Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: February 2nd, Groundhog's Day, Identifying Security Threats working group meeting. Does anyone that hasn't been here before and would like to introduce themselves? Feel free.

A: Okay, so today we really have, I think, probably two main topics, and the first one I wanted... I put this one first because I want to be able to have a good amount of time to talk about this, which is... sorry, I keep getting pinged because more people are trying to add, so I'm not getting distracted.

A: I mean, I am, but: metrics.openssf.org, potentially scorecard.dev, LFX Security, the concept of, we'll just call it a metric dashboard of security facts and information about open source projects that is publicly viewable and makes sense to the reader and is searchable and all that stuff.

A: As you probably know, metrics.openssf.org has been around for probably six months. It's definitely kind of barely beyond proof of concept.

A: It has Scorecard information. Scorecard itself has expanded out to a million-plus projects, and I think that there's rightfully the question of, like, well, what's the future? Like, you know, are we gonna invest in making metrics.openssf.org productiony and much better, or do we deprecate it in favor of something else? That's what this conversation is for. So we have...

A: We have Abhishek and Azeem from Google Scorecard, and I'm hoping that we have Shubhra representing LFX Security, which I do not see him yet. Shubhra, are you on the call? I see a phone number, probably not you, but okay. Anyway, we can chat regardless, but I wanted to give Abhishek, Azeem, if you guys wanted to give your thoughts and just kind of go from there.

B: Yes, sounds good. So one of the things I felt was we would definitely need to have some searchable dashboards for all the Scorecards data. Like right now, it's a million repositories, so it's a pretty useful database for anybody to explore, and we want to create more like a maintained environment to make this searchable. And there is an organization called Projects by IF who will do some design work on scorecards.dev already, and we were just proposing if they could create some search wrappers around it, so that way then we could easily maintain it.

B: So the idea would be to probably have scorecards.dev, and I think LFX Security would be the second one. If we have two of these environments completely maintained, then we could probably just turn off, maybe, metrics.openssf.org.

C: Nothing else that's a pain to maintain. I know that there's been a lot of work to make LFX Security very capable up to this point. There's... I don't know, and I'd love to hear from Shubhra: is LF willing to add specific projects that, even if they aren't LF, because, you know, like, they're critical?

C: On the other hand, I don't know if there's a commitment to add all open source projects to LFX, and if that's not the case, and I don't think there is, because there's a huge cloud bill for that, either LFX Security becomes the everything, merges in there and they support all open source projects, or we need something else that collects all the important metrics data from all open source projects, because I think there's still a need for...

C: I am developing something, I want to know data about this project that I'm thinking about using, but it needs to take... I don't care if it's on GitHub or not. It doesn't matter if it's on GitHub, GitLab or anything, it doesn't matter. If it's an LF project or not, it doesn't matter. I just want all the data so I can hopefully make some good decisions.

C: Right, I think right now, that's... I'm thinking much more than Scorecards, because Scorecards is one particular set of metrics. I think I would want much more than just the Scorecard data. This is not to denigrate Scorecard, by the way; it's just I would want to know multiple metrics about a project before selecting it, totally.

D: Agree with that. So my opinion on this is, I definitely think having the whole metrics dashboard is super useful because, along with Scorecards, we also show the criticality score and we also show the CII Best Practices badge thing. But I think to actually continue, we really need a commitment from someone to maintain this full time, because I don't think this is just about having the UI.

D: I think it's also about having that integration platform, like David and Abhishek mentioned, which basically collects all these different metrics across the ecosystem. So Scorecard has this platform today, but we need to kind of expand this platform to collect metrics for criticality score and maybe other scores that OpenSSF tools have. So I think it's really about the time commitment and the resource commitment we have.

D: I personally think it'll be very useful to have this, but it's harmful if you are not maintaining it full time, and if you don't have the commitment, maybe it's worth considering.

C: I'm sure we need full-time commitment, but I do... it needs to be somebody's job. I think for a lot of this, once you trigger a lot of the stuff... most of this stuff looks like once you get things going, you just keep running. I mean, you know, you don't need someone full-time to re-run the Scorecard.

A: Azeem, do you see the future of Scorecard pulling in, like... do you see Scorecard being the focal point and expanding to include best practice? I mean, I know you have a marker for best practice, but like the content there, or criticality, or just other data sources? Or do you think that Scorecard should be a data provider into some different aggregation platform?

D: So I mean, I think that's a larger discussion. So to be safe, I would probably say that it's better that each of these projects, or each of these metrics, are separate. I mean, we could consider including them in Scorecard at some point, but I wouldn't want to make a decision here based on that point.

B: It's like brainstorming on this a little bit, right, like at a high level: what are the things that are outside Scorecards that could go into that aggregation thing? Because I think the point of Scorecards was to actually get all the different vendors and things, the central risk assessment things, right. So I'm just curious which could be those points, like if you think of OSV, if you think of CII Best Practices, if you think of everything right now goes into Scorecards.

C: No, no, not even close. For example, here's the thing: if I'm going to select an open source project to potentially depend on, I would want to know, for example, is this a project that's only maintained by a single person, or is this something where there are multiple people who are developing it?

C: That doesn't mean that it's wrong to have a single person. There are lots of projects where the functionality is small and there really isn't... you know, there really isn't a useful alternative, but that would help me inform my thinking. I'm not sure that would be a good Scorecard metric, because, you know, what, you know: I'm a single developer. What am I supposed to do? I can't create new people.

C: Okay, all right, that may not have been a good example, but like criticality score.

A: Knows about crypto, so something from deep in the best practices: are they developing... have the developers taken your security training? Yeah, there were lying-around things. That Scorecard... I mean, obviously there's the things that Scorecard has today, there's things that it could have in the future, and there are things that are just so far, like, no, it's just the wrong thing, in which case, if we need to draw a line around that inclusively, then it has to be an aggregation on top of Scorecard.

F: So the question, in my opinion, is: we wanted that the Scorecard is the main and unique project to have all the information for the open source project, because probably this is the question. So we want to replace the CII page and other related tools that can help a developer or a user to evaluate the project with the Scorecard, because of course at the moment it's not complete. It's not.

C: I don't think you're ever going to replace the badge, because most of the things that that needs are not... it's not possible to check them in an automated way. So a tool that can only check using automated analyses won't work for a lot of the critical things. Like, you know, hey, can you prove that everybody has been trained?

B: So do you think this aggregation could be its own project? An example of it is also this thing called deps.dev. If you have heard about Open Source Insights, that's actually aggregating things from CVEs as well, Scorecards and other stuff, so that's kind of a fully maintained effort. It's not an OpenSSF project right now, but we can bring it in; it's fully maintained. But I'm very open to the idea of LFX Security opening it too, because LFX Security has a ton of metrics, as I know, but want to brainstorm with.

C: Yeah, how's this: I think there is a role for "I'm thinking about using this software, please tell me more information about it, so that I can make an informed decision." I don't know that anything we've got right now really meets that. For example, deps.dev only deals with language-level packages.

B: Probably just can be added. I think the way it's different is it doesn't look at the source repo. So, in a way, let's say if you want to say how is this OpenSSL repo doing, the security posture? That would be hard, but it looks at the package level. So that's the design difference.

C: Right, but yeah, how's this, to rewind it back. I think that there is a role for "I am thinking about using this software," you know, source level or a package-level thing, "I would like information to help me make a good decision." Now, how we do that, I think there's lots of ways. LFX is one, metrics is another, not OpenSSF... I mean, we do need to just figure out who has which roles.

G: Yeah, this is Amir from OSTIF here. I thought the metrics dashboard was... definitely, I think we were on the right track with that effort. I mean, it was a good way to get kind of a high-level snapshot that factored in, you know, a lot of quantitative data, you know, from the criticality score and security Scorecards, as well as some qualitative data such as, you know, security information and what have you. So I think everyone has made really good points here.

D: I wonder if we should also have... I mean, I always kind of thought of the metrics dashboard as this place to kind of, you know, show off all the OpenSSF work, all the OpenSSF tools that we are developing, because as of now, that's another thing we would probably want to show to the public, as these are all the different tools and these are all the different things that, you know, the working group is actually developing. So.

A: I don't think it's metrics.openssf.org, it's just like openssf.org/, like, "what are we up to" or, you know, "our tools" or something like that. Yeah, I think my feeling on this is, like, I don't care where, and I don't even care that it has to only be one. It shouldn't be 42, but, you know, to have scorecard.dev and LFX Security.

A: You know, have scorecard.dev evolve in kind of a natural way and have LFX Security include that, and then, you know, I mean, either way, I think my one ask would be that there's an API layer, so that tools like... because I really want, like, "npm install left-pad" and it says, you know, bam, Scorecard data, or like OpenSSF data inclusive of Scorecard data.

A: Things like that, and be able to, you know, have a richer ecosystem of tools that grab this data. I think having an aggregation layer makes sense there, but.

C: Okay, so actually, look, I think maybe this is the right track, actually, Mike. Maybe what we need to do is say: what are we trying to accomplish with either metrics.openssf.org or something else? And then the question is: is it better to keep building on metrics.openssf.org, or, you know, just work with some other thing to integrate? You know, so basically, what is desired, and then figure out how to best get there given where we are right now.

C: Is that, like, so an enterprise can request info on a package and get that info? Right, yep, okay. I think the thing that I mentioned was basically: enable end users, developers, to ask, "I'm using or thinking about using this package."

B: Yeah, yeah, and I think this API interface will come anyways with the Scorecards work, right, as in... so I think then it should be pretty easy to migrate. Even my...

C: metrics.openssf.org be the guesthouse, whatever.

G: And one thing we've talked about in the past, I don't know if it would make it way too complex, but was kind of the idea of almost making it like a wiki where people can edit it, or if something, let's say, on the metrics dashboard is incorrect, where someone could potentially edit that or fix that. I don't know, from a design phase, if something like that would be feasible.

A: I think there has to be an over... I mean, I think some of this, good, Luigi, Security Insights. You know, if you go to the board, if you see your record in this future system and it says that you don't run static analysis and you're like, "but I do, and it's this," you should be able to express that in a way that your score goes up, at least to the point of it being an assertion from you, as opposed to, you know, data, and yeah.

A: ...about that a lot, but okay, yeah, that makes sense. I know at some point in the past I felt strongly about the wiki idea, and I think that there's probably something there without it turning into a... well, what it would mean, what it could turn into.

F: Yes, the main difference between a wiki and the Security Insights is that if you find a wrong value on the dashboard, instead of suggesting edits on the dashboard, you go on the GitHub project and open a PR to edit the Security Insights. Probably it is easier for the maintainer, of course, because they have access to their repo, but also for any user it is not so difficult, and at the same time this helps us to not have a wiki approach to the dashboard, that can be potentially a risk.

F: Maybe, or we need to define very well some rules to handle a similar approach, and maybe it's not so easy.

A: The other thing that I would really like here is just a full relational graph of, you know, this package on npm is this thing on GitHub, is mirrored over here, like... and I'm thinking, like, you know, the relationship between, like, the Mark Adler zlib, like zlib.net, and the Ruby gem called... I think it's called zlib, like.

A: Is there a tight relationship there, or is that just a name collision? And I think you do lots of other interesting things on top of that, but it's primarily just a, you know, data connection problem. It can be phase two, but it speaks, I think, to the advantages of having a common aggregation platform.

A: I think having all the data someplace that one could explore would allow people to ask interesting questions in the future. So, yes, it would be: given a GitHub package, what is the corresponding npm package? Because right now there's a weak reference from npm back to GitHub, but you'd have to, like, read the docs on GitHub to find out how to install it.

F: In the Security Insights there is a section for this where the maintainer can add it, and a scanner can read it, of course. Well, there is... it's not easy to verify this fact, in my mind. Yeah, probably there are some tricks, but we... sorry, yeah.

A: Reproducibility would be another good kind of set, or, sorry, buildability, I guess, would be a separate thing where, like, I don't know if Scorecard would ever consider this; this goes into what's the project [unclear]. First, the.

C: Crazy thing, yeah. But by the way, I've been trying to take some notes. I don't know if I've accurately captured, but I'm trying. I just added the "is this reproducible"; I'll put it in bold temporarily.

A: So I think what might be useful at this point is to come up with, like, how would we make a decision on what to do next? Obviously, we need Shubhra in the room to get his opinion, so we'll sync back with him. I haven't heard any strong objections to any particular avenue, so it seems like as long as it's supported and it basically does what we collectively think it should do, then whether it's LFX Security or Scorecard or even potentially deps.dev is fine.

D: Oh, sorry, I was just wondering: should we discuss the issue of, like, resources here, or is that something that we need Shubhra for, in order...

A: So we... I have had some conversation with Shubhra. I made it clear that if Shubhra is going to resource this, it would be an OpenSSF investment. So this would come out of the OpenSSF general fund, not Alpha-Omega, because that was the context that it came up in, but yes, it would have to be funded and committed to long term before we decide that that's the route to go. I don't...

A: I don't see that being a problem. That does, and now I'm speaking for Shubhra, but it seems to align with his long-term vision, and actually not even long-term but medium-term vision, of LFX Security to expand it out far beyond the LF projects, making at least a good subset of the data public, in which case, you know, sure.

A: Makes sense. So maybe we'll do this, or should we do this: I'd rather not wait two weeks to have another conversation on this. So let's just get an email thread going with Shubhra and try to come up with a proposal. We'll send that out, we'll post it to Slack and send it out to the folks on the call, and that way, if you have strong opinions...

C: Voice them, yeah. And by the way, I see no problem with multiple different sites doing different things as long as it's clear: we do X, not Y. So, you know, I think that's perfect. At least what I had in mind was the "I'm thinking about using open source software, I want a single-stop shop to give me some high-level information." It's okay, and I added this, that it links to other sites. So, for example, I would imagine that, you know, this...

C: ...top-level thing might say: here's a Scorecard value, here's a couple of data points, click here and you suddenly show up on the Scorecard site with all the rest of it. Okay, you know, but basically making it so that, you know, if there's multiple sites, I can go to one site and I click here: oh, it's a GitHub site, and if I want a lot of GitHub-specific stats, click there, I show up in GitHub on its stats page. You know, I don't think this is...

A: Can I just throw a complete wrench in all this thinking? You, as a developer, if you're an npm developer, where do you go to look for packages? You go to npmjs. If you're NuGet, you go to NuGet. If you're... I mean, Ruby, you get my point. Asking a developer to remember and bookmark this other thing to go look at, maybe just not... it'll be an uphill battle.

A: npmjs.com or whatever, to integrate that into their view of the package screen. So if I'm on the left-pad page, I see Scorecard data, and if it makes sense, I see this is a critical project, and here is some security, like, and have that as a plug-in, and that way we get the entire ecosystem done in one shot. Everybody that uses the ecosystem that looks at the website sees it, and that way the package managers are invested in it as well.

C: Here's some... maybe we can make that work, but here's the problem. I don't think it's going to work the way you're describing it. If I'm managing, say, RubyGems, I'm going to present what I've got, and I'm not interested in maintaining eight, you know, all these other metrics and modifying them over time and maintaining them over time. You know, I don't want to do that, and I suspect most of the other package managers don't want to do that either. They're already busy managing the repos.

A: So, like, right here, what I think would be kind of cool is, you know, somewhere on this page, on the right, let's say here, there's a section that says Scorecard, and it's like: maintained, thumbs up; static analysis, thumbs down; whatever. And you click on it and maybe go to scorecard.dev, and maybe there's like a best practices section.

C: Well, more importantly, we can't add metrics later, okay. If, for example, it shows Scorecards and badges and SLSA, saying yeah, then that's it. You're not going to be able to go back to npm and say, hey, we need to keep adding things and things and things. They're not going to be interested in the endless changes, and what's worse, if you have 40 or 50 package, you know, ecosystems, you're multiplying the work by 40 or 50 times, because there's a whole...

A: Perhaps. If I'm right... if I'm wrong, then the UI is more valuable. It doesn't really matter, but because I think we would still need both, but maybe just you should think...

C: ...about it. I think, yeah, yeah, I mean, I agree that meeting people where they are is a good idea. I'm wondering if the... let's, I mean, we're thinking out loud. Maybe what we can do is suggest basically inserting a few of these, you know, Scorecards, badges, whatever, and then a link to... I mean, we could try to do both.

C: You know, a link to a couple of these and a link to "hey, lots more security information," and then still have a site that has lots more, but that still meets them where they are, because I think the issue really isn't whether or not it's on the page. The issue is whether or not it's easy to access from that page, right. People, people.

C: Okay, I know I'm willing to click links and find, and, you know, hey, I'm worried about this new package, I'm willing to click a couple links and learn more. I may not be willing to, you know, start from scratch and Google research and read all the docs.

You know how many users are coming to npmjs to view package information and things like that? I believe, you know, from a security perspective, things like deps.dev, like, for security teams or somebody interested in specific security information, they can go, right. But I don't know how many developers are actually visiting, like, especially for a newer version, and how much they care about the security information there, right. Like, yeah, it's one of those things.

C: If I may, I mean, I don't have any great data on that. I don't think anybody does. Just anecdotally, I think that the bigger organizations, you know, say 10,000-plus employees, often have an internal repo, and that's not just industry. I know that's true for government as well, at least the U.S. government. I don't know about foreign governments, non-U.S. governments. But most, I would say a vast amount of software in the world is developed by smaller companies, and that's probably the vast majority.

C: In fact, and no, they don't have any of that stuff. They're loading straight from npm. They Googled, they found the first package that came up first on the list that did their job, and they click and go, and they're not gonna... you know, if the information is easily accessible to them, I think they'll look at it.

C: No, no, stop! Stop! There's nothing... not bother, there's a cost to that. If you're a five-person shop, it would be incredibly unwise to build your own repo; there's already one. It's called npm. You use that. You would be foolish to try to recreate it yourself, because that will slow you down and create an unnecessary cost, unless you've just got unlimited VC money you need to burn. So, I think, for a vast number of folks...

C: Yes, they are using npm and PyPI and so on directly. They're not using some indirect repo, and those indirect repos don't... you know, whether or not they add value depends on how they're maintained too. They're not always a good thing. So I think people do use intermediate repos, people do use the direct repos as well. I do agree with Mike that having some links directly from those repos has some value.

A: You know, we don't... like, success can be getting the first one integrated. So let's do that. Let's... I'll set up a call, because I want to talk about other stuff too. Is there anything else that anybody just really needs to talk about on this topic? Cool, awesome.

A: I appreciate the conversation. Second topic, just Alpha-Omega. This is just for any of you who have not seen: we launched yesterday morning. From what I've seen, the comments I've seen have almost all been positive. We're gonna hold an information session on the 16th, so let me finally... OpenSSF...

A: ...release, so if you are interested in joining the information session, you are welcome. There's an announce, so we'll do that. We do need to at some point detach it from this working group. Right now, I think the only reason it's connected is because I'm doing both; that's not a great reason, so we'll figure that out. Most of the decisions are happening in a different meeting that we have.

A: Well, it's a different set of people for the most part. Okay, anybody is welcome to, you know... Actually, so we need to set up a working session meeting. Right now we have kind of a session with, it's basically myself, Michael Winser from Google, and Brian, and David, I think you're there usually, just kind of talking details. Most of that was about how to get this thing launched as we go forward.

A: We are looking to hire, so the first hire is going to be the most important. This will be a... you could look at it almost like a CEO of a startup.

A: They will almost certainly oversee both Alpha and Omega from an execution, day-to-day, make-the-thing-successful standpoint, but this needs to be a, you know, a driver of things, but also an evangelizer, someone that can talk externally and get everything. So if you have anybody that you say, "wow, this person would be awesome for this," let me know; we're starting a shortlist.

A: In addition to that, we have a couple spots, so we'll have, I think, right now we're looking for at least one project manager, at least one security analyst, and at least two engineers. The engineers is a little bit wishy-washy, because the more that Shubhra does, the less we have to do. I think we'll still need two, and we're still coming up with the design of, like, what part of this is LFX Security, what part of this is external, what part of this is...

A: ...you know, the analysis part versus the triage part versus reporting and everything. Like, basically everything's up in the air, but we're starting to move.

A: That's awesome, thank you. They might have any questions... I mean, I should open it up. Does anybody have questions on what Alpha-Omega is, or the announce, or direction, or anything?

H: Yeah, the OpenSSF, there was an email today came, so I just joined as a message.

A: Yes, yeah, yep. So we're probably gonna send it, might be Monday by the time it actually, maybe even Tuesday next week. The time, like, there's announced, but it'll basically be a, you know, welcome and then a call to join the information session. Certainly, if you have questions that either you have or you think others might have about Alpha-Omega, please let us know so we can come up with really good answers before it.

A: I would like the... I don't know if we're going to call it a webinar or an information session, but it will be interactive and we will take lots of questions. Oh, that's really the thing.

H: I was talking to, yeah, I was talking to a few of my guys, including some students. They were interested in some open source security project, so yeah, this is Krishna speaking, so I thought I will introduce them to this team. So if I get some information, I can share it with them and ask them to join sometime. Okay, thanks.

J: Hello, everyone, this is Saurabh. I'm saying hi, I'm new, sorry, I'm Saurabh from IBM, and thank you. In fact, this is my first meeting here. I was listening to everyone, what's going on, and I'm working in the security side, started working in IBM security and audit side, compliance-related stuff. So I'm more interested to work on the Scorecard, and Matt introduced me here, so going forward...

J: I'm looking forward to work on this side. Seeing now, just trying many things, workflow for me right now. Yeah, I'm trying to understand. Today is the first day; I just cloned my repo locally to understand Scorecard.

A: Perfect, yeah. Azeem, you probably heard, but Azeem leads the Scorecard project, so he's absolutely the right person to, you know, talk to if you have any questions, but the whole team is awesome. All.

A: No, no, so it's okay! So each of the... so OpenSSF has six working groups.

A: Each working group meets, I think most of them meet every other week, all of them. This is one of the working groups, called Identifying Security Threats. Don't let the name fool you; we do other things too. So Alpha-Omega was a project that was kind of born out of this working group, but we also do Security Insights, security reviews, metrics.openssf.org.

A: So, you know, I'd certainly encourage you to look at other working groups as well, just to see kind of, you know, get a good handle on what everybody's doing.

A: Thank you. Thank you, yeah. Okay, awesome. If there aren't any other questions, we can move to Security Insights, Luigi, and in this something.

J: No, I mean something related to obsolete packages, when we are talking about how to get those packages, how we are going to look into, and this package which are obsolete and we are going to... yeah, go to next.

F: The Security Insights is a sort of... it is a YAML file that should contain some useful information, for example the link to the SECURITY.md, contact for the maintainers, contact and other helpful information, for example link to the CI or information about the CI, or information about pen test, or the source where the packages are distributed.

F: They use another pattern, another name, and for this reason the Scorecard failed to identify their security policy. So this YAML file is a sort of a human-readable file that contains all the information that can be used, but from... from your one, of course, and also from scanners that need to double-check a particular information, or if the scanner doesn't find a particular file in the regular path, try to check the Security Insights to see if the maintainer moved it in a custom position.

F: It's quite common, especially because for some policy there is no standard. For example, there is the doc folder, the docs folder, or sometimes the wiki is in a totally different page. So there are some missing standards for the open source, but a lot of open source projects have this information in custom sources, and the Security Insights can help to collect all this information in a single place that the scanner can use to obtain information.

F: As far as I know, it is just a proposal; we are working on it. I haven't still pushed the last commit; there are... my local repo, but I have another section for the documentation at the moment. It is a generic section. I mean, there is no clear definition of documentation, so it can be just the folder docs in the repo, or it can be an external website that the maintainer has created that has documentation. It is quite common, for example, it is a YAML with the information about the API.

F: There are, especially for the API, the documentation is auto-generated now, and I have added the... wait, I have the list in one second.

F: Yes, definitely. I mean, at the moment it is... I am still working on it, so I'm not.

C: Sure, yeah, and I think one challenge here is, I mean, this is an early proposal. One challenge is that nobody's committed to using it. As you know, Scorecards is very worried about using any of this, because they want to be able to say "this is what we saw," and I think they're quite nervous about using this. The badging project, I lead that part, willing, but there's not much in there that is of direct use to the badging project right now. So we need to figure out how to fix that.

A: I mean, having Apache commit to using it across everything would, I think, be useful for Scorecard, at least as one kind of large-ish data point.

F: Okay, but I mean, I have seen that the CONTRIBUTING.md is very important, but also the link to the license and also the list of the dependencies files that are contained in the repo can help. So if someone wants to choose which scanner to use to scan a particular project, especially for third-party packages, you need to know what are the files that contain the dependencies. But if you don't know the languages, you don't know the file.

F: So in this way you can have easily the path, and I have added also the link to the changelog, because this is also contained in the CII page, and okay, it was interesting, yeah, and.

E: Yeah, I mean, first, I want to say I'm extremely pleased about this update. As you know, Michael, you know, these are things we talked about months ago, and I agree. I think, you know, having an Apache project myself, I always hoped, you know, it talked about this level of this, this tiered mechanism, and it goes back to the early conversations we had in this call about there has to... we have to decide, or Scorecard's side, you know, how
we
incorporate
other
ecosystems,
other
policies,
other
practices,
other
things
like
that.
E
Apache
is
a
great
starting
point,
because
they
do
have
uniform
requirements
and
policies
for
graduation
that
all
projects
must
adhere
to.
So
they
can
point
to
the
the
apache
way
we
get
apache
to
codify
that
codify
those
policies.
In
some
way,
then
project
supply
overlap
their
specific
policies
how
they
implement
those
in
their
specific
project.
I
think
it
can
be
automated.
E
The
question
is
I
I
I
I
still
don't
understand
where
the
where
the
boundary
the
scorecard
is
because
then
early
in
the
call
I
heard
scorecard
can
do
everything
and
we
heard,
but
then
there
maybe
there
should
be
a
boundary
which
I
agree
there
has
to
be
some
negotiated
boundary
of
like.
If
scorecard
you
know,
you
know
if
the
data
that
can
other
people
want
to
represent
in
their
way
or
implement
it
in
a
certain
way,
if
there's
an
api
or
a
way
to
say
how
do
we
normalize
this
to
scorecard
all
the
better?
C
C
E
F
Yes,
convince
people
is
that
my
opinion,
the
most
difficult
part,
the
smart
insights
can
help,
because
you
can
maintain
the
technical
depth
and
technical
depth.
I
mean
you
can
maintain
your
standard,
just
adding
a
new
layer
that
can
be
used
to
from
a
new
scanner.
F
In
this
way,
we
can
try
to
convince
if
people
to
add
it
to
the
repo
and
then
we
need
to
convince
secu,
not
only
the
scorecard,
but
also
the
scanner,
but
starting
with
the
scorecard
to
use
it.
I
know
that
they
don't
want
to
trust
to
the
user.
I
understand
them
at
the
same
time,
they
already
trust
to
the
user
when
they
say
that
there
is
the
security.md,
because
they
don't
check
the
the
document
they
check.
Just
the
part
well,.
F
Exactly
and
so
they
can
use
the
security
inside
sorry,
bernard
hancock,.
I
Yes,
sir,
I
just
want
to
clarify
my
previous
point
david
and
mike,
like
a
I
didn't
meant
to
you,
know,
say
something
which
is
completely
so
what
I
meant
was
like
you
know.
This
data
is,
in
my
opinion,
is
mainly
useful
for
two
types
of
people.
Right,
one
is
a
developers
and
security
people,
and
I,
I
think,
developers
who
are
working
closely
with
an
open
source
project
or
library.
I
You
know
they
they
mostly
go
through
the
source
code
repository
like
github
url
and
everything
right
like
they
may
have
better
familiarity
with
the
the
source
of
the
location,
the
source
code
itself
and
security
people
I'm
a
part
of
a
security
people.
So
I
know
that
you
know
we
prefer
one
place
like
something
like
dip.
Stop
dab
right
like
I
really
like
the
fact
you
know
dips
already
put
so
many
meta
information
like
michael
mentioned
like
where
is
the
source
called
very
service?
Even
there
is
a
dependency
graph.
I
I
I
think
something,
I'm
not
saying
we
need
to
have
dipped
stock
there,
but
if
google
is
interested
tonight
open
ssf,
I
think
it's
a
great
idea,
but
I
think
something
like
that
will
be
more
useful
for
security
people,
but
I
think
for
developers.
I
think
the
data
in
the
github
or
something
like
that
would
be
much
more.
I
So
I
think
there
is
also
an
opportunity
to
encourage
other
openess
as
members
to
you
know,
try
scorecards,
and
you
know
at
least
let
them
know
what
are
the
benefits,
how
they
can
use
it.
There
can
be
different
use
case.
Even
you
know,
scorecard
and
other
metrics.
We
are
generating
not
just
for
open
source,
softwares
or
open
source
community,
even
for
enterprises
like
how
they
can
improve
their
existing
open
source
management
right
yeah.
A
Sounds
good,
we
are
over
time.
Thank
you,
everybody
for
your
opinions
and
thoughts
and
a
great
discussion.
We
will
pick
up
on
this
next
time
and
we'll
we'll
go
in
the
reverse
order.
So
we'll
pick
up
the
security
reviews
and
don't
be
a
jerk
paper.