►
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit#heading=h.yworp6sxzb6g
B
E
A
E
A
D
G
G
Yeah
I
mean
the
thing
that
you
know,
and
it
doesn't
seem
like
it's
about
like.
If
you're
fixing
a
security
vulnerability
in
a
project,
it
doesn't
seem
to
cover
that
it
just
covers
salsa
level
scorecard
improvements,
artifact
signing
All-Star,
installs
and
security
audits.
It
doesn't
cover
actually
fixing
security
vulnerabilities,
no.
D
G
G
A
G
F
A
Talk
with
the
funders
and
stuff,
but
I,
don't
think
the
intent
was
to
prevent
it,
but
but
here's
the
thing
the
intent
was,
if
you
just
want
to
harden
some
software,
as
opposed
to
say,
fix
a
specific
vulnerability,
most
vulnerability
projects
it
you
have
to
point
to
the
specific
vulnerability.
You
know
like
Cocker
one.
What
is
the
vulnerability,
I'm
fixing
and
if
the
answer
is
well
I'm,
just
hardening
it
up
to
make
it
harder?
A
G
G
D
G
D
G
D
G
So
I'm
I'm
with
that
so
I
stopped
Dev,
for
example,
Rick
one
of
the
things
that,
like
you
know
that
that
this
is
also
missing
too
I,
think
is
it's
not
incentivizing
the
main
like,
for
example,
with
the
with
the
the
snake
animal
case
right.
It's
been
a
known
vulnerability
for
six
years
and
I
managed
to
convince
this
maintainer
to
fix
it.
I
didn't
fix
it.
I
I
convinced
him
that
it
was
worth
fixing
and
honestly
I
think
the
maintainer
should
get
paid.
G
D
D
F
C
D
D
I
might
regret
saying
this
but
kind
of
insulting
to
give
someone
like
fifty
dollars
or
a
hundred
dollars
to
like
do
as
a
reward
for
like
security
work
that
has
taken
them.
You
know
years
of
experience
and
hours
to
days
of
work
to
do
it's
kind
of
like
like
I'll
I'll,
buy
you
a
coffee,
I'll
buy
you
a
beer
like
it
it's
if,
if
this
is
truly
important,
it
should
be
paid
on
that
scale
and
we
shouldn't
be
looking
at
crowdsourcing-ish
kind
of
platforms
as
a
way
to
get
labor.
D
C
D
C
C
B
G
Only
seen
like
200
payouts
but
apparently
they've
got
some
boosted
projects
that
are
some
really
high
payouts.
I
mean
my
first
year.
I,
not
I,
can't
claim
this
anymore,
but
like
the
first
year
of
the
get
up
security
lab
bug,
bending
program,
I
was
the
highest
paid
researcher
I
think
they
paid
me
like
ten
thousand
dollars
across
a
bunch
of
different
queries.
That
I
wrote,
but
you
know
that
I
I
haven't
maintained
that,
but
you
know
it
it
and
then
they've
also
increased
their
payouts
too.
G
D
Anyway,
so
topics
for
for
today
we
could
just
go
through
go
through
the
projects.
Whatever
you
guys
want
to
talk
about
is
is
good
with
me.
If
you
want
to
think
about
doing,
you
know
New
Year,
it's
got,
you
know
new
sharpened
pencils
and
a
new
Trapper
Keeper.
So
if
there
are
things
that
you
would
like
to
do
in
2023
that
we
have
that,
we
didn't
really
make
any
progress
on
in
2022,
because
spitball
ideas
there.
E
About
that,
so
we
have
difficulty
working
with
the
operations
team
because
of
the
holiday
season
and
everything.
So
we
plan
to
get
our
invitations
out
by
December
15.
As
for
as
of
date,
they
have
not
gone
through.
So
yesterday
we
had
a
kind
of
a
all
of
like
emergency
meeting
as
in
what
to
do
so.
There
were
three
groups
of
people
who
are
important
as
as
participants
there's
the
moderators
like,
for
example,
I've
spoken
with
David
here
as
as
one
of
the
moderators
and
so
on.
E
There's
the
panelists
that
we
have
a
list
and
invited
these
are
small
lists,
so
moderators,
there's
three
or
five
families,
there's
four
or
five
and
then
there's
the
50-something
participants
and
the
participants
have
never
been
informed
or
so
far
they
have
not
been
informed.
We
are
from
like
personal
how
creatures
telling
them
that
some
information,
or
some
invitation
is
coming
he
does
not
want
to,
but
anyway
yesterday,
so
we
have
resolved
this
like
Emily
and
I.
E
E
D
Out
perfect,
perfect
yeah
and
the
way
I
think
I
sent
in
eBay,
so
so
I
I
got
I
got
pinged
in
December,
just
asking
for
Clarity
on.
Is
this
an
an
official
open
ssf
event,
or
is
this
an
identifying
security
threats,
working
group
event
and
person?
I
I?
Don't
like
I,
don't
understand
like
if
that
distinction
is
important
or
not,
but
it
was.
It
seemed
important
to
the
person.
I
was
having
a
conversation
with
and
I.
D
Think
where
we
landed
was
that
it
it
if
it
is
an
identifying
security
threats
working
group
event,
then
it
is
completely
within
our
circle
of
authority
to
hold
it
and
learn
from
it
and
iterate
and
do
whatever
we
want.
If
it
is
a
open,
ssf
thing,
then
that
is
where
Tac
and
governing
board
and
more
people
need
to
be
involved
and
I.
Think
for
especially
for
this
first
one.
It
is
better
across
the
board
for
to
keep
it
as
a
identifying
security
threats
thing.
E
Yeah
I'm
going
to
inform
the
pet
as
well.
Absolutely
that's
right
after
we
like
converge
upon
the
updated
date,
so
I'm
going
to
send
an
email.
Eva
requested
me
to
do
that
so
I'm
gonna
do
that
and
yeah
the
the
other
concern
that
was
there
was
like
if
this
is
an
open,
SF
event
or
whatever
I
mean
what
is
the
budget
allocated
to
that?
And
right
now
there's
a
trivial
amount
of
money,
if
not
nothing
really
well,
because
it's
a
virtual
event,
so
that
has
also
been
like
propagated
and
now.
E
D
G
G
D
You
yeah
no,
so
so
it's
a
super
uninteresting
story
of
like
technical
debt,
but
no
the
for
some
reason.
Certbox
like
doesn't
stay
running
on
the
infrastructure,
so
every
four
months
or
so
or
three
or
four
months,
I
get
an
email
saying
my
search
about
to
expire.
I
need
to
like
go
in
and
log
in
and
just
hit.
Search
bot.
D
Then
it
renews
and
then
I'm
good
for
another
four
months,
and
at
this
point
it's
it's
it's
silly,
but
it's
infrastructure
that
works
today
that
I
don't
want
to
mess
with,
because
I
want
this
just
to
evolve
to
the
metrics,
dashboard
Sig
and
the
new
thing
and
like
I,
I,
I'm
I'm.
Frankly,
just
terrified
of
of
it
just
breaking
and
then
having
to
spend
the
weekend
trying
to
rebuild
look
yeah
but
yeah.
It.
B
D
D
A
I
think
we
just
need
to
keep
banging
on
the
drum
you
know.
Basically
it
it
is
important.
I
think
we
all
acknowledge
that
and
we
just
and
I
think
every
two
weeks,
just
you
know
constantly
saying:
okay,
what
are
we
doing?
How
far
have
we
gotten?
What's
next?
What's
left
to
do
and
just
kind
of
pressuring
on
that
for
now
I
think
is
the
key
thing
again:
it's
not
because
anybody's
trying
to
cause
trouble.
Yes,.
F
D
A
D
C
D
C
D
C
That,
because
usually
in
my
conversations
with
people,
go
oh
you're
an
open,
ssf,
oh,
they
have
the
alpha
omega
people
and
don't
they
offer
tooling
yeah,
they
do
offer
to
a
league.
But
how
do
you
use
it
like?
Where
does
it
fit?
Is
this
like
project
Discovery
or
like
what?
What
do
you
guys
do
and
that's
usually
that's
where
it
goes?
That's.
C
D
D
E
D
You
know
but
having-
and
this
is
more
of
an
open,
ssf
thing
which
is
totally
this
working
group.
Well,
maybe
not
this
work
group,
but
it's
totally
a
working
group
like
what
is
the
reference
like.
Is
there
a
reference
pipeline
of
like
here's,
the
five
things
you
do
if
you're,
if
you're
a
GitHub
project,
go
here,
click
this
click,
this
enable
depend
about
enable
security,
whatever
there's
like
a
secondary
box,
I
think
for
dependabot
for
code
ql.
If
you're
one
of
these
types
of
projects
go
here
here
are
some
gotchas.
C
And
and
some
feedback
from
Mark
from
OAS,
because
I
don't
know,
if
you
guys
know
Mark
I'm
sure
some
of
you
do,
but
he
found
out,
everyone
always
tries
to
put
everything
into
like
some
form
of
like
pipeline.
So
that
was
one
of
the
things
that
they
had
to
deal
with
at
oauth
is
like
a
it's.
A
big
deal
for
them
is
how
does
it
all
work
together,
because
anything
they
put
out?
People
were
trying
to
find
like
a
pathway
or
like
a
tool
kit
of
some
sort,
so
yeah.
D
D
D
Where
it
just
is
one
thing,
but
it
does
that
one
thing
well
and
it
is
discovering,
is,
is
end
of
life
and
it
does
it
proactively
against
a
project
as
opposed
to
having
the
project
need
to
do
it
for
themselves
as
I'm
thinking
about
this.
Maybe
this
is
just
stuff.
The
scorecard
has
already
with
the
is,
with
the
actively
maintained.
D
No,
maybe
not
because
it
could
actively
maintained,
is
slightly
different
than
than
me
alone
slightly
I,
don't
know,
I
may
have
just
dropped
myself
into
a
circle
there,
I
guess
for
me,
I
would
love
a
website
that
I
could
just
go
to,
and
type
like,
hey
is,
is,
is
zlib
still
still
being
maintained.
Yep
got
a
last
update
three
months
ago,
and
you
know
whatever.
C
I
I
do
plus
one
the
idea
Michael,
but
I.
Think
I
I
think
there
are
reasons
why
it
doesn't
exist.
Yeah
I,
don't
know
what
those
reasons
are
and
I'm
sure.
If
we
get
into
the
details,
I'm
sure
one
of
them
is
like,
but
it's
only
been
a
year.
It's
not
really
unmaintained
yeah
yeah
and
then
there's
people,
that's
like
I,
don't
I,
don't
do
maintenance,
I,
do
lazy
maintenance
or
whatever
you
want
to
call
it
right
right.
In
other
words,
I
wait
until
Rome
is
on
fire
until
I
actually
do
something.
C
Yeah
yeah,
so
yeah,
so
I
I
think
I
think
there
are
reasons
why
it
doesn't
exist,
but
I
do
think
it
would
be
helpful,
I
think,
but
like
it's
really
interesting,
because
different
packaging
teams,
in
my
from
my
point
of
view,
have
different
like
rules
as
far
as
what
is
unmaintained
but
I
know
that
that
year
mark
starts
to
push
it
and
that's
a
lot
of
people
like
to
use
the
year
mark
and
you
can't
use
the
year
mark.
It
has
to
be
like
three
years
right.
D
C
Ever
since
steam
debt
came
out
and
I
feel,
and
the
reason
why
I
think
that's
important
is
because
you
get
into
this
like
Homebrew
ideology,
where
people
don't
understand
that
Homebrew
has
nothing
to
do
with
security,
but
in
their
point
of
view,
Homebrew
has
everything
to
do
with
security.
And
if
it's
not
a
secure
package,
then
why
are
you
guys
carrying
a
not
secure
package
like
it's
your
fault.
C
C
D
D
F
D
Should
be
able
to
declare
essentially
your
retrofit
capabilities
model
into
into
into
these
ecosystems,
I
think
I,
I
I
feel
right
right
now.
This
second
I
feel
like
operating
like
OS
level
packages
and
application.
Level
packages
are
different,
are
different
enough
that
the
perfect
solution
for
one
may
be
very
maybe
the
completely
wrong
solution
for
the
other
I
might
be
convinced.
Otherwise,
though,.
D
C
A
If
I
would
say
flat
pack
and
so
on,
the
idea
is
it's
a
whole
lot
more.
Like
containers
you,
basically,
you
have
the
entire
application
within
a
single
image,
and
there
is
some
attempt.
This
is
the
why
I'm
and
if
you
can,
if
you
can't
hear
me
hedging,
you're,
not
listening
but
there's
some
attempt
at
some
claims
that
it
might
have
some
restrictions
on
the
security
access
as
it
gets
versus
just
I
run
as
an
application.
It
has
all
the
Privileges
of
of
the
user.
F
A
I
mean
a
quick,
a
quick
couple
notes
historically
and
Michael
I
think
you're
already
familiar
with
this,
but
I
I
don't
know
who
who
knows
what,
on
the
past
I
mean?
Historically,
for
example,
various
systems
have
tried
to
include
this
at
the
language
application
Level
in
Java.
There's
something
called
the
security
manager
python
used
to
attempt
to
have
this
sort
of
thing
in
general,
things
haven't
worked
out
very
well
for
the
most
part
language
level.
Folks
have
abandoned
ship,
it's
really
really
hard
to
do
it
correctly.
A
They
generally
try
to
implement
it
without
Hardware
support
and
trying
to
do
it
without
Hardware
support.
Well,
you
know,
you
know,
the
the
researchers
will
tell
you
it's
theoretically
possible
and
they're
correct,
but
theoretically
possible
does
not
make
it
actually
practical
in
any
useful
way,
and
so
you
know
the
idea
of
trying
to
have
this
kind
of
isolation.
I
think
is
is
good,
but
I'll
also
observe
that
in
a
lot
of
package
managers,
especially
in
the
ecosystems,
we
can't
even
get
the
ecosystems
to
stop
running
arbitrary
code
on
package.
A
Install
I
don't
want
to
call
out
the
the
okay.
The
package
repost
working
group
has
been
analyzing
the
differences
between
package
managers.
It's
awesome
I'm
very,
very
proud
of
of
some
of
the
analysis
that
they've
done,
but
several
package
managers
have
said
we
we're
not
even
going
to
prevent
that,
never
mind
any
serious
security
limitations
they
they
want
to
run
arbitrary
code
on
install
time
and
that's
something
that
most
assistant
package
managers
increasingly
abandoned
years
ago
because
of
the
danger
of
it.
So
if
you
can't
even
get
that.
D
E
D
D
C
C
Room
remember:
we
were
talking
about
saying
defaults.
Like
you
see,
this
is
the
thing
like
if
you're
gonna
talk
like,
if
you
really
want
like
say,
defaults,
like
I
guess
in
some
way
system,
D
is
like
your
only
option
like
yeah,
what
I'm
saying
like
in
that
and
you
see
even
there,
you
have
a
lot
of
like
pushback,
because
you
do
have
like
entire
distros
that
are
built
on
the
fact
that
they
don't
use
system
d
and
then
and
then
I
think
in
those
cases
all
sane
defaults
are
off
the
table.
A
F
G
A
F
A
A
A
A
A
A
I
think
in
a
lot
of
cases,
most
packages
don't
actually
need
that
capability
or
if
they
do
they.
What
they
actually
need
to
do
is
a
very
short
list
that
you
could
whitelist.
You
know,
because,
most
of
the
time
it's
hey
either
I
do
nothing.
I,
just
install
files
or
I
copy
them
to
particular
locations
or
I,
invoke
a
compiler
where
presumably
I
trust
the
compiler,
and
this
and
and
so
I'm
suspecting
that
there's
ways
to
reduce
the
Privileges
granted
to
packages
on
install
time.
Now,
whether
or
not
that's
worth
the
squeeze.
D
Mean
even
something
simple
like
so
the
way
that
this
works
with
chocolatey,
I,
believe
it
and
and
I
don't
know.
If
this
is
you
know,
but
but
it's
like
hey
I'm
gonna
run
this
arbitrary
script,
either
click
here
to
view
or
click.
Yes
to
do
you
approve
kind
of
you
know.
If
I
was
you
know,
npm
install
left
pad
and
said:
hey
you're,
going
to
run
this
script.
That
does
a
you
know:
curl
bash
to
burp
collaborator.
D
Let's
just
say,
you
know,
pre-allowed
like
completely
safe
like
things
and
how
many
of
them
have
other
things
and
if
you
just
weren't
for
the
other
things,
if
that
would
be
disruptive
or
not
like
or
you
know,
npm
install
dash
dash.
Warn
me
if
I'm
running
or
well,
actually,
no
npm
does
have
a
npm
installed.
No
Scripts
I
wonder
if
that's
the.
A
In
that
case,
but
the
problem
with
that
is
that
you
are
now,
depending
on
a
user,
to
do
something,
not
the
default,
and
they
have
no
way
to
know
what
damage
will
happen
when
they
do
things
the
wrong
way,
which
means
basically
no
one's
going
to
do
that
because
you
have
no.
You
generally
have
no
way
you'll
unless
you
download
the
inscripts
and
examine
them
themselves
yourself
and
figure
it
all
out.
Nah
nobody's
gonna
do
that
yeah.
C
Sets
up
node
and
the
way
that
node
sets
up.
Node
is
two
different
things
right
now.
If
you
ask
Vivian,
they
would
be
like
well.
Are
you
on
Divi?
Then?
Yes,
then
I
use
debian's
installation,
but
if
you
ask
no
they'd
be
like
no
don't
use
divians
installation,
they
know
nothing
about
no
use
our
installation.
So.
D
A
As
a
result,
you
really
it
doesn't
take
long
at
all
before
a
lot
of
people
assume
that
you're
going
to
use
packaged
Foo
version
7.3
and
the
system
level
package
is
1.2
and
nothing
else
works.
So
you
quickly
abandon
the
system,
level,
Packaging
and
so
I.
I
think
what
was
was
happened
with
all
the
system
level
is
that
they
installed
a
few
a
small
set,
and
if
you
want
a
larger
set
or
a
you
know,
packages
in
a
larger
set.
You
do
Michael
exactly
what
you
suggested.
C
D
D
Right
so
so
I'm
more
of
a
python
than
node
I'm
imagining
that
NVM
is
similar
to
correct,
like
python
virtual
virtual,
correct
okay,
so
so
so,
in
that
case
yeah,
so
one
would
be
like
installed
in
a
more
globally
accessible
place
right
less.
The
other
one
is
like
just
this
directory
and
you
have
to
like
do
a
magical
incantation
in
order
to
like
correct
intrude
into
it,
kind.
C
Of
okay,
so
like
AS
ASDF,
which
is
a
popular
node
one,
which
is
what
I'm
familiar
with
you,
could
you
could
just
install
it
locally
in
the
project
directory
and
use
it
that
way
or
you
could
use
it
like,
install
it
through
Homebrew?
And
then
you
would
have
it
like
system
level
where
it
recognizes
what
your
system
node
is,
and
that
way
you
could
keep
your
system
node
clean,
because
that's
what
Apple
would
want
you
to
do
and
you
use
like
a
local
version
for
your
projects
exactly
exactly
oh
yeah
I
think
it
just
depends.
C
F
C
I
think
it
just.
It
depends
a
lot
on
on
where
on
like
what
your
point
of
view
is,
but
everything
David
said
is
absolutely
true,
but
on
the
flip
side
of
that
there
are
people
that
do
it.
As
I
said
they
expect
us
not
to
upload
because,
like
as
packagers,
we
won't
upload
every
version
if
we
find
versions
with
problems
with
it.
So
some
people
depend
on
that
too.
It's
not
a
security
thing,
it's
just
sometimes
they
release
bad
versions.
We
can't
build
for
one
reason
or
the
other
yep.
D
Yep
and
I
think
I
think
that
you
know
that's
that's
totally.
Okay,
for
you
know
this
kind
of
goes
back
to
like
the
the
and
a
Walled
Garden
versus
Anonymous
FTP,
you
know
and
and
where
different
you
know,
every
every
distro
and
ecosystem
and
registry
can
choose
where
they
want
to
live
in
that
on
that
spectrum
of,
like
you
know,
what
assurances
do
we
provide
to
our
customers
like
under
what
conditions
like
well?
Are
we
going
to
host
malware?
Are
we
going
to
host
project
with
critical
vulnerabilities?
D
D
That
there's
a
there
are
some
who
would
argue
that
we
need
to
move
more
to
the
world
Garden
approach,
where
the
consumer
has
more
Assurance
as
to
the
security
quality
of
the
thing
and
there's
there's
a
whole
lot
of
arguments
that
that
would
destroy
Innovation
and
just
kind
of
destroy
the
world
and
that
we
should.
We
should
be
careful
about
moving
in
that
direction
and
I
I,
don't
know
what
the
right
answer
is.
C
Well,
if
I
made
the
reason
that
I
was
bringing
up
the
Next
Generation
packaging
is
because
I'm
seeing
a
lot
of
companies
like
use
steam
deck
as
like
an
example
of
what
you
should
do.
If
you
want
to
leverage
Linux
and
move
forward
and
that's
a
flat
pack
system,
that
is
basically
just
a
bunch
of
flat
packs
installed
on,
like
gnome
show
on
system
D
like
I
rebuilt
it
over
the
holiday
weekend
and
installed
it
in
a
steam
deck.
It
wasn't
that
hard
to
reverse
engineer.
C
D
C
Literally,
only
need
gnome
show,
that's
all
you
or
or
even
KDE,
because
KD
all
like
yeah
yeah
you,
but
you
just
need
the
shells
and
that's
it
like
you,
don't
need
like
everything
else
can
be
installed
via
flat
pack.
You
don't
need
extensions
now.
Let
me
say
this
for
as
much
as
I
tout
flat
pack.
I
think
it's
interesting
did
I
end
up
using
it.
No
I
went
back
to
fire
jail,
but
but
but
theoretically,
for
an
end
user
who
wants
to
turn
on
a
computer
and
send
an
email
and
not
be
like?
C
Why
is
evolution
sending
me
a
bunch
of
Errors,
then?
Yes,
it
is
a
nice
solution
for
that
and
like
if
you're
going
to
use
it
to
install
games
or
just
a
bunch
of
like
end
user
type.
Things
I
mean
it.
It
has
it.
It
has
like
a
lot
of
foundation
because
you
know
there
it
does
try
to
make
an
effort.
Is
it
perfect?
C
D
A
D
Yeah,
you
know,
although
it's
interesting,
because,
like
so
now
now
putting
on
a
consumer
hat
like
when
I
install
the
package
I
have
it
from
two
different
options:
core
or
flat
pack,
which
is
I
I
often
have
like
they're,
often
like
two
available
versions.
Right
I
will
always
instinctively
go
to
core,
because
I
quote:
Trust
Manjaro
to
police
their
ecosystem
more
than
flat
pack
who
I
don't
know
who
created
the
flat
pack
and
red
hat,
takes
a
red.
A
Yeah
I
think
the
thing
is
for
for
flat
pack,
and
the
reason
we're
talking
about
this
here
is
the
arguments
are
basically
the
same
as
containers
you're,
including
all
the
dependencies
within
the
image.
That
means
that
the
good
news
is,
you
know
that
it
works.
The
bad
news
is
is,
if
you
want
to
make
sure
it
doesn't
have
vulnerabilities,
you
need
to
make
sure
that
the
up,
they're,
updating
all
the
components
within
the
flat
pack.
C
Let
me
say
this
David,
so
they
do
use
a
virtualized
system,
so
what
flat
pack
will
do?
Is
they
kind
of
create
like
this
virtualized
operating
system?
That
actually
does
share
so,
like
all
of
the
flat
packs,
will
share
this
like
virtualized
file
system,
they
have
in
the
background
so
like.
If
you
install
ffmpg
full
flat
pack,
then
all
the
browsers
will
be
able
to
use
ffmpg
and
use
Hardware
acceleration.
C
So
to
some
degree
they
do
it's
more
of
like
a
it's,
not
that
every
single
thing
has
like
the
dependencies
packaged
into
it,
it's
more
of
a
matter
of
like
all
the
modules
and
all
the
things
get
shared
so
that
they're
separated
and
they
could
be
separated
at
a
system
level
or
at
a
user
level
and
yeah.
Oh.
E
C
C
C
D
It
it
depends
on
like
who
are
the
the
end.
Users
like
for
non
for
non-developers
flat
pack
seems
like
a
a
resilience
thing
as
a
as
much
as
anything
else
and
the
idea
of
steam
that,
like
it
totally
makes
sense
in
that
context
for
developers
I,
you
know
I
think
it
has
to
move
up
to
the
application
Level
in
some
way.
D
C
Let
me
let
me
also
say
this:
there
is
a
program
called
Flat
seal,
which
is
kind
of
funny,
but
someone
made
a
GUI
where
you
could
literally
just
control
the
entire
flat
pack
from
there.
So
this
is
also
where
flat
pack
in
the
last
like
three
or
four
months
at
Gen
2,
has
become
all
the
rage,
because
now
you
could
do
whatever
you
want
with
your
flat
packs
you
can
get
into
the
environment,
you
could
give
it
more
pass.
I
mean
you
could
even
turn
the
sandbox
off.
If
you
want
to
okay.
E
C
And
flat
steel
yeah
flat
seal
is
part
of
it.
That
is
part
of
of
the.
Why
all
the
kids
are
using
flat
pack
and
they
all
want
flat
pack
now,
because
they
all
want
to
build
the
steam
deck
on
their
computer
and
yeah
and
flat
seal
is
a
that's.
How
you
break
out
of
the
steam
deck
is
flat.
Sealed
got
it
because,
because
you
can
install
more
flat
packs
into
the
steam
deck
and
you
can
install
flat
steel
as
a
flat
pack
to
screw
all
your
other
flat
packs
up.