From YouTube: OpenSSF Identifying Security Threats WG (May 26, 2021)
Description
No description was provided for this meeting.
B: Actually, actually we, we, we could just wait because I think Amir and Luigi, I think we're still waiting for you as well. Oh no, Amir, you! We, we have you, John, thank you, but maybe Luigi. If you wouldn't mind doing that, we can just kind of.

B: Okay, I love them. David, you've been putting out some awesome stuff around the executive order. Well, thank you. I.

B: I, I posted a note, I think somewhere in Slack or somewhere, was like, hey look, this sweet ZDNet article on, on this, and then I was like, and then I saw your thing, I was like, there's a lot of the same content. I think this is David's thing.

A: You know what, if, if people are pulling out and quoting from something I wrote, that is, that is what an author hopes to accomplish, so I'm, I'm delighted. Let's see here.

A: So I am, I am trying to at least attempt. I can't attend everything every time, but I'm trying to make it so that my schedule makes it possible for me to attend these things. Yep.

B: Yeah, cool. If folks have anything else they want to add to the agenda, now is a sweet time for that.

A: All right, you know, I'm probably holding up things, so I will have to fill in the Doodle poll later. I, I've just, I'm struggling, I'm struggling to do two things at once, and all right, so just FYI, Michael. I.

A: I'll cancel this. Yeah, you'll cancel the, the meeting of, of this sequence, yeah. So, let's see here. I do eventually want to just note the CII audits for the security reviews.

A: Yeah, and I, I acknowledge, you know, you know, for the Arctic thing that you had to have, I think, 10 stars, but you know, it was just a cutoff of "at least somebody cared." They weren't trying to do a, you get up, wasn't trying to do a, you know, "20 stars is not as good as 30 stars," because we don't know that.
B: Cool, okay. See what you're writing on the CHAOSS thing: yeah, yeah, so I, I attended two weeks ago, their, their previous one was. I thought that was a really good group and it was a good, good, open, substantive conversation on lots of topics.

B: So I think they, they do seem to have more rigor than we are putting on metrics definitions and things like that, and I think that's totally fine, but I think we can learn from them and they can learn from us. So.

A: Yep, I, I think that's the big distinction. The, the good news is the CHAOSS folks are really big on rigor. The bad news is the CHAOSS folks are really big on rigor, so they, they move a whole lot more slowly, and that has led, I think, to some people being frustrated.

A: On the other hand, they want to be, you know, more rigorous and thorough. You got a lot of academics, so, and the rigor is not a bad thing, so, so, you know, working with each other. I think with, for this group, by far and away the most relevant is the Risk. I guess it's really a sub working group within them.

A: They meet Thursdays. I will miss. I usually show up to their meetings, though I'll miss this one, so they're, certain people are certainly welcome to attend that too. They're, they're at a very nascent level. I mean they're still, they've been learning about what dependencies are and what that means, and so on. So you know, we've been talking about measures like libyears and counting up how many dependencies there are.

A: So that's a, that's a very early stage for that, but also definitely relevant, related to this group, and I have made each, I've made them aware of you, and, and hopefully, as you'll recall, I've made you aware of them. So.

B: Perfect, yeah. I know, David, I, I feel like I knew this at one point, but I don't anymore. Does CHAOSS have a kind of a working online, like, like kind of like we did, like the metrics dashboard? Do they have the equivalent, or are they just publishing software?

A: Well, they have talked for a long time about posting data. They do have a little bit if you look in their site, they basic, but what they post, I'm gonna, I'm gonna, over somebody who's even more involved with them than I am probably could better give a better description. But let me attempt, and if somebody has better information, I, I would welcome, you know, clarifications, improvements.
A: Now I have mentioned you before, maybe running some of that would get you some additional metrics data that could be useful, and they can grab data from lots of different sources, not only GitHub. However, if I recall correctly, it requires more effort, so they, they go deep but not wide. So if you're trying to find out, hey, I want to know a little bit about arbitrary open source software, at least so far, that's not been.

A: Now that may have changed, yeah, but folks at Bitergia do a lot with them, yeah, they have lots of cool data. If, if you are.

F: Have a look at Cauldron, I think it might be a bit more of what you want.

A: I've even written some papers on the topic, but you know there are only so many hours in the day, it turns out. So what I would suggest is maybe we do is go and snag somebody from there, come here, yeah.

A: Happy to, I, I'd happy to make some mutual introductions.

A: I, I have somebody particularly in mind, but there's several folks who I think would be probably good for, there's a German gentleman who I would bring in for the CHAOSS overall, and then there's some different people who are involved specifically in the Risk working group. But.

B: Do you think it might make sense to have kind of a joint, I don't know, workshop, get to know each other. You know, a cocktail, a virtual cocktail hour between OpenSSF and CHAOSS.

A: I think it might, but, but here's what I would suggest, why don't we fur? Why don't you first have like? I was thinking of Georg Link, so I would propose invite Georg Link to the next thing and just have him explain a little bit about CHAOSS, and the other way around, and then there'll be more connections. And then, when you create that virtual cocktail, I, I don't know, I think it could be. I think it could be more, or the problem with virtual cocktails is you can't really have those individual conversations.

A: I, I'm not sure how that would work, but I think some way of getting more people to talk to each other is a good thing. It's perfectly, as, as you know, I've been trying to connect different groups. Not so much to say, hey, you know, don't do anything because they're doing everything, that's not my intent, it's more of a "be aware of each other," so each can build off other stuff, if that makes sense. Yep, totally, yeah. So.
A: Would propose, break? Have him come on and just give a short presentation, what CHAOSS does? Maybe, Michael, you can give a little presentation of what this group's been doing, and then try to work out, are there ways we can cooperate more in the future. Georg Link, there we go. Oh, my goodness. How do you know how to spell that.

A: There are probably other good eggs, but he's one I, I have worked with for years, and I have nothing but, but, but good things to say. He might say the same about me. I don't know, we'll see.

B: Actually, it looks like I will be able to make this Thursday's Risk, Risk meeting. Yeah, yeah, okay.

A: Is not, let's see here, let's see, okay, you know what, I'm gonna copy in, into the, the notes about the Risk meeting, oops. Oh, I, I included it here. I think so. The.

B: Awesome, one random question.

B: Okay, and I guess on the metric dashboard, Dylan, you've been making dashboard updates. I did give you permission. Are you good now on that? Or do you still need me to twiddle.

D: Making local changes, no worries at all, so I can just, how would I, would I just go to metrics, just the main website, and now I can make edits if I log in with.

B: You know what, let me, I think it may have expired. Let me add you again: oopsies, let's see.

D: That's so strange, I must have missed it, that's all good. Did it send an email, because I feel.

D: Yeah, I kind of just went through and just did all the, all these little tiny edits we made. The last thing that I wanted to get done yesterday, but I'll get on that today, is the. I think we have our. We want, like, the best practices descriptions for, like the summary, aren't very, yeah.

D: Whole lot of data from that, so I'm gonna scrape that from git today, and then, while I'm doing that, it should be easy to grab the watchers instead of the stars. So do that, awesome, cool.

A: Yeah, if you're gonna, if you're snagging descriptions about the best practices badge, happy to help, and there's also ways to link to the details from there. The best practices badge has a page that lists, like, the criteria and details and so on. So if you, if you link to that, it would, you could jump directly to some criterion.

A: With details and all the rest of that stuff. Shall I, shall I reveal the, the secret URLs now.

D: I'll probably make the logic that, like, if there's a best practices description, like, use that, else kind of just go with whatever's on git. I think it's like the about section. Is that enough? Do you guys think there's just like a very short, or do you want me to, like, do any kind of readme parsing kind of situation and get a summary here? What do you guys think, I was wondering.
A: Okay, criterion name, all right, so here, here's, here's a way, if you wanted to, to have a link to a criterion name, just as a criterion in general.

D: Oh, you know what's so funny. Oh, I've been doing this actually for the, for the little info, like on the top right corner of the metrics, you can, like, if you have your mouse, I've been, I kind of just like saw how it was. I think Mike had done a couple of these links before, so.

A: Okay, okay, yeah! So if you work on the best practices badge URLs, we're jumping forward after best practices and so on. If you put a language in there, it'll force that particular language, otherwise it'll use whatever the person's language they seem to prefer from the web browser, and normally it doesn't show details or rationale.

A: The only, get, only challenge here is that the, right, we don't try to translate the rationales. It's a lot of text, and that's asking too much of our, are, our long-suffering translators.

B: Are pretty good at doing, you know, web page translations, so, I'm sorry, web page, web browsers are pretty good at doing translations now, so.

A: Yeah, now that's actually not been my experience. They're, they're, I totally agree they're much better than a poke in the eye, but, but, but my experience with translations is, if you stare at them really carefully, you can get a vague sense of what it's talking about, but, you know, I, I would not. I would not want to trust even a modern computer translation. For, you know, if they're accurate often enough, you can be lulled into a sense of security that you should not be.

B: Okay, cool, so all that stuff will go, if that works for everybody. Let's, hold on. Where are we over here, yeah, okay, so CII audits, yeah? We should definitely add the reviews from the CII audit program. Would someone like to take, take point on turning that into a pull request.

A: Thank you so very much. I'm, yeah, I'm very busy on that, in this thing, though, yeah, that, that will end today, because the deadline is today.

B: Only we had a time machine, okay, awesome, so that's good. Say best practice, got information there, budget. David, I don't know if you have any information on this, and I thought I saw K pop in, but maybe I was just, maybe not. A couple weeks ago we put in budget requests for the rest of this, latter half of 2021 and 2022.

B: I don't, I don't know if there is a, a date expected by which I would know, like, are those likely to happen? Are those unlikely to happen? Are they, like, available now, like? What does that kind of time frame look like? I, I, I.
A: I know the question you're asking and I don't know the answer, but I can tell you what's going on, and maybe that will help you in some very general way, because I have been involved in some of this, excuse me. So the quick answer is that there's multiple groups with a lot of the same people involved. In the end, it's the governing board that approves, doesn't approve, but they don't want to deal with it directly within their meetings.

A: Why are you, don't waste your time on that, focus on what you want to accomplish, then go back, and if you need marketing or whatever, fine, but don't create a long list of the things you might want someday, you know, focus on what you're trying to accomplish. So, and then the, there's a separate group called the planning group, which has been trying to work out, you know, besides just the things that have been requested by the working groups, what in general, it do? Does the OpenSSF want to actually accomplish, right?

A: That has not produced a lot yet, I had, and then, with this executive order, I got thrown into suddenly a whole bunch of weird tizzies. Basically, the US executive order has suddenly caused a ramp up in a whole lot of things, some which I can talk about and some which I can't, but I was asked by my boss's boss, Jim Zemlin, who's the president of LF, basically, David, make a proposed list of things should be done for open source offer.

A: Give me a budget, not just for the OpenSSF but for anything, and I want the whole thing by Friday. Nice. That was Wednesday.

A: So I did that, I busted my tail and I slept the week, and guess that was a lot of work, and it was incomplete and quite rough, but hey, I started from nothing on Wednesday, so I, you know, I, I feel bad in a broad general sense of, if I'd had more time, I would have much better job, but I actually feel good of it, gave me no time and I produced something. So there.

A: Getting things done. So I presented it, and the main comment was, wow, you did a lot. Thank you, but it's kind of rough, yeah. I knew that, you wanted it bad, you got it bad.

A: On the other hand, I think what's the problem right now is there is a perceived rush to look at, to take things bigger and more serious, I think so. I think the budget discussions gotten swept up in that. I had planned to present my proposal to the planning group on Monday, and I was directed by my, by, by Jim Zemlin, basically, you did a lot, that's like, it's really rough.

A: I agree it's rough, so we're gonna try to, he's gonna bring in some other people to work on that while I'm working on this, this thing, which was my other rush, rush, must do, deadline, hurry.

A: So, so, basically, I'm hoping that in the near term, while I work on some other things, some of the other folks will work on some other things, and then we will be in a, at least a more interesting shape, but I, I think this is, this is actually crazy. Creating good news long-term, complications short-term.

A: Basically, the EO order, EO, US executive order, has made lots of complications. On the other hand, I think, I, I, what I think, Michael, is that, although I can't guarantee anything right now, the odds are very good that there's going to be a lot going on. The problem is we got, I think the key is you got to get your proposals seen and you got to have an idea.

A: Okay, because there are people who, there are people who have money who are looking for ideas, and there are people who have some ideas in their heads but have not necessarily written them down or created proposals.

A: The ones who create proposals, with, with reasonable estimates and suggestions of what they'll actually do, have an edge, a really big edge. Okay.
B: So, I, that is a perfect insight, and we have.

A: I'm just watching this data disappear from my screen, so, and I will say that you're already talking with the CHAOSS folks. I've been just suddenly overwhelmed with these, you know, the, the budgeting thing and then this thing, but, you know, also talk, also talking with the LFX Insights folks, talk with LFX Insights folks, you know, you know, integrating more info into the dashboard.

A: So it's a true one-stop, no sub, yeah.

B: Sounds good. I see Luigi and Adrian have your hands up. I don't know who went first, but.

F: Laura's, yours, hey, this is Adrian. One thing I wanted to talk about related to this, and also what we're talking about before with watches versus stars, is a piece of information.

F: I found very useful for trying to find at-risk packages, or packages that may be typosquats or something similar, is the behavior of the users who are starring a thing or watching a thing. So there's, in the same manner that we're collecting metadata about repositories, the same style of metadata exists about the user accounts, and I've noticed that you can use this data to identify when someone is, like, starring up a project in order to make it appear to be more official than another.

F: But I've not found a tool that I can link you that does this, like, you know, in the same way that CHAOSS works, things are a little bit more primitive than that, but I was think, well, what's he proposing, like. Does anyone else think that this sounds like interesting way to enrich that data? Point of information about, say, account age, or, you know, that sort of thing, about the people who are actually voting up the project, to get a better picture of who's doing it, and why, maybe.

E: Related to typosquatting, I have tried to create a fake GitHub account using similar name to important companies, and I mean, I don't think that people have used a similar technique to hack a third party packages or try to do a supply chain attack. But I think it is.

E: I think about Golang, for example, about Golang, where the developers are adding a third party packaging using GitHub directly, and I don't know if it can be a problem, but I mean, I am curious about this, about typosquatting techniques to try to do supply chain attack. So it's already too, tough squatting. Sorry, yes.

B: So, so, so the type of squatting, I've had some conversations. It looks like the, so we open sourced, is it, a bunch of techniques? I'm not, not claiming these are the only techniques or that they're the best or anything like that. I'll just do that here.

B: We've kind of written that, in the form of a deep, of the detector for it, and anecdotally, some of the package managers are starting to use it, or they've, they've taken the concepts and re, you know, ported them into their system, and, and are getting pretty good results.

B: So we're going to try to continue iterating on that, but I think the, the important thing there is that, you know, we've done thinking like, well, it's, yes, it's, you know, homoglyphs and things like that, but it's also keyboard distance, and it's prefix and suffix, and I believe that there's another tool out there that, that I came across that has some similar ones. I think we ported some of those rules in, but.

B: Yeah, that, that's one thing, but I like the idea of the spam, so, so it looks like, on the, on that side, just to kind of show, like, what it would look like, you know, for, for GitHub, obviously, for, for a particular project you can get. I think subscribers equals watchers.
F: Yeah, yeah, I put some screenshots in the chat from the Supreme Backdoor Factory report that show, like, someone identified a network of just accounts that all got created about the same time, and then, like, seeing one project they had starred basically rippled through, and you could see all of the other projects that they starred, and all of them were dodgy. All of them were bad, yeah. Nice.

B: I love it. Okay.

F: Like, enrich our, you know, detection technique on, like, this particular health metric, so to speak.

C: Yeah, yeah, I think it's a good point, Adrian, and anything to make the quality of the, the data or the metrics, you know, better than all these other tools that are doing it, I think, will only help us. So kind of thinking of those, those things that maybe not everyone else is thinking of, like the behavior and, and things like that. I think it's a great point.

B: I think there are also, I mean, I've heard of maybe a dozen of these that have kind of, they're.

B: I don't know if they've graduated from, like, the research stage to, like, the applied stage, but using ML to kind of gather all of the behaviors and then just building a model to detect the, the bad ones, and in some cases it'll be typosquatting, and it'll be spam, it'll be these kind of, you know, star farms, but there's a lot of data and people have tried using ML. I'm not sure how effective it's been, but.

F: Yeah, yeah, one, an example of this I could give, as I looked at the recent PHP backdoor attempt and try, I tried to build a model off of that, and I actually sent it to Michael Vorisek, who discovered the backdoor in that commit on March 26th, and he, he agreed that the, what the model was detecting on was the thing that, like, made him suspicious about the commit before he even looked at it and saw that the code was bad, right.

F: So just like using available metadata, like, I think some of these things are really, really close, but I haven't had the opportunity to scale it up to just, like, tens of thousands of repositories to look, like, you know, for the number of false positives, but yeah. This kind of stuff seems to be working, and at least there's structured data available to do it.

B: Yeah, awesome, yeah, I mean, if you come across things where you're limited by compute or whatever, like, if it's, if it's the kind of things, I mean, we, some resources, some resources are easier to muster than others. Time and people are the hardest ones, but.

B: Okay, yeah, so I guess in terms of this, it probably would be good, and we probably should have done this earlier, but coming out with a, I would call it a project plan, but at least getting everything into GitHub issues so that we can start, like, chopping them down and, and getting to things, because we, we talk about a lot of good ideas, but, like, libyears. What does that actually look like?

B: Well, you know, we need to do X, Y and Z to get libyears, but are we tracking that? So I would say, by that, but by the next time we meet, let's, I'll, I'll, I will put in some, a couple hours into kind of fleshing that out and making sure that our, our backlog is still relevant and, and all that. What I'm really hoping is that, you know, as we can articulate that in such a way that we get budget, and therefore we can have someone.
A: Maybe this is working with, you know, summer inputs, but adding more, more projects. I mean, I don't think that 100k, I mean, that's just from your input source. I don't know of anything that particularly limits us to do that. The last count I had, we have something like three million.

B: Yep, yep, agreed, at least.

B: That's, yes, yep, and well, and actually what's interesting is that this doesn't, sorry, the, this number probably does not include the WordPress plugin ecosystem, which is probably comparably sized to, to these. That ecosystem is huge, yeah.

A: We probably are, they actually don't include a number of ecosystems, probably ought to. It would be cool to get. I don't know who runs Module Counts. First of all, HTTPS would be awesome for these guys, but there are several. There are actually several ecosystems that they don't include here.

A: There's also queue lang, if you ever deal with Common Lisp, so that's not, I mean, not q. What is it anyway? There's a, there's a Common Lisp one. So I mean there's. There are ecosystems not listed here. Yeah, yep.

B: But so, as far as how can we expand out to get more data, one of the things we were, we wanted to do was to generalize, give me, or give me all the metadata known about a package in a normalized form, so I can compare apples to apples. So we did this for npm, but if you do it for one, it's, it's actually not making anything better, but we're planning to, to extend this out to the other ecosystems. So you just get back, I mean, it.

B: Doesn't, it's just a normalized JSON format of the stuff, and the idea would be then now we can run this against everything in npm, and then everything in NuGet and PyPI and everything else, and then dump that into, into the database and now have something structured without having to write a different parser for each one. But if we just wanted to start with npm, I mean, a lot of the ecosystems is pretty, it's pretty easy to get to the metadata. So.

A: Well, if they, if they supply it, there's the challenge, but they, they'll generally supply, at least, you know, basics like URLs and so on. You know, obviously names, but typically the URL, the source.

B: Sorry, completely random tangent. I had a chat with the folks that run Project Aura. Okay, this is a project, it's a static analyzer for Python, where what they've done was they've run, they have a bunch of rules, and they ran it across the entire Python ecosystem, and now they have the results.

B: So some of the results, some of them are interesting, some of them are a little, little noisy, but it got me thinking, like, what, what role we would play in, like, I don't, I don't know that we want to be, like, the dashboard with actual vulnerabilities in it, versus the count and links to places where one might find such vulnerabilities, or, if that's now kind of too sharp of a knife that we're, that we're putting out there, and people will hurt themselves, or attackers, they're.
A: Already public, it's too late. I, I think the, the correct line to draw is, if they're not public, then being more cautious makes sense. It, now, this is static analysis, so they can, they can obviously report on potential vulnerabilities.

A: Now I'll tell you where, okay, you don't have to agree with this, but I can tell you where at least the US Department of Defense ended up going on this particular track, because they, they have this, they, I've forgotten the exact terminology now because it was kind of convoluted, but basically, that's not so forgotten, is it, it's not, so I've forgotten it. I know what it is.

A: They would often refer to weaknesses or findings, which are not the same as vulnerabilities, because, typically, what happens, particularly with fuzz testing, but really also a static analysis, when you tune it, when you turn up the knobs, not every finding is actually a vulnerability, and so their view was, a finding found from public, using a public tool, especially if the tool, program being analyzed, is public, is not an issue.

B: I, I think that, that's a good distinction, except that, if, if, if, if the rest of you are the ecosystem and one of you publishes the tool and the other one runs another public tool against it and finds a finding and doesn't triage it, and I'm the bad guy, and in my house, I, you do the triage, I do triage, now, all of a sudden it becomes a vulnerability. So it's like spooky action at a distance here, where now I've just turned your finding into a vulnerability without, to be.

A: Yeah, to be fair, it's nothing they couldn't do already. Now, if you're going to argue there is a difference when you make things easy, that is also true, and I don't have a simple answer for that. Yeah, because, I mean, I, I think what we really need to do is help the developers who are writing the code: hey, you've got a vulnerability, go find it. I think, though, that for us here, what I would rather do is focus more on either static analysis.

A: That just suggests that there may or may not be an issue, and also focus on known vulnerabilities. Hey, go fix that, where, you know, there's no question about whether or not it's a vulnerability. Everybody knows it's a vulnerability, please update now. Yeah, yeah, and in that case, what you're really trying to do is you're just trying to help somebody who has an old version of X, and you're telling them, you know, you got a vulnerability, go, go patch.

A: Yeah, but I, I think at least the way this metrics tool is kind of shaping up, and I would love to hear, like, the CHAOSS, CHAOSS's view, because CHAOSS has both the, here's some specific metrics, and they have some tools, but I, I think what, what focus is different here is that you've been trying to, to capture a large swathe, and that is different. The closest I can think of is, was it Black Duck's Open Hub, yeah, but, but Open Hub?

B: Yes, perfectly, yeah, and I, I think, I honestly, I, I mean, I think there were other, a couple of others like it.

B: Having it be clearly open source maintained, of course that requires dollars. So, you know, that's hard.

A: Yeah, and in fact, I think one of the problems is Open Hub itself, I don't think, brought in money. So if you're a commercial organization, that's, it's hard to pitch.

A: I don't know if, if they viewed it as a, an advertisement. How's this, I can see. I, I don't agree with you that commercial org can't do it.

A: I, but it is true that if there's, if there's no clear separate, why would the commercial company keep doing that? Why would a commercial keep doing it? It doesn't make sense for a commercial company to just do things all by itself that are helpful but have no help to them. Yeah, there needs to be a, was a call with them.

A: What's in it for me, yep, yep, and it could be advertising, which is perfectly valid, but for anybody there, if, if they're gonna pay for it, there needs to be some reason why they're paying for it.

B: Wonderful, then, yeah, so for, for folks that, that joined in, in the middle, there is a link to the Doodle. Please, here, I'll copy this again.

B: Please fill out this Doodle so we can find a meeting time for everybody. Please, if you, please try your very, very, very best to do it today, so that I can cancel the meeting tomorrow and, and get us on a more consistent meeting time that works better for everybody. Awesome. Thank you so much, awesome, thanks, everybody, thanks, Mike, all right, cheers, have a good one. Bye.