From YouTube: OpenSSF Identifying Security Threats WG (March 30, 2022)
Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: Getting it from Teams out is not super fun, awesome. So for the agenda, if you guys should not have access to the minutes, if you guys want to edit anything that you want to talk about, it's kind of been a busy week for a lot of folks. So we'll, you know, please add yourself if you're not in the attendees list. This is copied over from last time, so I'm sure it's not accurate.

E: Go ahead, please. I've been listening and learning and lurking in the Slack for a while and I'm here to continue to do that. I'll be quiet and just absorb and get the lay of the land. Thanks.

F: Hello everyone, my name's David, I'm from Red Hat. I've been joining a couple of other interesting working groups. I think this one aligns with what I want to see happening.

F: The most work is a threat modeler, and I think the work in this working group is really interesting. I'll be sitting in the back for the time being, listening and learning, as I need to do a bit of catch-up, but pleased to meet you all. Perfect.

G: Nice to meet you, and just listening also. I am working on.

C: Okay, interesting. I was just asked to give a presentation to their upcoming thing, so I know security. I know a lot less about mainframes. I can spell them, so maybe you can later on give me some insight on anything that's special or different regarding the mainframe versus other worlds. Oh.

G: I'd love to, and John Martech, probably you work with him, right? So, and then we have a huge interest on, you know, openness.

C: Yeah, the person who's, I'm talking with John Murdock at Linux Foundation, but I'm sure there's other folks too.

C: So I'm gonna repost in the chat. Basically what we do is we use a Google Doc, so we can take notes as we go.

A: Although I heard that Google Docs just announced support for Markdown as a writing format, which seems pretty cool. What? Yeah, yes, and it's not, according to Twitter, as in it can export Markdown or whatever. I'm hoping that means you type, like, you know, pound sign, space, foo, and you get a thing. I don't.

C: Not what they mean here. Okay, that sounds irrelevant to everybody, so.

A: I guess it's like a HackMD competitor now.
B: I have proposed in the Scorecard channel the Security Insights standard. They were very positive to the proposal, so they said to me to join a meeting, the CNCF, Cloud Native Foundation, remember that entire name, TAG meeting. Unfortunately, there is an overlap between their meeting and our one. So I will present the Security Insights project, as part of this working group, on 15 April in their meeting. I have prepared the presentation. It is almost done.

B: I think, honestly, I shared the public link here, but the link is public. Yes, it is public. Now it is in the chat, in the Microsoft Teams chat, and I.

B: We need to be sure that some important open project adopted it quite soon, and probably in this moment OpenSSF is in the best moment to propose a similar standard, because we have the Alpha-Omega project, especially for the Alpha project. We have 100 open source projects that are in contact with us. We have the Scorecard that can use parcel your total. According to the developer, choose the Security Insights, and in this way we can launch it with a public communication also and align people on this standard.

B: It seems to be, I mean, I have just tweeted quickly to try to collect some feedback from the community. Of course it is my community, I mean, everyone has a group of followers, but both on LinkedIn and on Twitter a very small group of people answered the survey, and they say that, yes, they want to have a sort of security.txt for open source projects.

B: So I think that similar files can be helpful for everyone, not just for a developer or company, but it can help people. So I will present in two weeks, one week or two, between two weeks, to them.

B: CNCF TAG meeting, and we try to convince people about this. I have still some improvements that I would like to implement, in particular "in scope" and "out of scope" for the security, for the VDP, that is directly inside the YAML file, and a link to the code of conduct, because I think that is important in the operators, and so it's not related to security. Maybe, or maybe yes, if we think security not just about the code, but yes, it was a good feedback.
B: Need to check if I need to restart, because I am on Mac, maybe I need to restart the laptop. Do I do that and we'll continue, but we'll make sure we have enough.

B: It's okay! Okay, if you want, I can share quickly the presentation. Sure, I can try again.

B: Okay, and the first slide is literally the presentation about the format of the standard, so there is on the right there a YAML example.

B: It is not complete, of course, because it is too long, but it is the first, how people view it, and I try to explain which information we would like to have in this example file, like, for example, security, and why we want to have it. So, for example, we want to have a SECURITY.md link or security policy link in the YAML, other important information related to the security, for example, if they have a penetration testing.

C: Can you go back? I want to make one comment: no, previously, right, the second, the subtitle there, the "security.txt for open source projects". I think what you should emphasize is the machine readable security.txt.

B: So in the second slide, I try to present the reason, so why we want to, we are working on this file. There are five bullet points. Well, we have seen that security.txt, that is a sort of machine readable standard, was helpful to collect information. For example, there are more than one website that offers a sort of database containing the security.txt of that website.

B: We have seen that open source organizations and projects already have tried to implement similar formats, especially human readable files, but there is no standard. So we have some projects that add the security policy in the GitHub profile, otherwise other projects that add the SECURITY.md or external security policy in the organization website, for example Eclipse. Then we have seen that Scorecard results, I am saying Scorecard, but scanner results are important, of course, because they can help people to monitor open source projects.

B: They can help a company, an open source oriented company, to monitor their projects, and so false positives are a problem, and a lot of scanners have a lot of false positives. So if we can help the scanner to reduce these false positives, or to give more information, more context, maybe we can aid the community.

B: And in addition, a similar file that is machine readable can help companies or people or organizations to create databases, okay, databases that people can use using API endpoints, for example. Okay, a sort of ecosystem and infrastructure information, well ordered, that at the moment is missing because it's not so easy to automate this information collection. And, in addition, it will be a standard that is independent of the platform.

B: So you don't need to have a feature on GitLab or GitHub, especially because we don't know what is the next big platform for open source projects, or for just projects. So it is important that this standard is independent, or not dependent on the platform. For example, I have created this slide for the use cases. There are more use cases in the README of the project; for space reasons

B: I have just added some of them, so there are three use cases for the final user, classic use case, so I want to know which tools are used to lint or scan the code and which are the security processes in place, so I can evaluate the security, or I want to read the security policies so that they can easily know the security practices in place.

B: Also for the security researcher: I want to report a potential vulnerability so that the project maintainers may be aware of it. So I have listed some use cases where the subject is different. I mean, there are four different subjects. I have identified this one, and just to show that it's not just for the developer.
E: Another use case for this is to evaluate project sustainability. I've seen work related to CHAOSS on measuring that, and this definitely would be useful.

B: Okay, thank you. It is a good feedback, and probably I will remove this one, that is a sort of duplicate of this one, and yes.

B: Unfortunately we have a split saying attack in the Security Insights YAML, because if you link to early parties, sorry, okay, if you link to a third party service and the attacker obtained the access to the third party service, they can change the information in the same link. So this is, technically, it's a picture attack or something similar.

B: Or a penetration testing result before the patching, and it's not easy to mitigate this, because when an information is public for a few minutes on GitHub, probably there is a scanner that has created a copy of that page. So from this perspective, it's not easy to mitigate it. Of course, if it is a vulnerability, you can just fix it, but it is a sort of emergency. And then there are the malicious pull requests, so a malicious user that tries to push a malicious pull request inside the Security Insights file.

B: So I try to share a sort of threat model about this project, especially because, if we want to convince the Scorecard team to work using it, we need to be sure that they have the right visibility on the risk. So they can also decide how to trust this file, which information they want to collect, and similar.

B: This means that people need to adopt this file, need to use it, and this is the main risk. So we need to convince maintainers to add these files in the repo, in their app, in their project. So for that reason we need to maintain it as easy as possible, of course, but at the same time usually people follow other people. So if the most important projects decide to implement this standard, probably also medium projects, small projects start to work on it.

B: So if the scanner developers, like Scorecard, but not only, there are a lot of scanners, decide that this Security Insights is not trustable, or they cannot trust the standard because there are too high risks, of course, so they can decide to not implement any feature in the scanner to use or to collect the information in the Security Insights, and at the end maybe it's not so helpful.

B: So for this reason I have prepared a threat model, also to convince people that, okay, we have some risk, but generally low, and we can mitigate in some way, and in this way we can convince developers to use the information that is contained in the file. The roadmap: because if the adoption is the main risk for the project, having a good communication, coordination is important.

B: I think that OpenSSF is in a good moment to present a similar standard, but we need to be coordinated. So we need to be sure that when we launch the YAML, some of the most important open source projects already have it in place. Better.

K: Sorry, but Alpha, you mean the Alpha-Omega project is what you have in mind? Yes. Thank.

B: It, okay, sorry, and peace. So I think I have presented the entire slide. Thank you for the time. Yes.

C: Yeah, and I put in a comment about one of your threats, the whole false information, which I think is important, but I'll also, I think it's important to note, probably in both the project and the slides, is that another countermeasure is, because this, where this is in the project's repository, it's pretty much certainly going to be version controlled, which means that you know who submitted the false information and when.

B: Yes, I agree. I need to add it in the threat model, because it is not a mitigation, but you can still monitor who is the actor. And yes, definitely, I think.

C: It's a mitigation, you know. Okay, mitigation doesn't mean it prevents it, but it does provide a disincentive to do it, particularly in projects where there's multiple developers. I mean, if it's a single person developer, that's a different issue.

B: Okay, and that is, I thought it sounded good to you in general, and I will present it. I will try to convince the other team to work on it, and then we just need to understand how to coordinate people. So David, Michael, your help is very appreciated for that part. You are muted, Michael.
A: Always. Are there things that you need specifically? So you mentioned things like whether it's a CLI or a web page wizard or something to generate or validate the YAML. If you're looking for specific help on those, let's pull that out.

B: Yes, I mean, for our working group, probably the two most important parts are communicating with the Alpha project, and probably you are the right contact, and if we can create a small web page where people can generate or read the YAML file, it could be probably helpful. I am not a JavaScript developer, so probably we need, I need help for that part, but it should not be so difficult because we have the YAML template. So I think that is okay, yeah.

B: Yes, exactly, it is, I mean, it's just an apple, it's not, it's a done test. The Scorecard can test the information, or some information, of course.

C: Right, it's just somewhere. We need to make that quickly, easily done, so that if there's a problem, you know, here it is, with hopefully minimal work by the folks. Luigi, is there a YAML.

B: You need this one, probably, because, wait, so.

C: Right, in the short term, I would say just put somewhere on a page: run this line, install this package, run this line. Eventually it would be good to have a little web page to do it, but even if it's just "follow these directions". I mean, I know I can validate YAML. I've got to go hunt up the stuff. If you give me something I can copy and paste, the odds of me doing it go up.

A: Thank you. Moving on, quick Alpha-Omega update: hiring, we're starting interviews. We have some phone screens that we're reaching out to folks, hopefully this week. So that's good. We have a couple promising candidates, so I'm happy about that. But if you have folks that you know, great time to refer them; the links are there.

A: So it's a lead PM who is effectively going to be the, let's say, product manager, product owner, program manager, the face of Alpha-Omega. They're going to be accountable, full time, for driving the project forward.

A: A software engineer who is going to be responsible for the tech stack that does particularly the Omega analysis and rule refinement and all of that, and then a security researcher who's going to be reviewing the output of the tools, triaging, making the tools better through feedback to the engineer, and then reporting out fixes, occasionally things like that. So it's.

A: It's, yeah. No, it has been, I'm really looking forward to that first one, that lead PM role. We are having a public meeting next week. It's on the OpenSSF calendar. I believe it is Wednesday, you're all welcome. We're not gonna have really much to announce; it's more of a getting something on the schedule where anyone, including non-OpenSSF members, can come and talk and be part of the process.

A: In kind of driving the program forward. So next week. Anything, any questions or anything on Alpha-Omega?

B: About the artimatic, this curiosity: you are proceeding alone in the hiring process, so you have people that help you? How does it work, in few words?

A: How does, how to include the right people for a loop, which will mean more than just Michael and I, we haven't figured that out yet. Right now, it's just that initial phone screen. We don't need to figure out in the next, like, two weeks, so it'll be there. If anybody is interested in being part of that loop, though, please reach out to me. I would be very happy for help here, you know, throughout, for all of this, for all this work.

A: Thank you. I was curious, yeah. And these are remote friendly, international friendly, like this is, you know, we'll work to. We want the right person and we'll work around logistics.

A: Good, good, okay. Google Docs, yep, that was just that note.
A: Got it, right. Probably not super, okay. Metrics on openssf.org, so I would love somebody to just take this problem and run with it. The problem, in a nutshell, is back when we did metrics.openssf.org, that predated other projects that have matured and have a lot more momentum behind them than the implementation that we have. So Scorecard, deps.dev, I think scorecards.dev or securityscorecards.dev is going to be released soon, or maybe already. But the point is that we don't need.

A: We don't need to, like, compete and cannibalize for traffic and, you know, mind share, like, among ourselves. LFX Security expressed interest in being this kind of aggregation source. I have really no opinions on who should, like, where the aggregation source should be, but I know that the implementation of metrics.openssf.org is probably not the right choice, so this really comes down to, it's a, it's a.

A: You know, it doesn't matter, but getting rid of the current implementation, because it's not really being updated, and frankly I just don't have the time to dedicate to it. I'm happy to hand that off to someone else. It lives in the OpenSSF Azure subscription. So it's just a VM, so I'm happy to hand over the keys and have someone else maintain it, but I think strategically

A: the better thing is to find the right home where it will be cared for, and I don't know if that's Scorecards or LFX or deps, but.

L: Michael, is there any more information?

A: So I'll kind of take it here, as I'm thinking about that. So metrics.openssf.org gathers data from Scorecards, critical projects, the badge program and.

A: So it's these four, and from an order of magnitude, this is like a million projects. This is like a hundred thousand. This is like, what, four thousand or so.

A: Somewhere around there, and security reviews is like, I don't know if you have numbered, like thirty, like.

A: Badge, okay, so with that, like the vast majority of data comes from Scorecards, and not that the other data isn't valuable for the ones that it exists on, it's just very sparse, which is why Scorecards might be the right place to just absorb some additional data. It completely depends on, like, what their vision is for what Scorecards should be.

A: Yes, yes, and right, so I think so. Deps is kind of an independent implementation of, like, a crawler and stuff, and deps.dev is also a Google project and not an OpenSSF project, as far as I know, right now. I thought that they said they would be amenable to, like, moving it over to OpenSSF.

A: So basically what I'm hoping for is someone will be reading this and thinking right now, like, this is totally up my alley and I would love to just drive this and make this better. This is kind of high profile. Like, you know, this is important. It provides lots of value, and.

C: Okay, so I'm going to speak up slightly, but here's the thing: I'm very interested in this, but right now I'm a little overwhelmed, a problem I'm sure you appreciate. But so, frankly, I'd rather someone else, but if not, I can be the backstop, but it's going to take me a little while before I can get there, so I'd rather someone run off ahead of me, but I don't want this to die off, because I think this is actually really important.

I: If I could suggest one thing, Michael, I like this, how someone brought up, you know, what the sources of all these data aggregators are. I wonder if, as a first step, it might be a good idea, maybe as a group, if it's easier as a work group exercise, to try and identify, you know, where is this data actually coming from, and that might help us maybe guide the discussion a little better.

I: Not necessarily, but, like, the different options, the different potential options that are aggregating data, maybe getting an idea

I: that's coming from, and maybe comparing them to kind of help guide, you know, where some of the stuff could live or something. I don't know, just a thought, yeah. No, I.

A: Think that's good. I mean, so I think having that conversation. So it's really, we need to have conversations

A: with deps.dev, Scorecards, LFX Security.

A: Right, from Google's Bigtable or BigQuery, your BigQuery, so it's the raw, that they have a, you know, 20 gig file that they create every day.

A: It, because that's the part that's broken, that hurts my soul, but that's where the data comes from. Yeah, critical projects, Google, it's Google's big data table. Yes, this is coming from a CSV, I think, also from, it's also from Google. This is from David's API.

C: Yes, because I think the theory here is that the LF has been investing in some, you know, data sources. Historically, up to this point, it's been for LF projects, and so we need to move on. We've had a number of discussions about expanding it, there's interest, but we've got to move from that to commitment and time frames.

C: It doesn't have to be done in a day, and, frankly, I'd also want to see some open source licensing of some key parts. So yeah, we need to, you know, so I think there's interest, but.

C: But when you want to say, hey, I want to know about a million projects, I mean, there's nothing that says it couldn't be done, but it's a big step up from what they are usually used for.

E: Yeah, you're absolutely right, like, it's not an aggregator. It's for nurturing one particular project.

C: Right, exactly, it's really for drilling in, and that's not a bad thing. And by the way, I think you could make the same case for the LFX and LFX Security folks, but I don't think the Augur folks, at least so far, have really been interested in the large data set. I mean, I could be wrong, but at least they haven't expressed that before, whereas I think the LFX folks are quite willing, are seriously willing to talk about that.

C: But I'm actually on one of their risk working groups, so I do talk with some of those folks.

G: What's the reason for having the single site? Is it going to be the central single source of truth for all OpenSSF work?

C: I think the goal is simplicity. What we want to do, how's this, I can tell you what my use case is that I'm thinking about; it may not be others'. But my use case is, you know, a developer says: oh, I need to do X. They're going to use a search engine like Google to find, you know, a project that does that for them, so they don't have to write all that code themselves.

C: They'll probably find more than one such project, I want, or maybe they'll only find one. I want them to be able to get immediately a sense of, is this risky, is it not, okay? Ideally you would even integrate this into the repos, but that may, and in fact I don't see any reason why it can't be done that way long term, but it's even easier to integrate into repos if they don't have to do a lot of the work themselves either.

A: Okay, so, for example, here deps.dev already has Scorecard integrated in, so as kind of looking at this as, is there already a center of mass? Maybe deps.dev is already the center of mass, and then we say, well, do we really like, what would, you know, having a badge program badge?

A: You know, badge program, gold, you know, bronze or whatever here, maybe that's a reasonable integration there, and then maybe on the security reviews, it's just another, you know, security advisories, security reviews has another section, and, you know, it may be the kind of thing that is just incremental work on top of this. I'm also not sure what the scorecard dev site will do that's different than this.

A: You know, we could reroute or whatever, but functionally we would want that to be a part of this larger.

C: I think if we focus on the developer selecting a package use case, the other ones are gonna follow, because nobody likes being told that their baby looks ugly, but once projects start to realize, oh, people are looking at that, they're gonna want to do better at it.

A: Aggregation point, so Security Insights, if that flows directly, that's great; if it goes through Scorecards, well, that's great too, but either way, you know, as we come up with more, you know, I mean even the CHAOSS metrics, so we do, you know, kind of calculate CHAOSS source metrics broadly, have it available somewhere, suck it into this larger thing? Okay!

A: So how about this? So we really do need an owner for this. If nobody here is either interested or has cycles or whatever to kind of take this on, next best would be to look for someone in a different group to take this on. I could put it in general. I don't want to do that until I give everybody here a chance to think about it and whatnot.

A: So how about this: take a couple days; if you're interested in owning this, drop me an email, ping me in Slack, whatever, and it's yours, or at least we'll chat about it. If I don't hear anything in the next week, I'll post something out on Slack more broadly, asking to see if anybody's interested in driving this forward.

C: That's true too, but, you know, what I really do believe is that, you know, helping developers, well, really anybody who's thinking about using software, helping them make good decisions and then encouraging projects to look better with, for that information, I think that's going to encourage a lot of great stuff. It's just going to take time to get there.
A: Oh, is there anything else that anybody would like to talk about today?

H: A quick brain teaser that I would love to get your feedback on before, cool. So there are two resources that kind of track Log4j version downloads. One is the Sonatype dashboard or resource center. I'll put the links in the chat, and both of them, like, the stats are overwhelmingly bad, and I'm just wondering why. What do you think that is? If you have any theories, because I have a few of my own, but I'd love to get your thoughts about that.

H: Let me just paste the second link. So currently there are, like, 43 percent of the downloaded versions from Maven Central are still 2.15 and below. That's, yeah, it is interesting, and that's according to the, I'm not sure if we have anyone from Sonatype here, but according to the writing, like, below the dashboard, it doesn't even include version one. At first I thought maybe it's, you know, version 1.6, but it's.

H: It's overwhelmingly a large number, given the fact that we're four months into this thing, so yeah. I would love to get your thoughts if you have any theories regarding how could that be, and the first link that I posted, it's, you know, from.

H: And it says out of 17,000 affected packages for the vulnerability, only seven thousand have a known fix. So what are those ten thousand packages that don't have a fix, and why is that, do you think?

A: So off the top of my head, there's a whole lot of enterprise internal code that does not get updated well.

A: Okay, that's a pervasive problem, so some of it might be that. I don't know if Sonatype can tell, or if Maven Central can tell, the difference between a top level dependency and a transitive dependency. If it's transitive, then you gotta wait for somebody else, or maybe three or four levels up, to update, and that's long and painful, particularly if you're brought in, so in a lot of cases, Log4j or any other library,

A: if it's brought in as, like, a fourth level dependency, it's either not called at all, or only called, you know, in a non-exploitable scenario. It's kind of hard to be sure there, but I know a lot of the problem in getting some things updated is like, well, it's not actually, like, it's a technical vulnerability, it's not a practical vulnerability, so maybe there's reticence for folks to rev versions where they don't see a value there. But forty two percent is really, I, if it was like.

H: Yeah, especially given the fact that it got so much media attention and so much, so yeah, I'm just wondering. It seems kind of flat also, like the line. It's not that it's slowly, you know, improving; it's just this is the state and it seems that it's going to stay that way, so yeah, just wondering.

C: Exactly the same curve that you see with Heartbleed and many, many other well-publicized vulnerabilities. I'll note that Equifax, the big vulnerability that they had was in the news absolutely everywhere, and they didn't update for two months, and, oh, by the way, they had the PII of almost every U.S. citizen, at least.

C: True, yeah, this is totally normal behavior, and, in fact, Sonatype wrote a paper years ago specifically about this problem. It was the first time somebody, people had suspected it for, like, 20 years, but they actually wrote a paper showing that this was happening.

C: Oh gracious, at least 10 years ago, probably more. So this is, unfortunately, normal behavior. Believe it or not, it's better than it used to be. I'm not saying that's good, it's just slightly less awful.

C: I'll be honest with you, and I realize I'm running short on time, but let me answer that one real quickly. I believe that the way to resolve this is customer visibility and letting the customers complain. So whether or not that's true, this is the hope of SBOMs, at least for software that's deployed directly.

C: We still are going to have a problem with, you know, stuff running on cloud server based systems, but when at least things get downloaded, the US government in particular is basically going to start pressing in some areas and expanding.

B: And another question is, if, after a version, the URL to download the old version changes, like, for example, in the Debian repository, if you try, they maintain, they move to a different link all the oldest versions of Debian, and it is a friction for humans.

B: So technically you just need to edit your configuration to add the new repository for old files, and so my question is, if, after end version, all the packages from Maven, but also for other repos, change the URL, for example old.package.mpm.com, to download it, to force people to, or take the decision to use the old packages, so an active decision, or to move them to the new package. This can risk to break too many backends over the world, or is it a good proposal?

C: Yeah, unfortunately, we're at time, so that is a whole 'nother topic, but I think that's, I mean, it's an important topic, frankly.

C: Yeah, at least starting, and frankly, I'm hoping that that's something that the Supply Chain Integrity folks, but, you know what, it's fine to raise that here. I'm worried about this also. There's a complication that version numbers aren't the same everywhere, so OpenSSL version 1.2.3, I mean, I'm just making up silly version numbers, I know, but, you know, it's not the same from Debian as opposed to the website. Okay, a lot of distros add their own patches, so it's more complicated, but it's an important problem.

A: All, very much. See you guys, everybody, in two weeks.