C: I'm here. I'm surprised you're not at the LF, you know, in Tahoe.

F: No, after Detroit KubeCon, which was an absolutely great conference, I just needed a break from traveling, so I didn't make it out to Napa. Cool.

C: Awesome. I'll give maybe one more minute, but in the meantime feel free to throw yourself in the meeting notes. If you have anything you want to talk about, throw it in.

C: Are there any project updates? The one thing that I would like to spend a little bit of time on is attestations, and kind of what... for... is a few volunteers to help drive that work forward, yeah, more on the like the V-team assembly, whatever you want to call it. So we can chat about that. The MVSR is in the meeting notes; it kind of describes at a high level what we're trying to do, and I think we're a week or two, maybe, away from a proof of concept.

C: Cool, okay, so I guess we can just go down the project updates. Luigi, notwithstanding your previous comment, is there anything you wanted to chat about in terms of the Security Insights?

A: I don't have any particular update, honestly, but I know what I want to do. I want to open an issue in the OpenSSF repo. I will introduce people to Security Insights this week. This is my goal for the next weeks.

C: I thought it would actually also be interesting to use... well, we'll get to it when we talk about attestations, but it just occurred to me that we could use Security Insights. So if Scorecard doesn't adopt Insights anytime soon, we can use Insights ourselves to get to the same point in terms of making... based off of that information, we can chat about it a little bit, though. So, for office hours. So the first office hours was... so I don't want to make any decisions without Marta, which actually is nothing I need to talk about, which is... I think the last... so it was held, I think, on the 28th. Well, it was scheduled to be held on the 28th. There was a registration sign-up, nobody signed up, so there was nothing to do. So I'm not sure what Marta's thinking, you know, what the next step there is. I still think that there is an opportunity here. Maybe it's just, you know, lack of marketing around it, or people didn't really want to do the pre-registration thing. I don't know how much that filters out. Maybe just having it be open, I don't know, but we'll...

A: I was generally interested in that project. In the last week I was just not able to join.

C: I know she... I mean she's active on the Slack channel. So, okay. I think we can tweak some things. I didn't want to do a lot of prep work, because then it would be more of a lecture and less of a stream of consciousness, right, and I think the stream of consciousness provides a lot of value there. But, you know, an hour of conversation and you're real-time looking at a thing... really, screen resolution probably needs to be a little bit more amenable, and things like that. But I think we should do it again. Maybe pick a simpler or less... less important, less important but less used component, on the idea that, you know, it's...

D: And then have someone else drive it. It shouldn't... the first one was me, but, you know, other folks do it too.

F: Yeah, I had a quick thought here. I'm sorry, for my part I haven't been able to join the last couple of meetings, but I'm looking through the notes here, and is this essentially like a video of an assessment of a project's security posture?

C: Yes. It's not a walkthrough of the results. It's a walkthrough of, like, if I said, "Amir, Django, go," and we're gonna video you as you're like, "Oh, where is that? Let me get it. Okay, let me look," like everything that you would do, and kind of talking out loud through it. That's kind of what we're thinking. Okay.

F: Okay, yeah, I could probably provide some insights here. I just worry calling it a security review is... I would almost want to just call it a security posture assessment, because typically when I think of "security review" I think of, like, you know, a formal manual code review by an independent expert, and it...

C: It is a code review. I mean, it is supposed to be that kind of, like, running the tools, looking at the output, looking at the code, being like, "Oh, this thing has an auth function. That's interesting! Let's look at..." Like, so, it's not a "run Scorecard" or "is this project active" or "does it have any, you know, publicly known vulnerabilities." It is intended to be an in-depth thing. Now, I don't know how much, like, to time-box that to an hour. That is a trade-off, but... That's exactly why we want to do this, because we want to demystify it, and, you know, none of the activities that take place are these magical, bestowed... you know, only five people have this knowledge at any given time. Like, anybody can do this, but the way I look at it is: it's not doing a threat model; being in a threat modeling session with people that are really good at this uncovers things that often wouldn't otherwise be found, but you could emulate that by being in the room with them and seeing. Maybe the ultimate end of this is a more codified, written-down approach to how one does a security review and what to look for and then why you chose certain things, but in the meantime, like, I don't know of a resource like that that already exists, so I figured let's do these and then have that get distilled down into something more consumable.

F: It's a cool concept, absolutely, yeah, so I'd say it's worth exploring, yeah. Yeah, if I don't have any existing meetings at that time. I wanted to make it on Monday, but I had a partner meeting, but...

C: Cool, then I will get another one scheduled out and I'll Doodle it and find a time that hopefully works for everybody. Cool. Let's see, virtual summit, maintainers. Is there anybody that can talk about where this is and... I would just ping Jay to make sure that you are... I get Smithy. Well, let's see, wait, because I thought all the invites were on the public calendar, and they hopefully should be using the Slack channel. Like, there shouldn't be any private mailing lists for that.

B: Oh no, I thought... oh, anyway, I'll check that, I'll check the channel. Okay, perfect.

F: No, because I remember using the metrics dashboard; it kind of had that nice little visual of the different Scorecard checks, and I haven't been able to find that anywhere else. So I'm wondering.

C: Yeah, and... there is also securityscorecards.dev. I could be completely wrong here, but I thought one of the intentions was to still keep collecting the data somewhere in Bigtable or one of these, and have an API surface through securityscorecards.dev where you could say, "Just give me the JSON for Scorecards for project X," and get the stuff.

D: Show over that, where... But services.

C: Okay, EU time for the working group meeting. I did this once and I thought that we set it up to be a recurring calendar invite; it was not, so it only happened once, and then, because I'm a slave to my calendar, I got "out of sight, out of mind." So what I think we did... I really want to do this again. So we'll do, like, week one US, week two EU, week three US, week four block, so it's the same thing that we have now, except in one of the meeting weeks that we don't meet every month we'll also have an EU meeting, and this will be at, like, I don't know, 10 p.m. Pacific time, so it'll be... I think that was the time that's like not completely awful in Europe. If we have to, you know, we'll keep playing with this. I think the last time nobody showed up, so I wasn't sure that it was needed, but I'll only give it a couple more tries before abandoning it. Don't feel obligated to come to the EU time if that's not convenient for you.

C: If anybody changes their mind, stop me and say, "Hey, can we talk about X instead?" and I'll say yes. Okay, so there is an MVSR here. So I encourage you to take a look at this, and I'm not gonna read it or go through it in a lot of detail, but I'll try to explain the problem that we're trying to solve, and I think it's actually two problems.

C: One is very tactical for Omega. So for Omega we will run some tools, we'll do a thing against left-pad, and if we find something, then we will communicate with the maintainers of left-pad and we'll get the issue fixed, and that whole remediation process will kind of happen behind the scenes, and then a new version of left-pad will pop out and there'll be a CVE or GitHub advisory or whatever, and we'll get, you know, mentioned in there, and the whole world is, you know, one bit safer. If we look at right-pad and we see no problems at all, then we just move on, and the question is what should Omega provide to the world to let the world know that we looked at both left-pad and right-pad, and the reason that I think that's important is, number one... well, part of it is the scope of Omega is the top 10,000 most critical open source projects. Someone should be asking us, "So how many have you done? How close are we?" Like, is ten thousand, like, you know...

C: This is where we started this; we got to a different place. The different place that we got to is assurance activities. So, whether it's running code, doing a manual secure review, checking the Scorecard data, checking for public vulnerabilities, checking to see if it's reproducible, checking to see if this thing implements crypto, or anything else that you could think of that would be an indicator of a project's or a package's security quality. Let's say right now, today, your choice of what to do about that is: you can look for public vulnerabilities, which is just one small slice of that, or you can do a whole bunch of work yourself. Some of it's easier because you can just run Scorecards, but some of it's much harder, and wouldn't it be cool if there was a public repository of statements. Essentially, "Omega ran CodeQL and some grep against a thing, didn't find anything, didn't find anything significant." "Well, they found something, but it turned out to be a false positive," or "We tried to reproduce it and we could reproduce it. It was fine," or any of these other kinds of assurance activities.

C: You automate, you know, 98% of it and you dump the results into a repository, registry, whatever you want to call it, and then they sit there, and then you as a consumer, you write a policy. The policy you write, and I mean a technical policy, not a documentation policy. So if these assertions... and we'll call these things assertions because you're asserting that you've done something. You have this giant registry for, you know, millions of these assertions. You have a policy that references those and queries those and executes against them and then comes back with "left-pad pass, right-pad fail," and then you as a consumer can decide what to do with that. I can say, "Well, it failed because it's not reproducible," and you can decide: what do you want to do about that? But you know, you defined the policy, you, the consumer. Okay, I think that's the 100th-floor elevator pitch. What do you think?

A: Because I mean the scanner part, it's very interesting in my opinion. We know the scanner level has a lot of false positives, right, but I mean the vulnerability scanner cannot work, so usually I don't trust so much if it first kind of says that there are some dependencies that have vulnerabilities, but it's more interesting, for example, the result by the linter, for that is not security, but gives me more information than every vulnerability scanner, for example.

C: Sure. So, the way that I was thinking about this isn't... it's not about having the results of scans in a day in a public database. A derived result from those scans available in that database, and I think that's important, because if it's a vulnerability scanner, it's going to have a bunch of unfixed vulnerabilities. Now they may be in the middle of a much larger pile of false positives and noise and garbage, but they're still there, and there's, I think, an argument to be made that we don't want to give the attackers, like, you know, too much advantage. So, but at the same time, you have to balance that with, like, you know, the point. This is to give consumers a, you know, better insight into the risk that they have today, and so... what you do about code scanners, I think, is one of the harder ones on, like, what do you actually provide?

C: Okay, so somewhere down here there's an example of... okay. So this is what an attestation looks like answering the question "Are there any security advisories?" And you know, this came from deps.dev. So the important thing here is the subject. So this was run against npm Express 4.4.3, and the content of the assertion is that there were two medium security advisories found, and we also happen to embed the evidence of that, number one because for deps.dev it's ephemeral. So you know, if you query it again tomorrow, it may have, you know, different content. It's not really reproducible! So that's why the reproducibility is temporal, but the idea being that you can write a policy then to say that for every component that you use, you want to make sure that there is a recent security advisories assertion generated by that generator, with security advisories content of "nothing critical," let's say, or "nothing critical or high," or whatever. However you want to express that, and then...

A: Okay, this is interesting. The idea, especially for... I mean, it reminds me, but maybe I'm wrong, I haven't scanned honestly, so you have for every package that you check the CVE or the GitHub security alerts or something similar, but sometimes we are not interested in all the security vulnerabilities of packages. Maybe the low-level informational ones are not important, and so the granularity is important, and at the same time it would be great if you can...

C: Yes, so there is an incredibly important topic, and Semgrep came out with... here's a blog article, maybe or not, something r2c, I guess, but maybe three or four weeks ago, saying that when you trace, basically trace control and data flow from an app through all of its open source dependencies, and then you compare that against which ones have, quote, "known vulnerabilities," the vast majority of the vulnerabilities don't impact the final product. So you're wasting your time by upgrading all these things, because you haven't actually improved your security posture. You've improved your compliance posture, but from a security side it doesn't. And frankly, that bears out research that we've done. Like, it's hard to do that analysis, but if you do it, yeah, most vulnerabilities in open source don't have an impact on the applications that use them. Yeah.

A: My question is: if... because this is a process that I think... I have no data at... probably not enough machine power to collect this data, but sometimes the graph can be very deep. You can have a lot of levels, but the hypothesis, I am not totally sure of course, is that the lowest level, probably even if they have medium vulnerabilities, are not so exploitable? Usually so, if you have a vulnerability, I think that can be exploitable in the primary dependencies and in the second level of the transitive dependencies, maybe the third level, but no... and this idea, I mean the project that you are sharing now could be used to say "after this dependency level, please increase or decrease."

C: Absolutely. Yeah, so if you, the consumer, have that hierarchical list of dependencies, you can run a policy against each one and then temper that policy or elevate it depending on where you are on the graph, and it lets you build out these systems on top of it. And just for FYI, like, we do actually have this in the Omega tool. So this is all public, but the way that we do this for CodeQL is you get the output of a CodeQL scan for an npm module. One of the files is the list of all dependent modules that control flow ends up in. So if you include webpack, if you scan webpack, you get a list of, like, you know, 35 or 50 or whatever it is, other components. And, interestingly, there are lots of components that get installed when you do an npm install webpack that are not in that list, which means, yeah, those are eminently clearable. So yeah, that's a new toolchain, but yeah. So, having these attestations be... I mean, here's the other thing. You could also create the attestation that you, you know, attest that control flow does not pass from webpack to foo, and so you publish that as an assertion, and then your organization, whoever, can then rely upon that if they choose to make decisions based on it, because... so basically, shortcut. So the purpose of all these assertions is to shortcut expensive work. So expensive work gets done once by someone that you trust in some way, and then you don't have to redo that work in order to get the same assurance. The whole purpose of any of this is to shortcut this.

C: And for those of you that are thinking, "Well, how do we make sure the attackers don't add the stuff?" So we have to figure out exactly what the enveloping format is, and there's Sigstore or SCITT or in-toto attestations or something else. Like, regardless of what those things are, this will be the payload inside of that, and you would be able to root your trust based on what's in... what the envelope says. So, you know, you could, like, Luigi, both you and I could provide assertions, and you could say that left-pad is terrible and I could say left-pad is awesome, and, you know, Amir, you as a consumer, you could be only trusting Luigi, and then when you evaluate your policy you see that, you know, left-pad is terrible and not trusted. So the way that you would establish those trusts, we'll do that as an exercise for the reader, but, like, you know, that obviously needs to get figured out before this is real. And the other thing is that, because the way I'm imagining this is, because all these assertions would be in some sort of a registry, repository, transparency log, something, organizations could run their own private ones with additional data or different data or whatever they want, then a consumer could choose.

A: If this approach of this product or this project... if we want it to be used by people, probably, in the set of people you can have also malicious ones. So...

C: But, well, so those who are malicious would not be able to sign... I'm saying "sign" in the most general sense: sign something as someone who is trustworthy. You could, you know, add in your own assertion, and for those that consume, if you consume from anybody, well, you know, that's... we should do our best to prevent that from happening. But if you trusted the attacker, then you trust the attacker. I think there's a couple of different... there's a "how do you ensure that all the assertions that you rely upon are worthy of your reliance," and I think that there were different ways that we could get to that. And then there's the "are you providing so much information in the assertion clear text?" So it's not even about "do you trust it." It's just, like, download them all and look at them all, that you're providing a leg up to an attacker based off of that. And I think for some of these assertions... so imagine an assertion of, you know, "Is it being actively maintained?" or "Does it have publicly known critical vulnerabilities today?" or "Is it reproducible?" or, you know, "What is the Security Scorecard data?" These are all things that are kind of... they're not vulnerabilities, they're kind of posture-type statements. The security findings are going to be the harder one, like, what do we actually provide? But I think that if we keep it to, like, aggregate numbers, yeah.

A: Exactly, I agree on the aggregate numbers, so you can use a Boolean, so there is... it's "present": this vulnerability is present or not, this kind of vulnerability, of course, without giving more information, at least for an extra time period. Then maybe you can decide to disclose it in some way because it can be interesting, yeah, but, and...

C: I think, I mean, it also opens up where you can say, "This project has 42 untriaged, potentially critical security findings," yeah. I think you say the number of triaged ones is, well, either there has not been a triage, or there have been two different people that have triaged them and both of them have provided an assertion that took that number from 42 down to zero, and maybe there's a trustworthiness or a reliance level that's different! So if it's untriaged, tools are tools, so maybe you don't care at all. You only care about the triaged ones.

A: Yeah, I think this is a good approach. Especially the idea to have untriaged bugs in general; they are helpful also for fuzzing or something similar. Then the fact that you can find a lot of bugs, but this doesn't mean that there are security bugs, yeah, and it's very difficult to read sometimes, the fact... how to understand really. I mean, I use the very basic approach.

C: Beyond security, so someone on Twitter or Mastodon or somebody recommended, you know, including the characteristics of the code. You know, so we started out, we'll do, like, programming languages and file extensions as an assertion, and then we'll do, like, "implements crypto" or, you know, "looks like a web service" or "uses unsafe in Rust" or whatever. Like, you know, anything we can think of, and I think the direction I'm leaning is, like, you know, storage of assertions is cheap, production of assertions is cheap, so let's just create lots of them for all these things and then have the policy consumption... the policy engine and consumption side filter out what it wants and what it cares about, and that way it's kind of future-proof in some way.

C: Yep, so imagine the SBOMs, since I'm already sharing, so...

D: Yeah, these SBOMs.

C: Essentially, so what would that look like? So, "npm one policy default," something like that, and then you see "left-pad violates policy." But then if Foo Corp wants to make up their own, they can do whatever they want, and the only thing that they need to have... maybe.

A: Yes, in this way it's very easy to implement in the CI, I think. I mean, at the moment I'm working on GitHub, but also GitLab CI and Jenkins and other products. You can have an easy way to monitor your packages periodically or when you push something new. I don't know, I mean, this is a choice by the consumer, but yeah. Something that I want to have is just an output and a human output, if you want to have one just to read.

C: Yep. So what I was thinking before with Security Insights is, you know, you could have... so these... you could have an assertion as the assertion is being generated, so you have different assertions that you can generate. One of the assertions you could generate could be "Get me the Security Insights data for this project," and so it reaches out to the repo, it looks for the file, grabs it, essentially wraps it, timestamps it, signs it, and sticks it in an assertion. Maybe parses out the stuff, so it's a little... it converts it to JSON or whatever, but then the policy can say "you need to have a SECURITY.md," but what that really means is you can either have a SECURITY.md file detected by Scorecard or defined in Security Insights. So it provides additional information by which policies can be accurate in kind of intent.

C: What do you think of a better name, though? Verde. I had SLSA on my mind as I was... But the other thing is, so I guess the most important thing is, like, I know that I'm playing in one end of the pool, and then the other end is SLSA and SCITT and Sigstore and in-toto and lots of other players, and I want to make sure that I don't unknowingly either duplicate what they are doing or compete unnecessarily with what they're doing, or things like that. I don't think that I am here. I think that all of this is within the innermost predicate, in in-toto language, or, you know, within the envelope from a SCITT perspective, but I'm not 100% sure there, and, you know, I just want to be conscious of this, that this is not intended to be an alternative to anything that already exists.

C: Cool. Any other thoughts on this or anything else?

E: I think that it was so important to keep in mind the users rather than the organizations that will use that; they would have to understand what from the OSSF.

C: Could I just say, let's just treat this as, you know, a Sigstore and dump it in Rekor? I don't know enough about, like, if that makes sense, but let's suppose that that was a totally reasonable course to go, then okay, maybe we do that, and then you just consume it from Rekor like everything else and you make decisions there. But maybe I'm completely misunderstanding, like, what actually goes in Rekor, and it's like, "Well, no, that's just a signed hash in Rekor. What you need to do is you need to store the actual assertion in, pick a place, you know, in something else," in which case, all right, now we need to solve that and all that. But I think conceptually, if you're... so if an organization is consuming Scorecard directly today, they have a project. They either run Scorecard or reach out somewhere and get Scorecard data from somewhere, and then evaluate and then look at it and say, "Oh, I care about actively maintained."

E: And is there also a commercial kind of strategy behind this? What I mean is, like, wouldn't organizations such as, I don't know, Red Hat provide attestations of their own?

C: Yep. I would say, like, so if organization Foo does not trust OpenSSF to generate assertions, because, you know, whatever reason, or they want all these assertions to be generated in secure enclaves and we're not using secure enclaves because it's too expensive, then Red Hat or anybody else can do that, in which case you, as a consumer, can decide, "I only trust Red Hat to generate my assertions," or "the US government," or "anybody but the US government," or whatever. Like, it doesn't matter. And those assertions can either be commingled in the same repository, because that's fine, or they can be in private repositories. Even to the point that, you know, so suppose you had this security findings kind of assertion, and from an OpenSSF perspective we decide that aggregated results is all we're going to do. We're just going to say, you know, "This is untriaged and it's four medium." But you, as an organization, for your internal use, you've decided that, you know what, I want my developers to see the details, because we want them contributing fixes back, and to have, like... they can't really do anything with, like, "medium four," other than kind of worry a little bit, so you're going to create an assertion that kind of overlays on top of the existing one that says, you know, "medium four, evidence," and then the raw details. That makes sense, but as far as would we, OpenSSF or Alpha-Omega, like, commercialize, like, how to do this... like, you know, we want this to be, you know, free.

C: Cool, well, you guys get four minutes back. Thank you very much, appreciate the conversation. Please throw your comments in either the doc or the GitHub issue, hoping that before the end of the year, end of the calendar year, we have something kind of nicely demoable and something we feel pretty good about. But let's see where it goes. If you want to participate, like, actively, feel free to reach out and we can do that. Thanks, everybody, have a good one. See you in two weeks. Bye.