Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit

A: Awesome. There is a meeting notes doc linked from the meeting invite. It should be an edit link, so you should be able to go there and, you know, add yourself and keep notes or whatever you want in there. But it's kind of a shared group. Okay.

A: So, let's see, top-level stuff. I don't have anything kind of OSSF-wide. I know, David, we don't have anything; we don't have a town hall or anything coming up scheduled.

A: So we can go with project updates, or there are other topics, you know, we can do this as usual. We can do this whatever way you all want. If you want to add a topic, just add it into the meeting notes or just talk and we'll discuss anything there, but the default would be: let's go through project updates. So we have, let's see, start with the virtual maintainer summit.

A: You know what, it's just Luigi, since you're here? How is Security Insights going?
F: Yeah, okay. From the last, from the previous meeting, I have an update. Unfortunately, but I have three open pull requests. They are in draft because I need to understand how we want to proceed with some compliance in OpenSSF. For example, not all the projects have a SECURITY.md, and technically we can enable it easily as an organization in GitHub, but at the moment we have a hit, and another question is for just the most important projects.

F: Maybe it is more for the TAC, and it is a question that I don't know if you, Michael, or someone has said that usually is in the TAC meeting it can ask, but we want to have a sort of bug bounty program for the most important projects that we have or not, because at the moment for sure the Scorecard is quite popular now, but also some other collateral projects in OpenSSF are becoming popular, and maybe we want to have a bounty program.

F: So the pull requests are in draft in three repositories and I am in contact with the maintainers and I hope to merge them, but in particular I cannot merge them if they don't have a SECURITY.md, because it is a requirement of the Security Insights specification having at least a short text file with a contact for security.

F: Or just a sort of security policy. So this project doesn't have, I mean, at least one of these projects doesn't have a security policy, yeah. Maybe we want to have it at least for the repos in OpenSSF.

F: I mean, if you really need somebody, like, yeah, exactly, if it is a documentation project it's not. Maybe you don't need Security Insights, but we are talking about projects where there is a code base. I mean, I need to double check, but for sure that is called... I have a check that... give me one second, I can link you the three projects that I have. Give me a second, or maybe they are in the meeting notes, yeah, in the previous meeting notes.

F: There is, there are a link to Slack with all the three projects where I opened the pull request, and one is Package Analysis.

F: And you can see that sometimes it's not so easy to identify the security testing, and maybe we will, we are interested in having some standards also for that. The SBOM is still not in a lot of open source projects in OpenSSF, and another problem is I need to find the security control. Oh, this one, it is the Fuzz Introspector. I don't know if it is a documentation project, but from the code base it doesn't seem so. I have the link. Where is Zoom here?

F: This is the pull request, and this is the project. I mean, I don't know if we can define it popular, but it has more than 200 stars and there is the OpenSSF Scorecard 7.5. So if you have the OpenSSF Scorecard I don't think you are a documentation project. You are definitely a project, yeah, a software project, yep.
A: Yeah, I mean, I would even go so far as to say, even if you are just a documentation project, having a SECURITY.md, for consistency, especially for OSSF as an organization. Like, you could have a separate organization that says that documentation projects should not get a SECURITY.md; I would respect that opinion, but for our organization, I think a blanket "every repo gets a SECURITY.md" is reasonable. And does the default template that we have, so there's...

F: Like, this is the other question. I mean, checking the projects, I have seen three interesting points. One is that more than one year ago, if you remember when we implemented the first version of the security dashboard, the Apache Foundation enabled the security team for all the repos in GitHub using the security tab, because in the Scorecard, in the Scorecard slash romantic dashboard, their security policy...

F: That was not the SECURITY.md, that was an external link, was not classified as a security policy, so they showed us that we can enable the security policy slash SECURITY.md in all repos of the organization even if you don't add the file in the repo, because there is the security tab that links every project, more or less, and maybe we can do this, so maybe some projects can have the SECURITY.md and others can have just the security tab.

F: That is still a valid security policy, and the other point is that, yeah, we don't have a standard for the SECURITY.md. We have... the Scorecard has a SECURITY.md that is very short and it points to a Google group. The email address is a Google group, if I remember correctly, and I don't know if we want to have an OpenSSF contact and not just a Google group. I don't know. So, okay, it is a compliance topic, maybe.
A: Yeah, I would defer that question out to the team. I think, I don't think we want to, like, run a central incident response team for reports of anything OSSF-wide. I think, so from what I can tell, the GitHub security tab, like the "set up a security policy" thing, is just a convenience wrapper to create your own SECURITY.md file and commit it into the root of, okay, of the project.

A: So I think it would be very reasonable to maybe go through all of the OSSF projects and, for any of them that don't have a SECURITY.md file, open up a security issue saying, hey, you should... could you create a SECURITY.md file? And also add it to the project template so that new repos, as they get created, get one automatically?

A: And then we can find a reasonable template to start and suggest that, you know, so people don't have to make it up on this. You know, from... yeah.

F: I think that would be super useful, yeah, exactly, because I mean at the moment the requests that didn't land, just for this reason, because I don't want to bypass the Security Insights requirement. At the same time, I think it is a good idea to solve this issue at an organizational level, and the same for the bounty. I mean, enough. You can say, I mean the organization can say just no, and it is acceptable for sure.

F: But if there is budget, at least for some projects, it can be, from a community perspective, a nice idea. I mean the bounty can be, I mean, they, yeah. The bounty can be some others... work can be something that is very easy and not expensive, but...

F: I totally agree. I mean, technically I don't ask that the project has a SECURITY.md in the main folder; they can have it in a subfolder, also on an external website, but I mean I need to be able to find it in the README. You can adjust for the security policy and link to an external link. Security Insights doesn't require a SECURITY.md. It requires a link to a security policy. Just this, right.

D: Right, but you know, I think, you know, trying to make it so there's enough flexibility so that people who complain about one can get the other, but you can find it, I think that's the key. It's got to be automatically findable, exactly.
F: The point is that Security Insights can help you to easily find everything that at the moment has no standard, or just people don't like in the main folder, or they don't like, or they use docs or doc or .doc. So we don't have a standard for this kind of stuff. A scanner can try to improve to find documents, but it's not so easy. Yeah, no.

D: But I think Docker docs... We use doc, but I think most people are now using... Docs is pretty common and conventional. At...

G: Yeah, I wanted to know, did Luigi consider the community health files, like the GitHub feature where you could just have one organization with, like, you name it like dot whatever and you put like SECURITY.md, and they get linked to all your repos. I can send you an example if you'd like.

F: Yeah, this is great. I mean this was my main idea, but I didn't know that GitHub supports this. Video, yeah.

B: Just to quickly ask questions: some work I'm currently doing with Argo CD, which is around using treasure to threat model their ecosystem. I was just wondering, would this be a super place to put in the .github as well, or it's the first time I've actually heard of this .github, so I'm quite excited about it, but would that maybe happen like PDFs and a PDF of the risks and also the data flow chart? Would that be somewhere where we could put stuff like that? No.

F: Yes, technically, there is also space to link it to the threat model, yeah. So.

F: You have a threat model anywhere, in an S3 bucket, in the home page or your website, another repo, you can just link to it.

A: Awesome. Anything else on Security Insights? Is there anything? Is there any help that you need from us?

F: Yeah, the help is that it would be great to have a sort of organization level, or at least for the repos where I have opened a pull request, a security policy or some... or linked with something, and probably it is a TAC decision, I guess, and I need help to communicate with the TAC group, especially because, for some reason, usually when they have the meeting I cannot join the meeting. So if someone can move or escalate this problem, it can help me, especially because probably we need an approval by the management at the board and also...

F: And that is also, it will be interesting to know if we want to adopt the SBOM for our projects, because something that seems to be important for OpenSSF, the SBOM file, but at the time, I mean, I would like to see the adoption of our current standard that we proposed to the community. So people can use our repo as an example, and we can continue to improve, yeah, how we work. Thanks. Hope.
A: Okay, a question for SBOM, and it's just my own ignorance here: are SBOM files intended to be committed to source code, or are they intended to be the output of a build that gets attached to a release, like? Would they be in releases, you know, foo-1.2.3.zip, or actually committed into source?

F: It is a good question. At the moment there is no standard. Checking online, I have seen that someone added it in the source code. Someone has a page or a folder in the website of the project where they added the difference, but for every version. So I think that at the moment there is no real standard. Okay. Let's say why we need to put it. Hi, David.

D: Hey, funny you should ask this question, because in fact there's people who've been discussing this, so this turns out to be slightly more complicated, and for good reasons.

D: It turns out lots of people have been discussing a lot about SBOMs. There are really different kinds of SBOMs, what folks are calling SBOM types. Okay, some SBOMs are generated from the source code. Some are generated during the build environment.

D: Some are generated after the fact by analyzing a bunch of bits by tools which work very hard to use a lot of heuristics to guess what might be in there, baby. So, and then there's other SBOMs that are determined at runtime to see what's running now. So the short answer is that very, very soon, I'm thinking within two weeks' time, so hopefully by the next time we gather, there's going to be a document out that a number of us have been working on to identify...

D: Well, what are these different types of SBOMs, and a particular SBOM might actually be a merge of more than one case, like you might have a source SBOM and then add build information or whatever. But the answer to that question, where do you store it, depends a lot on how did you create it? Basically, what type of SBOM it is, yeah. If it's something that is essentially derived from the source code, I don't think it's insane to make it part of the source code checked in. That means...

D: You have to update it when you check in your source code, which usually you want to generate instead of just having this part of the source code. But it's not a crazy thing to do. For the build-type stuff, though, that really doesn't make much sense. What you probably want to do is have a way to point from the source code...

D: How do I get the build information for the various builds, and then say when you download a particular build package, the metadata of that points off to the SBOM. So I think there's a reason for your... I'm not sure, and there's a variant, because as people have gotten into this they're realizing that there's different cases for different circumstances. Okay.

A: Cool, so I think it would make sense to focus on SECURITY.md as something concrete to make progress on short-term. We shouldn't forget about SBOM, but yeah.

A: Cool, okay, going back to the virtual maintainer summit, any updates?
E: Hey, this is my number... hey Michael, so we have right now sent the emails to the potential participants. We have done it twice. The second round went this Monday. However, so far we have only received, I think, four acknowledgments, so it's kind of like we have a raised heartbeat at this point, as in like okay, what's happening, how. So the plan is to now personally reach out. Many of these participants are people who we know, so personally reach out and kind of coerce them into participating.

E: Something like that. So, for example, like here, let me do that to Randall, I think, who has received probably one of the emails, but yeah, I mean, if you have not acknowledged, please do that, because again, like that, it's not good for our heart to have like five people at this point, so yeah.

G: I have a very funny story as to what happened when I actually brought this to Homebrew, which Jay and Michael and David might already know, but we could talk about it later. But I do think that there is some interesting feedback that happened there that we don't have to talk about on this phone call, but yeah, it's not like I didn't pass it along. It's just that, yeah, there's certain opinions and like things that happened, so yeah.

G: Maybe you should be aware when you're dealing with the communities and asking people to attend this.

E: I am not, so maybe I will connect with you separately and find out, so yeah. It's always interesting. I mean, we're doing people engineering here, so that's, yeah, I'll get that feedback from you on the side, but yeah. So that's what it is. We have also sent emails to the panelists this week. This was sent on, I think, Tuesday, but I mean with the panelists there's only a few.

E: We have already pre-communicated with them, so the only thing that they have to do is to adjust their date, which was January 25 before and now acknowledged to the February 22nd date. So that is not something that we're too worried about. So the next steps are basically creating structure, as in who's doing what during the actual event, who's conducting which part. That we'll figure out among ourselves and then we'll also coordinate with the people. There's a round of surveys.

E: There's a set of surveys, there's a survey that we created to try to ask different questions about security practices existing in that particular community. So that gives us some data points that we can share during the conference. This goes out a week before the conference; that's something that has already been done. It's just ready to go out to the people who have accepted to participate in that event.

E: So that's what we're waiting for. Other than that, yeah, I mean, so that's the status. So right now we really want to increase the count of people participating, and that's that.

E: And also, like, this thing, I don't know what Randall is talking about, but these issues that grew, like, for example, recently there's the Slack storm that you have seen, like the thread that Jonathan created and then there's like 100 messages back and forth regarding... there are these open issues that are coming out of the experimentations that we are doing on the side, and it's just like it's a community's perspective and it may not be reflective of the entire community, but I mean it's a good start.

H: Just, Randall, please, Mona, include me in that call, because I'm also interested to know why we have this reaction in the community, because we do need to talk to people from the community to invite them. I really want to have them in this event. So just...

A: Sure, awesome. Moving on, security metrics, anything on that front? Okay.
I: Narav had a couple of conflicts, so we were able to touch base with that over the last couple of meetings, but that's all we're waiting on right now, to get a good sync back with those features and those additions that we talked about at the end of last year. Once we get those, as a SIG, review them and opine on them and then agree on them.

A: Cool, oh wait, did I bring up office hours? Because I was pinged on this earlier yesterday and I was wondering: do we...

A: Sorry, the office hours experiment that we tried, whenever we tried, November.

D: I think the question to be asked is: why did no one sign up? I mean, we had several people sign up to answer questions, but we didn't have anybody sign up to ask questions, so the question to be asked is why not. Now, maybe it was just bad timing, inadequate warning, or maybe people are really afraid to air their dirty-laundry questions in public, in which case maybe we need to take a different tack.

A: We just didn't have enough to, you know, on average it was about zero, but you know that fell into that. But I think there's probably a separate thing, which is, if I knew that every... okay, so the maintainer that would have gone to office hours would have been someone that had a security challenge right then that they didn't have a solution to, and then they heard about it.

A: So it was like a subset of a subset of a subset of a subset if we advertised that these office hours were available.

A: If we wind up getting so much attention that we do need to queue it, and then there were sensitive topics, so we need to pre-register, like I think that's a problem that we can solve once we have the demand for it. But my gut is that perhaps we limited demand by making it a little too hard, or...

A: Maybe it would have been more effective if it was just completely open, we're gonna run it for three months, and if nobody shows up after three months, and we're talking about it and advertising over time, then we realize that this is a solution for which there was no problem, and that's fine. We cancel it and move on. But I feel like folks would show up if they knew this thing was always available and they're like, I can't make it this week, but I can do it next time.
G: I'm sorry, I'm having multiple conversations, but I can substantiate what David has said from other Linux communities I'm involved with: that many people are not entirely clear what OpenSSF is to start with, so much less show up to office hours that...

G: You want another observation: it's everything too thin, 2018, like prior to 2018. They kind of have no idea, so like containers, because I kind of think like the year of Docker was 2018. So like I think like everything prior to that kind of feels very marginalized by like OpenSSF in general, like GNOME, distros and yeah.

G: Well, I don't want to get too finger-pointy on, like, no no, yeah, but like basically, yeah, like, even like a lot of really big old-timers that are in the kernel project and Gentoo and GNOME and things like that have no real idea what problem we're trying to solve. They think that we're just a lot of cruft, and if you guys want to stay after so we can get into the Homebrew call, there's some really interesting feedback that comes out of that call, because the word strong-arming came up several times.

A: So, let's have this conversation some other time. Understood. In general, though, I think if OpenSSF is doing something wrong that is pushing against what an open source community thinks is the right thing to do, that's a... that's the...

A: Yeah, and I do kind of expect that most problems are perception and communication, but we can... you should not forget about that. Look, let's follow up on that. Cool, so the question on office hours: do we think that we should kind of continue this, change the approach slightly?

A: Maybe. I'm not really exactly sure, but I want to throw it out there as something that we should think about, and either do it or say we're not going to do it, but kind of put it in one of the two buckets.

A: You know, this is great. I mean, doing more security audits and getting into security, because I think it would be great. We are starting to experiment on the Alpha-Omega side with kind of end-to-end?

A: We can do it a lot of different ways, but one of the ways that we can do it is like automated analysis against a piece of open source, generate assertions based off of that, run policy against those assertions saying no critical vulnerabilities found by any of these tools or whatever, and then those things become reviews that get uploaded to the security-reviews repo, and that's kind of like what we did, like I don't know if it was eight months, I think about eight months ago, with a bunch of npm projects.

A: So we had fully automated reviews that popped out, and I think that's... while it's fundamentally different than like a real code audit or security assessment, I think it provides more visibility, or more...

A: It gives consumers of that project some assurance as to that something was done, so I think we should continue to talk about this. A little bit early; I probably need another couple of weeks to talk clearer about what that would look like, but we're thinking.

A: Could the best practices badge link automatically into the security reviews? Sure, yeah, the best practices badge is just a magic URL that includes the project name. Oh no, it's like the project ID, right, David? Yeah.
D: Yeah, here's the challenge that I've got. I'd like to actually... I can modify the best practices badge to link to the security reviews, and in fact I'd like to. The challenge I've got is I have a name, like of the Git, and I have a GitHub repo. What I need is a way to link, like, the home page or GitHub repo automatically to a place in the security-reviews repo.

D: No, and basically I mean if we could, you give me a little JSON file or CSV file that provides that data, and you know I'm fully capable of loading such files and doing stuff with them. Yep, yeah, parse.

A: Side... so we already have most of that in the script that I think Dylan wrote to create the home page, the index table. Okay, so.

D: That links just as I said, you know, from the best practices badge we have... We ask for people's repo URL and the homepage URL, which are sometimes the same.

D: Yep, yep, that is actually all I need. That'd be great, that other folks could... and I bet once you have that, other folks could have that too. And then, if we reorg the markdown files, that's okay, because if you pull off the index, it won't matter. Yep, cool, that works. Okay, who do I talk into doing that?

D: Cool, yeah, so how's this: I'll commit that if somebody can give me that, I can add a little button or something when that's present. Okay, you know, link off to it, and you know, if people are okay with me loading that file once a day, it means that there could be as much as a 24-hour delay before you link.

D: I think we'll live, yeah. Just for those who don't know, the best practices badge actually restarts every day. It's just simpler that way, so. Smart.

A: All right, is there anything else anybody would like to talk about?
F: Yes, I have added a link in the, well, technically other topics. Now it's on the top, sorry, because yeah, moving stuff, yeah, it's weird. But the first one is an issue that you have sort of reopened before Christmas. Yes, and maybe it is interesting if we want to update the, or do a, I mean document 1.3, I guess, for the security threats, and there is a list of new threats, none, I mean two or three, I don't remember now. This means that the first version was good enough and I...

A: So sorry, it's the... so in looking through some of the later comments in the thread is the question like: do we actually need more content, or have things changed enough that, like, what we said in 2019 is like wrong or not complete?

F: I mean the comments in the GitHub issue, or I mean, the point is that maybe we can update the document adding some attacks that we have seen in the last two years: multi-factor authentication fatigue attack, or conditional stuff from PyPI, another interesting scenario, and similar. And the other point is about it: is this document good or not? I mean, it has... if the document helps other people and projects.

F: My answer is that the document is very good, so I continue to use it to present, I mean, I continue to present this document to people that have an open source project, usually especially if they ask me, hey, what are the risks and how can we mitigate? I say...

F: Okay, if you need something, read this document. It is at least the first step that you can do to improve the security in your project. But my question is, I mean, according to numbers, we have seen that in the last two years, okay, the last year was very particular, but they're attacking the open source projects in the concept of supply chain. We can define what is supply chain, but definitely it increases, so it's not...

F: It doesn't depend on how we spread awareness, but for sure, if we spread more awareness about how to ensure that your open source project is safer, we can help. This document is very, very good. It is the first document that I share when I need to share something about open source security, but yeah. Maybe we are not sharing it enough. Maybe we should present it in a different way, or super bright blockbuster or something, so.

F: No, no, we can do a refresher and add the more data that maybe we have collected, I mean that other companies collected. We can update the data that we have in the document and we can add more data if we have. We can see what changed in the last two years, for example, yeah, the scenarios that we described in the document are still valid, but maybe some scenarios are more valid than others, or just more common than others, and this kind of review becomes something that we can start.

A: Yeah, cool, so yeah, I mean it sounds like... do other folks find this interesting and would like to kind of join in and participate on this?
A: Perfect. What might make sense is to just spin this off as a separate B team, meet a couple of times. Have, you know, it's just markdown. What I would suggest is, like, as much as I like the PDF version formatting better than markdown, markdown is just easier to... we should just use the markdown and then I'll just create a copy of it in a new directory.

A: Call it the 1.2 or v2, and then just PR into that as changes happen, but that's probably the easiest way to go about this, yeah. And then that'll be good, because it'll give us something to announce in, you know, whatever, April.

D: Okay, of, you know.

D: Okay, yeah, as far as formatting stuff out, let me... I'm going down here. You know, markdown is really... you can always insert arbitrary HTML. GitHub doesn't like certain HTML, but you can still insert it and create a nice pretty PDF out of it. Yeah.

A: Yeah, I mean, yeah. We can definitely, like, get GitBook or whatever and make it prettier. Okay, cool, so Luigi, did you want to lead this work or just participate?

F: ...of the project, so definitely it is the source of trust that they need.

A: Perfect, so we'll do it asynchronously, but feel free to jump in. I'll post a link to the place where PRs should come in, because I think we want to keep, you know, keep the historical version and then have a, you know, a new version that we added. Foreign. Cool, anything else?

A: Awesome. Thank you all very much. It's a great conversation. See everybody again in two weeks, and enjoy.