Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit#heading=h.yworp6sxzb6g
A: All right, in that case, why don't I... yeah, let's see here, I know how to do copy paste. It's a special gift of mine. I'm new to unavailable to.

G: Yeah, I mean, the thing that, you know, it doesn't seem like it's about, like... If you're fixing a security vulnerability in a project, it doesn't seem to cover that. It just covers SLSA level, Scorecard improvements, artifact signing, Allstar installs and security audits. It doesn't cover actually fixing security vulnerabilities, no.

G: Because I haven't applied for, like... before I joined, there's a reason that I didn't apply for some of these ones, because I was like, it doesn't feel like it's in scope.

A: In the list of what security improvements qualify, one of the items is fixing vulnerabilities discovered by OSS-Fuzz that exceeded disclosure timelines, so the intent was to go beyond only vulnerability fixes, not to exclude them necessarily.

A: Talk with the funders and stuff, but I don't think the intent was to prevent it. But here's the thing, the intent was: if you just want to harden some software, as opposed to, say, fix a specific vulnerability... most vulnerability projects, you have to point to the specific vulnerability. You know, like HackerOne. What is the vulnerability I'm fixing? And if the answer is, well, I'm just hardening it up to make it harder?

A: The answer is no go, we stop. And so the goal here was to cover the areas that weren't covered by other things. Things like, you know, getting a Best Practices badge and, you know, SLSA and those sorts of things, which are not one.

G: So I'm with that. So, SOS.dev, for example, right, one of the things that, like, you know, this is also missing too, I think, is it's not incentivizing the main... like, for example, with the SnakeYAML case, right. It's been a known vulnerability for six years and I managed to convince this maintainer to fix it. I didn't fix it. I convinced him that it was worth fixing, and honestly I think the maintainer should get paid.

G: For that, sure, like, right. Like, I, you know, I could... I could, you know, I could tell him to apply, or I would want... the better solution is I should, like, spa... not sponsor. What's the word? Refer? There's a word I'm missing here, that's like, you know, put them up for consideration.

D: I also think that there's probably another higher level category of things for SOS.dev that we should think about, which is, you know, eradicating or addressing a pervasive... so kind of with the work that you've done, like, you know, to say, you know, here are some pervasive classes of vulnerability, if you can show meaningful improvement across the ecosystem for this.

D: So if you do the automated pull request thing and get, you know, a thousand projects to fix SQL injection in, you know, PHP, like, that is enormously impactful, and rewards should be available for that kind of, you know, more than whack-a-mole level work.

D: Because I think you want to incent, similar to how GitHub incents CodeQL queries. We can send whatever the implementation of those fixes are, but I'm... Sorry, Randall, you have your hand up, yeah.

D: I might regret saying this, but it's kind of insulting to give someone like fifty dollars or a hundred dollars as a reward for, like, security work that has taken them, you know, years of experience and hours to days of work to do. It's kind of like, I'll buy you a coffee, I'll buy you a beer. Like, if this is truly important, it should be paid on that scale, and we shouldn't be looking at crowdsourcing-ish kind of platforms as a way to get labor.

D: Cheap. I think it's kind of exploitative. Obviously, if people opt into it and they really want to do it and want to do it for that amount, like... but it just, something about it just tastes off to me.

B: Well, I mean, so there are boosted projects. I'm seeing that they have payments up to two thousand dollars, up to one thousand nine...

G: Only seen like 200 payouts, but apparently they've got some boosted projects that are some really high payouts. I mean, my first year... I can't claim this anymore, but like the first year of the GitHub Security Lab bug bounty program, I was the highest paid researcher. I think they paid me like ten thousand dollars across a bunch of different queries that I wrote, but, you know, I haven't maintained that, but, you know, and then they've also increased their payouts too.

G: A lot, which is nice, to GitHub Security Lab. I think the problem that I have with the GitHub Security Lab, I've actually submitted queries that I've written, is that, like, I always feel like the work's not done, so I don't feel, like, worthy of submitting the pull request, because I'm like, I only reported it to four projects, but I know I can get more, or, like, the query doesn't feel like it's sufficient.

D: Anyway, so topics for today. We could just go through the projects. Whatever you guys want to talk about is good with me. If you want to think about doing, you know, New Year, it's got, you know, new sharpened pencils and a new Trapper Keeper. So if there are things that you would like to do in 2023 that we didn't really make any progress on in 2022, spitball ideas there.
E: About that, so we have difficulty working with the operations team because of the holiday season and everything. So we planned to get our invitations out by December 15. As of date, they have not gone through. So yesterday we had kind of an emergency meeting as in what to do. So there were three groups of people who are important as participants: there's the moderators, like, for example, I've spoken with David here as one of the moderators and so on.

E: There's the panelists that we have a list and invited. These are small lists, so moderators, there's three or five, panelists, there's four or five, and then there's the 50-something participants, and the participants have never been informed, or so far they have not been informed. We are, from like personal how creatures, telling them that some information or some invitation is coming; he does not want to, but anyway, yesterday, so we have resolved this, like, Emily and I.

E: We resolved this with the operations team. Now I think everything is on page and it should go ahead smoothly, but the consequence of that is we are pushing it back by one month.

E: That's the plan, and then update all the artifacts, like there's a PR, a pull request that you accepted or merged, that Michelle created, there's also the email address, etc., but all of these. And we will apologize to people like David and the others, like the small group of moderators and panelists who have accepted that January 25 date, and we'll just have a look at them and give them the next... February 22nd is the likely date that we are looking towards. And as far as the logjam that we had with the operations team, because they didn't understand whether this is an official OpenSSF project or not.

D: Oh, perfect, perfect, yeah. And the way, I think I sent an email, so I got pinged in December just asking for clarity on: is this an official OpenSSF event, or is this an Identifying Security Threats working group event? And, person... I don't, like, I don't understand if that distinction is important or not, but it seemed important to the person I was having a conversation with, and I...

D: ...think where we landed was that if it is an Identifying Security Threats working group event, then it is completely within our circle of authority to hold it and learn from it and iterate and do whatever we want. If it is an OpenSSF thing, then that is where TAC and governing board and more people need to be involved, and I think, especially for this first one, it is better across the board to keep it as an Identifying Security Threats thing.

E: Yeah, I'm going to inform the TAC as well. Absolutely, that's right after we, like, converge upon the updated date, so I'm going to send an email. Eva requested me to do that, so I'm gonna do that. And yeah, the other concern that was there was, like, if this is an OpenSSF event or whatever, I mean, what is the budget allocated to that? And right now there's a trivial amount of money, if not nothing, really, well, because it's a virtual event, so that has also been, like, propagated, and now...
D: What else have we got? I updated the SSL certificate on metrics.openssf.org. I continue to hope that this will be the last time I need to do this, but I guess now we don't have it. No, we don't have anybody from Metrics Dashboard SIG here, but I, because...

G: Have you heard about... that's what I, of course you've heard about it. I'm blanking on the name of it, that thing that generates SSL certificates automatically for you, Let's Encrypt.

D: Thank you, yeah, no, so it's a super uninteresting story of, like, technical debt, but no, for some reason certbot doesn't stay running on the infrastructure, so every four months or so, or three or four months, I get an email saying my cert's about to expire. I need to, like, go in and log in and just hit certbot.

D: Then it renews and then I'm good for another four months, and at this point it's silly, but it's infrastructure that works today that I don't want to mess with, because I want this just to evolve to the Metrics Dashboard SIG and the new thing, and, like, I'm frankly just terrified of it just breaking and then having to spend the weekend trying to rebuild. Look, yeah, but yeah. It...

D: Use just not loud, okay, so Metrics Dashboard SIG is there. Let's see?

D: Oh, I should have mentioned the OpenSSF annual report went out last week. So thank you all for... I think before the holidays we put together the content for it, so it's there. So if you haven't seen that, please take a look.

D: Cool, awesome, thanks, yeah. So, other... are there things that we should be working on in 2023? Like, you know, I know that, like, identifying... like, other than changing the name of the working group to better reflect what we do, are there things we should be focusing on, or experimenting with, or talking about, or whatever, that we haven't before?

A: I think there's always new things that we can do, but I would like to see even more emphasis on the whole dashboard, because I think the challenge is the people who need to be involved are already overwhelmed and pulled in multiple directions, and I speak as someone who is guilty as charged.

A: I think we just need to keep banging on the drum, you know. Basically, it is important. I think we all acknowledge that, and I think every two weeks just, you know, constantly saying: okay, what are we doing? How far have we gotten? What's next? What's left to do? And just kind of pressuring on that for now, I think, is the key thing. Again, it's not because anybody's trying to cause trouble. Yes.

D: So this meeting is the SIG Risk Dashboard, or the risk...

A: You know, and they do want to quickly acknowledge, because of a conflict, I expect I'm gonna miss the 13th, but I will be back to the next one after that, with the 27th, of course, so I'm looking forward to just getting that moving forward.

D: Cool. Something came up on the previous call and it just got me thinking. So there's a website out there called "is end of life" or... Randall, you have your hand up, while I'm looking for that.
C: I have gotten feedback in the past that more, like, documentation, examples of the Alpha-Omega tooling in action, would be nice, so I don't know if that would be something nice to see in 2023.

D: Okay, could you be... so let me write this down so that way I don't forget or misremember or something. Can't even find the thing.

D: Yeah, okay, so I'm gonna try to write this in the notes.

D: Yeah, doing some, like, video walkthroughs and better getting started, so yeah, we should definitely do...

C: That, because usually in my conversations with people, they go, oh, you're in OpenSSF, oh, they have the Alpha-Omega people, and don't they offer tooling? Yeah, they do offer tooling. But how do you use it? Like, where does it fit? Is this like project discovery, or, like, what? What do you guys do? And that's usually where it goes. That's...

D: You know, but having... and this is more of an OpenSSF thing, which is totally this working group, well, maybe not this working group, but it's totally a working group, like, what is the reference, like, is there a reference pipeline of, like, here's the five things you do if you're a GitHub project: go here, click this, click this, enable Dependabot, enable security whatever, there's like a secondary box, I think, for Dependabot, for CodeQL. If you're one of these types of projects, go here, here are some gotchas.

C: And some feedback from Mark from OWASP, because I don't know if you guys know Mark, I'm sure some of you do, but he found out everyone always tries to put everything into, like, some form of pipeline. So that was one of the things that they had to deal with at OWASP, it's a big deal for them, is how does it all work together, because anything they put out, people were trying to find, like, a pathway or, like, a toolkit of some sort, so yeah.

D: Cool. I can't find this, I always find this. So there's a website that's like "is end of life dot net" or something, and you type in Python. It says: yup, Python 2 is end of life. Python 3.x is supported until this date, and I'm wondering if...

D: Maybe this is a terrible idea, so we'll just talk and then we'll decide later that it's terrible, but I wonder if having something like this, where you start out and you just get a box, it's like, give me your package or URL or whatever, and it'll go out and say: okay, this thing hasn't had an update in 14 years and there's some issues that, you know, people are asking...

D: Is this EOL? And the maintainer says yup, or it has a Security Insights tag that says end of life or archived or...

D: Where it just is one thing, but it does that one thing well, and it is discovering "is end of life", and it does it proactively against a project as opposed to having the project need to do it for themselves. As I'm thinking about this, maybe this is just stuff the Scorecard has already with the "actively maintained".

D: No, maybe not, because "actively maintained" is slightly different than EOL. Slightly, I don't know, I may have just dropped myself into a circle there. I guess for me, I would love a website that I could just go to and type, like, hey, is zlib still being maintained? Yep, got a last update three months ago, and, you know, whatever.

C: I do plus one the idea, Michael, but I think there are reasons why it doesn't exist. Yeah, I don't know what those reasons are, and I'm sure if we get into the details, I'm sure one of them is like, but it's only been a year, it's not really unmaintained. Yeah, yeah. And then there's people that's like, I don't do maintenance, I do lazy maintenance, or whatever you want to call it, right. In other words, I wait until Rome is on fire until I actually do something.

C: Yeah, yeah, so I think there are reasons why it doesn't exist, but I do think it would be helpful, I think. But, like, it's really interesting, because different packaging teams, from my point of view, have different, like, rules as far as what is unmaintained, but I know that that year mark starts to push it, and a lot of people like to use the year mark, and you can't use the year mark. It has to be, like, three years, right.

D: Yeah, endoflife.date, okay.
D: Against... I mean, it's obviously a curated, or at least it looks to be curated.

C: Ever since Steam Deck came out, and I feel... and the reason why I think that's important is because you get into this, like, Homebrew ideology, where people don't understand that Homebrew has nothing to do with security, but in their point of view, Homebrew has everything to do with security. And if it's not a secure package, then why are you guys carrying a not secure package? Like, it's your fault.

D: I think we're probably some years out from consolidation. I think we're still in the fan-out with different ideas, so, like, the Node.js is experimenting with permissions. So...

D: Should be able to declare, essentially, your retrofit capabilities model into these ecosystems. I think I feel right now, this second, I feel like OS-level packages and application-level packages are different enough that the perfect solution for one may be the completely wrong solution for the other. I might be convinced otherwise, though.

A: If I would say Flatpak and so on, the idea is it's a whole lot more like containers. You basically have the entire application within a single image, and there is some attempt... this is why I'm... and if you can't hear me hedging, you're not listening... but there's some attempt at some claims that it might have some restrictions on the security access as it gets, versus just "I run as an application, it has all the privileges of the user."

D: Dynamically run in their own bubble? No, okay, okay.

A: I mean, a quick couple notes historically, and Michael, I think you're already familiar with this, but I don't know who knows what on the past, I mean. Historically, for example, various systems have tried to include this at the language/application level. In Java there's something called the Security Manager. Python used to attempt to have this sort of thing. In general, things haven't worked out very well. For the most part, language-level folks have abandoned ship. It's really, really hard to do it correctly.

A: They generally try to implement it without hardware support, and trying to do it without hardware support, well, you know, the researchers will tell you it's theoretically possible, and they're correct, but theoretically possible does not make it actually practical in any useful way. And so, you know, the idea of trying to have this kind of isolation, I think, is good, but I'll also observe that in a lot of package managers, especially in the ecosystems, we can't even get the ecosystems to stop running arbitrary code on package...

A: ...install. I don't want to call out the... okay. The Package Repos working group has been analyzing the differences between package managers. It's awesome. I'm very, very proud of some of the analysis that they've done, but several package managers have said we're not even going to prevent that, never mind any serious security limitations. They want to run arbitrary code at install time, and that's something that most system package managers increasingly abandoned years ago because of the danger of it. So if you can't even get that...

D: So that's interesting. So I was, like, literally last night doing, like, experimenting with some, like, Ubuntu installs, and it was like a whole bunch of, like, you know, random pop-ups of, like, hey, you need to configure your time zone now. So that's, like, arbitrary code, I'm sure that it's wrong. Oh.

A: Yeah, absolutely, so.
D: Know, there's no... there still isn't a great... your system is, like, an install is not just a... well.

C: Room... remember we were talking about sane defaults. Like, you see, this is the thing. Like, if you're gonna talk, like, if you really want, like, sane defaults, like, I guess in some way systemd is, like, your only option. Like, yeah, what I'm saying, like, in that, and you see even there you have a lot of, like, pushback, because you do have, like, entire distros that are built on the fact that they don't use systemd, and then I think in those cases all sane defaults are off the table.

A: Yeah, so, you know, so let me be specific. So I shouldn't have said "the system", because they obviously can execute. However, the system folks will tell you, yeah, the system package managers generally, you can't just, you know, it isn't just load in and go. There's separate...

A: ...can install it into there, there's no separate review. Yeah, it's... that's right, it's an honest FTP download and go. It's a little better. It's anonymous FTP with secure loading, so the connection is encrypted and authenticated. So...

A: Exactly, but let me be specific, because there's no grand secrets: Rust, Ruby and Gradle. Currently you can, you know, whenever you install code, it'll run arbitrary code.

A: You do a straight install, my understanding is that it can run arbitrary code, and there's reason for that. It's so that, for example, you can have, say, it depends on a C library, and so it can call the compiler and do all the other stuff it needs to do.

D: NuGet and npm do the same thing, and Python installation is running a setup.py file.

A: I think in a lot of cases most packages don't actually need that capability, or if they do, what they actually need to do is a very short list that you could whitelist. You know, because most of the time it's, hey, either I do nothing, I just install files, or I copy them to particular locations, or I invoke a compiler, where presumably I trust the compiler. And so I'm suspecting that there's ways to reduce the privileges granted to packages at install time. Now, whether or not that's worth the squeeze...

A: Obviously people differ on that point. I...

D: ...mean, even something simple, like, so the way that this works with Chocolatey, I believe, and I don't know if this is, you know, but it's like, hey, I'm gonna run this arbitrary script, either click here to view or click yes to approve, kind of, you know. If I was, you know, npm install left-pad and it said: hey, you're going to run this script that does a, you know, curl-bash to Burp Collaborator...

D: Let's just say, you know, pre-allowed, like, completely safe, like, things, and how many of them have other things, and if you just weren't for the other things, if that would be disruptive or not. Like, or, you know, npm install dash dash, warn me if I'm running... or, well, actually, no, npm does have an npm install no-scripts. I wonder if that's the...

A: In that case. But the problem with that is that you are now depending on a user to do something not the default, and they have no way to know what damage will happen when they do things the wrong way, which means basically no one's going to do that, because you generally have no way, unless you download the install scripts and examine them yourself and figure it all out. Nah, nobody's gonna do that, yeah.
C: ...sets up Node, and the way that Node sets up Node is two different things right now. If you ask Debian, they would be like, well, are you on Debian? Then, yes, then I use Debian's installation. But if you ask Node, they'd be like, no, don't use Debian's installation, they know nothing about Node, use our installation. So...

A: The fundamental problem, and this has been going on for years, I don't see any other solution, is that the OS, the folks who are doing the system-level package installs, they're typically depending on a separate package manager, a person, to create the packages. That becomes a bottleneck, so they always have a very small subset of the larger ecosystems' packaging, and they're often behind.

A: As a result, it doesn't take long at all before a lot of people assume that you're going to use package Foo version 7.3, and the system-level package is 1.2, and nothing else works. So you quickly abandon the system-level packaging, and so I think what happened with all the system level is that they installed a few, a small set, and if you want a larger set, or, you know, packages in a larger set, you do, Michael, exactly what you suggested.

D: Right, so I'm more of a Python than Node. I'm imagining that nvm is similar to... correct, like Python virtualenv... correct, okay, so in that case, yeah, so one would be, like, installed in a more globally accessible place, right, less... The other one is, like, just this directory and you have to, like, do a magical incantation in order to, like... correct, intrude into it, kind...

C: ...of, okay, so like asdf, which is a popular Node one, which is what I'm familiar with. You could just install it locally in the project directory and use it that way, or you could, like, install it through Homebrew, and then you would have it, like, system level, where it recognizes what your system Node is, and that way you could keep your system Node clean, because that's what Apple would want you to do, and you use, like, a local version for your projects. Exactly, exactly. Oh yeah, I think it just depends.

C: I think it depends on the developer. I think it depends on the end user. You know, I think it also depends on the operating system they're using, because a lot of Mac people will depend on Homebrew, like, stuff and everything, yeah. So...

C: I think it just... it depends a lot on where, on, like, what your point of view is, but everything David said is absolutely true. But on the flip side of that, there are people that do it. As I said, they expect us not to upload because, like, as packagers, we won't upload every version if we find versions with problems with it. So some people depend on that too. It's not a security thing, it's just sometimes they release bad versions we can't build for one reason or the other. Yep.

D: Yep, and I think that's totally okay. For, you know, this kind of goes back to, like, the walled garden versus anonymous FTP, you know, and where different, you know, every distro and ecosystem and registry can choose where they want to live on that spectrum of, like, you know, what assurances do we provide to our customers, like, under what conditions, like, well, are we going to host malware? Are we going to host projects with critical vulnerabilities?

D: Are we going to warn you? Are we going to say enough? Like, and all options are okay, I think, as an industry. It...

D: That there are some who would argue that we need to move more to the walled garden approach, where the consumer has more assurance as to the security quality of the thing, and there's a whole lot of arguments that that would destroy innovation and just kind of destroy the world, and that we should be careful about moving in that direction. And I don't know what the right answer is.
C: Well, if I may, the reason that I was bringing up the next-generation packaging is because I'm seeing a lot of companies, like, use Steam Deck as, like, an example of what you should do if you want to leverage Linux and move forward. And that's a Flatpak system that is basically just a bunch of Flatpaks installed on, like, GNOME Shell on systemd. Like, I rebuilt it over the holiday weekend and installed it on a Steam Deck. It wasn't that hard to reverse engineer.

D: So just to get to the benefit for the end user: a Flatpak over, you know, normal or previous methods is that by installing a Flatpak, the rest of the OS is insulated from your... you look at less impact on the overall OS or other... correct?

C: You literally only need GNOME Shell, that's all you... or even KDE, because KDE, all, like, yeah, yeah. You just need the shells and that's it. Like, you don't need, like... everything else can be installed via Flatpak. You don't need extensions. Now, let me say this: for as much as I tout Flatpak, I think it's interesting. Did I end up using it? No, I went back to Firejail. But theoretically, for an end user who wants to turn on a computer and send an email and not be like...

C: Why is Evolution sending me a bunch of errors? Then, yes, it is a nice solution for that, and, like, if you're going to use it to install games or just a bunch of, like, end-user-type things, I mean, it has, like, a lot of foundation, because, you know, it does try to make an effort. Is it perfect?

D: Been super happy with Manjaro, yeah. Started a couple months ago. It just works, like, wonderfully.

C: Well, and I have... correct me if I'm wrong, but I think that Manjaro does use Flatpaks.

D: Yeah, you know, although it's interesting, because, like, so now putting on a consumer hat, like, when I install a package I have it from two different options: core or Flatpak, which is... I often have, like, they're often, like, two available versions, right. I will always instinctively go to core, because I, quote, trust Manjaro to police their ecosystem more than Flatpak, who... I don't know who created the Flatpak, and Red Hat takes a... red...

A: Yeah, I think the thing is, for Flatpak, and the reason we're talking about this here, is the arguments are basically the same as containers. You're including all the dependencies within the image. That means that the good news is, you know that it works. The bad news is, if you want to make sure it doesn't have vulnerabilities, you need to make sure that they're updating all the components within the Flatpak.

C: Let me say this, David, so they do use a virtualized system. So what Flatpak will do is they kind of create, like, this virtualized operating system that actually does share. So, like, all of the Flatpaks will share this, like, virtualized file system they have in the background. So, like, if you install the ffmpeg full Flatpak, then all the browsers will be able to use ffmpeg and use hardware acceleration.

C: So to some degree they do. It's more of, like, a... it's not that every single thing has, like, the dependencies packaged into it. It's more of a matter of, like, all the modules and all the things get shared, so that they're separated, and they could be separated at a system level or at a user level, and yeah. Oh.
C: It's in... if you go to their Flatpak Discord, then the forums, it's in the tutorial section. Okay.

D: It depends on, like, who are the end users. Like, for non-developers, Flatpak seems like a resilience thing as much as anything else, and the idea of Steam Deck, like, it totally makes sense in that context. For developers, you know, I think it has to move up to the application level in some way.

D: You know, otherwise you're just running your application in a container anyway. But if Flatpak were applied to individual modules, individual dependencies within an app stack, I think that's super interesting and might solve... might make it so that Node and Python, and, like, all the arguments we've had in the past about, you know, Security Manager and CAS and all those other kind of failed-ish technologies...

D: You know, maybe that's a solution there, where you just say that, you know, here you're in a basis between modules and those things are opened. Everything else is closed, and you've kind of said, like, microservices v2.

C: Let me also say this: there is a program called Flatseal, which is kind of funny, but someone made a GUI where you could literally just control the entire Flatpak from there. So this is also where Flatpak in the last, like, three or four months at Gentoo has become all the rage, because now you could do whatever you want with your Flatpaks. You can get into the environment, you could give it more paths. I mean, you could even turn the sandbox off if you want to. Okay.

C: And Flatseal, yeah, Flatseal is part of it. That is part of the... why all the kids are using Flatpak and they all want Flatpak now, because they all want to build the Steam Deck on their computer, and yeah, and Flatseal is a... that's how you break out of the Steam Deck, is Flatseal. Got it, because you can install more Flatpaks into the Steam Deck and you can install Flatseal as a Flatpak to screw all your other Flatpaks up.

D: Awesome, well, thank you all very much. It's a great conversation, really enjoyed every other week, so see you all in two weeks. Enjoy the beginning of 2023, stay happy and healthy. Thanks, everybody. Thanks. Happy New Year, everyone. Happy New Year.