From YouTube: OpenSSF Identifying Security Threats WG (March 31, 2021)
A: And Ray, hello. Good morning, good.

B: Good morning. I learned of your group from John Speed Meyers at In-Q-Tel, and so I'm just attending to learn a little bit more about what's happening with the OpenSSF.

A: Perfect, awesome. Okay, so I hope you all can see my screen. I've got a little bit of a demo and a little bit of progress from last time, yeah, so maybe we'll just kind of get into it and we'll kind of go from there.

A: So the backdrop here: last time we built out a proof-of-concept dashboard which kind of worked, but in all honesty it was a bit of duct tape and WD-40 kind of making the thing work. It was really hard for anybody, for any new developer, to come in and set up the environment, because it was like "build the universe from scratch," so I made some progress here. So I'll show you what I have.

A: So on the coding side, I'm not gonna... it's not gonna be a coding exercise today, but it's all Docker Compose now. So each thing is a separate container. There is Grafana running in one, there's Postgres running in one, nginx, and a really simple Django app that is kind of the front end. There's some caching stuff, but we actually don't need it; I can just delete it. So when everything loads up...
A: It's just, I mean, it's just normal, plain Docker Compose. What you wind up getting is...

A: This is kind of the older UI. I'm not a UI person, obviously, so we can make this look nice, but the idea is you can add a project and you get the list of projects. Obviously we need to paginate and all that stuff.

A: But if you go to, what's the, Kubernetes, because I know Kubernetes has data, then it bounces you over to Grafana on the same host, pre-selected for the project that you did. And actually there's no data for this one yet. This one... so this data is coming from the badge project.

A: I think this one is badge project as well. I need to move over all of the actual metrics definitions. The other, the, I don't know, previous version of this; this is essentially the stuff that I'll move over, so it'll have all of the stuff built out here within, you know, a day or two.

A: So the advantage here is that it'll let everybody, you know, I want to have it so that you can basically download the compose file or clone the repo and hit build, and five minutes later you have a thing that's running and you can immediately start populating it.

A: There are management commands to do things like reloading scorecard data and best practices data. We need to, and this is really just for dev-time stuff, just to make it a little bit easier to load, to reload things. We have all sorts of conversations to have about how to, you know: do we want all collectors running on all projects? Do you need to be able to disable them on a per-project basis? Like, how much complexity do we

A: want to add here? And I would say as little as possible, at least for the MVP. I'm thinking these would just get run periodically.

A: So I actually have some notes in here about the MVP, like minimal, minimal features that we need to kind of go out and say that we have something for others to look at. So I think getting the domain alias would be good. I'll probably put it on the same...
C: I have a request, and believe it or not, I think this belongs in the MVP. You mentioned "publicly accessible via a simple URL." Can we include a simple way to identify a package and directly go, you know, within the URL, and directly go to that package?

C: You're using package URL. CII Best Practices doesn't have package URLs. That is something we've talked about. Yeah, okay, how.

C: Quick email to the TAC, to Ryan, and then I guess I can find out from the LF IT what's required.

E: Okay, so I will... we want, sorry, we won't have the only way to easily find a package, or we want to offer also a way to compare two or more packages.

A: I think, for the MVP, let's stick to just one. Okay, we absolutely need the comparison thing, but then it's harder.

C: Yeah, how's this. What I'd propose is, you know, for the MVP, don't. If you want to do a comparison, you could tweak the syntax and just say, hey, if you start with a square bracket, then instead of a single package it's the... so package URL equals open square bracket, list of URLs.

C: Yeah, set up, I mean, there's two different issues, which is, I think I can talk to LF IT, but I think the first step, oh, to provide the destination static. Oh okay, so instead you just want them to set up a link over to it, if they...

C: Got it, okay? Okay, once you send me afterwards what's necessary, and I don't know if we need any approval wider than this group. But since it's visible, openness is so...

C: I think we at least should ask the TAC. What, actually, since you're the chair, Mike, why don't you just send an email to the TAC and just say, hey, we want to do this, is that okay? I would be shocked if they said no, but at least they've been informed.

C: Yeah, I don't think they... I think, actually, I can tell you part of it. The OpenSSF group needs to approve and then the LF does the work. Perfect. But the problem is, I can talk to the IT folks, but I'm not really... I don't want to do that until there's some agreement that the OpenSSF is okay with that.

C: So, oh wait, wait. I don't see anything changing, what, oh, and there it is.

C: All right, "I would do the actual work, comma, but it needs to make sure the OpenSSF is okay with this," and I would think you're okay, all on board. Okay, yeah. There you go, yeah. I think technically, as long as this working group is okay with it, I've heard no objections, we can do it, but this is probably also a good excuse.
A: Wonderful, cool, all right. So we got that landing page with basic info about the project and links to the dashboard.

A: We probably need a little bit more than this, but I'm not sure how much more. Like, I don't know if clicking on a project here should keep you in this frame with some basic information, like the stuff that would be up here: okay, project description stuff, because that might be kind of more interesting at a top-level landing page. And that way we get, like libraries.io and a lot of other sites have, a per-project "here's a snapshot," and then there's, I think, for some of them...

A: There are details beyond that. I don't know, I'd love it if somebody else just told me what to make it look like.

C: Okay, I have a very specific suggestion, but you know what, we can... I already snuck it in as a sub-agenda item a little later, when we talk about scaling out. Yeah. Do you want to just talk about that now? Or let's do it. Okay, so a little later on, you said running on a single server is okay, but the individual components must be able to scale out.

C: I have a recommendation on the scaling: basically, make each of your different projects a different URL, so that you can identify them as, for this project, here's the URL, and then we can probably use the Linux Foundation's Fastly account. Now, I don't know if you've ever worked with a CDN, but CDNs are miraculous for turning simple servers into scale-out in a beastly way. They also make it really fast for users.

A: So the, okay: what do you mean by component? Do you mean that zlib and left-pad are two different components, or do you mean... okay.

A: So the problem with that is Grafana. I don't know how well Grafana plays under a CDN, because if you, and I don't know this, we'll see if this is true or not, kind of changing this, I believe, yeah. This is all dynamic, dynamic queries going back, so unless the CDN is super smart and can intercept that and return back the right stuff, you're only going to be CDN-ing static data, which, like almost nothing here is static data.

A: We could absolutely CDN this view, and if clicking on here opened up, you know, LinuxGSM as a full page here in this view, which was static, then yes, absolutely we could CDN that. But once you go to Grafana, I think you have to let... because it's between Grafana and the database at that point, and I'll see that that's the heaviness of it.

A: What I was thinking on separating the components was, we need to be able to put Postgres on a beefier server if we need, and Grafana on a, you know, separate server, and I don't know if we need to move to Kubernetes or something more than Docker Compose for that. I'm not a Docker Compose guy. So it works great for one server; conceptually they all think of themselves as separate infrastructure and Docker does the, you know, magic between them.
D: If there are stuff that are so Grafana, that like POST and GET requests, those can be heavily cached, especially if you have them. So there may be slight improvements that we could make to Grafana to improve its capability behind a CDN, especially because a lot of what it does is, like, CDNs usually have pretty well-defined, like, you know, for these sets of headers, these are considered the cache key, and, like, you know, if you return the right headers, then you can say, oh, this...

D: This thing can get cached as a response, and so it doesn't actually need to render it. So you might want to explore that a little bit more than just saying, just because it's dynamic... actually, even though it's dynamic, it can still probably be CDN-protected, you know what I mean.

C: I'll give a for-instance, for the CII Best Practices badge, where the badge, the little images, are cached with the CDN. Most of the JSON files are cached. The actual user interaction is not, because what you see varies depending on whether or not you're logged in and as who, so those are not handled by the CDN. But because the badges are the ones that get hit the most, just caching some things has a spectacular improvement, even if you don't cache everything.

D: I'm laughing because we run the Gradle Plugin Portal and it's one server running on Heroku, and it serves like two petabytes worth of data every month, just from one Heroku server, right, like.

C: Yep, the CII Best Practices badge is one Heroku server running on Ruby on Rails, which is not a fast language, but it doesn't matter, because the user experience is fast and that's what matters. Yep.

C: Yep, okay, going back. Sorry to go sideways, but I think not so good. We want to make it so that it will become able to grow, even if the current version doesn't need to be. Yep.
A: Okay, so yeah, so we've got the landing page with basic info we need.

A: Adding a new project, that's just... there's a list of projects, and the refresh will just be: look at all of the oldest projects and refresh those and just kind of churn. That way we should periodically refresh everything. I'm thinking weekly, but, you know, some sort of... we could just finish and then restart, and that way, that would probably be more...

C: And it'll be shown when the data was captured, right?

A: Yeah, so right now this is, you know, "last updated." So what I would imagine is that, you know, if you kind of sort by last updated, the first N will be updated last, or first, or you know what I mean.

A: Okay, data sources. So this is really the guts of it. So right now the badge and the JSON and security reviews, I have code for all that. I have releases for GitHub. Adding npm would be not a problem, and that would make it look similar to this.

C: No, it's not, but I meant the Security Scorecard, not the... there's a Scorecard and there's a Criticality Score.

G: Yes, yeah, the Scorecard is like a pass/fail check that checks for a bunch of kind of main security practices, and yeah.

A: Yes, so what I grabbed from the Scorecard. So Google publishes, or the Scorecard project publishes, a flat JSON file with like 5000 or whatever projects, kind of continuously updated. So the main import is that giant file, which is where you get all these, and you wind up getting, you know, this: does LinuxGSM have signed releases? The answer is false, and these are the details.

C: Cool, okay. Okay, so that actually sounds like a good... could go into the...

A: Oh, I'm sure you could. Was it the folks that revived GeoCities? I'm sure there's like a trillion of them on there.

C: But whether or not we have an animated GIF, I think that's the... adding a disclaimer, yeah. This is not the final version. This is a very early version, we're just trying to get something up. Okay, and there's no badge, scorecard, reviews, criticality score. Hooray.

A: Totally. In fact, that would go...

C: Yeah, yeah, put that as an MVP data source is a link to... I actually want to just, you know, I'll pitch this. You know, link to repo statistics, and here I'm thinking about the GitHub/GitLab page for that project.

C: And then they, you know, hey, you go here and then you can... You know, I think what we're trying to get people to do, and please help me if this is not your understanding, is: if somebody wants to know, "hey, I'm thinking about adding this package, should I worry?", then I want them to be able to quickly come to a spot and click out to other things and get a lot of information in a hurry to help them make that decision. Yep.

A: We have links, so, you know, follow the link if you want. Right, right.

A: Easy, yep, awesome, yeah, I like that, cool. Yeah, so the metrics will show, will be that, and we will just iterate on, specifically, you know, what to show and how to show it, and when there's two different metrics that are both similar, you know, do we show them both? Do we just show one? You know what we do. I don't think we need to finalize that for MVP.
C: You know what, can we talk about the metrics that you're showing and just kind of talk about, are there any that people have heartburn about, or things that you really are missing? Let's do it, yeah, yeah. So I have concerns about the health ones in particular.

C: I mean, the number of contributors, money and so on are great. I am dubious about the percentage of issues open or the average issue duration. I'm also... months since last release, okay, months per last release, is that what that means?

D: Average issue duration, that, like, I feel like is going to be heavily dictated by whether or not they have stale bot installed in the repository or not, right, like.

A: So maybe what we should do is just delegate that, if somebody else comes up with a... because you could probably say, okay, if the issue is open for more than six months, it's a long-term thing, or if it's tagged in a certain way, it's not the same as, like, "hey, I found a bug, are you gonna fix this?" and the project either ignores it or does something with it, right.

A: You know, yeah, you know, so I would say for anything that... I mean, if we have this many questions about any of these, we should definitely not include it, because we'll only create more questions, rather than the dashboard going out and people like, "oh, that's super clear," yeah.

C: So I would say, for the moment, I wouldn't bother with those two. I think they will raise more questions than they answer. The other ones make sense to me, you know, number of months since last release, assuming it's something that's released. There's a fun thing, but I think that's... for most projects that's not a question.

F: I got a quick thing that I was a little curious about, if you guys don't mind, for the security reviews. What, like, is the expectation to have, like, a set of links towards... because right now it just kind of shows, like, a review, like whatever review it... just like some random, I think it's just like the first one or the last one, I can't remember what it was. And it's nice to kind of just have information like in your face.

F: Yeah, but so when it does find a review, or say there's like 10 reviews in the repo for that particular package URL, right now it just shows like a review. That's like the logic, it'll just show like the full, the description, all that stuff.

C: I mean, I understand somebody's probably not gonna read 20 reviews, but I might read five.

G: But you bring up a good point. I'd say other metrics that we could potentially track are, you know, if they're all timestamped, the date since the last review. You know, if it's something that was reviewed 10 years ago or something that was reviewed recently, I think would help, and that's the only one I got for the time being.
A: Cool, I think that's good, okay. Moving on for a moment: API. What I propose is a super simple API. You get back all of the data for a particular project, so it would be something analogous to this.

A: Maybe, as we're doing this, this is like, you know, show it and then...

A: Or show, yeah, or show.json, or something like that, yeah, although we may want to... and now, you know what, I like that, because if we want multiple, what we really want is metrics dot openssf, api, you know, version one.

C: So, for example, the query can just do a redirect to the actual data, and then you cache the actual data.

C: We don't need to design it right now, but I think the goal there is, you know, maybe do a redirect. So I think the goal here, though, is a way to quickly and easily specify a URI that turns around and gets you the data in either JSON or pretty format.

A: Okay, so we talked about performance and stuff like that. Multiple dashboards, that's just Grafana, everything in GitHub. We can export the dashboard definition, which should be... I just need to double check it, but it should be transferable between Grafana instances. "Don't forget about caching and new dev," yeah, and that's all cool.

A: Okay, so from last time, I think we got through most of this stuff.

A: Threat paper, yeah, so Mary, you're gonna start looking at this. I did open up the issue on...

A: The guy who... Daniel, the curl Daniel, I thought wrote an interesting article here on backdooring curl, just kind of a nice threat model that would be good to make sure that we're covering. I think we do, but that we're covering all those kind of different scenarios, but in general, but more generally...

A: Just if other people have thoughts on threats that we should take into account, or news or whatever, just, I mean, maybe just post them as a comment to the issue and we'll keep track of them in one place.

A: Do you mean the... so the notes are all in here. The recordings of them, I have most of them. I've been posting them to a YouTube channel. I need to get them into the OpenSSF YouTube channel. I will take a note, I will give that to my thing.

A: Yeah, I also feel like this probably would be a good opportunity to, like... I don't know what a better way of managing this is. It seems like GitHub doesn't seem to be the best vehicle for managing changes to documents. I mean, it feels like it should just work. If it's not, we can find something better, but, like, you know, versioning, like, docs. It would be nice to be able to export this to a really clean, nice-looking PDF and want to publish it.

C: Well, it depends on what you're trying to accomplish, and also what kind of document it is. If it's a relatively straightforward document, pandoc does a great job of turning Markdown into pretty PDFs.

C: And well, you don't need to do it, I mean, Markdown, you know, one hash is heading one, two hashes heading two, and all you need is to tell pandoc "make it a little pretty," but you're not actually changing... I mean, well, you might change it a little bit in the Markdown, but not very much. Okay, all right, so that, I mean, that would be, if you want to eventually generate a pretty-looking doc, that's one way to do it.

H: Yeah, from this side, the same. I would like to think how you guys think, or how you guys are really thinking about this, to then jump in and try to make some additions. But it's been great, this meeting. I think I'm starting to understand more deeply what you are trying to achieve, so I hope that in the next meetings I'm going to be able to help, like introducing new insights or trying to help you elaborate the insights that you already have. So, perfect.
C: Since you're new, I think the general approach for this working group has been: there's already been a lot of work on attempting to identify some metrics. There is no magic metric that resolves everything, so we're much more focused right now on an MVP of "here's some metrics a number of people think would be helpful."

C: Let's create a system so you can see those metrics, and then I'm hoping that we're going to go back and think more deeply about trying to identify more, better metrics to help people make decisions. But it's hard, and there is no magic metric. People have been working on directly measuring security for decades and have so far failed miserably.

H: And I'm sorry, what do you think are the main stakeholders of those metrics? You know, because depending what public we are trying to get to, probably I'm gonna be able to think about different types of metrics. Which is the public that you think that we are aiming to in the first place?

C: I can tell you for me, which is not necessarily everybody else, which is: I'm viewing this primarily for "I'm a software developer or an organization that is about to use some open source software component, and I want to answer the question: how risky is this?" Expecting things to have zero risk is ridiculous, but, you know, some projects are a whole lot riskier than others, and so I want to get some metrics to give me some sense of the risk I'm taking on, and, for example, if it's high risk, maybe I'll avoid it.

A: I think the one thing I'd add to that is: you want to use that, but as a security team, you're probably using like 10,000 projects. What are the 10 that you should worry about the most? So kind of doing that aggregation and sorting, which is a perfect segue to something that I meant to talk about: final grade.

A: I know this one is always touchy.

C: I think we should do that, but not yet. Okay, you know what you could do, as a cheeky thing: you could put a big box in the interface that says "final grade" and just underneath it say "TBD."

A: But as we... I mean, it probably would be, I mean, since we have like four and a half minutes, I think it might be useful to start thinking about what a final grade could be based off of, and I think just naively, you know, some sort of a combination, some weighted score of the other things, and, you know, then you bucket it, and there you are, you're an A-minus.
H: No, I just laid in the chat one way that I think has been useful, in a way, to understand how to choose a library. What topics we can use to start thinking about this final grade? What topics can we start seeing about specific levels? It's not like a huge one. It's like a deep-dive metric, a deep view of what topics do you need to start thinking about when you choose libraries, for example?

H: I think this was a good idea that, I think, Snyk was trying to achieve. But maybe we can discuss around this kind of thing, because I'm using it in the company and it's quite clear for developers, who are the main users of this, to try to understand. I think that we can do a better work, but we can wrap things up like this. I don't know what are your thoughts about this.

A: Look at it and learn from it and, you know, have our spin on it. Trying to think if there's anything here that... like, I would love to see how they're calculating some of these things, but obviously some of it's secret. You know, it's their special sauce, so we're not just gonna, you know, do the same thing.

C: Yeah, and you know, I think that right now is not the right time, because I think that we're probably going to be adding some more metrics before we want to even calculate a final grade.

A: Yeah, so, for example...

C: So, you know, so not... you know, I don't know if you want to put this now. Wait, wait. You know, wait until we have some more metrics we've discussed, and I'll tell you what, let me, yeah, let me add to the "not MVP," oops, no, "not MVP data source" data.

C: Oh my goodness, I feel like I should know this. Yes, I think we have, actually, but you may not remember this, yeah. We talked about... I'm pretty sure we talked about this, but it's been a while. So basically, if you have a dependency on a component, okay, and let's say you have a dependency on a component, it's version one. Okay, yeah, version two came out, version three came out, and in fact the version you've got is two years older than the current version.

C: Exactly, well, yes, it can work, yes, exactly. So usually it's transitive, but yeah, transitive and then transitive, and then you can both sum and average. I personally think that average is more useful, yeah, because if you have a big graph, your number's going to be big. Yeah, your number's getting... that's right.

C: If you depend on a thousand components, it will be large no matter what you do, but if its average is small, that's not so bad. Average, especially. So I think that is a wonderfully simple... yeah. It's one of those... there's actually a website that pitches this thing, and I've never heard of it. A couple, like two years ago, and I read it: this is a remarkably simple measure, why didn't we talk about this before? So I think that's, you know. Is it reproducible?

A: Trust but verify. I don't know how hard it tries, but it does attempt to build and then does a compare thing, but only for npm.

A: All right, good, we are over time. I'm sure everybody has other stuff to do too. Thank you, cool. Thank you all very much, I'll see you guys again in about two weeks.