B: Cool, okay, so welcome everybody. So we do have some, some new folks. If you guys want to kind of introduce yourself real quick, everybody else, and we could do a super quick, like, three minutes through everybody, because we, I think we have a lot to talk about today. So, Silas, you're on.

C: Sure, hey, I'm Silas Cutler. I, I do a lot of different things. I work full time at, well, not a startup anymore, called CrowdStrike, doing security research and reverse engineering on malware. Run a project called MalShare, which is a large malware repository. Worked at a couple places in the past, worked at Chronicle, which became Google, worked at SecureWorks and a tier one ISP back in the day.

B: Welcome. Yeah, I guess, I guess, let's just go down the line.

D: Dan? Sure, looking for the unmute button there. Yeah, I'm Dan Lorenc, I'm an engineer at Google in the security org and I'm involved in this one and a couple other working groups here at the OpenSSF.

A: David, David A. Wheeler. I work at the Linux Foundation, been working on open source software security for a long time.

B: Cool, awesome. Dylan.

F: Cool, my name is Dylan. I am a fourth year engineering student at UC Berkeley and I, I interned with Microsoft, with Mike, last summer. I'm gonna be starting again, starting up full time in the fall, and yeah, got it.

B: Awesome. Prabhas?

G: Hello, hi, my name is Prabhas. I used to work a little bit on security, maybe three, four years ago, for about seven years, but now I am not working in security anymore, so I joined this group to just keep my knowledge up to date. Yeah, awesome.

E: Good morning, I'm Ryan Haning. I work at Microsoft in MSRC, focused on open source security.

B: Cool, and Silas, I don't know if you introduced before or after I started recording. So if you wouldn't mind, don't you want me to turn again? Oh, I'm, I'm sorry! No, sorry! No, we're all good. I was thinking Ben.

H: Ben, would you mind? Oh yeah, hi, Ben Stoltz, I'm a former Googler, Xoogler, working in platform security.

B: Awesome, cool, and I'm Mike Scovetta. I do security things and open source security things. At Microsoft, I run a team that does proactive security reviews of open source, writes tools, stuff like that. I've been doing security for 20, 15 years, something like that, and then engineering before that. So I'm super happy to be, to have new, new folks on the call today, and we'll kind of talk through some of the things that we're doing, and I'm gonna be, I've got, I've got a hat out.
B: Looking for, for donations, so be, be prepared for some, for some pressure. So, first of all, the projects. The, the security metrics project is the, the link that you see here. This is a, it's a public project in, in, on the OSSF repo, in the OpenSSF, you know, thing on GitHub. We switched over from kind of a Django-based implementation to, like, let's just make it really simple and get something out soon, so it's Grafana. So you can, for those of you who haven't seen it, I can give you the quick dashboard thing, which I'm hoping is going to load, like, instantly.

While that's loading, the, the purpose here is to gather metrics from different sources that already, like, produce them, but also have the ability to produce custom metrics, feed them all into a database, and then Grafana just makes the database pretty. So right now we grab things. What's a good one is the badge program, so this is the, the, the ones down here are all from the OSSF Best Practices, but the badge program, the ones on the right, is the OSS, OSSF Scorecard metrics, the things that are generated automatically by Google, so Dan, thank you. And this is a scorecard, is where these metrics are coming from. These ones here in the middle we generate ourself, and the description and things we grab from the Best Practices stuff.

So this is just barely proof of concept. We want to move this forward, or, or at least we want to have the discussion on how should this move forward.

So that's super high level what the metrics project is. So there were discussions last time on what it really takes to move this forward in terms of, like, manpower, like, do we have folks that are passionate about this and want to do this, meaning, like, literally, like, configuring Grafana and, like, figuring out, like, what metrics make sense where, and, oh, this thing is duplicative of this, and, oh, we could really pull this other metric in, so I'll write a connector for this.

I don't care really where, like, who does it, but I do think that in something like this, because we're trying to get it off the ground and it's a relatively small group that's kind of driving this, the design and the implementation are super tightly coupled. So if we take the implementation, and we just move the implementation out to someone else, then there will be constant traffic back and forth to whoever is doing the design, which doesn't really save the designer time, and by the designer I'm kind of meaning... So I've been doing most of the, the, the, the implementation work on this, so that's kind of the driver. So if there's anybody in the call that's super passionate about this, and, and you think this is something that you would like to learn more about, to see if it's something that you want to volunteer for, I would love to, to, to hear that. But you don't need to speak up now, because I've got other things to ask for too, but, but, so, as, essentially, we are, we, we're at proof of concept, and now we need to decide how we jump from proof of concept to whatever, MVP or whatever you want to call, call v1. I'll stop talking for a second. Any questions, thoughts? Anything.
A: Well, I, I will jump in briefly. I, I think I have some of the same problem that you have, that I have too many things on the plate, but I would absolutely be willing to help out. I think it cannot be just me, or, and probably not just you either, but, but, but, but I can certainly, you know, put in some scripts. I can, you know, try to help identify what metrics are important.

I do think that we ought to allocate a call, like a whole call, on just, all right, let's go down to brass tacks. We have a quick, we have a very early version. What metrics should we toss? What metrics should we try to get in? And not just, hey, let's talk abstracts, let's talk about exactly what's measured and how it's presented, and maybe, maybe my guess is that this meeting, because it looks like you've already got a longer agenda anyway, but maybe on our next meeting.

But, but they're, they're, you know, and so I think very much discussing here and looking for others, I mean, you know, the more the merrier, really, but there, you know, I, I don't think you need to say, oh my gosh, we can close up shop here. You know, we've got several irons in the fire to try to, to, to move it forward. Yeah.

B: Cool, that makes sense. So, yeah, so, so I'll, next meeting in two weeks will be the, just, just super detailed. We'll have, yeah, we'll do, just kind of talk details, and hopefully out of that we'll come up with, like, oh, it's actually not that big of a deal, or, like, oh my god, this is, like, really, like, no, we need, like, you know, 40 hours a week kind of work.

A: I, I guess the answer is yes. Yeah, no data, no data, no data. I guess the sad thing is we can't see. I guess we can guess what, what it would say if it had something.

B: So, so it's, there is no reason why I should not document what these things actually mean. I will document what they mean.

A: Okay, awesome. Yeah, just, you know, if we're going to discuss what it should say versus what it should have versus what it has, it's helpful to know what it has, and I understand that you were doing a, a quick, what can I do quickly, and I think it's really awesome for that, so let's figure out how to refine it. Yep.

B: Cool, yeah, and then, like, none of these are, like, months since last release, just a month since last release. Now, you, is it a release, is it a tag, is it a commit? That, that's what we'll give, but it's, none of them are, like, lots of logic behind the scenes, or at least none of these up here are, like, super complicated. Cool. What else? Okay, so moving on.
F: Sorry, real quick, I just want to jump in and, and say that, well, that I'm happy to jump in and kind of allocate whatever time I, I have to, like, if you have, like, action items here and there you want to knock off your list or whatever it is, David, I'm happy to meet with you later too. If you wanna, I know you don't have much time, but kind of just, you know, have, you know, maybe a couple more checkpoints here and there, at least between these, these meetings, and see if we can get some, some, some things that we want kind of knocked off our list, then, yeah. I just want to jump in here and kind of let you guys know that. So, yeah, I don't know. That's awesome. Helpful. Just keep me posted with, with things I could help out with.

A: I, I guess I, I, I, I don't know if you want to have this as a separate topic, but, you know, one is we need to have some code that runs, and the other is, we need a place on the web where it lives.

B: Let's, let's do that as a separate topic as we get closer to MVP or even, like, GA. I mean, we, we can certainly start talking about it as soon as possible, but I don't think we need to land on that until we're, we're closer to kind of saying this is a real.

G: Michael, I'm sorry, but since I'm new I, I, I still, I'm not able to follow what is the value that we are going to provide and what is the objective of this security metrics? I tried to search it in the Git and there is nothing, message, so it more talks about the technical aspect of it, but I, I am not able to grasp why we are doing this.

B: Sure, so the, the main purpose by the metrics project is, when, when, when someone is, there are a couple different stakeholders that we have in mind. One of them is the developers themselves, like, am I doing everything that I could be doing in order to have a successful, secure open source project? There are consumers of, of the open source: is the open source that I'm using trust, say, trustworthy from a, from, from multiple angles? You know, is it maintained, does, do they find and fix security flaws? Do they follow just generally best practices? Compliance teams that have, you know, ten thousand or a hundred thousand different components in use across their org, and they wanna understand, either for themselves or for compliance regimes or whatever, that what they're using, you know, meets the bar. We could take the stance that we're going to define out a bar, but then we kind of become a compliance-like group. I don't think we want to do that, so instead we want to convey these metrics.

Some groups are already, so, so we started out saying, let's just start collecting metrics, so we were going to go from, like, fundamentals, and then there were, you know, there were some really good points about, hey, other, other projects are already collecting things, but they're collecting a small subset of things. Can we just bring those all together and have an all-up view?

So what the current dashboard has now is a collection of data from four sources. You know, basically GitHub, the, the best, OpenSSF Best Practices, the OpenSSF Scorecard and security reviews, and that's, that gives a snapshot of a particular project.

There's a separate view that we, that we had talked about, and I think is still important, which is the all-up for a collection of projects. What does this look like? Where are the hot spots? So it's, it's a, yeah, that, that's kind of the, what it is. I hope that, that.
A: Okay, but, Mike, I actually tried to type in some things while you're talking. I agree with what you said, but I would add, there's, I think, one more group, besides the developers of the projects and the users of the projects, and that's the downstream users. I have ended up with a project.

G: I mean, thank you very much, yeah, I'm a bit clear now, but now, to, I have another question. When you were explaining to me before, me, I would like to ask it is: how would a person who is developing something with open source, would come, be qualified in this process? Does he have to apply for it, or is it automatic retrieval from all the projects in GitHub?

B: In the fullness of, well, the OpenSSF Best Practices is opt-in. The Scorecard metrics right now are, we are only showing the ones that are, like, automatically collected and, like, exportable, like a giant JSON file, but we can run it on, it, whatever we want. The rest of the data is pulled directly from GitHub. We, to answer your question, it should not be opt-in, because the, most of the people that are getting the value out of this are not the developer themselves, like the, the developer of the open source component, so other folks have more of a stake in the game than, than the developer does, so, so it should, I don't think it should be opt-in, but does that... I also don't think that we can arbitrarily make this any project out there, just from a scaling perspective.

A: Disagree with you, right, okay, think big. If it's an open source project, it's in scope. It might be on GitHub, it might be on GitLab, it might have its own repo. If it's open source, it's in scope. Now, I would agree with Mike that is not where we're going to start, but the last numbers that I had, and granted it's a couple years old, we counted up about two mil, a little over two million active open source projects.

Stop there. If it's not legal, it's not open source. By definition, we're able to download it, we're able to analyze it. Now, you're right, it would not be legal to download arbitrary closed source programs, but we're, we're not trying to do that, so we're intentionally avoiding that legal morass, and I think for good reason.

G: Is it based on some license qualification of the source code that you're going to qualify?

B: Although I would be clear, there are closed source things on things like NuGet and, I'm sure, all the other package managers, so, so sure, you need to be a little bit careful in the products that we choose, that we do ensure that it has an open source license, or otherwise have the lawyers figure it out to make sure that what we're doing for those types of projects are, are okay, but I think that's just, you know, we'll figure that out.

G: Yes, that was one, and the other one was just, this is a thought in my mind, correct me if I'm wrong: they, why not make it as an opt-in mechanism? Maybe it is, it shows a lot of problems for us on the legal front.

Well, now, yeah, I, I'm sorry for, a pardon for my lack of vocabulary. Yeah, as you said, why not make it an opt-in process then, than pulling every code from GitHub or anything, so, wouldn't that be easy while we start small, then, while, while, while, as per your vision of thinking big, you know, I'm, in a manner where we gradually grow.

B: I'm, I'm just not sure that there's any advantage to opting in versus us choosing a small number of projects. I, I, I think the opt-in nature means now we need a marketing campaign to go out and get people to, to try to do this, and, and I, yeah, I, I don't see an advantage to, I mean, I agree, absolutely start small, but.

A: Yeah, I mean, right now it's, there's a list of projects and then on a periodic basis it goes out and grabs the things on the list. The CII Best Practices badge is opt-in. There really is no, one, other way around it, because it asks a series of questions, but I think for this I agree. I don't see any advantage of opt-in.

I think the only issue will be possibly, you know, hey, if you've got somebody who thinks that public data can't, isn't public, I, okay, but all the projects that we're including are known to be open source. They're known, you know, they're, like, and therefore, by definition, if it's a known open source project, you are allowed to download it. That's part of the definition of it.

G: Thank you very much. I, I don't want to talk further about this, but there could be legal problems on this one. That is what I was worried about, continuing contributing as a person, and if you can give a conclusive analysis from, if OSSF has lawyers and.

A: We have a whole bunch of lawyers. My boss is a lawyer, and I, I, I, I want to be careful because some, you know, we have to, if, if we, we obviously want to make sure we do things legally.

But if, if there's an actual legal issue, we need to identify what the legal issue is and address it. You know, if it's open source, by definition, you're allowed to down, anyone's allowed to download it, anyone's allowed to use it for any reason.

So if, in those cases there is no issue. Now, if there's other legal issues, that's great. I certainly would agree that if we tried to put trademarks up and claim that we were authorized by somebody, we're not authorized, that would not be okay, but I don't think we're going to do that. Yeah, okay, yeah, so we've got lawyers. If you see a legal issue, please let us know, but I, I don't see any, and I, and I'll, we'll, I'll talk with our lawyers, but I don't see, I don't think they'll see any issues either.

G: I, I value experience, because I'm sure you, you better than me, you are a better person to charge on this. So it's fine. This is just a new person just asking some questions. Sorry, sure.
B: Okay, okay, I shuffled around the agenda. I just really wanted to get to, to these two. Okay, so security reviews. So last time we talked, I showed a quick demo thing. We now have a repo. We have a template. We have, oh wait, I'm gonna, as I'm talking about that, let me find the thing that I actually wanted to show.

J: Hey, Mike, this is Kay. I'm joining a little late, so forgive me, and I have, you know, first comment I have, as a, is a nitty kind of one. Do we, do we have kind of a standard for how we name projects? I'm noticing that for this group we've been naming it, you know, uppercase Project dash something something, and for some of the other ones the other working groups are, are creating, it doesn't say Project in front and things are all lowercase.

A: Okay, all right, I have a minor preference to lowercase, simply because on case-sensitive systems it's yet something else you have to remember, but life will continue if we don't.

B: Okay, so this, this is the, the template that I came up with. This is the one for, for left-pad, is my sample, like, one that I always use, so I'm not going to go into super detail on any of this stuff, but, like, this is all the metadata. It is now, like, officially, like, YAML, so it's parseable between the comments, but it's also, view, the rest of it is viewable as Markdown. So it's this Frankenstein thing. I don't love it, but I couldn't figure out another way of making it, like, viewable on GitHub, but also, like, reasonably easy to look at, look at and update the metadata for, but, and also parse. There's a better way. We can do a better way, but this is the least bad way I could find it, so, yeah. It's, it's a list of package URLs.

This is what was done by whom, the access being, this is public, and this is to allow, at least for, for my team, we will have private ones that we will have in an internal repo that we will then mirror outside when they are okay to be made public. Publication state, this is just, like, is it, you know, is this fully baked? What was reviewed in this, so implementation, full implementation, partial or non-implementation? For, like, you know, the, the author has abandoned the project, it would be, like, a non-implementation scope review. Severity, if there's a problem, if the opinion is not secure, then the severity should say, well, how not secure, and then the summary and the details of the, of the finding. So we want to keep it as, like, super simple, so this, so this is, as far as I think I want to go in terms of structure and mandates, but as, as any good project, first thing you do is you write the test case, which I did, so there's a validator that goes in and actually makes sure that things are covered.

So what I was envisioning was, we, you know, you, you do one of these. You, you create it. You issue it as a pull request. It'll validate it, make sure that it's good. We look at it. If you miss one, it'll tell you, and then it pops the, the Markdown. Yes, would be easier if it just, like, added it to the thing, but baby steps. So you take this, copy that and move it.

A: For, for licensing the, the template, which, and Kay can tell us all about the joys of that, in general we've been telling folks to use, for documentation, Creative Commons Attribution, CC BY. I don't know if you have a preference, or, I mean, yeah.

B: That is a really good point. Yes, because I don't want, as much as I want this to be free, I don't want it to be ripped off and then sold as their own, so whatever the.

A: I, yeah, I think that's the thing. I don't mind somebody throwing, including it in a larger document as long as they give us credit, right, absolutely, yeah. So if you just copy the Creative Commons Attribution reference, and you don't need a CC, it's CC BY, yeah.

B: Yeah, probably could, yeah, I guess we could include that in each one. That would probably be the best way, yeah, and probably a link back to the master repo so that people know where it actually came from, within that, within that text, it would be somewhere, somewhere down here. You know, I've also, I, we totally need a lawyer to, like, look at that and make sure that that is sufficient to cover us, because I really don't want to get in a situation where, like, OpenSSF or me or somebody else said this thing was totally cool and all of a sudden, like, you know, things are catching fire and they're, like, okay, you know, what gives? I have.
K: Hi, I had a question regarding this. So we have in your template, like, things like static analysis and dynamic analysis checkboxes, right? So I think many of these tools is more like for continuous testing. So at first I thought security reviews is more like code audits that somebody does one time. I feel like tools might be better tracked with, let's say, the metrics dashboard you had or the Scorecard stuff, because these tools need to be done continuously, like, you cannot just run it one time and say, hey, everything is good. Well, I don't know, that's one idea. Yeah.

B: Yeah, so, so the review will always be point in time, as opposed to the process, which needs to be kind of eternal. I, I think it is just my, yeah, but, but, like, yeah, so, so yes, you absolutely want tools to run on a continuous basis, but, you know, left-pad version 1.3.0, number one, that code will never change for 1.3.0, and yes, the tools could advance, and they're, we have thought a little bit about, like, at what point do these reviews kind of expire just from age?

I don't have a super strong feeling on when, but I feel like there should be an expiration, but I do think that the, the, the two advantages here is that this is the culmination of, there was some static analysis run, I looked at the results, the results showed X. This is X, and maybe I did a code audit as well, and I did some other stuff, and this is, this is out of my brain onto paper at this point in time for this particular project.

Most of the time, most tools are only accessible to the development team themselves, and for, re, for good reason, usually, but the people that are incurring the risk are not the, kind of, everybody except for the developer, usually. So this is to give me, the consumer of left-pad, or you, the consumer of left-pad, some assurance that, you know what, someone has looked at this, and this thing actually looks okay. Or someone has looked at Elasticsearch and said the code is fine, but, like, don't expose it to the internet, or whatever, things like that, that it allows us to go beyond, like, code-level flaws into, you know, hey, just make sure you don't, like.

K: Yes, I get the, understand, I understand, like, I think it's tied to versions, that's what I did not understand before, but okay, like, if there is some way to at least indicate, like, integration with the tools itself, that would be nice to have. I would, I would love that.

A: Yes, so, yeah, I just added that to the notes. I, I think, I think there's a useful point here, which is one of your review comments could be what tools are they using in their CI process? Yes, yes, which is a review of process, but nevertheless gives you some indication. I do think that running tools independently still has value. For example, I tell everybody, when they add tools to their CI process, if it's not a new project, you have to basically tune them way down.

B: Yeah, okay, so this, this is the point where I'm, where I'm gonna ask for, for help. In order for this thing to be valuable, we need reviews to be done. I'm making some assumptions that other organizations out there are doing these, are doing reviews, maybe ad hoc, maybe informally, maybe formally, or simply that you are so passionate about the space that you want to, to, to contribute something tangible. This is something super tangible.

So what I'm, what I'm asking for are volunteers to conduct some of these reviews, just conduct five or whatever, and submit them, and let's test out the process, make sure that it works, and, you know, hopefully in the next, maybe in the next two weeks we can get a couple more in. You know, I, we have, so, so my team, we do a lot of these, so we have a lot to donate and, and put in here, and that's fine, but this has to be a community project. It can't just be, you know, if every one of these is, like, done by the Microsoft security team, like, that's not, not, not a community thing.
H: Apprenticeship program. It's often helpful to bring somebody up in the art of this about having them sit alongside people who are actually doing the reviews.

F: Are these reviews gonna be built kind of, like, from the ground up, or can we take, can we kind of, like, take a look at, like, existing, like, things out there and, like, like, review, like, I don't know, like, how this is reviewed elsewhere and, and see their credibility, kind of, and, and attach to that and stuff? I'm.

B: To put in about 10 of them later this week that are of varying levels of depth and things, but I, I, I don't want to prescribe exactly what the right level is, because I think it'll depend, right, and structure-wise you can use this, but it still doesn't say, like, well, how detailed of a summary, like, do I have to go, like, issue by issue and why I think it's a thing or not, or is it just, like, your thumbs up, looks good to me. Yeah.

H: So, David, could you talk, could you schedule a meeting to talk through some of these reviews, David?

A: I'm volunteering to post LF ones that I did, that we've done.

B: So I, I will set up, I can set up a meeting to, like, jointly do some of these.

H: Together, you know, to go over ones that have already been done. This is, this is what we did. This is how we did it. Okay, this is, I mean, winds up in the review.

A: Okay, Mike, do you want to schedule something like that? Okay.

B: I can do something next week for, yeah, I'll, I'll set that up for, and maybe we'll just, maybe we'll record that so everybody else who can't make it can.

Cool, okay, so that's security reviews. So what I think we should do is, you know, wait until we get, you know, N of them done in the repo and then flip the bit to public, and then we can start talking about it. I think that will generate some, some interesting. It's not public yet, I won't be able to see it. It is, no! No, sorry! You should be able to see it because you're part of the OSSF thing, but still a private repo. You know, I think there should be something in there before we talk about it. I.

F: Cannot see it at all. I, I believe I joined the, the OSSF, kind of registered and all that, I believe, but I, I don't. Okay.

B: Yes, okay, okay, cool, okay, and, and the last thing that we want to get to is the, anyway, package feeds, or some analysis of it. Dan, this, this one was yours, right?
A: But basically, this is another open, OpenSSF project. What they're trying to do is just analyze them and gather data and then try to have different folks look at that data to try to identify malicious packages. If there's a way that we could take either the package feeds directly or the results of somebody's analysis of that to identify the riskiness of the, of something being potentially malicious, I think that'd be great. Is Dan's on the call, so, Dan, thoughts?

B: No, yeah, I mean, I, I, I, I need to look into this more to see exactly what this is, but I mean, so, so in transparency, so we, so we use the libraries.io API to kind of do what it seems like the feeds part of it does, where it consolidates everything into one stream, and we just, we're just, have our pulse on the, you know, what is newly published, and we do have plans in the works for doing deeper analysis of each one as they come in.

So I think if it makes sense to consolidate that work and have it be part of the OpenSSF, I'm, in principle, fine with that. So I'll, Dan's, Dan's driving up package feeds.

A: Yeah, I, but I, I can tell you what they do. Basically, they look for the pack, at the package registries. When there's something that's changed, they act, they grab it, they download it. They watch what happens when you install it. I think they've, they mentioned it might even do more than just the install, but at least, yeah. It turns out a number of malicious, well, there are very smart actors, and then there's what I would call the amateurs. A lot of amateurs have, create malicious software where they'll do the attack right during the install, for example, and, you know, we, we'd like to at least be able to detect the amateur malicious software. Yeah, totally. And so, you know, being able to report, hey, we didn't find anything, or, oh my gosh, look at this, not safe, don't use it. Yeah.

F: Love it if this detects updates, or, like, things that go wrong, and, like, updates to these packages, then, like, do you think that could be helpful for kind of helping determine, like, what, like, in terms of, like, expiry and stuff like that, if, like, like, to tell when things are, like, packages, or, I don't know, like, how that's going to be quantified, but, or, I don't know, is that it.

A: No, no, it basically does the install, and, you know, oh, look, it's trying to, to look for your password file and send it to this other place, or it's trying to run a, a bitcoin miner. Maybe you didn't want that.
G: A question on this: the reviews that you, we are going to do, will they be reviewed by somebody else? I mean, who reviews the review on this?

B: Yes, so the pull request would be the, so, especially after this goes public, we would expect that anybody can submit a pull request, and I'm, I'm open to suggestions on what the approval workflow should be, and I'm actually not sure exactly how configurable the, like, requirements for, like, do we need one, you know, can we set it up with, so that there were two different approvers? Obviously the requester is not one of them, or just one, or whatever you want to have, but yeah, it would be through the, through, you know, this kind of approved and merged and stuff to, to get it in. So yes, there would be, there would be one other set of eyes on it.

The problem with security reviews in general is that, in order to val, like, it's one thing to, to be like, oh, whatever this person said is just total garbage, but if the person made a mistake, the effort to determine that they made a mistake is comparable in effort to the effort to do the original review. So we can't do each review twice, which is why, I mean, the, there, there definitely are some landmines here that we need to be aware of. One is that we just totally get it wrong, but I think we can correct it. Another one is someone submits a PR with, like, a serious, you know, zero day. I don't know how to mitigate the risk of that other than with text on the, you know, on the issue and pull request form. I think there's a question saying, like, don't disclose anything, like, that's not public.

A: Yeah, I, I think you just make that one clear. I mean, there's two different-ish, there's several issues. One is, you know, but I think, from the, from our point of view, we need to make sure that the project is not at risk, the, the OpenSSF or Linux Foundation or the people involved in this particular working group are not at risk. If somebody posts a, a vulnerability, a zero day, and we told them not to, it's not our fault that they didn't follow directions.

G: Yep, I mean, security is a matter of probability. I'm not sure how many of you will agree with me, but there will be false positives and false negatives, even in our reviews, right. When you encounter, for example, you want, you're going to certify a module as gold. A recent example of the US government data hacks, the modules were certified as gold, but they were hacked through, right, and what kind of measures that we have for that kind of situation?

Michael told me that he's willing to pay people to do reviews, and also he is looking into certifying if they pay us, or something like that. So that's where my vocabulary of certification came from.

B: Is up? Thank you all very much. I really appreciate everybody's time. I hope this was, this was useful. If you, so, think about, if you want to get involved in the metrics dashboard project, please just post your name or, or note, or email me or whatever in the, you know, to, and I'll make sure that you're on that. And security reviews, I'll set up a meeting next week, I'll send out to everybody. If you can attend, that would be terrific. We'll talk through the, talk to all that, but then please think deeply about what you can contribute to this, because this is a, this is a working group.