From YouTube: OpenSSF Identifying Security Threats WG (March 16, 2022)
Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: So, which means that I don't currently have an agenda.
B: Let's make up an agenda. What do you guys want to talk about? You can go through kind of the usual suspects, but if there's anything special you want to do, let's do it.
C: I like this aggregate sources of data / metrics.openssf.org discussion.
A: Actually, well, first is remembering to record, and how do we? Why don't we put a bullet of new friends, and while people put in their names, Michael, if you don't mind, I'd propose that we ask anybody who hasn't already spoken, whose first time it is, to speak up and introduce themselves? What do you think? Okay, let's do it. So do we have anybody new?
D: Hey guys, I'm new. My name is Joseph. I'm working at Checkmarx; we're developing solutions to detect and research supply chain security attacks. And I'd also like, if you don't have a defined agenda, to suggest an idea for a project I would like to initiate under the OpenSSF, and I'd like to hear your opinions.
D: In my background, I'm a software engineer. I'm now leading an engineering group and a research group, and that's it. Awesome. Thank you. Yeah.
A: Yeah, and we absolutely love ideas, so you'll put that just before the other business.
A: I'll just say "project proposal" and we'll find out what it is when you say it.
E: Quick hi from me. I'm on just about every other call known to man for OpenSSF, but this is my first time here because I usually have another call that happens at this time, and it did not today. So I get to see your lovely happy shining faces instead. My colleague Eric Tice from Wipro often shows up to this one, but he's thankfully on vacation today. So this worked out perfectly, my schedule and his. So I get to see you all and say hi. Hi.
G: Don't tell anyone. And I'm here to support all the working groups and the community as we sort of grow and become what I think will be the best open source community on the internet. So yeah, it's great to see your faces.
H: I can jump in very quickly. My name is Christine and I am at F5, and F5 recently joined OpenSSF, so I'm just kind of sitting in on some of the working groups and just basically trying to learn more. Perfect. Welcome. Hi.
J: Yeah, so, your time. I also participate in a lot of the other working groups; for this one I usually don't get to attend as well, time zone, kids, showers, conflicts, but yeah, I try to attend when possible. From Rezilion, a cybersecurity startup based in Israel, dealing with vulnerability management and validation, etc.
N: I just wanted to quickly also chime in. My name is Darcy Clarke. I'm the engineering manager for the npm CLI and the gh CLI teams at GitHub. I have been trolling the OpenSSF working group repos recently and wanted to start to get involved, and potentially have folks from my team start to come to these meetings, hopefully to help build great tools here. So.
B: All right, I think that was the longest new friends we've ever had. So that's awesome. Okay, so we definitely have a packed agenda, so let's get right into it. If you have anything else that you'd like to add, please add it to the bottom of the agenda, and if we don't get to it today, we will get to it next time. I like that strategy. David, Harvard Census.
A: Yeah, so this is kind of a quick recap, but the Harvard Census II, everybody's been waiting for it for a long time. It is finally out. So it basically does analysis to find out which ecosystem, well, language-level packages are very, very widely used. If you want details, see the report.
A: That is the plan. Funny enough, you've got a mirror right here. Who is the lead? So you can.
C: We're going to use the census data, as well as all the other available data and the qualitative data, to tailor a list. Awesome, awesome.
B: Perfect. I've got a point on that, but I'll wait until the Alpha-Omega update. Okay, cool, awesome. Okay, I guess next, you know what, I feel like metrics might rattle us, so I'm going to put that one down below, because I want to make sure we get to insights and reviews. If that's okay, Luigi, insights.
O: Okay, sorry, yes, I have shared the project in the OpenSSF channel.
O: Then I will invite, I will contact the responsible person in the Scorecard channel, who suggested to me to organize a meeting with the project. I need to find the name, because I don't remember now, but yes, with another project that is interested in a similar implementation. I can find it in one second. Why is Slack so slow.
O: They told me that.
O: Emily said that the stag sdh meeting probably is a good place to talk about this project, so for now the feedback is good. In addition, I have added a comments section in the YAML files, so if you have a threat model or a security assessment or a particular CI tool or similar, you can add the comment in a human-friendly way, so as to give more context to people: not just the URL, but also a short description slash more information, I have added.
O: Of course it is short because I've decided to limit the number of characters, so 560, like for tweets. And I will also add the expiration date; in this way, if the YAML file is not updated for more than one year, like security.txt, the scanner can just decide to drop it without considering it. This should force people to keep it updated. Just a single review with a comment is a good update, but in this way, if there is a maintained project, we can understand this also from this file, especially if it became a standard.
O: And yes, at the moment these are the main updates that I have. I will share it as soon as possible with the Scorecard team. Again, I just want to finish the threat model, which will be public. I am using the OWASP Threat Dragon tool to do this. So probably it will be in JSON format, but you can visualize it using the tool. And well, I am working on it at the moment.
O: I am still working on the threat model, but some feedback from other people is very welcome, because it is quite easy to miss important threats during the model, during the niles and the teams.
B: Perfect, I'm just trying to find a link to the site.
O: I have sent the link in the chat. At the moment it is still on my personal GitHub, but after the threat model, probably we can decide to move it into the OpenSSF organization.
C: Hello. No significant updates on the security reviews repo. I did see somebody put here "SCITT (S-C-I-T-T) integration". I'm not too familiar with that personally, so I guess whoever put that up, or if we want to talk about it, I'm happy to.
B: Yeah, I can give a quick update. So, have you heard of SCIM? If you've heard of SCIM, SCITT is the new word for SCIM, because too many people have chosen SCIM for their projects. It's intended to be, let's say, an assertion database, effectively, of claims about a target. So the simplest would be: a GitHub Action has asserted that code scanning was enabled and ran when an artifact was produced. So in a way it's kind of.
B: It may be a part of a triad between, like, Scorecards and Security Insights, and maybe parts of, I don't know. I don't say it's part of SBOM, because it's not; it's a superset of SBOM. SBOM would be one such assertion. David, I know you're clamoring to say something.
B: It's very early. I think it's not even a fleshed-out design, but just conceptually the idea would be: if somebody has done a security review of something, basically the metadata that's part of a security review, make that programmatically consumable and make it so that you can express policy. So, "I will only use open source that has had a security review," but, you know, expressed in a SCITT assertion.
C: I mean, it certainly makes sense conceptually. That was one thing I liked about the metrics database too, was having some way of having that assertion or displaying that data. So yeah, I think it's something worth exploring further.
B: So this was, so I'm not sure at the moment. So I believe Kay is running this.
B: I thought it was being absorbed into the work of the OpenSSF working group that had its name renamed, so I guess Supply Chain Integrity. So this is.
B: Okay, future of metrics.openssf.org. Is there anybody here from Scorecards? Because I think that was the main. So this conversation we had, you know, back. I think we've come to an agreement that, like, the implementation of metrics.openssf.org, the database and the importer that doesn't import very well and the Grafana dashboard, is probably not the right long-term implementation of it, but that there is value in an aggregated collector and provider of metrics.
B: We talked about deps.dev. We talked about the upcoming scorecards.dev or securityscorecards.dev, as potentially using that to aggregate. We also talked about LFX Security building out that aggregation platform. I don't have a strong feeling on where the implementation should live. I think it's simple enough, at least at a high level: you have metrics provided by different sources.

B: Consumers want a view into that in aggregate to get better information, and then API access into that aggregation so that they can build tools and things on top of that. As an example, the npm client: it would be super useful for the npm client when you install a package, the same way that you have "this package is deprecated", to also have some, I don't know what, but some "this package is unmaintained" based off of a signal that Scorecard's generated.
A: Yeah, you know, it was always viewed as an experiment. Let's get going, and frankly, I think from the view of an experiment, metrics.openssf.org has absolutely shown that there's value in aggregation. So I don't, I personally think that was obvious, but seeing it is, I think, very helpful for the argument.
A: Yeah. I think the main issue for LFX Security and, of course, you know, from the LF's side, is, you know, that there's good value. I think the truth, when we talked with Shubra, and tell me, Mike, if I'm misunderstanding, but I think originally they were thinking about always doing the deep dive, and obviously you can't do that with every single open source project.
B: Right, yeah, and that's, so I would be totally happy for Shubra to build that LFX to include that stuff. In the conversations I've had, I haven't heard any "no, this is my territory, like, don't go here." I think everybody was like, we just want something. I don't think anybody really cares where it is. I hope I'm not misrepresenting that, but that was what I took out of it. But I think the important thing is that somebody does it.
B: So we can't have everybody waiting for somebody else to do something, right. I would like to get metrics.openssf.org shut down. Like, I don't have any particular timeline, and it's not, but can I request? Don't.
A: Right, in fact, if there's problems getting the Scorecards data into metrics.openssf.org and there's a way we can fix it without too much trouble, I would say let's do it, so that we have something that shows the value of aggregation, makes it clear that it's doable, and then we move on once we have that next step running.
C: The insights, LFX Insights, yeah. So I wonder if there's enough overlap there, if that makes sense as kind of the de facto new home for metrics. And I believe the Insights tool is accessible, meaning anyone can go use it, so that seems to make sense, in terms of overlap and consistencies with what the goal of metrics is and what the goal of this Insights platform is. So.
A: It's not doing it. It's not aggregating all that data that we've been working with yet. I don't think it's quite clear; it could, it just isn't currently. That's why I want to push back on shutting it down until the replacement. Oh.
E: There we go. So yes, plus one to not shutting anything down until there's an alternative, yay, and when there is
E: an alternative, you know, redirect metrics to that alternative. But as we're talking about LFX, I think a limitation might be the fact that it currently only covers Linux Foundation projects, right, and.
A: It does cover some more than Linux Foundation projects, but your point is still taken. Historically, it's been focused only on LF projects, and that's the issue that we need to, you know. Originally, when it was developed, the theory was, hey, we're working on these for LF projects, and what is in discussion is, hey,
A: why don't we provide some of these mechanisms for just arbitrary open source projects? And that requires them to change what they're doing in order to do that. That said, it makes a whole lot more sense to build up something once that has all these different tools and information at your fingertips, and somebody's actually paid to work on the UI and that sort of stuff, but.
E: Yeah, absolutely. I do think there's, again, as has been mentioned a few times, lots of value in aggregation, right. It's a great tool, certainly should exist somewhere, but I am concerned about having it all under the Linux Foundation umbrella when so much of the open source world is not under the Linux Foundation. And so it's not that I distrust the Linux Foundation to do it; it's just that we have to make sure that everyone else is on board with that, right.
E: You know, and getting Apache and Eclipse and everyone under Software Freedom Conservancy and FSF, and all these other projects, right, to play along. And so I think that's something we need to consider as we're having these conversations.
B: I think there's also a fundamental difference between the opt-in model, where LFX needs some sort of permission, something into a repo, versus the current model, where Scorecards doesn't need permission to scan a repo; metrics.openssf.org doesn't need permission for anything. So if LFX goes that route, then it simplifies things because it allows them to scale to everything. It may limit the visibility of what they can get, but, you know, as a trade-off. So I agree completely.
B: It should be an intentional decision that we make on where it goes, and LFX would need to buy in to that. The conversations I've had made it seem like they're amenable to that, but we should continue to have a conversation.
K: Thank you. I want to strongly second Vicki's concern and add to that, and this is something I've already raised with Brian, and I forget the name of the lead PM for LFX.
K: I have some significant privacy concerns with the LFX platform as it is currently being designed. The way that projects, any project, LF foundation or otherwise, opt in, the way data is gathered and then, in the background, cross-referenced by LFX between repos, has, should we say, interactions with certain privacy laws in different countries, not to mention some community members might find it an invasion of their own personal privacy, even if it isn't illegal.
L: Yeah, thanks. So from my understanding in the last meeting, right, like, LFX Security currently can't scale up to all the open source projects and packages, right. So that's where I was proposing deps.dev, which already has these features, and I believe in the last call someone from Google mentioned that they would be interested to consider donating deps.dev to OpenSSF, right. I'm not, I don't really want to talk on behalf of Google.
L: I don't know if there's anyone from Google who can comment on that, but currently deps.dev contains the Scorecard data, and it contains a lot of other useful data from a security perspective, right, at a large scale. I think they have a really huge amount of data, and it's absolutely, yeah, it's really good so far from a user experience perspective.
B: Okay, so I guess for our next step here, I will take an action of setting up something again with the two folks that we talked to last time from Google and Scorecards, and see if we want to move forward on, you know, get a high-level plan together and then run it by everybody and see what everybody thinks.
B: Okay, next, Alpha-Omega update. So we had a webinar about a month ago; hope most of you were able to attend. Actually, I think there were about 400 people on the call, maybe 300. It was more than I expected, so I was happy about that. We got job postings out earlier this week, so it's a lead PM, a software slash security engineer, and a security analyst/researcher.
B: All three roles are full-time Linux Foundation employees who will be effectively, well, the lead PM is gonna be essentially the full-time driver of Alpha-Omega.
B: So the other two would almost certainly report to that lead PM, and then the current folks, Michael Winser, myself and Brian, would move to more of an oversight role, strategic stuff, things like that. So if you know anybody, please send them either my way or Michael Winser's way, or send them right to the job posting. Happy to answer questions, talk about that. What we're looking for here are pretty senior, highly technical. Like, you know, I don't see, trying to use you.
B: You use the right word, but we're going to be looking hard for the right fit for this, and we know it might be difficult to find. But.
A: Quick note, just having dealt with some of the legal issues on hiring in the past. I would suggest, by all means, talk to the Michaels and anybody else, but for the actual "hey, I'm interested in the job," click on the job posting and go through that formal process, so that we know everybody's considered and all that good stuff.
A: We want to make sure that nobody cries foul later. The goal is to get progress forward.
B: Yep, cool. Alpha-Omega is also going to be starting a monthly public meeting, and I think that starts the formal detachment of Alpha-Omega from this working group. So our first will be on the sixth, so it'll actually be, I think it's Wednesdays, a couple hours after this meeting.
B: Well, you know, everybody's welcome to join and be part of the process.
B: And it's on the OpenSSF calendar. Okay, Joseph.
D: So I'll picture the concept. I'm looking for feedback, and I truly believe in this project as a tool for developers. I think we build great tools, but we need to integrate into the organic flow of, you know, problem solving of software engineers.
D: So you bump into, for your first result, you land on Stack Overflow, and we can talk about the protocol of how to choose the right answer from Stack Overflow, based on comments and the age, but we have a lot of data here, donated by a lot of people, smart people, maintained by the community, and eventually this exploration process ends up in, okay, I'll take this suggested package and I'll
D: try it out on my computer, and I'll install it and see what I get and I'll play around with it. And the problem is, we expect the developers to use the great tools we build, for instance deps.dev, which has a lot of insightful information.
D: Maybe my organization's policy would forbid me from using this package, not maintained or licensed or whatever reason, and we have a lot of great tools, such as Open Source Insights, and what I think most of the developers are not doing is jumping into these tools. And, I think, a simple browser extension
D: with, like, a summary of data already being calculated and easily, in my opinion, accessible via API, all done within the browser. Not saying that this is the right UX, but the concept is creating an overlay layer of information, not only for security, but also for the health and maintenance of the package. If someone would like to see the full information, full reports, maybe we can integrate more, like advisor websites like Openbase or Snyk Advisor or other great ones, you know, it's open source.
D: This is the idea, and that's it. That's the tool I would like to suggest to be hosted and be part of OpenSSF. I'd like to hear what you think.
A: There would be some way to indicate, oh, it seems like you're looking for information about this package, here's some more data. And I imagine you'd also do this, I'm trying to think of the websites you would try to trigger on, so things like looking at Stack Overflow, looking at various repo sites, maybe noticing certain URLs that link to a package. Is that kind of what you had in mind?
D: Yeah, like scraping some specific websites developers tend to use when they explore and research packages, and whenever you have a suggestion or a specific page of a package, add more insights, or in this case, in Stack Overflow, add more information about, you know, you get an answer suggesting you install a specific package.
D: We can take some insightful information from, let's say, deps.dev and place it there. So the developer will have this information inside of his organic process. All he has to do, which I'm not saying is easy, is to install this open source browser extension once, and this data will be available for him wherever he goes. It can be on more websites, not particularly Stack Overflow, but the browser logic should be simple: to scrape, to understand whether, okay, this is a package reference.
B: I really like this idea. I mean, eighty percent of me loves it. The other 20 says, yeah, you'll never get enough people to install the browser extension to make it broadly useful, and just get it in, you know, talk to Stack Overflow and npm and NuGet and all those to get it embedded in the site. But I also know that that's going to be really hard to do, particularly if there's not obvious demand for it.
B: So maybe the browser extension is the way to test that demand and hone it, and then, when it's so obvious that it provides value, they would say, yeah, we'll just iframe it or embed it or whatever. As a way to experiment, I think it's great. I would even go so far as to say, like osv.dev, include the vulnerabilities, or, you know, more than just Scorecard, but.
A: Yeah, and I think you've hit the nail on the head here. How do we encourage developers, if we did this? Because I think there's a there there in this example. It is absolutely true that the easier we make it for people to see important information, the more likely
A: they'll actually use it. What can we do to either encourage people to install some extension, if we did this, or remove barriers? I will say the latter one, the barriers. I know a number of organizations don't like installing browser extensions, because they can do bad things, so things we can do to reduce the worry about that might help a little bit. But, you know, if there are things we can do positively.
D: I think when it's open source and when it's maintained publicly, you know, the concern of, you have great extensions, AdBlock or Grammarly, or extensions that almost everyone uses. So you have those extensions, and you have extensions that have less reputation, and I agree it's scary to install. But while it's open source, I think you can go for it easily, and yes, it's hard to cause and to sell it to developers.
D: But the thing is, when I see also developers in my engineering group, and they're aware of the security issues, but their mindset, and I think a lot of friends of mine, is, you know, there is a certain flow of experience when you search for problems, and you experience some code snippets and you try them out and sometimes forget to check on these resources. And this is here to make it easy for you in the organic process.
A: Yeah, to be honest with you, the problem, you don't need to sell very hard. I already buy it. The issue is whether or not this is worth trying out, and I think that really comes down to: what can we do to get people to install it? I mean, Brandon can, I think, help; we can label it OpenSSF or LF or something like that. Sorry.
E: Yeah, so perhaps I missed this, I had to multitask for a moment. Which browsers or browser does this target? Is it purely Chrome, for instance? Because Edge is quite popular. We have Firefox.
E: Some of us are Safari only, and then, of course, you have those outliers who are, you know, pushing rocks uphill on Linux, bless their hearts. I love them for it.
E: So what are we talking about here? Because I agree that, as a proof of concept at the very least, finding a way to get people using a browser plug-in to test whether this will help raise awareness, and therefore reduce the number of potential screw-ups that we get just because people don't know to look, right, so fixing that, I think, is a great idea. I'm with David here. You don't have to convince me that this is generally a good idea, and a browser,
E: you know, browser plugin, yay, go team. But are we just thinking one browser? Because I think that's going to be quite limiting.
D: No, all of them. I mean, most of the popular ones, not the very niche, but Firefox, Chrome-based, and all of the popular ones. It shouldn't be a problem, because most of the structure of browser extensions is very similar; speaking of Firefox and Chrome, almost the same manifest. And yeah.
E: But I think, if this proof of concept works out pretty well, then working with the browser community to get this added to the dev tools, frankly, for each and every one of the browsers, that's just going to boost the availability of it considerably. I think that would be great, and that's something that I think the browser teams might be pretty on board with, because they've all got dev tools, right. Being able to surface this information could be really super useful.
A: Yes, yeah. Well, I'm going to add that, you know, plug-ins for dev tools, things like the editors, Visual Studio, Vim and so on. Then you've got, of course, the package managers themselves, although by that time you've probably already made your decision, so that may be too late.
H: Building on the wording, the terminology, "proof of concept": I'm wondering what level of endorsement you're looking for and what the expectations are. And I'm still wondering, I thought there was an evolving discussion around what the term "incubating" would mean, or something similar, because there seems to be criteria for entry to be labeled something. I don't know if "proof of concept" is an official thing; please help me, TAC members here. But I'm saying anybody can write code. I mean, I'm all for any 100 proof of concepts.
H: The question is, what are we? We know what. Why are we even being asked for approval? You just write the code and go for it. I mean, either the tool is useful or not, or provides, I mean, it increases access to information and people love it, and we say, let me take it to incubating or whatever. But I'm just wondering what classification, what kind of approval we're looking for here.
A: Well, we have in the past labeled these sorts of things as incubating.
H: But yeah, I was asking. I thought criteria were being developed for incubating, so I was wondering what the status is.
A: I don't know as far as that statement goes. Sure, do you remember?
G: Okay, so I unmuted my big fancy microphone, but not the tool. That's cool. So my understanding is that the incubation process is really gonna apply to, like, new working groups, new bigger projects that the OpenSSF wants to kind of incubate, to bring up to, potentially bring it under the umbrella. The working groups still have the autonomy to kind of decide to take on different initiatives,
G: different code projects, different things of that sort, under their purview. But it would be, I think, a TAC decision, or a consultation with the TAC, if this project wanted to become something more than sort of an initiative under the working group umbrella. That is my understanding of the direction that we're moving in, seeing Ava nod their head. So that's a great reinforcement there. So by all means, Joseph, I think this means you can now proceed.
K: Yeah, I will add a little color to that. The definitions of all those things are in flight. I think Jory's summary was fairly accurate. I think, for project code coming in, it may have slightly different criteria than working groups, and, apologies for kind of multitasking and missing a comment,
K: perhaps if the proposal here is to run another public-facing service, a website, something like that, there may be separate criteria that get developed to judge the maturity level or progression policy for a public-facing service, as that might have different obligations than merely saying we're hosting some code. And so any endorsement of it or description of its maturity level, what SLA it has; an SLA doesn't apply to a working group or project code, but it does apply to a service. So we need to work out those sorts of finer points.
B: Yep, do not.
L: The idea of, you know, a core browser feature or a developer extension, right, so we don't need to add some third-party software addition if the browser itself is supporting that. But I also think, in the previous call I mentioned, it's also good for GitHub or whatever the source code hosting place is to highlight this information, right. Like, an enterprise like us, we also block Maven Central or npm, because we don't want people to directly go there and download it.
B: So there's, I think what might be a good next step is to talk with the Scorecards folks, and maybe the Security Tooling working group, to kind of have similar conversations to see what their appetite is and what their plans are. You know, how can we help? I guess is really the, you know.
A: I think that creating some first-step code is one thing; saying, hey, here's an extension, we endorse it, you know.
B: And I'm fairly certain that the bump to get from "here's an experiment that we feel good about" to "we'd like to make this public and put the OpenSSF name on it" is going to be a lot of pro forma stuff, like what are you actually promising, and that's not going to stop the project. So, right, right.
A: Now, I do think that, I also used to work at an organization where "oh wait, you want to install an extension" is of great concern. If the code is written in such a way that it's relatively small and easy to audit, that would help. So basically, it's a relatively simple set of patterns, boom, and here's what happens when the pattern matches, if we start small. Also, those organizations wanted people, at least my organization wanted people to review: wait a minute, you're bringing in code.
D: So I think I'll try. Michael Jackson suggested pitching it to the Scorecards working group, and I'll not wait; I'll start working on some coding and a proof of concept, and I'll have live demos to show it as it progresses.
A: Note on licensing: Apache 2.0 and MIT are pre-approved. Anything else, you need to talk to the TAC first, actually the Governing Board, but through the TAC.
B: Awesome. Matt, heads up.
H: I don't use browser extensions at all for those types of things, so if I'm told to use a package from a source like Stack Overflow or whatever, I go directly to the package and look at the package myself. So I'm just trying to figure out, positioning-wise, considering the fact that we're wildly successful here at OpenSSF, and if our Scorecard stuff and the data we accumulate has an effect on package managers, and really we're just looking at the package manager, playing to them and playing overlay.
H: My hope is that over time our information becomes first-order metadata on those package managers. So the question is: how does this plug-in or proposal fit into that future, and, you know, where's that, what's the need, isolating the unique value-add of it, if that feature is indeed realized. This will let you go first.
B: This is your thing, but, well, go ahead, go ahead. As you can see, if this gets integrated into all the package managers, then we don't need the browser extension, and if the browser extension's existence helps accelerate that or make that happen, then everybody wins. And.
A: You know, JavaScript and Python are widely used; Common Lisp, Pascal, not so much. So I could easily see situations where we have really put some resources into some, but this may help catch some others. So.
B: So the nice thing is, we have folks like Darcy here. So from an npm perspective, like, and I don't know how npm, no. No, I'm not even asking for, like, you'll hear my ask later. No, I guess the question is, as a package manager, what criteria would you be looking for when trying to make the decision of:
B: should I add this new feature to, like, the npm website? Because understanding that criteria may help the project go down a direction that either gets closer to that or intentionally doesn't. And I won't put you on the spot, because we have 30 seconds left in the meeting, but maybe next time we'll talk about that.
N: Yeah, I don't have, what's the best political statement I can make right now. I don't have any specific context around what we would or wouldn't include in the website.
N: There was historical work done to consider, like, publicly consumable widgets, even, that could have allowed for community-driven insights or sort of plug-ins, or usage even, to be generated by the community and consumed and showcased on package pages. So that was at least something that was potentially an avenue we were exploring historically. But yeah, in terms of the trust model of the information and the type of heuristics and things we're looking for, and insights we want to bubble up for packages and their integrity and security,
N: that's why we're here, and I'm interested as well. The npm CLI tool, obviously, it can be configured with any third-party registry. So what can we do in the open source that actually is available to all folks, that might be consumable or used by the npm CLI? So we have a whole RFC process and a very open product development cycle, so nothing's off the table in terms of adding new features to the npm CLI.
B: Thanks, we're out of time. Thank you all very much for the great conversation today. I hope to see everybody again in two weeks, and maybe more folks. So thank you all, stay safe, have a great rest of your week.