B: You good? Good. Having a gorgeous Indian summer here, late summer. It's just been gorgeous every day and trying to take advantage of it. Yep.

A: I hear you. I'm getting close to saying I'm sick of, like, the over-90-degree weather, all...

B: Hey Luigi, I like your... I like your filter.

E: All right, somewhere we probably have an actual meeting with an actual agenda, and I gotta find it.

E: Yeah, are we... are we ready to start and, like, welcome new members if we have any? Let's.
C: Cool, yeah, certainly. I don't know if I introduced myself before. I'm sorry I'm not on camera, but I'm Roderick. I work with Microsoft and I'm just happy to be a part of the team. Also, I don't know if he's on the call right now, but I have a mentee of mine who... yeah, he's on. He will be joining with me sometimes, and that's Greg. He's here; he'll be working with me on whatever projects I work on. Awesome, welcome.
A: You're good. Okay, so welcome, everybody, to the August 31st Identifying Security Threats working group meeting. I'll be your host. First order of business: meeting time update. I know, so... I sent out a Doodle poll to try to find a more, let's just say, APAC-friendly time. As it turns out, there would have only been like three of us on the call, though. I'm not convinced that canceling this meeting time and doing that would be kind of a net...

A: You know, we'd add three and lose nine. So what I'm thinking is keep both of these times, but in one of the off weeks, also having a meal time. So it's a net.

A: So it's three meetings every four weeks. That's the best I can think of as to how to do it. We'll try that for a little bit, and if that doesn't work, we'll try something else, but I didn't want to take away from the momentum that we have in this meeting by...

A: You know, canceling this, yeah, half of the meetings. Does that sound reasonable to anybody? Does that sound unreasonable to anybody?

A: Meeting invite: the next one will be for the seventh; it'll be 10 p.m. Pacific time. Don't feel obligated to; you're of course welcome, and we'll kind of take it from there.
A: I would say, particularly for that meeting, we will be diligent in capturing the salient discussion in the minutes, so we know, and then it'll of course be recorded. So.

A: Probably not for the first time, but maybe for after that we'll try to have a specific agenda like that. You know, because I'd say, no, I think Market will be able to talk about office hours more from that meeting. So, do I want everybody...

A: Cool. OpenSSF Day is coming up. You should have started getting the registration invites; I saw a couple of those going out. So if you haven't seen that, openssf.org. I don't know that we have an agenda yet for that, or at least a public agenda for that, yet.

A: And the meeting, I'm sure everything will be recorded and thrown on YouTube a couple weeks afterwards. I am planning to be there in person to talk with Windsor again about Alpha-Omega. So...

A: Like, kind of re-announce. So we just signed with Eclipse, so there were a couple tweets about that earlier from Mike over there, and then there were also some updates from npm.

A: They gave an August update, so we'll do that. We've got one other one that we're going to... at least one of the ones that we're gonna formally announce, so that'll be good, and then we'll just go through all the comms stuff for that. So we should have a packed list of stuff to talk about, so that'll be good. Yeah.
E: If I can interrupt real quick, Mike. Please, yeah. So, you know, unsurprisingly, one of the challenges has been, hey, you got to send it through all the lawyers. So I actually think that we're gonna get better at this over time, as we keep running through gauntlets of lawyers, yeah.

E: No, but like this last one, there was a wording change because of European tax law, yeah, yeah, right, and nobody objected. In fact, the other word they suggested was probably the better word, but it's the kind of thing that you probably only notice once you try to do it, right, right.

B: Yes, and I can attest to that. It does get easier once you've done the song and dance a couple times and get a couple good contracts kind of worded out and hammered out. A lot of times they can be, you know, just altered for other use, so it definitely does get easier. Cool.
A: Okay, so I'll get more of an update on Alpha-Omega later on, but I want to make sure we get to all the other projects. So if there's nothing else, maybe we'll just move to project updates. Amir, any... I see you throwing.

B: Yes, thank you to David for uploading the notes that I was gonna put in. So thank you for beating me to it, but yeah, it seems like we need to do a little bit of work on the repo. I don't know how, but it seems like the automated check just consistently fails.

B: I've tried a number of things, and I met with Dylan last week to try and debug that a little, and so I think maybe... I don't know if it makes sense to take out meeting time for it, but if we could spend a little bit of time just kind of debugging that and seeing what is causing the automated failure, then we can fix that.

B: Do the pull request that David had mentioned, and I have a new security audit that we just published about yesterday, Monday, so I'd love to upload that too, but I thought I'd wait until we get the repo kind of figured out. Perfect.
E: Much more about... we, we got this problem. Once we resolve this, I mean, Common Criteria has problems, but they do have real reviews and I think it's another data source, but we gotta... I think we gotta fix this, this necklace, so that things get resolved. Yeah.

B: Yeah, and if I could suggest, maybe... I mean, I definitely see the value in having some kind of automated check, you know, because we do want to make sure no one's uploading zero-days or, you know, information or data that could, you know, cause reputational risk or what have you, but at the same time it has to be very seamless, and yeah, you know, not a lot of people spend an hour trying to figure out what they did wrong to upload something. Well...
A: So, if the... I would say the quick start, the HTML page that generates the YAML and stuff, if that generated incorrect... or if that generated YAML that didn't validate, like, that's clearly a bug in one or the other. This should be easy enough to debug. Let me... I'll... I will... I promise you, this will be fixed today. Sure.

B: And if I can help in any way, please let me know, and if you want me to jump in on a call or something, I'm happy to kind of shadow, to see what happened, too, so, you know, I can be of more help. So.

E: Awesome. So, specifically in this case, the validator basically suddenly crashes with an exception traceback, which is probably not ideal. Yeah.

E: Right, yeah, but I think the problem is in the validator, not in the input. So, no.

B: And shout out, thank you to Dylan, who took some time with me after the meeting last time to debug, so big thank you to him.
A: Does it make sense to do another round of that? Like, do you think that provided any value? And I think maybe the answer is: is anybody, like, who are the consumers of security reviews, and is there an automated, like...

B: I have some thoughts, but I'd love to hear if the group has any feedback first.

B: No, no, no, I... this. This would be the automated reviews that were part of... I believe that was through Omega, yeah.

B: ...created that tool that did kind of like an automated check and produced a kind of like a readout of that result, so I think it's good. My only caveat there, or thing to think about, would be just being really clear that this was kind of like an automated... because I don't think calling it a security review does it justice. I mean, not that there are very formal definitions out there, but we think of security reviews or audits...

B: ...as, you know, these kind of intensive code review type things, and not that automated tooling isn't used, but I would just maybe put, like, a little note in there that, you know, this was generated using this, and maybe laying out the parameters of that, so that... just to ensure, I guess, like, a quality bar, I guess, sort of like what a security review is and stuff. How...

A: ...about this: would a README within the Omega directory, because everything is channeled into that one directory so it's not spread out all over, and in there describing in a highly, you know, in a readable way kind of what to expect in there, would that be an improvement? I would...

B: ...say so, yeah, because I think it's... and again, I'd love to hear from the group, but I mean, it is important, I think, to have this information and disseminate it, so I think, yeah, including that extra bit of information would be really helpful, like, of what exactly it is that they're seeing and what it means and so forth.
D: The common library ties the mandatory questions and then the optional ones, and I am evaluating writing it in TypeScript, probably because the npm ecosystem supports YAML better than Python. I fixed some minor typos in the schema and I think the schema is ready now, at least for the first version. There is support for SBOM files, which I see now are quite important for the open source community, at least for a part of the open source community, the enterprise one probably, and that is so.

D: The next steps are to try to write better tooling in TypeScript, especially because maybe having something that can be added to a front end could be a good idea, and to try to convince people to adopt this specification. Yes, because, well, it contains a lot of information that can be crawled by a scanner.

A: Nice. There is a link, as a friend of a link, to Security Insights from the awesome software supply chain security.

D: I have seen that someone added... probably I missed some Slack message in the last week, sorry, but someone has added a GitHub Action to our repo to sign off the commit, and it is great. Oh, that's awesome. Yes, yes, I think that having a GitHub Action that explains also how to do it is definitely better, if you are alone and you need to sign off a commit that you have already pushed and you're not... it's crazy. So the action gives you all the steps to do it. Nice.
A: Yes, I did have... there was a note I saw on adding... what was this about? This was adding to Scorecard the ability to recognize OneFuzz, which is Microsoft's fuzzer infrastructure, through, like, a .onefuzz file in the repo, and I was like, hey, you should really put this in Security Insights. And so I guess two questions is... I'll refer them?

D: This is a good question. It depends on the Scorecard team. Probably I need to improve my communication with them now, definitely, because I think that having the support by the Scorecard team is definitely something that can help, yeah.

D: Yeah, probably every time to jump in that channel for a while, I try to convince them to add the support. I think it can be helpful, especially because there is a lot of information that can be useful but not so related to just the code. Yeah, for example, links, and my hope is that the similar file can be a sort of source of truth, especially for link domains, that in PyPI or Maven or similar can expire and no one updates them.

D: But if you have a file in the main repo, probably you update them, and then other websites and sources can just pull the information or copy the information directly from your repo.

A: Understood. If you need any help, let me know; we can jump into it together. Okay, metrics dashboard.
A: And jam the line, and also, wait: I have... I.

F: I think we don't have Christine here, but I think, yeah, is that... yeah. So we didn't have any meetings after that last meeting yet, Michael, so, but as you mentioned, I think you have more updates than us, so yeah. Yes.

A: This, no, so this is... oh, for metrics dashboard. So for metrics dash, what we were talking about was essentially what do we want to do, and we're still kind of, you know, spinning on: does this become part of LF, LFX, in some way? Is that a long-term thing? Is that something we should, like, make progress on now? Do we just kind of put the lights on?

A: Do we change it in terms of making it more of a dynamic query rather than a database, in which case it could be a lot simpler and just work? And then we talked about whether or not an integration or alignment or merging or whatever with deps.dev would make sense.

A: The deps.dev angle is kind of closed for now; we can revisit in the future, but that's not something that is going to happen in the, you know, next weeks or months. So I think LFX Security would be a long-term thing. I'm probably in favor of simplifying the site, making it more dynamic queries and just show the data, but I'm fine with anything, and there was someone that was going to start working on a prototype of that.
E: Well, okay, I mean, maybe this is something that should be re-raised again, you know, because obviously there was the start of the discussion and then Schubert died and, you know, all sorts of things basically got tossed up in the air, yeah, and...

E: I think I would suggest, let's at least briefly re-engage. I think there are many options, but at least raising the "hey, let's start talking," I think, would be the right thing. And I think it would be really helpful in the end to be able to tell people, hey, you want to learn more about a project? Push this button. And deps.dev sort of gives that for limited cases, but not really. LFX gives it...

E: ...in some cases, metrics dashboard doesn't in some cases, but it would sure be nice to just hear everybody: here's the story, right.

A: Right, so, Vinat, do you want to reach out to Nurav? Feel free to include me, but... project.

E: Yeah, okay, so let's see here. Now I got to figure out Avanad's email address, so... the nod, no.
A: Cool. So I think next up, office hours. March is not here, but she did post in the office hours Slack channel and a couple others, so this is moving ahead. There is a doc I will link.

A: Okay, there's a form there in the beginning of this. We need security experts to be part of the security office hours; otherwise it's just gonna be an empty room. So if you feel like this is something that you can do, please fill out the form if you haven't already, and note your availability. Again, we're going to try it out for a couple times.

A: If it works great, we'll continue it; if it doesn't, we'll stop. So it's not a long-term commitment; you're just in for, like, two one-hour meetings or something like that over there.
A: So I had one other idea. I don't have a name for this one, but this was in... I think this went to General. Yeah, I was thinking about doing a virtual summit, workshop, whatever, for OSS maintainers, so, sorry, maintainers of critical open source projects. So we go after the top 200 or 300 projects, or however many we need in order to get a center of mass. We essentially say, you know, hello people, you collectively, you know, author and maintain, you know, a really sizable part of the...

A: We don't say hand-holding, but like we really want to engage them and understand them, listen to them, talk about, you know, what their challenges are and where OpenSSF, you know, could help, or even if it's things that we can't help with. But, you know, it would still be helpful to listen, kind of do that and make that maybe an orderly thing, but first we'll just try it once, and yeah. That was kind of a good way, I think, of hearing from a targeted community as opposed to list...

A: The first one, I mean, in theory we could co-mingle it with an event, but, you know, the ecosystems are so different. Like, we can't do it at, like, a JavaScripty kind of event, because then the Python folks wouldn't have been there, and vice versa.
C: Just to note, I think somebody from my company signed up for one of the slots. The feedback was that, could we have some slots that are slightly more Europe-friendly? Yeah, because this particular person is based in Israel and it's even more difficult for them. So even if we could just make it a few hours earlier, yeah, that would be better. I will provide that for Mexico, for Mexico, yeah, perfect.

A: If you want to give that feedback directly, the office hours Slack channel is where that's discussed, but I'll make sure that that's represented as well. Okay.

E: If I may observe, just in general, for trying to deal with, you know, there are always time zones that are unfriendly for somebody. I notice that some working groups have had, like, alternating meeting times and that sort of thing. We just can't make a time zone that's always perfect for everybody, but we can do things to spread the pain a little bit and make it a lot better. Because...
B: Oh yes, sorry, let me do that first. Okay, yeah, I like the idea. One thing that immediately came to mind was, I remember reading in the Census II report something... I was just looking through it to see if I could find it, but they had a really good statistic in there. I think it was something like 80 or 90... or 80% of projects are... I think it was like there were like a hundred maintainers for like 80 percent of the infrastructure.

B: Something like that. It was a very good statistic showing that, you know, these people exist, and there's not that many of them, so I wonder if Census II would be able to give some insight as to, like, maybe who those maintainers are, or if they already have the data on who those maintainers are. That could make this a lot easier.

B: Potentially. So just a thought. David might have more insight on that, but I just remember reading it somewhere in the report. It basically said that exact thing you just said: a very large number of projects are run by something like 150 maintainers. And I mean, if there's any insight as to who they are, to find out, you know, that number, then that would be super helpful, I think.
C: Hey, so I just had one feedback about this. It may not help the project, but I mean there's been people in academia who have been working on, like, doing empirical studies on these open source maintainers. I happen to know a few of them. It might be useful to actually involve them as well, because they actually can bring in some insight that has been done, like, collectively and so on. So I will make sure that I will connect a few people in this thing.

A: Perfect. So back to your question on, like, is this a learning session? Is this a listening session? Is this a talk about all the wonderful things they can do by using the stuff that OpenSSF produces? I think initially it's a listening session. There's no agenda, we're not pushing anything, but we want to talk about, like, the challenges that you have, and then as follow-up to that we can say, listen...

A: You know, what would the next step be here? Like, you know, would you like, like, an office-hours kind of assistance? Is this enough? Is this, like, what is it? But kind of go in there less about, like, hey, we're putting on a little conference and, you know, the only people that are invited are these, you know, these maintainers, but more of a, hey, you're really important to this.

A: Is there anything we can do to help? Like, tell me about your challenges, and, you know, let us just kind of learn, because we may learn things that, frankly, surprise us about what they're actually feeling. I know some of the conversations with... I'm drawing a blank on the person's name.

A: But this person is a pretty prolific author in the JavaScript ecosystem, and some of the challenges that he was describing to me were not ones that would have been near the top of my list. So maybe first we have to learn what we don't know. We're not...
F: Yeah, again, great idea, always from you, Michael, so I think that's a good strategy, but my humble opinion is, when we approach this kind of maintainers, I think we may need to partner with the, like, package ecosystems, and not to scare people: someone randomly contacts them from the OpenSSF saying that, you know, you're a critical project maintainer, you're invited to join this, and stuff like that.

F: Right, like that sometimes may have negative impact and positive impact, so I think we should definitely figure out how we can communicate in a better way. Or, you know, we do have all the package management teams joining the other working group, right? Maybe we can partner with them, or ask them to contact for us, or something like that, so that people won't get panicked. Even people who are getting panicked when they get a PyPI email and start like... they're still.

A: I think we probably also need to be careful not to make it seem like... because, statistically, if we announce anything publicly about this, whoever is reading it will not be among the group that will be invited to this. So it kind of makes everybody feel a little bit sad.

A: So we should be careful in, like, you know, this... it doesn't have to be done... it's not a secret, but it's not something that will ever get to the folks that we want there by blogging about it or things like that. So we have to do one-on-one kind of stuff.
G: That was exactly my point. I was going to ask, like, do we have the channels of communication to make this invitation as approachable and as inviting as possible, and if not, do we have the information about who to contact? Because sometimes who is published in a certain repository may not be the person that is the one doing the most public relationships or meetings kind of person, and I know several project leads that do have, like, a person dedicated for that, and sometimes it's not in the README of the people. Yeah.

A: I think, and I didn't mention this, but I think the other advantage of doing this, and I don't know how this would work online as a virtual thing, this really might need to be done in person, but I would love to have, like... I mean, imagine a room, a conference center or something, and it's like...

A: Okay, if you know, all the npm folks over here and all of the, you know... and kind of learn from your peer group, whom you statistically probably don't know about, but you're all, you know, probably facing similar challenges. So have it be, you know, even more workshoppy, rather than OpenSSF kind of give and take to the collective maintainers.

A: The other nice thing is, if it's virtual, it's effectively free. It's just time that folks are willing to put in to kind of organize it and reach out and things like that, but we can get them swag and things like that. But...
F: Yeah, I just want to... yeah, you already covered the swag, I think, right, but I was thinking maybe we should approach first with the swag or nice things for them, to thank them, like, for maintaining those projects, and then trying to, you know... it's a nice way of asking them. This is their valuable time, so, you know, let's try to influence that they will join, and maybe proactively sending a thank-you letter or, I don't know, some gift card or something like that, maybe cloud credits, whatever it is.

A: So right now, the way that this works, or worked, is, you know, post a message to Slack, you're like, hey, I got an idea on a thing; some people are like, yeah, it's a good idea. That's it. So to make it happen, someone needs to drive it and, like, figure out what the next steps are and engage...

A: I guess LF, to make this kind of official and come up with, like, a plan, and who we're going to reach out to, and how, like, all that stuff. And you can have lots of help from other people to get that stuff done, but I've learned that I'm only a bottleneck when... until my... my strategy is there's more than enough opportunities here for everyone to lead a thing, so I'm asking for, like, a leader to make it happen.
A: Is there anybody else that would like to partner on, particularly on that management, you know, side, or just as a co-lead or whatever, like, whatever you want to call it?

C: Okay, so I have organized academic workshops before, I mean, if that's considered, but I mean we do need to probably coordinate with somebody inside OpenSSF who is going to actually do the logistics stuff, as in, like, actually saying...

A: The logistics part is easy, yep, so that will probably be Kahil now, either way. That's covered; that one's easy. I can make sure that all happens. Okay.

B: Yeah, if you need one more, I'd like to help, if there's anything I can help with.

G: Thank you, Alex. I will create, then, in the Slack channel or something. Okay.
A: This was the SIEM for the open source ecosystem to listen to events, particularly, like, malware and other kinds of bad things that can happen, and then to have an incident response team that triages the results, if needed, and gets notices back out to the ecosystems to get these packages taken down.

A: So this work today is being... you know, some of it's being done by some of the vendors. I'm not aware of any open source, or sorry, open-sourcey, like, organizations that do this without a kind of commercial company, like, under them. So we talked about this two weeks ago; I said I would follow up with the incident response work stream. I had that conversation yesterday. It was a good conversation, but they were not, are not, ready to take on this.

A: So, you know, I'll follow back up with them in a couple months to see if anything changes, but that avenue is probably not going to go anywhere. So I have two choices. Well, actually, I have, like, four choices. We could go to the Securing Software Repos working group, because this has npm and PyPI and all of those there anyway; they stand the most to gain by getting the pollution out of the ecosystem, at least in theory.
A: It probably... I mean, it might have to be a SIG because we're asking for money. Maybe, well, actually, no, it definitely does not need to be a SIG because we're asking for money. It may make sense to do it as a SIG because it's independent of a working group, or... the thought I had yesterday was, the name of this working group is Identifying Security Threats. This is definitely identifying security threats, so it fits pretty well where it is, and we can just manage the project ourselves.

A: We would need to probably ask for money in order to fund someone to be kind of going through the results and contacting the ecosystems and updating the rules and all that stuff, but I think that would be relatively low-risk stuff. We could contract that out, I think, pretty easily. Or the last part is, we could say, you know what, it's a good idea, but other ideas are better.

A: ...is, let's say, malware in a loose, loose, loose definition: malware, backdoors, anything malicious, even if it's not, like, an emergency malware. I mean, like, all the dependency confusion attacks that we had last year, those count. If you are installing a package and you're exfiltrating data, yeah. If your package says it does, you know, it's left-pad but it really is a crypto miner, that's... yes, that too. Those types of things. It does not cover "we just found a vulnerability." Let's leave that to Omega, sort of.
F: I think there are so many commercial vendors in this space who are doing, you know, this kind of analysis from an SCA perspective, or even just focusing on this domain. There are some new vendors. There are also some free kinds of sources where you can kind of get similar kinds of information, but I think one of the big challenges is that there is not a standard way of communicating this information, and a standard schema like vulnerabilities may have. So I think...

F: Maybe we need to start with the standard schema first, then trying to... similar to the OSV approach for vulnerabilities, similar to that for malicious packages, right, rather than just focusing on vulnerabilities. So maybe, I was thinking, maybe start with the standard schema and see if these vendors will adopt it, or can start whatever, you know, centralized, similar to osv.dev or something like that, and encourage others to do the same. Okay.

A: Do you see that as a predecessor to this, or are those kind of orthogonal? Like, the reporting methods we have today kind of work too; they're not, you know... Thank you.

F: ...perspective, like, there won't be any silver bullet source for any of these, right? Like, you need to use multiple vendors or multiple intelligence, but the challenge to the end user is they can't help each... and everybody has their own language or schemas and things like that, which is going to make it difficult to use it. So I...
A: Yeah, this would be a closed loop between... and this occurs with Sonatype, you know, so Sonatype or JFrog or somebody does analysis, finds a thing, contacts PyPI or npm or RubyGems or whoever, the thing gets evaporated and the world is better off. No end user really needed to know anything about that. They just... so.

A: Right, so, you know, at the same time, though, you know, there's a lot of things that still get published out there. So it is definitely not a solved problem, but I want to make sure that Jane and Roderick have a chance to talk too.
C: Yeah, I think I owe you... I think I owe you a response to your last email. I'm not even sure if either Sarah or I responded to you, so I owe you a response to that. But, you know, the tactical nature of a SIEM...

C: ...aside, I think we need to take a step back and put more thought into the strategic nature of it, because I'm not terribly sure it... it should... should it probably live here? Sure, but I think it's a lot larger than just a project in this working group. I think this might be something that has meat on it that could be looked at across this working group...

C: ...the Secure Software Repos working group. You know, I think there might be a bit of meat to chew on for a few of us, so I think we, you know, take a look at it and then see how we pitch and how we bring it in. Like I said, that's stuff that we could talk about offline, though, yeah, but that's my general thought anyway. So, all that being said, I owe you a response, and then we'll talk about the particulars from there.

C: Yeah, well, I think I was just gonna say, if we are going to move forward with trying to do our own thing, I would like to engage on that, you know, and whatever. So, however this moves forward is something I would like to participate in. Two, I did have the question of: if the incident response working group isn't ready to take this on, exactly how would we be? So there was a question there.
A: Yeah, I outlined two scenarios at a high level, and one is basically this is volunteers or voluntolds from OpenSSF members that get another hat, and the hat is, you know, kind of going through the output, but with a cone of silence on that: they can't tell their employer, because these are zero-days and things like that. And the other scenario is just hire contractors to do this, and that way we have, you know, an agreement that, you know, this is what we do, but it's not spread throughout OpenSSF members that sometimes could have a... yeah.

A: Yeah, so it wasn't a... it was a... we agree in principle that this would be a good thing, that we, we being the incident response work stream, is focused on other things right now, essentially getting off the ground and figuring out, like, what are the biggest challenges around that and how they're gonna go address that. So they have preliminary work to do, which is going to take some number of months, and then, you know, as that wraps up, like, I hope they kind of change their mind on this.

A: But I don't know that, like, I'm not sure that, like... they don't have to align. It doesn't have to be in that group. It's nicer if it was, but, you know, it's fine either way. I'm more concerned with getting something, and learning and getting better at it, and making this something that, you know, the techniques that we use, feeding those back to the package management ecosystems themselves, so that PyPI gets better at spotting these things as packages are being published, and then npm too, etc., so that ultimately the well dries up. That would be the best scenario here.

A: Cool. Any other... a couple hands raised, but any other comments?
F: I think the, you know, the point with PyPI and npm: they have some security, I would say, design flaws with their package management, so that, I mean, is why they have this kind of challenges compared to some other package management systems. The other thing is, it's better to push them to resolve that, rather than trying to... I mean, I feel like this is going to be a major challenge.

F: You know, the pre-install script problems, and similar with PyPI, but in my opinion we should try to push them to improve those areas to reach up to some maturity level in terms of security of a package manager. Yeah, there was a similar effort in an OWASP project to... I don't recollect the project name, which is kind of comparing different package ecosystems and the security features they offer: if they offer 2FA, if they do pre-install type of things. Like, just putting it out there and making it public itself kind of maybe opens up the eyes of the package management teams, and trying to reach the same maturity, right? Or it's not... I mean, the security...
A: And I think those discussions are absolutely worthy, and, you know, we're funding some of that through Alpha, and we need to do more, and more focus there is great. And, you know, I'm just not seeing the... and obviously I'm biased here, so take everything with the grain of salt that, like, Mike is biased, but I'm not seeing that as... I'm seeing those as, like, two separate paths that we can go down both simultaneously toward a better end.

A: One is, you know, strategic: make the problem... you know, I don't know, plant a garden that, you know, gets much better in the future. And the other one is, like, well, the shed's on fire right now, so let's get some water and try to put out the fire.

A: So I don't know, I'm... let's continue this discussion. We are slightly over time. I thank everybody for their feedback and comments and engagement and everything, and all that, so really appreciate it. I hope everyone has a great rest of your Wednesday.