Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A
Now that you've hit record, let me just quickly recap this big OpenSSF announcement. I've posted the press release in the chat, basically about raising 10 million dollars.

B
Okay, that is a terrific announcement. I'm really looking forward to helping to get this balance off our books.

A
Yeah, now we gotta take the money and turn it into actual work, and that's an awesome problem.

B
Cool, all right, so let's do this for today: we'll talk about vanessa, seth, timmy, oldman.

B
Nice, cool, so we covered the first one. If you guys have anything else to add, just add them in. Oh, and Sergio, welcome. If you want to, you don't have to, but if you'd like to introduce yourself, we can just kind of real quick say who we are.

E
I'm starting. Well, I was a software engineer at arena world, but right now I'm just doing my own thing. Previously I contributed to the Brave browser and I also contributed to Pixar's OpenTimelineIO, and I'm here just to learn more about security.

B
Awesome, awesome, welcome. I guess since there's only five of us, we can just do a quick roundtable. My name is Michael Scovetta. I lead this working group. I lead an open source security and tooling team at Microsoft, and I just have my fingers in a lot of pies related to open source and security, and trying to agitate organizations to.

A
So, David A. Wheeler. I work at the Linux Foundation. My official title is Director of Open Source Supply Chain Security, but what that really means is that I run around to different groups like this one and try to be helpful and supportive and try to help out doing various things. I've been working on, you know, securing software, or open source software, for literally decades.

A
And by the way, Sergio, you mentioned you're interested in learning more about security. The OpenSSF actually has a training, a little training course on edX that you might want to check out. I will post a link in the notes. The cost is hard to beat: it is literally free.

A
So if you're interested in how to develop secure software, go take that course. Hopefully you'll learn good stuff.

F
I'm Dylan. Hey guys, my name is Dylan. I am a software engineer at Microsoft and I'm very involved in the security space there, and I also enjoy kind of learning more about and exposing myself to the open source space. I think I joined this group about a year ago now, and yeah, that's my short spiel.

B
Awesome. Luigi or Amir, whoever can come with me at first.

C
Okay, I'm Luigi, a security engineer at a startup. Previously I have worked in Arduino, an open source company based in Italy, and I joined this project more than one year ago, and I am generally interested in security for the open source ecosystem.

B
Cool, awesome, okay, so we did the welcome. We talked about the OpenSSF's announcement today, which is terrific. Luigi, do you want to give an update on the security yaml?

C
Yes, I prefer, or.

C
I try, because I am on Linux. This is the first time that I share the screen, so.

C
Okay, you can see everything, and this is okay. In the last two weeks I have tried to formalize the introduction and especially the problem statement. In particular, I have used a user story approach to define the statement for our problems, so we have different personas, or potentially interested persons, in the yaml file. We have the security researcher. We have the generic user. That can be.

C
This means a developer that wants to use a particular package, for example, or open source project, or this means also the CTO that wants to implement a particular technology for the next year in a company. We have the maintainer. I have preferred to use maintainer instead of author, because sometimes, I mean, the author or the authors are the people that create the first commit for a new project, and they cannot change: you are the author of a particular project. Maintainers can change over time.

C
That's why I prefer to use maintainer, and I have tried to define some requirements for the yaml in particular. Mike forwarded me a good tweet, with a good input for the yaml related to how the maintainers of a particular open source project can receive the record without receiving too much spam.

C
So probably we need to understand how to define threat modeling for a particular open source project, and there are some open questions at the moment. If you want to add comments and contribute, feel free to do so, because there are literally open questions at the moment. I have no solution, and the next steps are to formalize some other comments that are in the document and create a first example of a sort of template for the yaml file.

A
This is interesting, although it actually is very different than the information that I was emphasizing. I'm not sure I would say no to this, but it doesn't include the primary purpose of this tool, of this document, that I thought that I had in mind. That's okay. That means that we're clarifying through this process the difference in my notion. The primary purpose was to provide automated tools like Scorecard information about how the project counters attacks, and I think that's basically another bullet I'd like to add to the top.

B
The way that I'm reading this is that they're actually the same: if the answers to these questions were machine readable, then the Scorecard can take advantage of them. So if the Scorecard wants to see that static analysis is used, and one of these fields is like "static analysis" colon "we use".

A
But I think that's, I mean, as a user, I want to know, well, actually as a tool. I think at least noting that tools are, and we do say it's automatically extractable, but at least noting near the top that, and then saying, basically, answering the questions as listed below.

C
Bullet points are not ordered at the moment technically, so there is no priority. I have just, I mean, I have rewritten your points, so I have used your notes and I just rewrote your points using the user story. I have added some new points, for example based on feedback that we have received on Twitter, and yes, the minimum viable product needs to have a file for the Scorecard.

C
The security Scorecard needs to have information related to the vulnerability disclosure policy or SECURITY.md, and I have added the maintainer contacts, because maybe you want to have a contact for a particular project, and I suppose that these files can be useful for the maintainers and for the user or researcher or other people that want to have information related to the project in the next step.

A
But by the way, it's already possible to record project maintainers through other ways. I don't know if we would consider those adequately maintainable, automatically extractable. I mean, there is the security.txt, but that only applies to websites.

C
There is, for example, in the problem statement I have defined some stories related to the user, but at the same time I know that it is difficult to convince people to follow best practice. For example, security.txt is a really easy file with three lines, with an easy template, but only few websites implemented it, especially if we check the top 200 on Alexa or on google shop.

C
So probably the first version of this demo needs to be really easy and totally automated, but based on the Scorecard and other two or three entries, I suppose. It is just a hypothesis, so people can start to use it, to implement it in the project without having too much friction, and so I like the idea related to the security.txt, but probably for an open source project it is.

C
It is not enough, for example, if a Scorecard can have a lot of false positive results, and maybe it is not so easy to automate it. And if you want to share what are the tools that you use to lint the code or to scan the code, probably it is a manual task for the maintainers, because sometimes a scanner cannot identify the right tool, and so.

B
I wonder: if a GitHub app does it, does it get it? Would it have that? Do GitHub apps have their own UI? No, they probably don't. I don't know, a thing, but a thing that, like, scans your code and says hey, this is what we found, like, does this look right, and have the user go through kind of this wizard process, kind of like what we do for the security reviews, the output of which is a file that they commit back to their repo.

C
Exactly, there is a comment in the document. For example, we have a quick start for the security review. I need to formalize this part still, and yes, we need to offer a standard, so the schema for the yaml, because technically, if I want (I don't think so, but if I want) I can't technically write it manually, and at the same time we need to offer a tool to generate it and to lint it also.

F
This may be obvious actually, but out of curiosity, is the main use case for Scorecard to kind of add additional information to it, or to kind of correct information that may, like, you know, upset people who... because do you guys remember how we had certain metrics in the metrics dashboard that people complained about? So is it necessarily to fix certain things, or is it to add new things, or some kind of combination? I suppose it doesn't matter either way, it's helpful, very helpful.

C
I mean, it is a good question. At the moment, technically, the Scorecard offers more results than the results shown in the metric dashboard.

C
So probably initially we can offer the same values, but over time we can add the other entries or the fields in the yaml file, and so we can really use the security Scorecard, which offers a lot of information related to the security of the project.

C
So probably it can be different from the security, from the metric dashboard. The metric dashboard offers the same values for all projects, but the Scorecard has more scanners that we are not using at the moment in the API. We have the value, but we are not showing it on the website, in the front end for the user.

B
I think, Dave, though, just to riff on a part of your question: I think it could go either way, but I think the better approach is that the Scorecard, as part of their calculation, they say, does the project have more than two maintainers or two recent contributors? Look, so supposedly that was one of the metrics, and they didn't find any evidence for or against that, or it was ambiguous or whatever.

B
If they programmatically read ossf security and they saw that there were four maintainers listed, they could use that as part of the calculation. Similarly, for "do you use static analysis": I don't see any static analysis in your repo, but ossf security says that you are, so I will provisionally say you are, something like that, right.

A
Right, and the tools, both for the SAST and DAST tools, as in my mind kind of the original genesis of this little project, because we're trying to measure, you know, things like do you have tools, and the problem with, like, the static analysis tools? It turns out to be incredibly hard to answer that question. I'll point to a particular case I know of, but just a data point. The CII Best Practices badge uses several static analysis tools, but we use CircleCI.

A
We use tools like Brakeman, which, you know, and the Scorecards doesn't know anything about CircleCI, it doesn't know anything about Brakeman, and so therefore it doesn't find it. It's not that it doesn't exist. It's just that figuring out all the cases turns out to be really hard, so having a way to automatically provide the otherwise missing information.

B
Is it the center, then, the logic of, like, how do you figure out if CircleCI has static analysis integrated or whatever, that's written in one place? The information goes here and then everybody else, Scorecard and all of its other, you know, all of its peers, can pull from that one place, yeah. Maybe we should be the center of the universe and that's fine too, but like.

A
I don't even think you have to claim center of the universe. It's basically, you know, for Scorecard, I would say as much as possible try to automate. However, we know that some areas are notoriously hard to automate, so here is an automatic way to overcome those limitations.

A
So, yes, if Scorecards can automatically get all the information it needs, that's great, but here's the escape hatch. I viewed this OpenSSF, this yaml file, as kind of the escape hatch, to provide information when you can't figure it out any other way.

A
I think that's, I don't think that we can hide that. I think we need to address that head-on, and, you know, for example, I could easily see maybe tools might want to have two outputs. Here's with this information, and here's the information that we can independently confirm, yeah, and I think that's going to be one of the most obvious counters to this whole approach.

A
You know, I will, while we just start, I'll try to quickly type that in, and then people can convince about that. But.

B
What, I think that totally makes sense. I think where you get into the validation of it. So if you take skim, or at least the concept of skim, you know, so you have this, you know, databasey thing of claims and assertions and backing, you know, integrity flags and metadata and whatnot.

B
That says, you know, you can trust this, because it really, really, really came from GitHub running this on the project, and you trust GitHub, so that kind of thing. Well, what kind of assurance does the author's own statement, that they pinky swear to do the right thing, mean? Well, the answer is it's something: it's certainly not as much as some other ones.

F
I had a thought on, and I apologize if I repeat most of the stuff Mike just said. I was kind of thinking about what I was just about to say and I might have missed the exact same thing, I don't know, but so I was just thinking of, like, you know, what would make me more inclined to take a pinky swear from someone, just in more of, like, a social.

F
You know, just very generic sense, right, so I think, so a few of the things I thought about, and you know some of these could be worse than others, but, you know, if there are any things that we can, like, we can add a bunch of logic to kind of help ourselves out here. Like, for example, if there's any things that, you know, were promised, obviously, that we can somehow, that are more verifiably wrong in some kind of automated sense, that should be a red flag.

F
If, you know, if someone has nine out of ten things with, you know, great verified reviews: oh, they use this tool and this tool and this tool and this tool, and then just the tenth tool, like, say, you know, they're saying we do this, but we can't confirm this. You know, I would say that's a lot better than having these pinky swears across the board, unlike all of their metrics saying we do all these things. You know, oh.

F
There's just, like, one thing that it was, you know, we don't, we couldn't really follow through with here, and then the last one was, yeah, and then I think Mike might have said this, but if there is some kind of metric or a final output in the Scorecard that's kind of in between, like, "no, we know nothing" and "this is very good, like they definitely use this".

F
There could be, like, some kind of, you know, "probably good, but not verified", like, you know, that doesn't have the final check or doesn't get the bonus points, the extra, extra good grade, like that. So there's, like, a lot of ways. I think you can either just make yourself a lot more confident in that pinky swear, or just convey to the very end user: this is a pinky swear. So that's kind of my hand in on this long digression, but yeah, there's a pinky swear at the end of the day.

A
Yeah, let's see here now. I can tell you how I lead the CII Best Practices badge project, where we do take assertions from projects usually, but what we do for every, for a couple of questions where we can verify that the claim is false, we don't care what the user says, we'll.

A
In many cases, though, we can't, you know, assure ourselves of this. So in that case, what we do is we ask for justification, which is basically text that includes the rationale, and ideally with URLs that point to the evidence. I would suggest maybe that might be a good for all of these things, and heck, I'll even go further.

A
So Michael, we talked about this earlier, but it's not really recorded here in this document. One, you know, we've talked about the use of one tool, which is, you know, these. These tools include, okay, Scorecard and the CII Best Practices badge.

C
So David, I want to be sure that I write this right. Do you want to offer a tool, a linter or something, to generate them in a sort of wizard or automatic way? You want to have us, the output from Scorecard, CII Best Practices, to give the CII Best Practices for the CII Best Practices, but at the same time a tool can generate a false positive, for example, a tool.

C
The Scorecard sometimes cannot recognize that there is a GitHub workflow to check the code, and if the maintainers give evidence in the yaml file with, for example, a link to the GitHub action, the yaml file is valid and they can receive the badge or a particular approval by the Linux Foundation or OpenSSF. It's right.

G
So what we've always done is we have a manual process that's well documented, and if you, and basically requires different tiers or separated reviews, a manual process. So maybe there could be, like, a third party attestation. So if you hit the indeterminate stage or a manual process, maybe we can have a process where you can go through a third party attestation, and an attestation document gets put in place. That can be, you know, validated from a transparency log or something, right, like a sigstore transparency log, for example. That'd be awesome, right.

G
But I'm saying that, I'm saying that I'm, yeah, I think I'm getting bulldozed over here a bit. I just wanted to get feedback on maybe reusing some of the componentry that's being developed in open source to help solve this problem, saying that, you know, attestation records don't have to be generated through automated fashion. They could also be generated through a manual process and still be valid and still be referenceable from these configuration files.

G
So then there could be, you know, there'd be a documented process if it's indeterminate, that somebody could be hired or look at independently, maybe even somebody from OSSF, to go through and do it, and then actually sign off that more than one person from OSSF signed off and attested to it. That's a signed, recommend a record that is publicly verifiable, then that they can slap into their yaml.

B
I actually really like that idea of, even if it's just, you know, signed off by, and the gobbledygook that means. I guess it would be the signature of the previous document.

A
All right, so I think, let me try to split this up. We have various problem statements, you know. I think the other direction is probably worth recording as well, but it's almost its own thing. You know, we'd also like for the various tools.

G
Yeah, so I mean, what we have, like, in IBM is, like, it's mainly for clearance, because it, but so basically we have segregated teams, segregated legal. We have a systems manager, which is at, like, kind of like a brand level, and then we have, you know, an independent security person, and one person from each of these segregated all have to sign off on certain parts of the checklist, and so it's not one person signing off, and that checklist gets signed and attached to, you know, approved for clearance, approved for, you know, whatever, so.

G
Hoping it confirmed how it could translate into this space, but, you know, again, it would be, you know, we'd have to have a process in place that we described, where we have at least two eyes that are segregated, from two different companies, two different parts, maybe OSSF and maybe their partner org, or two different parts of OpenSSF, things where a deal is not going to be cut, you know, or people are going to be "this looks good to me" on the pull request. You know, we don't want that to happen, right, so.

B
I guess my fear in this is that, like, no organization will be able to scale to do this at scale. We also don't want to become a bottleneck or a, you know, especially from a perception perspective. We don't want to be perceived as a gatekeeper to open source. So.

G
Now this provides, like, what we see at other groups, where, you know, independent auditors can be brought in, or, you know, as long as you create a system where people can get certificates and get their identities approved as approvers. Whatever, you know, you do, you manage it in an open source manner, right.

C
But adding a sophisticated and structured process and procedure, maybe, I mean, if for this document, or this yaml, it should be a sort of standard for open source projects. If the procedures are too complicated, it's a big friction for the maintainers; maybe a lot of open source projects don't follow us, and so the standard cannot be a standard. Well, I'll tell.

A
Putting things in the CI, you generally have me agreeing when you have the phrase "and put it in the CI pipeline".

G
In general, this is the problem. I even have a hard time describing to people when I'm in IBM, right, because people are used to the manual process they've been doing for a decade, two decades, right. So it's basically, they understand automating the build stuff and some of the test stuff and the scanning stuff. They understand that. They understand that the security holes then wait, way before that. It's all the stuff that's brought into the build system, and you have to work backwards.

G
I love that word. One of the other calls that guys used last week: holistically, when it is produced, it carries with the artifact, the container, the jar file, what you're producing at the end of the build; those documents are carried and related to the artifact, so yeah.

B
I think this conversation has been awesome. We should try to get to, I at least want to get to the security reviews update from Amir today.

B
Good conversation, we should, yeah, I hate being time police.

D
Amir, you're up. Okay, so I made just a suggestion to the security reviews repo. One of the things that we talked about was, speaking of the term holistic, kind of having a broad picture view of everything that's on there. So the main thing that I added was a new markdown file called "overview of all reviews". It's probably not the best name, or let me share the link here.

D
So it's, as I mentioned, an overview, so a table that has everything that we've collected so far, and something that I or anyone in this work group can maintain or update. I'm happy to update it over time. I actually have a couple that will hopefully be adding soon here, so yeah. What we have is the overview, so anyone can kind of get an idea of what is in this repo and have a direct link to the report or the post.

D
That goes into detail, and one thing that kind of came out of doing this exercise, that kind of ties into a thought, is I kind of like these two fields: funded by and facilitated by.

D
Oh, oh, shoot, I'm so sorry, okay, no! I'm.

D
So yeah, so this is again just to show a holistic view of the repo and everything that's in there. It's chronological, essentially going backwards, so all the most recent stuff will be at the top, and yeah. The idea was to just kind of have an overview of everything in the repo, kind of shown in one kind of easy place.

D
To automate this with the metrics dashboard, that would be cool too. That actually ties into my next point nicely, that in doing this, I like these two fields that I think, you know, as more organizations and different groups get involved, you know, they.

D
A big thing that you want is, you know, recognition for the work that your organization is funding and who's facilitating the work, so I would want to suggest potentially putting that as a data point in the metrics dashboard under security reviews, if possible, to kind of give a good snapshot here in the dashboard, to kind of give people more information on the security reviews.

A
Like, something that we should automate, and if there are fields that we need to make this table work, we should add those fields in our draft, add it to our list of things for the future, and let's just automate the heck out of this table, because I agree that table, you know, we should link the heck to that table, because that is so much simpler than our current approach.

D
Cool, yeah, I totally agree. I think, yeah, especially as this scales up, it would definitely make sense to automate it and have it feed into the other data points too. I'm a visual person, so I always start with what I can, so I just kind of threw the table together, but yeah, I'm totally open to that idea. We want to work on that together as a work group. I'd love suggestions on how to make that work.

C
I don't know if we can add, for example, a label in the yaml where people add the link to the security review. So we can automate in this way the metric dashboard, and we can connect the metric dashboard with the yaml. And yes, there are some projects that we scan with our scanner, and at the same time, for minor projects that maybe we cannot scan every day, we can use the data from the yaml that is based on the same format that we use, so technically.

D
The future, yeah, some of that is already being done, so we can definitely iterate, build on it. But if you do have a review in the repo and it shows up in the dashboard, it'll link directly to the post in the repo, which, you know, ideally we will be posting all the reports in the repo as well. So I think we're definitely on to something here, and yeah.

D
If we want to work more on automating this table, maybe even making it a little prettier, I'm happy to collaborate with anyone on that. So I.

D
I think it's on a Google Sheet somewhere. Let me see if I can find it.

B
What you could do, I'm not saying you have to do it, but the GitHub, like the GitHub Pages, seems like a natural place to publish this, and then as part of publishing that, it goes through, parses the markdown files and does the thing, creates the table, then just dumps it flat, so. It's like a static site generator thing: okay, as one possible option.

D
Okay, yeah. I would just probably need a little bit of direction in that, but yeah.

A
Where's the Google doc? That's what inquiring minds want to know.

A
My main, I mean, I can sit down and quickly write, walk through the various files and try to generate a table that looks like this. Probably either markdown or probably just generate HTML and declare victory. And then, as I said, you know, then we can use the static, once it's generated, we can use the static site generator and post on GitHub.

A
Happy to, but you know what, I have enough work, so if you want to contribute a little script to run this through, this is, that definitely looks like one of those relatively easy things to whip through. I.

F
Agree, does seem like a, you know, probably like a half hour of Python, and I don't mind sitting down and having some fun filled with that, yeah. We can.

A
So, who is volunteering? I'm.

A
Yeah, okay. I will probably misspell your name, but let me just put that in the notes here, so Dylan.

F
I think, by the way, I understand all the, like, automatic generating of the table. I wasn't, I don't think I caught all of what you're saying about the GitHub Pages, but that's all right, I'll think it up afterwards. Excuse me, I'm gonna.

A
Okay, Dylan will create a Python script to generate an HTML table from existing security reviews using, and where's this Google, using, and let's see here, Amir, where's, okay, that's, I'm gonna copy and paste that URL because, remember, chat, all the chat stuff disappears. Once, are you using Amir's example as a starting point?

A
All right, I think the key there is when you generate it, you know, include generation of a hyperlink from the row, or at least the entry in the row, to the details.

D
Yeah, I mean, a lot of people are talking about, you know, it's important. I mean, it's just as important to disseminate the information, disseminate the data, and have it in a way that's easily digestible, and, you know, if we plan on cranking out a lot more of these, I would love a lot more eyeballs on them, so yeah. Thank you, really appreciate that, and appreciate you taking on the Python part of it.

B
Awesome, we are out of time at the top of the hour. Quick Alpha-Omega update: things are moving forward. I'm hoping to get final approval from the governing board on the 5th of November. I'm working with Shubhra in the Linux Foundation and Abhishek at Google and a couple of others to formalize the operating plan for calendar 2022; more information to come.

B
Hopefully in the next two weeks we'll have this in a place ready to go, but I want to let everybody know that things are moving forward, so we're looking good there. Awesome, thanks. Everybody have a great rest of your Wednesday. Retweet the OpenSSF announcement. Have a good one, everybody, thank you. Thank you, everyone.