From YouTube: OpenSSF Identifying Security Threats WG (April 12, 2021)
B
Yes, cool. Welcome, everybody, to the Identifying Security Threats working group meeting. We've got a couple fun things to talk to today, but also we'll leave time for open discussion. I will share my screen.
B
And everybody should be seeing the notes now. So, got a couple updates from last time. So last time I went away and realized I needed to.
B
It should be in the meeting invite as well, but again, who knows. Anyway, let me just jump into the demo. So we got... so, I basically rebuilt the dashboard on new infrastructure. I basically burned the old thing down and redid it, but we redid it better. So here's what we have. It's a new URL; here's where we start. So what we had before was this kind of hodgepodge of.
B
If you click on a link here, you go to... oh, and I know the color scheme is awful, and it's like intentionally awful, so someone who's better at this says, like, "please, let me fix your color scheme." This is obviously not my superpower. But so any of these will go to Grafana, and any of these links will go to the API. So the API, because everything is now just a plain, simple, like, Django front and Postgres back, it makes things a lot easier.
B
So the API doesn't work because I don't know the difference between underscores and dashes. Totally sympathetic, yeah, it's like the worst. So everything is based off of you providing a package URL. We could do a searchy thing too, but you start with the package, and basically it's just a giant list of metrics.
B
The metric keys are, like, kind of these well-defined things that are per data source. So openssf is, you know, it's an open... Criticality is an OpenSSF project, and then anything within raw is, like, whatever the data source gives me; I'll JSONify it and put the data in. So for this one in particular, there's really just those. We do calculate a couple metrics when we load, which is mostly, like, URLs to additional data, but that's not really that fun. So, let's go to.
B
One has good data. Wow, this has stuff for just about everything. Yeah, so criticality. So all the data comes in... you're looking at this and you're like, why is this one blue and this one is red? It shouldn't be; they should be the same. But yeah, like, check mark is good, X is bad, things like that. Scorecard overview. I removed the GitHub specific.
B
I just haven't ported it over yet, so we can decide what we want to do with that. These are all live links. So, if you want to see... what I was thinking is, if we wanted to include other sites that could just, like, tell me about Kubernetes, you could do that, and then isitmaintained.com thinks that it is, you know, provides some additional stuff. So that's fun.
B
The nice thing about this is because I'm loading these existing giant data dumps. So I have 106,000 projects in here right now. The bulk of the data is criticality, but there's a good number of other ones too, and we can just iterate on that. Data's reloaded every day.
D
Awesome. So I mean it's obviously your work in progress, but we have talked about maybe even putting this on metrics.openssf.org.
D
I sent our query about that, like, it somehow mutated into the, you know, who? How does this all get paid? Which I thought was a separate question, but yeah, I mean, they're not unrelated, but it seems to me that we can start by just, instead of the mystery URL that you've got, slip it on the metrics.openssf.org.
D
Okay, all right, so in that case I have a bag from you, Michael, which is: tell me what you want the DNS records to say for... and I will... I have discovered, apparently, one of my superpowers is I can file Jira tickets, and there's a Jira ticket for creating DNS entries.
B
That's terrific. Okay, so I need help from folks on the line, because I meant to look this up or refresh. So right now this is the URL, and ignore the broken shirt. If I want, when metrics.openssf.org... types metrics.openssf.org.
B
To get to here, and I want to do... I don't want to do a redirect; like, I don't want it to look like that. Do I need a CNAME, or do I need an A name, or is it like... is it a CNAME to openssf-metric-db dot blah blah blah blah, or is it an A name to the IP address of this, and are those both equivalent?
D
A CNAME, it kind of, as a canonical... Let me just kind of think this through, because I'm not, you know... a CNAME creates a canonical name, and it will let you immediately redirect to that.
B
Okay, so I want a CNAME. So the quest... so for now, let's... I mean, that looks as production as it's gonna get, so I'll just type it here. You.
A
Need to, if you have credentials on this thing to log in, if you use a CNAME and the cookie is bound to that specific DNS name for the microsoft.com address... Good point. You are going to need to redefine what those are bound to, and you should make sure you limit the scope and yada yada yada, but.
B
And Django will probably drop a cookie anyway, just so you get a session thing on the back end. We can fix both of those. But that's a good point. Oh.
D
Yeah, beware of just arbitrarily trusting what the client sends you.
B
It wouldn't... I mean, it's, yeah, if Django or Grafana... in, I think in both... no, in Grafana you define the host name; in Django you can say these are the allowed hosts. So it's obviously the list. If I donated to the list, you get a narrow page. Yep, good, good, good, yep.
D
Yeah, we may need to do some... I suspect we're going to need multiple passes on the DNS in order to make HTTPS happy, because I'm guessing we're probably going to use Let's Encrypt, but, you know, we can... I think step one is, yeah. David will help with this, in the sense that you tell me what DNS records you want, I will request them. Okay, if it turns out they don't work, then I will send more requests. Okay, so.
D
Okay, okay, and its value is going to be, you know, to... okay, to that thing. Okay.
D
All right, you know what, there's a way to find out.
D
Yeah, and you may have to do some changes on the software itself, because, you know, oh look, you know, you haven't used it that way before, but that's okay too. Yeah, yep.
B
Cool, okay, nice. I think that was the main demo that I had.
B
There is a caching... there is a local caching layer. We can move that over and, you know, use more sophisticated caching as needed.
D
Yeah, I think the key right now is just thinking about caching as you develop, but in fact that's a mistake I made in the CII Best Practices badge. Had I known what I know now, I would have made it so that logged-in pages were almost exactly identical to not-logged-in pages, because every time you make a difference, suddenly you can't cache that whole card. Yep. So if you can make the pages as... I, you know, you know, hey, you know.
B
Sorry, so it's interesting. So Grafana does cache itself, but it is its cache, and I don't know how I would tie that up to an ex... to, like, a really external one. Yeah, we'll optimize where there are hot spots.
D
Yeah, I don't know right now how much it's worth doing. Certainly, I think most sites actually have tiered caches, so what you're doing is quite normal. But just as my experience has been, the more you can make things identical so that the whole thing can be cached out to a CDN, the... yeah, they're just so much easier. It is to scale out to crazy. Yeah, exactly.
B
Yep, and we can also scale the box itself. So right now, because it's all Docker Compose, it all is runnable from a local.
D
Now, one thing I noticed is that when you started typing, it was starting to show all the results. Does that mean it's actually sending all the list of all possible packages out to the user, or is that some sort of communication.
D
And forth. That's a good question, because, I mean, right now that's perfectly fine! That will not scale well.
A
I'm just kind of curious if you have any insights into what our current traffic... what the current traffic on these sites are like. Not this app, but, like, in general, what the traffic tends to be on the sites, because, like, you know, I plan for what traffic you're actually getting, like, but slightly.
B
I mean, I would... I would be surprised if it's a heavily trafficked site, unless, like, a package manager decides to link, like, their per-project pages to this, which would be interesting, and if that happens, we can.
D
Yeah, I think we want it to be trafficked, obviously, but here's what I'm thinking. I'm thinking that we want people to consult this every time they're thinking about adding a package to their larger system or thinking about deploying it within their environment.
B
Yep, I mean, it may.
B
Be interesting to kind of do this, kind of like... well, way past where we are now, but some sort of an alerting thing where I can watch a project, and as the metrics deviate over time, I get notified. Because that's probably more what I want, is, like, you know, I'm using Django today; if Django becomes abandoned in a month, like, I'd like to find out at some point.
B
Yes, yeah, so metro... metrics.openssf.org.
A
Can I select the topic of the conversation and deviate from this in about two minutes? Just let's do.
A
Think we're just kind of... all right, so I got a couple of topics to discuss that I think this working group could potentially own. So this is, like, identifying security threats for the ecosystem, right. So one of the things that I, as a person working for Gradle, and, like, being... I'm not representing Gradle, but I'm here thinking it from the perspective of Gradle, right. There doesn't seem to be a great intel feed on, like, threat actors existing in the supply chain.
A
There's no real information about potential, like, you know, places where there are risks that exist in the supply... you know, like, who's actively going after the supply chain, or, like, you know, there's... I get my own feed of news, but, like, both the discussion slash, like, you know, "here are threats that you need to be aware of that are, like, active players," either, like, you know, identifying kind of groups of people that are playing in this space. I mean, one of the examples of the things that came up.
A
I mean, this was very cheesy, right. What was there was the PHP incident, right, from, I think, within the past two weeks, but there was also, like, you know, the dependency confusion stuff that's been going on. You know, other threat actors that may be, like.
A
You know, publishing malicious packages into... I mean, I was talking to Adam Baldwin a few months ago and he's like, "yeah, North Koreans just keep loving to throw crypto miners into npm packages," because that's, you know, like... so kind of more awareness of, like, who's doing what, and then also potentially getting more of the packaging ecosystem maintainers into the conversation, trying to, like, reach out to create a.
A
And the people that do Yarn, right, because I don't know if npm and Yarn are the... no, packaging uses in Yarn are coupled together. Other, like, valuable places where registries... where the registry owners and the people making the packaging ecosystems may be different. I mean, Java, right. We have Gradle, Maven, we have sbt, and then there's also, like, Buck, Bazel, right, like, those groups. So pulling in kind of, like, player, or... and then there's JCenter and JFrog, right, pulling players together.
A
I mean, maybe starting at the level of packet, like, all of the packaging ecosystems discussing together, and then maybe, if it gets too big, breaking it out into individual ecosystems as that becomes relevant.
A
But I think that, like, being aware of security threats, discussing security threats, that kind of space sounds like the domain of the OpenSSF, as, like, a framework to throw it into, because I was thinking about doing that myself with Gradle, but I couldn't get enough political will and I don't really have the energy right now. But yeah, does this... do these kind of things speak to the people that are interacting with this group?
D
Yes, it certainly speaks to me. I mean, at least in some of the communities that I'm familiar with, we would call that a threat briefing.
D
And now there are organizations which are specifically, you know... if you pay them pounds of money, they will focus and give you a focused threat briefing on your specific.
D
You know, focus area, but I think that it wouldn't be that bad to combine and say, "hey, you know, this is what we're seeing the last few years, based on publicly available information." I'll point to, for example, the Backstabber's Knife Collection has some nice data, and Sonatype and some others also have some general open ss... open source software.
B
So I think that's great. On the consumption side, I think, Jonathan, you look... thinking more, like, the, like, 15 minutes after the PHP thing was, you know, let's say, made public, like, was there anyone in OpenSSF kind of having that dialogue on, like, has this... like, has this fit into the larger picture? Is this interesting, or is it, is, you know, just kind of a vulnerability-of-the-day kind of thing? I mean.
A
That there's also the topic that may be at play around, like, you know, there... I mean, the PHP one was clearly, like, you know, cheesy, right, like, that was, you know, probably not a sophisticated actor, but, you know, other cases where the openness is out, like, there's an open source supply chain breach, right, and the OpenSSF's "here's the news about it," and says, you know, "hey, like, we have an incident response firm that has been lined up for open source security incidents like this."
A
"We can deploy them to make sure they didn't get anywhere else in your infrastructure," right, like, we've already paid them, "here's a resource that is available for you to utilize to determine how compromised you are." That would also be a real, valuable value-add. That is super interesting.
B
So funding with, like, real dollars is still kind of a work in progress. As soon as that happens, though, having, you know, folks on call to be able to, like, go in and help fix vulnerabilities, as well as do, you know, IR and everything else, I think that's all interesting and worthy of kind of deep discussion on what OpenSSF's play is.
B
Because right now, like, a lot of it goes into general, but I'm also sure that not everybody on this call uses Slack. So if you don't, you're welcome to join the open slash... I mean, we could take it a step further and think about.
A
Yeah, so I don't... I think that being the... I think that offering the resources is more valuable than being the, you know, like... offering the resources and the structure, like, for an intel feed, for discussions, like, a place for discussion for the packaging ecosystem.
A
There's more value there than needing to, like, as an organization, have an active stance yet, right, like, I mean, maybe later, but, like, for right now, I think that the easier-slash-earlier, more important statement is just creating the space for that and then also creating the resources. I think, you know, I think, you know, some of the incidents that have occurred in the past, right, around ESLint and, like, things like that, right, there's a potential for, you know, incident response.
A
Like, you know, you have incident response for the companies that are impacted by those things, but there's no incident response for the open source maintainers. I think that making sure that those capabilities and those resources are available would be, like, you know, the connections, the contacts, the, like, you know, "we can get you the help."
A
"You need" sort of things, and then also the discussions of the active things that are going on as the news is breaking, to make sure that everybody's aware of the risks that exist.
D
Yeah, if you want... what I had listed earlier was a very generic, you know, "hey, these are the kinds," like, you know, typosquatting. Well, I think one of the interesting things that you get from the Backstabber's Knife Collection paper is that typosquatting is a big thing. If you were not... if you develop code, but you're not really familiar with how attackers work, you might not be aware of the prevalence of typosquatting, and that's something you don't need a lot of funding or insight.
B
Sharing in some way would be appropriate. It.
A
But I think that there's another important pers... not, bit of knowledge to know about this. I think that of all the packaging ecosystems, I think that npm, being owned by GitHub, probably has the biggest security team, maybe Microsoft for NuGet, but, like, Java, the Gradle... I don't know what Sonatype... every time I email security at Sonatype, I keep getting their CSO or, you know, so I don't think that they have a huge security response team.
A
I think that the Ruby people, I think, that's, like, one person, right. Python, I think it's one person, right. So, like, a lot of these packaging ecosystem maintainers, which are driving the entire industry supply chain, are protected by one person, right, like, that's... and so, you know, giving them more resources.
A
More contact, more, like, you know, like, we had something that happened at Gradle, where we got a crypto miner dropped on one of our machines, and, you know, I was operating solo pretty much, and I just said, "hey, Adam," Adam Baldwin, who is the VP... vice president of security at npm, and I'm like, "I'm way out of my league here," like, and he jumped on a video call and just helped me out with that incident. And, like, you know, I had that because I had the connections and contacts, but, like, had I not known Adam, I would have been, you know, kind of alone and not knowing what the hell I was doing.
B
That's a good point. So I think these two are separate. I think we can approach them separately, since... I mean, so back when we did the package manager summit, we at least had some connections to each of the major ecosystems. I guess I know there has been some turnover; like, I know Adam is no longer with npm, but, you know, I think either having those organizations be part of OpenSSF, or at least building out that contact list.
B
So all the security people that each of the ecosystems know all of the other security people of the other ecosystems, and then it's just, like, we'll just kind of take it from there. And, you know, I don't know that we need a ton of structure there, but, yeah, I mean, that seems like that would solve, you know, at least some things. Yeah, okay, so let's do that. So.
B
One is gonna be.
B
I think this is, like... I know the folks at GitHub, as they set that up, probably still have those connections. I mean, obviously, like, we have, like, the DL that that invite went to. I'll try to make some progress on this and see. I thought that Kay... I think I thought that Kay had approached the package managers around OpenSSF, but I'll double check.
A
Can you make sure that you reach out to Gradle formally? Because I only have... I just, like, I can do my push once I have a request, but I can't, like, pivot directly in. Like, if we get something directly from externally and then coming internally, I can take the email and talk to my manager about it, but I can't do it. I mean, I know it's my idea, but I can't even put it. So, yeah, that would.
A
Yeah, yeah, I mean, I think that just a presence, right, and, like, you know, bi-weekly, you know, once-a-month sort of meetings of, like, we're all coming together, discussing things, there'd be a lot of value in there. Like, just understanding, like, Sonatype's got a bunch of blog posts that they post about, and, but, like, I don't have enough time to read all of them.
A
I get as much security news as I can shoved into my head, right, but, like, you know, those meetings would be really valuable, like, you know, brain dumps from them, because they have a lot of people writing posts, you know, stuff like that, and, like, other people that are involved in that space. There would be a lot of value in that mindshare.
B
Yeah, makes sense. And then we'll see about just creating a Slack channel for, like, open discussion on vulnerabilities of the week, if you think... I mean.
D
You know, okay, you know, you're not... you don't have several million dollars to hire somebody to do a threat briefing. What's the overall status on the threats on open source software? And basically, if nothing else, maybe just pointing off to a list of some of the papers on the topic. You know, I listed three; I mean, you've got Backstabber's Knife Collection, Sonatype, Synopsys. I'm sure there's more, but, you know, make a little... make a little.
D
You know, with... and now I'd say, with a brief summary and links to relevant papers. There we go. By the way, Michael, I'm trying to, you know, pat my head and rub my tummy at the same time. We got your CNAME already set up. Really? Yeah. Here's the downside: it'll work for HTTP, but not for HTTPS.
D
We need to, you know, yeah, and you may be able to just do a quick config, but if that doesn't work, we will just need to drill further. No.
B
I'm sure that it will just work.
A
Is there value in adding a dedicated Slack channel to packaging ecosystem threats as they, like, or? Is that not yet necessarily.
B
I mean, do we... and we could think about this a little bit harder, like, do we just want OpenSSF members to contribute, or do we want this to be more of a quasi-public forum? Where... I mean, you should just start small and just have it be, and we could do Slack or mailing list. I mean, we could just have the OpenSSF mailing list, although for me... well, actually, I batch up the mailing list stuff, so we could do that.
D
Yeah, it's not a crazy idea, but I think the idea of "where do I go to ask to get..." "where do I go to get help" is a reasonable idea. I just... we need to make sure that if we say that we have... there's somebody on the other end, you know.
A
I'm just thinking about, like, the Cloudflare, like, if you go to cloudflare.com, they have an "under attack" button with a question mark, and, like, you click that button if you're, like, getting DDoSed, like, getting... yeah. So, like, you know, it sounds like we want something similar, like, you know. Yeah, right, right, basically, yeah.
D
You know, it's not a bad... yeah, okay, that's different than what we were originally talking about. I think both make sense. "Hey, you know, here's some information before, you know, to get help; you understand the situation," and then, "oh my gosh, I'm under attack, here's the button."
B
You know, basic info, link to join Slack channel, which is, like, the "help me," and it's basically kind of an open forum. Like, you know, you have a problem, we'll try to help, and if we get overwhelmed or spammed or whatever, we can deal with it then. But, like, I don't know, I mean, the problem is marketing, like, how do we get people to know about this thing? But, you know.
B
Well, I mean, but at the same time, I think if more people knew about it, more people would be fielding questions. So maybe, you know, we'll never know unless we try it. I think these are all interesting ideas.
D
That the supplier is going to fix it, yeah. I'm not sure anyone's asked them that question, to be honest. I mean, we could ask our folks and just see what they thought about that. I suspect they'd be a little afraid of doing that; they're already overwhelmed as it is. So that doesn't make it a bad idea.
B
I mean, nobody... that's why they're concerned, security consulting firms. If you could get this for free, you know, you wouldn't need a lot of these orgs. Yeah.
D
And to be fair, I think a lot of projects, you know, if you reported a serious problem, I mean, patches welcome; otherwise they'll fix it, and they'll fix it themselves. In many cases, the bigger problem is when there's nobody home, but I don't know how often it hits where I see a problem but I have no idea how to fix it. I mean, that must happen, but.
B
Like, perhaps something that took a month to roll out could have been done in 15 minutes had the person had the resource to just say, "oh no, just flip the bit from, you know, zero to one." And then, at the same time, though, like, if it's real work, then it's something that we should be staffing and paying people to do.
A
Or get an organization to join, like, an IR team to join, and, like, instead of them offering money, they offer billable hours. Totally. That's a good idea.
F
I have a question on this one. If you get it for free, would anybody trust ourselves?
B
If they got it for free, would they? Well, these are open source projects, so they are not going to be able to pay for it anyway, most likely. So their choice is free or nothing, from their perspective. The fact that we're paying the bill for it in hours or dollars.
F
I hope that is the most usual practical practice, but if we are going to give this kind of information free, would anybody be trusting on that and acting up on it? That is a big question for me.
B
Most... some... all... like, I don't think that many organizations do security due diligence on open source when they use it. I think the most that the vast majority of organizations will do is a CVE check, which means that anything else that we provide on top of that is goodness, but I think what we're really look...
B
What we're talking about in this particular case is, you know, a horrible vulnerability is found in this super critical open source project that is maintained by one person, and is feeling overwhelmed at the moment in the pressure to get a fix out, and it's, you know, "it's been three years since I touched this code and I don't remember how this works," and, you know, for whatever reason they have, it's knowing that they have someone that they can turn to for help.
C
But a tool like this could promote more organizations to join initiatives like OpenSSF, and, you know, as a result fund things like this at a higher level. So maybe not the end user is paying for it, but, you know, if it garners more awareness and more organizations to join OpenSSF and contribute, then, you know, then more tools like this could be, you know, incentivized or developed. Yeah.
B
Okay, so how about this? We have about four minutes left. So number one is easy, I think number two is easy too, number three is easy. This fourth one is... this is hard. Would someone like to take point in kind of thinking about this more and coming up with kind of a recommendation on how we might want to do this?
A
Somebody needs to reach out, like, saying, like, you know, or talking to contacts at fill-in-the-blank IR firm, right, or fill-in-the-blank whatever, and say, like, "hey, like, you know, would your corporation be willing to contribute hours to the OSSF?" Like, as, like, you know, if we said, like, "hey, this incident arose," but, like, you know, that the attack is kind of?
A
How does that get managed? Is that, like, does the company say, "yeah, we'll give you 100 hours," and, like, that just stands, or does that need to get recorded as, like, a thing on a... because? That's, like, I guess that they want to get a tax write-off for that, right. They're going to want to get a tax write-off for those 100 hours or whatever. Yeah.
B
Yeah, I think... sorry, I guess what I'm looking for is someone to kind of own this problem from our working group's perspective and basically come up with a high-level proposal, talk to TAC, and figure out if this thing has legs.
A
I would, if I was in a better mental state, but I'm dealing with depression and my own mental stuff. So, yes, I would, but I can't.
B
That's fine. How about this: we can table this... wait, so everybody can go back and think about this, and we can talk in two weeks at the next meeting, and maybe we'll have some different thoughts and all that. So, cool, awesome.
B
Thank you all very much for your thoughts and participation and everything else. See you guys again in about two weeks, and hopefully by then the website will be up, and then we can get moving on a kind of announcement and all that. So thanks, everybody.