know, if I see the word ".userinfo" anywhere in anything, it'll pop out. Now, there's gonna be false positives.
A: Obviously, in PowerShell, if you invoke and then you have the environment variable specified on the same line, that'll pop out. So all of these are meant, you know, to catch the needles at the expense of you having to look through a little bit of hay. You know, but I'm planning to expand these rules a bit with what we learned from all of this, so at least it'll catch, like, the common, you know, all the common patterns.
C: By the way, the OpenSSF, I typed in a little later on the text, the OpenSSF Securing Critical Projects Working Group has been also working on some things. In particular, they've got two projects, Package Feeds and Package Analysis. Package Feeds monitors the various repos to report, oh look, this package got updated or this package just got, and then Package Analysis is one program to analyze, and I think they're theorizing that you'll be plugging in many different analyzers.
A: No, no, no, this predates OpenSSF by a bit. Okay, but yes, it should be able to plug in, and we also released the typosquatting detection one as well. So given...
C: Actually, you know, it might not be bad. It's probably unique.
A: Yeah, probably, yeah. So what it does is it takes left-pad, finds all the permutations, and looks for each permutation in the package manager. So it's kind of, it's not super smart, but the generator tends to find some good things. We've found a bunch of, like, malicious typosquatting using this. So, cool.
A: Contributions are always welcome, partnership, whatever. I think we're still in the position where we need more, better tools. So, however all this works is great. And also I should just give a shout out.
A: Thank you to libraries.io, which has been invaluable. Their API for listening to the ecosystem as new packages get published, there's an API search where, if you search for basically everything and sort by latest publish date, you can kind of keep your thumb on the stream of new publishes going by, which is awesome. I don't know how I would replicate this without something like that. So...
A: That they do pretty okay is normalizing data between different package managers. We're kind of using that as inspiration for the OSS metadata project, which is intended to be, just give me the metadata in a fully normalized, by, you know, between the different ecosystems, view of something.
A: So I can compare apples to apples, so doing things like give me all the authors of all packages, you know, called whatever, foo, across, you know, CPAN through Go or GitHub or anything else. So we're trying to make it this kind of Swiss army knife of OSS tools.
A: Cool. Hi, Art, I see you joined, welcome.
A: Yeah, let's do it. So, oh, it's the security reviews, so blog announcement. So yeah, so for everybody that has contributed or done anything with the security reviews project, thank you. I think we're off to a good start. I may have been a little bit over-optimistic on how fast we would be able to, like...
C: Stick data in. Well, and I noticed OSTIF's put in a few, but I know Austin has more, and my understanding is Microsoft also has some more. I mean, frankly, just between OSTIF and Mike and Microsoft, that should be a pretty hefty list.
D: That there's a pull request now, Michael, so if you need me to do anything with that, just let me know.
A: So I'll give you my perspective. I want to, I think the first couple are going to be hard because we're still trying to answer the question, like, what should be in it? Well, yeah, like, is this a list of vulnerabilities that have been fixed? Is this, like, exactly? I know a point came up that I've been struggling to, like, rationalize in my head. Like, should we just be giving good news?
C: I mean, I would have said that about OpenSSL about five, about six, seven years ago. You know, and yes, there are things you can complain about it now, but it's far better than it was.
A: So do you think, so if you, so, if, let's say, if you as a maintainer, or an OpenSSF, not a third-party researcher, looked at OpenSSL, or what's called foo. You looked at foo and you said foo is just garbage, like nobody should be using foo, in the world, like. Are we...
A: Is there a difference, fundamentally, between third-party assessments, like, like Amir, like putting the one that OSTIF did independently and linking to it, or the zlib one from Trail of Bits, or things like that, and ones that, like, somebody, like, looks at foo, comes to some decision and some thoughts on foo, and then types out their thoughts and adds that as a first-party review that doesn't have any other resources linked to it? First-party review, you mean review of yourself.
C: If somebody just says I don't like it, I don't think we want that in there. We said curated, but I think by curated we have been a little vague, and maybe that's the real problem. You asked: when is the right time to announce this? I think the right time to announce this is, one, we have some examples. We got that, frankly. And two, I think we need to lay out much more specifically.
C: You may not come to the same conclusion, but the facts are unassailable. Right, so I think that right now the blocker for the blog announcement is, I mean, we could always improve what the reviews are, and I think we should have more. I think we should add some more. You know, Austin's already working on that. You have something left to add, but I think the other main thing is: here is what we include. This is what we allow. This is what we just allowed.
C: Yeah, must have, you know, it must have, I would say, not be, must not be first party, must not be review yourself. Yeah, yeah. It must be third-party review, not yourself.
A: Right, well, actually, so that's actually interesting, because one of the things that we say here in the quick start page, which I need to change over to Dylan's version of this, that looks a lot nicer, is: what is your association?
A: So if you, I think, if you are a contributor or it's somehow related to the project, and I think it gets so much in a gray area because who that is, you're right, it's disclosed, I think it's okay. And also a compensation source, and I really don't like these words, but I couldn't come up with better words to mean kind of this, like, if you choose, like...
A: I don't think we should force anybody to declare a compensation source, but, like, if you were paid by the project to do a security review of it, like, that's relevant to your review, and if you were paid by a different organization, I think that's relevant, you know, in a different way. I'm actually not sure what to put for, like...
D: Yeah, I think it is important to note that, because it could reveal some information, and it's funny you bring that up, because that was actually one of the main reasons we started OSTIF, was to have kind of like a third-party, independent, objective, almost, you know, party that's separate to be involved, because sometimes, yeah, it could be, yeah, we chose the auditor, we paid for it, and we think everything is okay, and...
C: Well, let's go down to brass tacks, because I think there are some examples that make this potentially complicated, but I think it's fine as long as it's revealed. The Linux Foundation includes the Linux kernel project. The Linux Foundation is paying OSTIF for two, well, for multiple external evaluations. Okay, is there a relationship? Yes.
G: One quick thing I just want to kind of jump in and mention is I do think it's a little important, just, like, while we're considering this in terms of, like, the content that we're kind of, you know, while we're kind of figuring that out right now, that this does kind of directly reflect on the project metrics project, right? Like, what we do, what we write here will, like, potentially be showing up as, like, a potential section there, right?
A: Yeah, and this kind of goes back to, like, should we include, like, the npm advisories as reviews, and should we kind of sync them somehow? And I'll say I'm going back and forth on that, yeah.
A: It's only bad things, so maybe the metrics dashboard should provide a view into publicly known vulnerabilities coming from multiple sources, and not kind of shove everything into the security reviews.
C: Yeah, I mean, right now we haven't talked about this, but the idea of the metrics connecting into, like, the National Vulnerability Database, yeah. I don't know if we've talked about that, but I think that might be, that might definitely help connect the metrics dashboard with, I'll spell it out, National Vulnerability Database, and DVD as well.
D: Yep, going along with that point, would it be a good idea to have consistent categories then, if it's feeding different data points, to kind of structuralize, you know, was it a source code review or was it, like, an ancillary review, you know, or something like that, to kind of standardize the categories in a way?
A: Yeah, so I tried to do that with this. I know that there aren't enough categories here, but at least I thought that if this was, if I was just referring to something, you know, Cure53 did, I would probably just call it an external review, but if it was something that, yeah, but by the way, if...
C: I can, having, bearing some past scars, if you can, try to avoid creating categories. Instead, create a bunch of yes/no's: did this review source code? Did this do fuzzing? You know, check the boxes, because otherwise what you're going to find is that I have five categories and half of the project, half of the reviews, don't fit a category, because, well, this one did a source code review, this one didn't, and this one...
C: Totally. Cool, okay, so I think for the blog announcement, I don't, I think, I mean, we've actually quietly mentioned this in several things. I think, I mean, how long will it take for Microsoft and OSTIF at least to add what they've done? I mean, at that point, once, for sure, you've got that.
A: That would be fine. I think my, I would like to see more diversity of organizations that contribute, and maybe it's cart before the horse and you have to announce it in order for people to know to come to the party. What I'm a little afraid of is only, you know, whatever, three organizations contribute and everybody else just looks at it and says, cool, thanks, and there's no, like, either incentive or peer pressure or whatever to get...
A: You know, to keep the resource building, and maybe it's just too early to have that. I should just be quiet and just move on. I think it's a legitimate concern.
C: But I think that in some sense the easy way, I think the easy thing to do is start by announcing the party, yeah.
C: I don't think your concern is unreasonable. I think it's very, very reasonable, but before we try to solve the problem, let's try to do the easy, we may not need to solve the problem because the problem will be solved, but, you know, if it turns out that we've added all this stuff, we've put it out and keep announcing it and there's no additions... Now, I will say that the LF does intend to...
C: You know, fund more audits. I know that there's been some discussions within the OpenSSF, like the Critical working group, to eventually fund a number of audits. Should that happen, my expectation is that every single one of them will end up here. So, if nothing else, they'll be, I'm...
A: I would be happy, yeah, that sounds good. Let's just do it, yeah. And then, okay, so for the actual blog announcement, Amir, I think you have the current version. Would you mind posting a link to that in here, and folks on the call?
A: Please give feedback and let's kind of polish this off. I think from a workflow perspective we need to give it to the governing board or the steering committee or whatever. The governing board? You give it to the governing board if it's an announcement. Yes, yes. And then the governing board, I think, either meets Fridays or every other Friday, or at some point they'll review it, they'll give it a thumbs up, and then it'll go out. So there's probably, like, a, I don't know, eight or ten day lead time. Yeah.
C: Going to want to do an email vote, so, and that just, you know, there's a time period to give everybody a chance to read it, but yeah. I don't expect an issue. They'll be delighted. Okay.
A: So then do we want to plan for, let's see, our next meeting, I think, is the 15th. Do we want to plan for a blog article, for the blog article to go? I don't know what day of the week is the right, is the better day. I know, I'm sure there's a bad day. I think Friday's probably a bad day, so maybe Monday, maybe the 22nd.
C: I would actually talk, if you want, like, I can talk with our publicity folks to make sure that it goes out at good times. Yeah, and in fact, if you want, we can, I don't know if this is a good thing.
C: So I think just go as an announcement, as a blog post, but yeah. But I think it's very important that we nail down on the website, not just in the blog post, the criteria for what is required to be included. Do you think we've got that? I'm not! Last I looked, I think it was a little sparse.
A: So we do have a quality bar, and then this is really, like, instructions for the PR reviewer, which is really the, what does it take to get it in here? So, you know, there's some, a week of kind of time for others to review. We need two project maintainers to approve it before it gets merged.
C: Okay, I'm looking at ossf/security-reviews. Oh, sorry, are you seeing my screen? I thought I, what I was interested in was what the web page actually says, so, yeah. I can go back to your screen, but I was way more worried about what this, you know, if somebody just shows up, what are they going to see? Oh.
C: The problem is that the wiki's not maintained, is the same, yeah. It's associated with, and it is version controlled, I know, but it's different, yeah, it's different and it's not very visible. Yep, yeah, cause, I, because, for, you know, let's see here. So let's look ahead and walk through this thing.
C: Let's see, I guess I can click on a wiki myself. Oh wait, Home, Disclosure Policy, nope, the third one. What, PR Review Process, yeah, see! That's exactly wrong, in my opinion. That tells me a process.
A: Okay, we only have like 30 seconds left in the meeting. I would really like to get an owner to refactor the README, wiki, and kind of make that much easier to read and understand, and put it all in the README on the front page, and move things around and kind of just do a general polishing.
C: Yeah, and I would be happy to help as well. My day today is a little crazy, but if you give me a day or two, when I don't have back-to-back meetings, you know, I could take a shot at this tomorrow.
C: Well, how's this, Mike: your job is to review as quickly as possible, and if you like it, merge it fast so that we have fewer merge conflicts. That works. But I think you asked, hey, when can we announce? And I think that's the key, is putting that information front and center.